[PATCH 02/10] scsi:ncr710: Fix use after free in command_complete

Soumyajyotii Ssarkar posted 10 patches 1 month, 3 weeks ago
Maintainers: Richard Henderson <richard.henderson@linaro.org>, Helge Deller <deller@gmx.de>, Paolo Bonzini <pbonzini@redhat.com>, Fam Zheng <fam@euphon.net>
Posted by Soumyajyotii Ssarkar 1 month, 3 weeks ago
Add proper hba_private pointer cleanup in ncr710_command_complete.
This prevents use after free errors from occurring.

This was causing memory corruption in NetBSD device initialization
when commands complete and the request structures were freed while
still being referenced.

Signed-off-by: Soumyajyotii Ssarkar<soumyajyotisarkar23@gmail.com>
---
 hw/scsi/ncr53c710.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index bab2ea7210..ac1ca4cef8 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -798,7 +798,13 @@ void ncr710_command_complete(SCSIRequest *req, size_t resid)
 
     ncr710_set_phase(s, PHASE_ST);
 
-    if (req->hba_private == s->current) {
+    if (p) {
+        req->hba_private = NULL;
+        if (p == s->current) {
+            p->req = NULL;
+        } else {
+            ncr710_request_free(s, p);
+        }
         scsi_req_unref(req);
     }
 
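Review bot: the new `if (p)` block dereferences `p`, but neither its declaration nor the assignment from `req->hba_private` is inside the hunk, so please include that context (or state in the message that `p` is `req->hba_private` read before this point) so a reader can see that `req->hba_private = NULL`, `p->req = NULL` and `ncr710_request_free(s, p)` all act on the same object. The hunk also changes behaviour beyond the cleanup described in the commit message: `scsi_req_unref(req)` now runs in the non-current `else` path as well, where the old `if (req->hba_private == s->current)` skipped it; the message should say so, and it is worth confirming that `ncr710_request_free` does not itself drop that reference, otherwise the unref that follows it would release the request twice.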
-- 
2.49.0
Re: [PATCH 02/10] scsi:ncr710: Fix use after free in command_complete
Posted by Helge Deller 1 month, 2 weeks ago
On 12/21/25 15:23, Soumyajyotii Ssarkar wrote:
> Add proper hba_private pointer cleanup in ncr710_command_complete.
> This prevents use after free errors from occurring.
> 
> This was causing memory corruption in NetBSD device initialization
> when commands complete and the request structures were freed while
> still being referenced.
> 
> Signed-off-by: Soumyajyotii Ssarkar<soumyajyotisarkar23@gmail.com>
> ---
>   hw/scsi/ncr53c710.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)

Reviewed-by: Helge Deller <deller@gmx.de>