[SCSI] fix for bidi use after free

When ending a bi-directionional SCSI request, blk_finish_request()
cleans up and frees the request, but scsi_release_bidi_buffers() tries
to indirect through the request to find it's data buffers.  This causes
a panic due to a null pointer dereference.

Move the call to scsi_release_bidi_buffers() before the call to
blk_finish_request().

Signed-off-by: Daniel Gryniewicz <[email protected]>
Reviewed-by: Webb Scales <[email protected]>
Signed-off-by: Christoph Hellwig <[email protected]>
Signed-off-by: James Bottomley <[email protected]>

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index d837dc180522142fa1dcaf5b4e09c141effbfc4a..aaea4b98af1628c8ca8d0217ebca9a9da1708b8a 100644 (file)
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -733,12 +733,13 @@ static bool scsi_end_request(struct request *req, int error,
        } else {
                unsigned long flags;
 
+               if (bidi_bytes)
+                       scsi_release_bidi_buffers(cmd);
+
                spin_lock_irqsave(q->queue_lock, flags);
                blk_finish_request(req, error);
                spin_unlock_irqrestore(q->queue_lock, flags);
 
-               if (bidi_bytes)
-                       scsi_release_bidi_buffers(cmd);
                scsi_release_buffers(cmd);
                scsi_next_command(cmd);
        }