scsi_init_io() dereferences scsi_cmnd after putting it in the error path leading to oops. Fix it.

Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
Cc: stable@xxxxxxxxxx
---
 drivers/scsi/scsi_lib.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Index: block/drivers/scsi/scsi_lib.c
===================================================================
--- block.orig/drivers/scsi/scsi_lib.c
+++ block/drivers/scsi/scsi_lib.c
@@ -968,7 +968,9 @@ static int scsi_init_sgtable(struct requ
  */
 int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 {
+	struct request *req = cmd->request;
 	int error = scsi_init_sgtable(cmd->request, &cmd->sdb, gfp_mask);
+
 	if (error)
 		goto err_exit;
 
@@ -1012,7 +1014,7 @@ int scsi_init_io(struct scsi_cmnd *cmd, 
 err_exit:
 	scsi_release_buffers(cmd);
 	scsi_put_command(cmd);
-	cmd->request->special = NULL;
+	req->special = NULL;
 	return error;
 }
 EXPORT_SYMBOL(scsi_init_io);
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
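Review bot: In the first hunk the new local `req` is declared, but the very next line still passes `cmd->request` to scsi_init_sgtable(). Using the local there, `int error = scsi_init_sgtable(req, &cmd->sdb, gfp_mask);`, keeps a single source for the request pointer. The declaration also deserves a short comment explaining why it exists, e.g. `/* cached: cmd must not be dereferenced after scsi_put_command() in err_exit */`, so that a later cleanup does not fold it back into `cmd->request` and reintroduce the use after put. The body of scsi_init_io() continues beyond this hunk.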
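Review bot: In err_exit, `req->special` is cleared only after `scsi_put_command(cmd)` has run, so for a short window the request still holds a pointer to a command that has already been put. If scsi_put_command() does not itself rely on `req->special` (its body is not visible here), moving `req->special = NULL;` above `scsi_put_command(cmd);` would close that window. Either way, a one-line comment at the label such as `/* cmd may be gone after scsi_put_command(); use the cached req */` would document the ordering constraint. The start of scsi_init_io() and the paths that jump to err_exit lie outside this hunk.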