[SCSI] fix use-after-free in scsi_init_io()
we're using a pointer through a freed command to reset the request, which has shown up as an oops with slab poisoning: Reported-by: Tejun Heo <tj@kernel.org> Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
This commit is contained in:
parent
7e44331240
commit
3a5c19c23d
|
@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
|
|||
|
||||
err_exit:
|
||||
scsi_release_buffers(cmd);
|
||||
scsi_put_command(cmd);
|
||||
cmd->request->special = NULL;
|
||||
scsi_put_command(cmd);
|
||||
return error;
|
||||
}
|
||||
EXPORT_SYMBOL(scsi_init_io);
|
||||
|
|
Loading…
Reference in New Issue