[PATCH] drivers/scsi/dpt_i2o.c: fix a user-after-free
authorAdrian Bunk <bunk@stusta.de>
Mon, 28 Nov 2005 11:43:41 +0000 (12:43 +0100)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 14 Dec 2005 23:42:53 +0000 (15:42 -0800)
The Coverity checker spotted this obvious use-after-free

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/scsi/dpt_i2o.c

index 7235f94f1191ef06ce816e0539527c0cd11f256d..8a603ea2bbe6493ffd5f2cb3acf9f0d739b83e4a 100644 (file)
@@ -816,7 +816,7 @@ static int adpt_hba_reset(adpt_hba* pHba)
 static void adpt_i2o_sys_shutdown(void)
 {
        adpt_hba *pHba, *pNext;
-       struct adpt_i2o_post_wait_data *p1, *p2;
+       struct adpt_i2o_post_wait_data *p1, *old;
 
         printk(KERN_INFO"Shutting down Adaptec I2O controllers.\n");
         printk(KERN_INFO"   This could take a few minutes if there are many devices attached\n");
@@ -830,13 +830,14 @@ static void adpt_i2o_sys_shutdown(void)
        }
 
        /* Remove any timedout entries from the wait queue.  */
-       p2 = NULL;
 //     spin_lock_irqsave(&adpt_post_wait_lock, flags);
        /* Nothing should be outstanding at this point so just
         * free them 
         */
-       for(p1 = adpt_post_wait_queue; p1; p2 = p1, p1 = p2->next) {
-               kfree(p1);
+       for(p1 = adpt_post_wait_queue; p1;) {
+               old = p1;
+               p1 = p1->next;
+               kfree(old);
        }
 //     spin_unlock_irqrestore(&adpt_post_wait_lock, flags);
        adpt_post_wait_queue = NULL;
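Review bot: While the rewritten loop runs, `adpt_post_wait_queue` still points at entries that have already been passed to kfree(), because the head is cleared only after the loop and the `adpt_post_wait_lock` calls around it remain commented out. If anything can still walk the queue during shutdown, it would read freed memory; the comment only asserts that nothing should be outstanding, and this hunk does not show what guarantees that. Detaching the list before freeing closes that window: put `p1 = adpt_post_wait_queue; adpt_post_wait_queue = NULL;` ahead of the loop, ideally under the lock. The dead `// spin_lock_irqsave(...)` and `// spin_unlock_irqrestore(...)` lines should either be restored or replaced by a comment stating why no locking is needed here. adpt_i2o_sys_shutdown starts in the previous hunk and may continue past the end of this one.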