diff options
| author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2008-12-12 14:28:29 -0500 |
|---|---|---|
| committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2008-12-13 15:31:03 -0500 |
| commit | 02bd3499a3be984f1e88821c3ed252c8c49c498e (patch) | |
| tree | c71e88075895d9b5f46d880e64b7e702acbea87d | |
| parent | 57458036af75c6dbb62bee04b3982e92261eddb1 (diff) | |
[SCSI] scsi_lib: only call scsi_unprep_request() under queue lock
It's called under that lock everywhere else and it does alter the
request state, so it should be.
This one occurance in scsi_requeue_command() could open a window where
req->special is set to NULL while the requests is going through either
timeout or completion processing leading to NULL pointer derefs of the
sort complained of in bugzillas 12020 and 12195.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
| -rw-r--r-- | drivers/scsi/scsi_lib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index fa45a1a66867..148d3af92aef 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c | |||
| @@ -648,8 +648,8 @@ static void scsi_requeue_command(struct request_queue *q, struct scsi_cmnd *cmd) | |||
| 648 | struct request *req = cmd->request; | 648 | struct request *req = cmd->request; |
| 649 | unsigned long flags; | 649 | unsigned long flags; |
| 650 | 650 | ||
| 651 | scsi_unprep_request(req); | ||
| 652 | spin_lock_irqsave(q->queue_lock, flags); | 651 | spin_lock_irqsave(q->queue_lock, flags); |
| 652 | scsi_unprep_request(req); | ||
| 653 | blk_requeue_request(q, req); | 653 | blk_requeue_request(q, req); |
| 654 | spin_unlock_irqrestore(q->queue_lock, flags); | 654 | spin_unlock_irqrestore(q->queue_lock, flags); |
| 655 | 655 | ||