Unless I made a prior mistake implementors have corrected, or my eyes/mind are currently misleading me...
Regarding changes in drivers\usb\usbstor\pdo.c ...
The patch from that issue was incorrectly interpreted/applied. 'OutData' is an OUT' parameter.
The ExFreePoolWithTag(Request->DataBuffer) in USBSTOR_SendIrp() should be subject to an 'else' and only executed when the preceding IoCallDriver () is a failure AND Request->DataBuffer is NOT passed back out via *OutData.
As currently implemented, that buffer is being free in SUCCESS situations where clients of USBSTOR_SendIrp() expect to use it (i.e. outside of USBSTOR_SendIrp() via actual parameter passed to 'OutData'), and those clients eventually will likely reference it AND perform a free on it as well.
Please review the original patch to see the 'else' placement originally intended.