In the Linux kernel, the following vulnerability has been resolved:
scsi: Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed"
The atomic_inc(&cmd->device->iorequest_cnt) in scsi_queue_rq() would cause a kernel panic because cmd->device may be freed after returning from scsi_dispatch_cmd().
This reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d.
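
The lifetime problem described above, as an added userspace model (not kernel code and not part of the original commit). All `model_*` names and the `freed` flag are hypothetical stand-ins; the model assumes that completion can run before dispatch returns and drop the last reference to the device, and it shows a count-before-dispatch ordering only for contrast.

```c
#include <stdbool.h>

/* Hypothetical stand-ins for the device and command; not kernel types. */
struct model_device {
    int  refcount;       /* references currently held on the device */
    int  iorequest_cnt;  /* requests counted against the device */
    bool freed;          /* set instead of releasing memory, so the stale access is observable */
};
struct model_cmd { struct model_device *device; };

static void model_device_put(struct model_device *dev)
{
    if (--dev->refcount == 0)
        dev->freed = true;   /* real code would release the memory here */
}

/* Hands the command to the lower layer. Assumption of this model: the
 * command may complete before this returns and drop the last reference. */
static int model_dispatch(struct model_cmd *cmd, bool completes_inline)
{
    if (completes_inline)
        model_device_put(cmd->device);
    return 0;
}

/* Counter touched after dispatch: returns true when the counter update
 * lands on a device that has already been released. */
static bool model_queue_count_after(struct model_cmd *cmd, bool completes_inline)
{
    if (model_dispatch(cmd, completes_inline) != 0)
        return false;
    bool stale = cmd->device->freed;   /* in the kernel this dereference is the use-after-free */
    cmd->device->iorequest_cnt++;
    return stale;
}

/* Counter touched while the caller still owns the command. */
static bool model_queue_count_before(struct model_cmd *cmd, bool completes_inline)
{
    bool stale = cmd->device->freed;
    cmd->device->iorequest_cnt++;
    model_dispatch(cmd, completes_inline);
    return stale;
}

int main(void)
{
    struct model_device a = { .refcount = 1 }, b = { .refcount = 1 };
    struct model_cmd ca = { &a }, cb = { &b };
    return (model_queue_count_after(&ca, true) && !model_queue_count_before(&cb, true)) ? 0 : 1;
}
```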