From b3716301853f81358be360d4e895add1dbc556d9 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Mon, 30 Nov 2009 09:51:17 +0000
Subject: [PATCH] Avoid dangling pointer dereferences by resetting ioctx->scmnd in srpt_on_free_cmd().
git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@1371 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 srpt/src/ib_srpt.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/srpt/src/ib_srpt.c b/srpt/src/ib_srpt.c
index 8e36cb8de..6fd675a58 100644
--- a/srpt/src/ib_srpt.c
+++ b/srpt/src/ib_srpt.c
@@ -2602,13 +2602,14 @@ static void srpt_on_free_cmd(struct scst_cmd *scmnd)
  ioctx = scst_cmd_get_tgt_priv(scmnd);
  BUG_ON(!ioctx);
- srpt_set_cmd_state(ioctx, SRPT_STATE_ABORTED);
  ch = ioctx->ch;
  BUG_ON(!ch);
- ioctx->ch = NULL;
- srpt_reset_ioctx(ch, ioctx);
  scst_cmd_set_tgt_priv(scmnd, NULL);
+ srpt_set_cmd_state(ioctx, SRPT_STATE_ABORTED);
+ ioctx->scmnd = NULL;
+ ioctx->ch = NULL;
+ srpt_reset_ioctx(ch, ioctx);
 }
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20) && ! defined(BACKPORT_LINUX_WORKQUEUE_TO_2_6_19)
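Review bot: The new `ioctx->scmnd = NULL;` store in srpt_on_free_cmd() is a plain assignment with no lock or barrier visible in the hunk, so it only protects readers that run after this callback and test the pointer for NULL. If a completion or abort path can still hold the ioctx at this point (not visible here), it could read the stale pointer before the store, or dereference NULL after it; every reader of `ioctx->scmnd` should be checked for a NULL test and for ordering against the state change to SRPT_STATE_ABORTED. The reordering also deserves a comment above the store, for example `/* scmnd is released once this callback returns; drop all references before the ioctx is recycled */`, since the sequence is what makes the fix work. The function's opening lines lie outside the hunk.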