scsi: dpt_i2o: use after free in adpt_release()

The scsi_host_put() function frees "pHba" and then we dereference it on
the next line when we do "scsi_host_put(pHba->host);".

[mkp: included fix from hch]

Fixes: 38e09e3bb056 ("scsi: dpt_i2o: stop using scsi_unregister")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 3c667b2..67379e4 100644 (file)
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -304,10 +304,12 @@ rebuild_sys_tab:
 
 static void adpt_release(adpt_hba *pHba)
 {
-       scsi_remove_host(pHba->host);
+       struct Scsi_Host *shost = pHba->host;
+
+       scsi_remove_host(shost);
 //     adpt_i2o_quiesce_hba(pHba);
        adpt_i2o_delete_hba(pHba);
-       scsi_host_put(pHba->host);
+       scsi_host_put(shost);
 }