Commit f81426a8 authored Sep 16, 2014 by Daniel Gryniewicz Committed by James Bottomley Sep 19, 2014

[SCSI] fix for bidi use after free



When ending a bi-directionional SCSI request, blk_finish_request()
cleans up and frees the request, but scsi_release_bidi_buffers() tries
to indirect through the request to find it's data buffers.  This causes
a panic due to a null pointer dereference.

Move the call to scsi_release_bidi_buffers() before the call to
blk_finish_request().

Signed-off-by: Daniel Gryniewicz <dang@linuxbox.com>
Reviewed-by: Webb Scales <webbnh@hp.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

parent e8be1cf5

drivers/scsi/scsi_lib.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -733,12 +733,13 @@ static bool scsi_end_request(struct request *req, int error,
		} else {
		unsigned long flags;

		if (bidi_bytes)
		scsi_release_bidi_buffers(cmd);

		spin_lock_irqsave(q->queue_lock, flags);
		blk_finish_request(req, error);
		spin_unlock_irqrestore(q->queue_lock, flags);

		if (bidi_bytes)
		scsi_release_bidi_buffers(cmd);
		scsi_release_buffers(cmd);
		scsi_next_command(cmd);
		}