Avoid dangling pointer dereferences by resetting ioctx->scmnd in srpt_on_free_cmd().
authorbvassche <bvassche@d57e44dd-8a1f-0410-8b47-8ef2f437770f>
Mon, 30 Nov 2009 09:51:17 +0000 (09:51 +0000)
committerbvassche <bvassche@d57e44dd-8a1f-0410-8b47-8ef2f437770f>
Mon, 30 Nov 2009 09:51:17 +0000 (09:51 +0000)
git-svn-id: https://scst.svn.sourceforge.net/svnroot/scst/trunk@1371 d57e44dd-8a1f-0410-8b47-8ef2f437770f

srpt/src/ib_srpt.c

index 8e36cb8..6fd675a 100644 (file)
@@ -2602,13 +2602,14 @@ static void srpt_on_free_cmd(struct scst_cmd *scmnd)
        ioctx = scst_cmd_get_tgt_priv(scmnd);
        BUG_ON(!ioctx);
 
-       srpt_set_cmd_state(ioctx, SRPT_STATE_ABORTED);
        ch = ioctx->ch;
        BUG_ON(!ch);
-       ioctx->ch = NULL;
 
-       srpt_reset_ioctx(ch, ioctx);
        scst_cmd_set_tgt_priv(scmnd, NULL);
+       srpt_set_cmd_state(ioctx, SRPT_STATE_ABORTED);
+       ioctx->scmnd = NULL;
+       ioctx->ch = NULL;
+       srpt_reset_ioctx(ch, ioctx);
 }
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20) && ! defined(BACKPORT_LINUX_WORKQUEUE_TO_2_6_19)
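Review bot: The reordered tail of srpt_on_free_cmd() relies on every link between ioctx and scmnd being cleared before srpt_reset_ioctx(ch, ioctx) runs, but nothing in the code records that, so a later cleanup could move the call back up and reintroduce the stale pointer. A comment above the `scst_cmd_set_tgt_priv(scmnd, NULL);` line would pin it down, for example `/* Drop all references to scmnd before ioctx is handed back for reuse. */`. The new `ioctx->scmnd = NULL;` and `ioctx->ch = NULL;` are plain stores with no lock or barrier visible in the hunk. If a completion or abort path can read these fields concurrently (not determinable from here, since the function starts above the hunk), the reset only narrows the window, and readers would still need to load the pointer once and check it for NULL under whatever serializes ioctx state changes.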