git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Zilin Guan <zilin@seu.edu.cn>
	Thu, 13 Nov 2025 15:12:46 +0000 (15:12 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Dec 2025 13:03:06 +0000 (14:03 +0100)
commit	5fa1c8226b4532ad7011d295d3ab4ad45df105ae
tree	f20f917c96bf0bfb64a86cd29c67abc2d228d600	tree \| snapshot
parent	638779b175216840e321319bd371ff89fdcd5e56	commit \| diff

scsi: qla2xxx: Fix improper freeing of purex item

[ Upstream commit 78b1a242fe612a755f2158fd206ee6bb577d18ca ]

In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().

The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().

An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.

Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.

Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>