[SCSI] virtio_scsi: fix TMF use-after-free (e4594bb5) · Commits · Android-smartphones / zte / blade-a610 / work in progress / mediatek kernel

Commit e4594bb5 authored May 04, 2012 by Paolo Bonzini Committed by James Bottomley May 10, 2012

[SCSI] virtio_scsi: fix TMF use-after-free



Fix a use-after-free in the TMF path, where cmd may have been already
freed by virtscsi_complete_free when wait_for_completion restarts
executing virtscsi_tmf.  Technically a race, but in practice the command
will always be freed long before the completion waiter is awoken.

The fix is to make callers specifying a completion responsible for
freeing the command in all cases.

Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

parent 3c8d9a95

Hide whitespace changes

Inline Side-by-side

Please register or to comment