On 08/11/2019 01:25 PM, Dmitry Fomichev wrote:
> In tcmu_handle_completion() function, the variable called read_len is
> always initialized with a value taken from se_cmd structure. If this
> function is called to complete an expired (timed out) command, the
> session command pointed to by se_cmd is likely to be already deallocated by
> the target core at that moment. As a result, this access triggers a
> use-after-free warning from KASAN.
>
> This patch fixes the code not to touch se_cmd when completing timed-out
> TCMU commands. It also resets the pointer to se_cmd at the time when the
> TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
> after calling target_complete_cmd() later in the same function,
> tcmu_check_expired_cmd().
>
> Signed-off-by: Dmitry Fomichev <dmitry.fomichev@xxxxxxx>
> ---

Acked-by: Mike Christie <mchristi@xxxxxxxxxx>
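The lifetime bug the commit message describes, modelled in a small stand-alone C program (an added illustration, not the kernel's or the patch's code): the struct names, the `EXPIRED_BIT` flag and the `expire()`/`complete_*()` helpers are simplified stand-ins for the real `se_cmd`, `TCMU_CMD_BIT_EXPIRED`, `tcmu_check_expired_cmd()` and `tcmu_handle_completion()`.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the structures named in the commit
 * message; these are NOT the kernel's real definitions. */
struct se_cmd_model {
    size_t data_length;          /* source of read_len in the real code */
};

#define EXPIRED_BIT 0x1UL        /* stand-in for TCMU_CMD_BIT_EXPIRED */

struct tcmu_cmd_model {
    struct se_cmd_model *se_cmd; /* owned by the "target core"; may be freed */
    unsigned long flags;
};

/* "Before": read_len is taken from se_cmd unconditionally. For an expired
 * command the core has already released se_cmd, so this is the
 * use-after-free KASAN reported. Shown for contrast; never called here. */
static size_t complete_unsafe(struct tcmu_cmd_model *cmd)
{
    return cmd->se_cmd->data_length;
}

/* "After": an expired command has no valid se_cmd, so do not touch it. */
static size_t complete_fixed(struct tcmu_cmd_model *cmd)
{
    if (cmd->flags & EXPIRED_BIT)
        return 0;                /* nothing to read back for a timed-out cmd */
    return cmd->se_cmd->data_length;
}

/* Models the expiry path: set the flag, let the core complete (and free)
 * the session command, then clear our pointer so any later misuse is a
 * loud NULL dereference instead of a silent read of freed memory. */
static void expire(struct tcmu_cmd_model *cmd)
{
    cmd->flags |= EXPIRED_BIT;
    free(cmd->se_cmd);           /* stand-in for target_complete_cmd() */
    cmd->se_cmd = NULL;
}

/* Constructed sample command with a given data length. */
static struct tcmu_cmd_model make_cmd(size_t data_length)
{
    struct tcmu_cmd_model cmd = { malloc(sizeof *cmd.se_cmd), 0 };
    cmd.se_cmd->data_length = data_length;
    return cmd;
}
```

`complete_fixed()` is the only completion path a caller may use after `expire()`; the unsafe variant exists purely to show what the patch removes.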