Commit c0b7da13 authored Feb 10, 2026 by Vladimir Riabchun Committed by Martin K. Petersen Mar 07, 2026

scsi: qla2xxx: Completely fix fcport double free

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.

qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.

Fixes: 82f522ae ("scsi: qla2xxx: Fix double free of fcport")
Fixes: 4895009c ("scsi: qla2xxx: Prevent command send on chip reset")
Signed-off-by: Vladimir Riabchun <ferr.lambarginio@gmail.com>
Signed-off-by: Farhat Abbas <fabbas@cloudlinux.com>
Link: https://patch.msgid.link/aYsDln9NFQQsPDgg@vova-pc

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent b0bd84c3

drivers/scsi/qla2xxx/qla_iocb.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -2751,7 +2751,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
		if (!elsio->u.els_logo.els_logo_pyld) {
		/* ref: INIT */
		kref_put(&sp->cmd_kref, qla2x00_sp_release);
		qla2x00_free_fcport(fcport);
		return QLA_FUNCTION_FAILED;
		}

		@@ -2776,7 +2775,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
		if (rval != QLA_SUCCESS) {
		/* ref: INIT */
		kref_put(&sp->cmd_kref, qla2x00_sp_release);
		qla2x00_free_fcport(fcport);
		return QLA_FUNCTION_FAILED;
		}