scsi: qla2xxx: Fix improper freeing of purex item

GoodLuck612 · martinkpetersen · commit 78b1a242fe61 · 2025-11-19T22:38:27.000-05:00
In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item. If the item was from the pre-allocated pool, calling kfree() on it is a bug that can lead to memory corruption. Fix this by using the correct deallocation function, qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. Fixes: 875386b ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com> Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
@@ -1292,7 +1292,7 @@ void qla2xxx_process_purls_iocb(void **pkt, struct rsp_que **rsp)
 		a.reason = FCNVME_RJT_RC_LOGIC;
 		a.explanation = FCNVME_RJT_EXP_NONE;
 		xmt_reject = true;
-		kfree(item);
+		qla24xx_free_purex_item(item);
 		goto out;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -1292,7 +1292,7 @@ void qla2xxx_process_purls_iocb(void pkt, struct rsp_que rsp)`
`1292`	`1292`	`a.reason = FCNVME_RJT_RC_LOGIC;`
`1293`	`1293`	`a.explanation = FCNVME_RJT_EXP_NONE;`
`1294`	`1294`	`xmt_reject = true;`
`1295`		`- kfree(item);`
	`1295`	`+ qla24xx_free_purex_item(item);`
`1296`	`1296`	`goto out;`
`1297`	`1297`	`}`
`1298`	`1298`