提交 f81426a8 编写于 作者: D Daniel Gryniewicz 提交者: James Bottomley

[SCSI] fix for bidi use after free

When ending a bi-directionional SCSI request, blk_finish_request()
cleans up and frees the request, but scsi_release_bidi_buffers() tries
to indirect through the request to find it's data buffers.  This causes
a panic due to a null pointer dereference.

Move the call to scsi_release_bidi_buffers() before the call to
blk_finish_request().
Signed-off-by: NDaniel Gryniewicz <dang@linuxbox.com>
Reviewed-by: NWebb Scales <webbnh@hp.com>
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
上级 e8be1cf5
......@@ -733,12 +733,13 @@ static bool scsi_end_request(struct request *req, int error,
} else {
unsigned long flags;
if (bidi_bytes)
scsi_release_bidi_buffers(cmd);
spin_lock_irqsave(q->queue_lock, flags);
blk_finish_request(req, error);
spin_unlock_irqrestore(q->queue_lock, flags);
if (bidi_bytes)
scsi_release_bidi_buffers(cmd);
scsi_release_buffers(cmd);
scsi_next_command(cmd);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册