[SCSI] fix for bidi use after free
When ending a bi-directional SCSI request, blk_finish_request() cleans up and frees the request, but scsi_release_bidi_buffers() tries to indirect through the request to find its data buffers. This causes a panic due to a null pointer dereference. Move the call to scsi_release_bidi_buffers() before the call to blk_finish_request(). Signed-off-by: Daniel Gryniewicz <dang@linuxbox.com> Reviewed-by: Webb Scales <webbnh@hp.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
parent
e8be1cf58d
commit
f81426a84b
|
@ -733,12 +733,13 @@ static bool scsi_end_request(struct request *req, int error,
|
||||||
} else {
|
} else {
|
||||||
unsigned long flags;
|
unsigned long flags;
|
||||||
|
|
||||||
|
if (bidi_bytes)
|
||||||
|
scsi_release_bidi_buffers(cmd);
|
||||||
|
|
||||||
spin_lock_irqsave(q->queue_lock, flags);
|
spin_lock_irqsave(q->queue_lock, flags);
|
||||||
blk_finish_request(req, error);
|
blk_finish_request(req, error);
|
||||||
spin_unlock_irqrestore(q->queue_lock, flags);
|
spin_unlock_irqrestore(q->queue_lock, flags);
|
||||||
|
|
||||||
if (bidi_bytes)
|
|
||||||
scsi_release_bidi_buffers(cmd);
|
|
||||||
scsi_release_buffers(cmd);
|
scsi_release_buffers(cmd);
|
||||||
scsi_next_command(cmd);
|
scsi_next_command(cmd);
|
||||||
}
|
}
|
||||||
|
|
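Review bot: The new ordering in this `else` branch has no comment recording why `scsi_release_bidi_buffers(cmd)` has to run before `blk_finish_request(req, error)`, so a later tidy-up could group it with `scsi_release_buffers(cmd)` again and bring the use after free back. I would add something like `/* must precede blk_finish_request(): the bidi release reaches its buffers through the request, which is freed there */` above the `if (bidi_bytes)` line. Separately, `scsi_release_buffers(cmd)` and `scsi_next_command(cmd)` still run after the request has been finished; the hunk does not show whether either of them reaches the request through `cmd`, so that is worth confirming before relying on this ordering. The body of scsi_end_request starts and ends outside the hunk.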