[PATCH] qla2xxx: Reset done and free callback pointer on release

From: Daniel Wagner <dwagner@suse.de>
To: linux-scsi@vger.kernel.org
Cc: Nilesh Javali <njavali@marvell.com>,
	linux-kernel@vger.kernel.org, Daniel Wagner <dwagner@suse.de>
Subject: [PATCH] qla2xxx: Reset done and free callback pointer on release
Date: Mon,  3 Aug 2020 18:23:01 +0200	[thread overview]
Message-ID: <20200803162301.103927-1-dwagner@suse.de> (raw)

Reset ->done and ->free when releasing the srb. There is a hidden
use-after-free bug in the driver which corrupts the srb memory pool
which originates from the cleanup callbacks. By explicitly resetting
the callbacks to NULL, we workaround the memory corruption.

An extensive search didn't bring any lights on the real problem. The
initial idea was to set both pointers to NULL and try to catch invalid
accesses. But instead the memory corruption was gone and the driver
didn't crash.

Signed-off-by: Daniel Wagner <dwagner@suse.de>
---

Hi,

Although I would prefer to fix the real problem, it's propably better
to go with this workaround until we can fix it properly. I still
hope to find the use-after-free with KASAN...

Thanks,
Daniel

 drivers/scsi/qla2xxx/qla_inline.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
index 861dc522723c..6d41d758fc17 100644
--- a/drivers/scsi/qla2xxx/qla_inline.h
+++ b/drivers/scsi/qla2xxx/qla_inline.h
@@ -211,6 +211,8 @@ static inline void
 qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp)
 {
 	sp->qpair = NULL;
+	sp->done = NULL;
+	sp->free = NULL;
 	mempool_free(sp, qpair->srb_mempool);
 	QLA_QPAIR_MARK_NOT_BUSY(qpair);
 }
-- 
2.16.4

