git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Zilin Guan <zilin@seu.edu.cn>
	Thu, 13 Nov 2025 15:12:46 +0000 (15:12 +0000)
committer	Martin K. Petersen <martin.petersen@oracle.com>
	Thu, 20 Nov 2025 03:38:27 +0000 (22:38 -0500)
commit	78b1a242fe612a755f2158fd206ee6bb577d18ca
tree	20e93d2c05cd5a74090214ed9f8b34ba5ff14e00	tree \| snapshot
parent	cda5f23eed84cdca374d60734bf0190138788608	commit \| diff

scsi: qla2xxx: Fix improper freeing of purex item

In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().

The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().

An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.

Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.

Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>