iscsit_release_cmd() frees the memory that "se_cmd" was pointing to so this is a use after free bug. Also "se_cmd" is non-null here so I removed the unneeded null check. Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c index a1acb01..bea5c29 100644 --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -297,9 +297,8 @@ struct iscsi_cmd *iscsit_allocate_se_cmd_for_tmr( return cmd; out: + transport_free_se_cmd(se_cmd); iscsit_release_cmd(cmd); - if (se_cmd) - transport_free_se_cmd(se_cmd); return NULL; } -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
