From 2bef5a182233e3ad6cfed40e48b9b279d970225d Mon Sep 17 00:00:00 2001
From: Gleb Chesnokov
Date: Wed, 27 Dec 2023 23:04:18 +0300
Subject: [PATCH] scst_lib: Fix use-after-free

Fixes: https://github.com/SCST-project/scst/issues/204
---
 scst/src/scst_lib.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c
index 02d03ba15..72377caad 100644
--- a/scst/src/scst_lib.c
+++ b/scst/src/scst_lib.c
@@ -4505,15 +4505,15 @@ int scst_acg_add_lun(struct scst_acg *acg, struct kobject *parent,
 scst_cm_on_del_lun(acg_dev, false);
 
 out_free:
- /*
- * synchronize_rcu() does not have to be called here because the
- * tgt_devs that will be freed have never been on any of the
- * sess->sess_tgt_dev_list[] lists.
- */
+ mutex_lock(&sess->tgt_dev_list_mutex);
 list_for_each_entry_safe(tgt_dev, tt, &tmp_tgt_dev_list,
 extra_tgt_dev_list_entry) {
+ scst_del_tgt_dev(tgt_dev);
+ synchronize_rcu();
 scst_free_tgt_dev(tgt_dev);
 }
+ mutex_unlock(&sess->tgt_dev_list_mutex);
+
 scst_del_free_acg_dev(acg_dev, false);
 goto out;
 }
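Review bot: `mutex_lock(&sess->tgt_dev_list_mutex);` at `out_free:` locks whatever session `sess` happens to reference when the error path is entered, and nothing in the hunk assigns `sess`. If it is the cursor of a session loop earlier in scst_acg_add_lun (the function starts outside the hunk, so this needs confirming), the entries on `tmp_tgt_dev_list` may belong to sessions other than the one locked, and on a path that arrives after that loop has finished (the `scst_cm_on_del_lun()` fall-through suggests one exists) the cursor would no longer reference a real session. Taking the lock per entry, `mutex_lock(&tgt_dev->sess->tgt_dev_list_mutex);` around `scst_del_tgt_dev(tgt_dev);`, would tie the lock to the list actually being modified. Separately, `synchronize_rcu();` runs once per entry with the mutex held; unlinking every entry first, waiting for a single grace period and then calling `scst_free_tgt_dev()` on each gives the same guarantee with one wait. A short comment at `out_free:` saying why the tgt_devs can already be visible to RCU readers would replace the removed comment, which claimed the opposite.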