scsi: dpt_i2o: Use after free in I2ORESETCMD ioctl

Here is another use after free if we reset the card.  The adpt_hba_reset()
function frees "pHba" on error.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 6866975b25f39f64e66912cde53bed9728fd39e9..5ceea8da7bb606558b3a9415f7eaff758ab15344 100644 (file)
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -2051,13 +2051,16 @@ static int adpt_ioctl(struct inode *inode, struct file *file, uint cmd, ulong ar
                }
                break;
                }
-       case I2ORESETCMD:
-               if(pHba->host)
-                       spin_lock_irqsave(pHba->host->host_lock, flags);
+       case I2ORESETCMD: {
+               struct Scsi_Host *shost = pHba->host;
+
+               if (shost)
+                       spin_lock_irqsave(shost->host_lock, flags);
                adpt_hba_reset(pHba);
-               if(pHba->host)
-                       spin_unlock_irqrestore(pHba->host->host_lock, flags);
+               if (shost)
+                       spin_unlock_irqrestore(shost->host_lock, flags);
                break;
+       }
        case I2ORESCANCMD:
                adpt_rescan(pHba);
                break;