From b25a9b5679ccbbf6374e65f95f869000d20ecde2 Mon Sep 17 00:00:00 2001
From: Mike Christie <mchristi@redhat.com>
Date: Mon, 15 Jan 2018 14:37:59 -0600
Subject: [PATCH] tcmu: fix cmd user after free
Git-commit: 45dc488c0ee19ba5cba7a67be473aeaf88a7447e
Patch-mainline: v4.16-rc1
References: bsc#1118978
If we are failing the command due to a qfull timeout we are
also freeing the tcmu command, so we cannot access it later
to get the se_cmd.
Note: The clearing of cmd->se_cmd is not needed. We do not check
it later for something like determining if the command was failed
due to a timeout. As a result I am dropping it.
Signed-off-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Acked-by: David Disseldorp <ddiss@suse.de>
---
drivers/target/target_core_user.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index db3a7a4e3276..a503d34736f7 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1180,6 +1180,7 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
return 0;
is_running = list_empty(&cmd->cmdr_queue_entry);
+ se_cmd = cmd->se_cmd;
if (is_running) {
/*
@@ -1205,8 +1206,6 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
pr_debug("Timing out cmd %u on dev %s that is %s.\n",
id, udev->name, is_running ? "inflight" : "queued");
- se_cmd = cmd->se_cmd;
- cmd->se_cmd = NULL;
target_complete_cmd(se_cmd, scsi_status);
return 0;
}
--
2.13.7