diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2012-05-04 12:32:04 +0200 |
---|---|---|
committer | James Bottomley <JBottomley@Parallels.com> | 2012-05-10 08:27:06 +0100 |
commit | e4594bb50518eb89c447be97dabd5bd99f405d71 (patch) | |
tree | f4e8d81b2b30cb8ab53207382c2841983954b833 /arch/m32r/mm/fault.c | |
parent | 3c8d9a957d0ae62c2815393a781ab7ff4d5205e7 (diff) |
[SCSI] virtio_scsi: fix TMF use-after-free
Fix a use-after-free in the TMF path, where cmd may have been already
freed by virtscsi_complete_free when wait_for_completion restarts
executing virtscsi_tmf. Technically a race, but in practice the command
will always be freed long before the completion waiter is awoken.
The fix is to make callers specifying a completion responsible for
freeing the command in all cases.
Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'arch/m32r/mm/fault.c')
0 files changed, 0 insertions, 0 deletions