From 5716ffa73700a6f8137ad5fe0e1cdd05f5dcc0b7 Mon Sep 17 00:00:00 2001
From: Gleb Chesnokov <gleb.chesnokov@scst.dev>
Date: Wed, 27 Dec 2023 23:04:18 +0300
Subject: [PATCH] scst_lib: Fix mem access after free

Fixes: https://github.com/SCST-project/scst/issues/204
---
 scst/src/scst_lib.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c
index 02d03ba15..081832227 100644
--- a/scst/src/scst_lib.c
+++ b/scst/src/scst_lib.c
@@ -4505,15 +4505,18 @@ out_on_del:
 		scst_cm_on_del_lun(acg_dev, false);
 
 out_free:
-	/*
-	 * synchronize_rcu() does not have to be called here because the
-	 * tgt_devs that will be freed have never been on any of the
-	 * sess->sess_tgt_dev_list[] lists.
-	 */
 	list_for_each_entry_safe(tgt_dev, tt, &tmp_tgt_dev_list,
 			 extra_tgt_dev_list_entry) {
+		sess = tgt_dev->sess;
+
+		mutex_lock(&sess->tgt_dev_list_mutex);
+		scst_del_tgt_dev(tgt_dev);
+		mutex_unlock(&sess->tgt_dev_list_mutex);
+
+		synchronize_rcu();
 		scst_free_tgt_dev(tgt_dev);
 	}
+
 	scst_del_free_acg_dev(acg_dev, false);
 	goto out;
 }