From: James Bottomley
Date: Fri, 12 Dec 2008 19:28:29 +0000 (-0600)
Subject: [SCSI] scsi_lib: only call scsi_unprep_request() under queue lock
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=02bd3499a3be984f1e88821c3ed252c8c49c498e;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

[SCSI] scsi_lib: only call scsi_unprep_request() under queue lock

It's called under that lock everywhere else and it does alter the request state, so it should be. This one occurrence in scsi_requeue_command() could open a window where req->special is set to NULL while the request is going through either timeout or completion processing, leading to NULL pointer derefs of the sort complained of in bugzillas 12020 and 12195.

Signed-off-by: James Bottomley
---
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index fa45a1a66867..148d3af92aef 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -648,8 +648,8 @@ static void scsi_requeue_command(struct request_queue *q, struct scsi_cmnd *cmd) struct request *req = cmd->request; unsigned long flags; - scsi_unprep_request(req); spin_lock_irqsave(q->queue_lock, flags); + scsi_unprep_request(req); blk_requeue_request(q, req); spin_unlock_irqrestore(q->queue_lock, flags);
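Review bot: the locking rule this hunk relies on (scsi_unprep_request() must only run with q->queue_lock held, since it clears req->special) is enforced here only by moving the call below spin_lock_irqsave() in scsi_requeue_command(); nothing in the patch records that requirement at the callee, so a future caller can reintroduce the same window. Suggest a one-line comment on scsi_unprep_request() stating "caller must hold q->queue_lock", or a lock-held assertion at its entry, so the invariant the commit message describes is checked rather than assumed. The reordering itself looks right: with the clear of req->special inside the same critical section as blk_requeue_request(), the timeout and completion paths that also take queue_lock cannot observe a half-unprepared request.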