Dmitry, > In tcmu_handle_completion() function, the variable called read_len is > always initialized with a value taken from se_cmd structure. If this > function is called to complete an expired (timed out) out command, the > session command pointed by se_cmd is likely to be already deallocated > by the target core at that moment. As the result, this access triggers > a use-after-free warning from KASAN. Applied to 5.3/scsi-fixes, thanks! -- Martin K. Petersen Oracle Linux Engineering
