>>>>> "Doug" == Douglas Gilbert <dgilbert@xxxxxxxxxxxx> writes: >> In sg_common_write(), we free the block request and return -ENODEV if >> the device is detached in the middle of the SG_IO ioctl(). >> >> Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we >> end up freeing rq->cmd in the already free rq object, and then free >> the object itself out from under the current user. >> >> This ends up corrupting random memory via the list_head on the rq >> object. The most common crash trace I saw is this: >> Signed-off-by: Calvin Owens <calvinowens@xxxxxx> Doug> Acked-by: Douglas Gilbert <dgilbert@xxxxxxxxxxxx> Applied. -- Martin K. Petersen Oracle Linux Engineering -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
