On Mon, 2010-08-16 at 16:15 +0200, Tejun Heo wrote:
> scsi_init_io() dereferences scsi_cmnd after putting it in the error
> path leading to oops. Fix it.
>
> Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxx
> ---
> drivers/scsi/scsi_lib.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Index: block/drivers/scsi/scsi_lib.c
> ===================================================================
> --- block.orig/drivers/scsi/scsi_lib.c
> +++ block/drivers/scsi/scsi_lib.c
> @@ -968,7 +968,9 @@ static int scsi_init_sgtable(struct requ
>   */
>  int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
>  {
> +	struct request *req = cmd->request;
>  	int error = scsi_init_sgtable(cmd->request, &cmd->sdb, gfp_mask);
> +
>  	if (error)
>  		goto err_exit;
>  
> @@ -1012,7 +1014,7 @@ int scsi_init_io(struct scsi_cmnd *cmd,
>  err_exit:
>  	scsi_release_buffers(cmd);
>  	scsi_put_command(cmd);
> -	cmd->request->special = NULL;
> +	req->special = NULL;

Thanks for the bug report. The fix is a bit heavy handed; what about this?

James

---
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 9ade720..ee02d38 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 err_exit:
 	scsi_release_buffers(cmd);
-	scsi_put_command(cmd);
 	cmd->request->special = NULL;
+	scsi_put_command(cmd);
 	return error;
 }
 
 EXPORT_SYMBOL(scsi_init_io);
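Review bot: In the first hunk of Tejun's patch, the new local `req` is introduced but the very next line still reads `cmd->request` in `scsi_init_sgtable(cmd->request, &cmd->sdb, gfp_mask)`; once the local exists it should be used there too, i.e. `scsi_init_sgtable(req, &cmd->sdb, gfp_mask)`, so a reader does not have to verify that the two expressions name the same pointer. The added blank line after the initialised declaration is fine for kernel style.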
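Review bot: In the second hunk of Tejun's patch, caching `req` before `scsi_put_command(cmd)` does remove the use-after-free (nothing dereferences `cmd` after it is returned to the pool), but it treats an ordering bug as a pointer-lifetime problem: the store to `request->special` does not depend on `cmd` having been put, so moving `cmd->request->special = NULL;` above `scsi_put_command(cmd);` fixes the same oops as a one-line change with no extra local and no second hunk. Whichever variant lands, the commit message should state explicitly that `scsi_put_command()` releases `cmd`, since that is the invariant the error path was violating.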
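Review bot: James's reorder clears `cmd->request->special` while `cmd` is still valid and only then calls `scsi_put_command(cmd)`, which is the minimal fix for the use-after-free in this error path; what is missing is the metadata, since the diff drops the `Signed-off-by:` and `Cc: stable@...` tags that Tejun's version carried, and a crash fix in the SCSI error path should keep the stable tag (plus a Reported-by: for Tejun, whose report is acknowledged above) when it is committed.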