Commit f81426a84bef870d26e5e752772d8ca203cd4aed

Authored by Daniel Gryniewicz
Committed by James Bottomley
1 parent e8be1cf58d

[SCSI] fix for bidi use after free

When ending a bi-directional SCSI request, blk_finish_request()
cleans up and frees the request, but scsi_release_bidi_buffers() tries
to indirect through the request to find its data buffers.  This causes
a panic due to a null pointer dereference.

Move the call to scsi_release_bidi_buffers() before the call to
blk_finish_request().

Signed-off-by: Daniel Gryniewicz <dang@linuxbox.com>
Reviewed-by: Webb Scales <webbnh@hp.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

Showing 1 changed file with 3 additions and 2 deletions

drivers/scsi/scsi_lib.c
... ... @@ -733,12 +733,13 @@
733 733 } else {
734 734 unsigned long flags;
735 735  
  736 + if (bidi_bytes)
  737 + scsi_release_bidi_buffers(cmd);
  738 +
736 739 spin_lock_irqsave(q->queue_lock, flags);
737 740 blk_finish_request(req, error);
738 741 spin_unlock_irqrestore(q->queue_lock, flags);
739 742  
740   - if (bidi_bytes)
741   - scsi_release_bidi_buffers(cmd);
742 743 scsi_release_buffers(cmd);
743 744 scsi_next_command(cmd);
744 745 }
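Review bot: the reordering is the right fix, but the moved block at +736/+737 would benefit from a one-line comment stating why it must stay above blk_finish_request() (the bidi buffers are reached through req, which blk_finish_request() frees), so a later cleanup does not move it back below the lock section and reintroduce the use-after-free. Note also that scsi_release_bidi_buffers() is still called without q->queue_lock held, exactly as the removed lines at -740/-741 did, so no new locking is introduced; only the lifetime ordering changes.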