From: James Bottomley <James.Bottomley@suse.de>
Date: Mon, 16 Aug 2010 15:06:26 +0000 (-0500)
Subject: [SCSI] fix use-after-free in scsi_init_io()
X-Git-Tag: Ubuntu-goldfish-3.4.0-4.27~5785^2
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=3a5c19c23db65a554f2e4f5df5f307c668277056;p=mirror_ubuntu-zesty-kernel.git

[SCSI] fix use-after-free in scsi_init_io()

we're using a pointer through a freed command to reset the request,
which has shown up as an oops with slab poisoning:

Reported-by: Tejun Heo <tj@kernel.org>
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
---

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 9ade720422c6..ee02d3838a0a 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 
 err_exit:
 	scsi_release_buffers(cmd);
-	scsi_put_command(cmd);
 	cmd->request->special = NULL;
+	scsi_put_command(cmd);
 	return error;
 }
 EXPORT_SYMBOL(scsi_init_io);