From c161969df9771502810adf51a29be30958ffc159 Mon Sep 17 00:00:00 2001
From: Jim Harris <james.r.harris@intel.com>
Date: Wed, 15 Mar 2023 16:34:15 +0000
Subject: [PATCH] bdev/iscsi: fix use-after-free in bdev_iscsi_command_cb()

Fixes issue #2946.

Signed-off-by: Jim Harris <james.r.harris@intel.com>
Change-Id: Ibd4d68ae6c639aede1fab56d04adf5583ef347f5
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/17210
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
---
 module/bdev/iscsi/bdev_iscsi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/module/bdev/iscsi/bdev_iscsi.c b/module/bdev/iscsi/bdev_iscsi.c
index 9f7a9e6e5..ce6adf144 100644
--- a/module/bdev/iscsi/bdev_iscsi.c
+++ b/module/bdev/iscsi/bdev_iscsi.c
@@ -269,8 +269,6 @@ bdev_iscsi_command_cb(struct iscsi_context *context, int status, void *_task, vo
 	iscsi_io->asc = (task->sense.ascq >> 8) & 0xFF;
 	iscsi_io->ascq = task->sense.ascq & 0xFF;
 
-	scsi_free_scsi_task(task);
-
 	if (_bdev_iscsi_is_size_change(status, task)) {
 		bdev_iscsi_readcapacity16(context, iscsi_io->lun);
 
@@ -285,6 +283,8 @@ bdev_iscsi_command_cb(struct iscsi_context *context, int status, void *_task, vo
 	} else {
 		bdev_iscsi_io_complete(iscsi_io, SPDK_BDEV_IO_STATUS_SUCCESS);
 	}
+
+	scsi_free_scsi_task(task);
 }
 
 static int