[SCSI] fix use-after-free in scsi_init_io()

we're using a pointer through a freed command to reset the request, which has shown up as an oops with slab poisoning: Reported-by: Tejun Heo <tj@kernel.org> Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
git-mirror · Sep 9, 2010 · 3a5c19c · 3a5c19c
1 parent 7e44331
commit 3a5c19c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
@@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 
 err_exit:
 	scsi_release_buffers(cmd);
-	scsi_put_command(cmd);
 	cmd->request->special = NULL;
+	scsi_put_command(cmd);
 	return error;
 }
 EXPORT_SYMBOL(scsi_init_io);