From 08422b5843f2dd9782eeab3aa7bd3dbf5af4195c Mon Sep 17 00:00:00 2001
From: Jim Harris
Date: Tue, 23 Aug 2022 20:52:48 +0000
Subject: [PATCH] bdev_virtio: fix use-after-free in scsi scan_ctx
Found while debugging issue #2596, unfortunately this is not the root cause of that issue.
Signed-off-by: Jim Harris
Change-Id: I27501e283ce7c9bf7a431e8b48842c83f80792c8
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/14165
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins
Reviewed-by: Paul Luse
Reviewed-by: Ben Walker
Reviewed-by: Aleksey Marchuk
Reviewed-by: Dong Yi
---
 module/bdev/virtio/bdev_virtio_scsi.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/module/bdev/virtio/bdev_virtio_scsi.c b/module/bdev/virtio/bdev_virtio_scsi.c
index d0269b741..308590c36 100644
--- a/module/bdev/virtio/bdev_virtio_scsi.c
+++ b/module/bdev/virtio/bdev_virtio_scsi.c
@@ -805,6 +805,11 @@ bdev_virtio_poll(void *arg)
 bdev_virtio_io_cpl(io[i]);
 }
+ /* scan_ctx could have been freed while processing completions above, so
+ * we need to re-read the value again here into the local variable before
+ * using it.
+ */
+ scan_ctx = svdev->scan_ctx;
 if (spdk_unlikely(scan_ctx && scan_ctx->needs_resend)) {
 if (svdev->removed) {
 _virtio_scsi_dev_scan_finish(scan_ctx, -EINTR);
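Review bot: The reload `scan_ctx = svdev->scan_ctx;` is only safe if every path that frees the scan context clears `svdev->scan_ctx` first; otherwise it fetches the same dangling pointer and `scan_ctx->needs_resend` still reads freed memory. That invariant is not visible in this hunk, so it is worth confirming in `_virtio_scsi_dev_scan_finish` and stating in the new comment, for example `/* svdev->scan_ctx is cleared before the context is freed, so re-read it after the completion loop. */`. The completion loop starts above the hunk; if it also uses the local `scan_ctx` on later iterations, the stale value would still be reachable there, and reading `svdev->scan_ctx` at the top of each iteration (or dropping the cached local) would close that window too. bdev_virtio_poll begins and ends outside the hunk, so both points need checking against the full function.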