[SCSI] fix use-after-free in scsi_init_io()

we're using a pointer through a freed command to reset the request, which has shown up as an oops with slab poisoning: Reported-by: N Tejun Heo <tj@kernel.org> Reported-by: N Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: N James Bottomley <James.Bottomley@suse.de>

[SCSI] fix use-after-free in scsi_init_io()
we're using a pointer through a freed command to reset the request, which has shown up as an oops with slab poisoning: Reported-by: N Tejun Heo <tj@kernel.org> Reported-by: N Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: N James Bottomley <James.Bottomley@suse.de>
3a5c19c2 · James Bottomley · 7e443312 · 3a5c19c2
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/scsi/scsi_lib.c drivers/scsi/scsi_lib.c +1 -1

未找到文件。
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 err_exit:
 	scsi_release_buffers(cmd);
-	scsi_put_command(cmd);
 	cmd->request->special = NULL;
+	scsi_put_command(cmd);
 	return error;
 }
 EXPORT_SYMBOL(scsi_init_io);