Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()

Christoph, > This fix is broken! adpt_i2o_delete_hba references pHba->host as well. > > Instead we need a local variable for the host. Thanks for spotting this! Fixed it up. -- Martin K. Petersen Oracle Linux Engineering

Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()

Yeah. You're right. Thanks for catching that. regards, dan carpenter

Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()

On Mon, Mar 19, 2018 at 11:08:37PM -0400, Martin K. Petersen wrote: > > Dan, > > > The scsi_host_put() function frees "pHba" and then we dereference it on > > the next line when we do "scsi_host_put(pHba->host);". > > Applied to 4.17/scsi-queue, thank you. This fix is broken! adpt_i2o_delete_h

Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()

Dan, > The scsi_host_put() function frees "pHba" and then we dereference it on > the next line when we do "scsi_host_put(pHba->host);". Applied to 4.17/scsi-queue, thank you. -- Martin K. Petersen Oracle Linux Engineering

[PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()

The scsi_host_put() function frees "pHba" and then we dereference it on the next line when we do "scsi_host_put(pHba->host);". Fixes: 38e09e3bb056 ("scsi: dpt_i2o: stop using scsi_unregister") Signed-off-by: Dan Carpenter diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 3c667b2