[SCSI] fix use-after-free in scsi_init_io() we're using a pointer through a freed command to reset the request, which has shown up as an oops with slab poisoning: Reported-by: Tejun Heo <tj@kernel.org> Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>

commit: 3a5c19c23db65a554f2e4f5df5f307c668277056 [log] [tgz]
author: James Bottomley <James.Bottomley@suse.de> Mon Aug 16 10:06:26 2010 -0500
committer: James Bottomley <James.Bottomley@suse.de> Thu Sep 09 09:58:18 2010 -0500
tree: eb89ea587d49af31eb21ba2c08824c0b9cf056b0
parent: 7e443312403ad1ff40ef3177590e96d1fe747c79 [diff] [blame]
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 9ade720..ee02d38 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c

@@ -1011,8 +1011,8 @@
 
 err_exit:
 	scsi_release_buffers(cmd);
-	scsi_put_command(cmd);
 	cmd->request->special = NULL;
+	scsi_put_command(cmd);
 	return error;
 }
 EXPORT_SYMBOL(scsi_init_io);
commit	3a5c19c23db65a554f2e4f5df5f307c668277056	[log] [tgz]
author	James Bottomley <James.Bottomley@suse.de>	Mon Aug 16 10:06:26 2010 -0500
committer	James Bottomley <James.Bottomley@suse.de>	Thu Sep 09 09:58:18 2010 -0500
tree	eb89ea587d49af31eb21ba2c08824c0b9cf056b0
parent	7e443312403ad1ff40ef3177590e96d1fe747c79 [diff] [blame]