From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 19 Mar 2018 10:33:03 +0000 (+0300)
Subject: scsi: dpt_i2o: use after free in adpt_release()
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=24268fd1ad3213079f1af09359b4243fffa95869;p=linux.git

scsi: dpt_i2o: use after free in adpt_release()

The scsi_host_put() function frees "pHba" and then we dereference it on
the next line when we do "scsi_host_put(pHba->host);".

[mkp: included fix from hch]

Fixes: 38e09e3bb056 ("scsi: dpt_i2o: stop using scsi_unregister")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 3c667b23a8019..67379e4d0bf97 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -304,10 +304,12 @@ rebuild_sys_tab:
 
 static void adpt_release(adpt_hba *pHba)
 {
-	scsi_remove_host(pHba->host);
+	struct Scsi_Host *shost = pHba->host;
+
+	scsi_remove_host(shost);
 //	adpt_i2o_quiesce_hba(pHba);
 	adpt_i2o_delete_hba(pHba);
-	scsi_host_put(pHba->host);
+	scsi_host_put(shost);
 }