Commit 3a5c19c2 authored Aug 16, 2010 by James Bottomley

[SCSI] fix use-after-free in scsi_init_io()



we're using a pointer through a freed command to reset the request,
which has shown up as an oops with slab poisoning:

Reported-by: Tejun Heo <tj@kernel.org>
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

parent 7e443312

drivers/scsi/scsi_lib.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)

		err_exit:
		scsi_release_buffers(cmd);
		scsi_put_command(cmd);
		cmd->request->special = NULL;
		scsi_put_command(cmd);
		return error;
		}
		EXPORT_SYMBOL(scsi_init_io);