From: Daniel Gryniewicz Date: Tue, 16 Sep 2014 14:41:13 +0000 (-0400) Subject: [SCSI] fix for bidi use after free X-Git-Tag: firefly_0821_release~176^2~3209^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f81426a84bef870d26e5e752772d8ca203cd4aed;p=firefly-linux-kernel-4.4.55.git [SCSI] fix for bidi use after free When ending a bi-directionional SCSI request, blk_finish_request() cleans up and frees the request, but scsi_release_bidi_buffers() tries to indirect through the request to find it's data buffers. This causes a panic due to a null pointer dereference. Move the call to scsi_release_bidi_buffers() before the call to blk_finish_request(). Signed-off-by: Daniel Gryniewicz Reviewed-by: Webb Scales Signed-off-by: Christoph Hellwig Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index d837dc180522..aaea4b98af16 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -733,12 +733,13 @@ static bool scsi_end_request(struct request *req, int error, } else { unsigned long flags; + if (bidi_bytes) + scsi_release_bidi_buffers(cmd); + spin_lock_irqsave(q->queue_lock, flags); blk_finish_request(req, error); spin_unlock_irqrestore(q->queue_lock, flags); - if (bidi_bytes) - scsi_release_bidi_buffers(cmd); scsi_release_buffers(cmd); scsi_next_command(cmd); }