In the Linux kernel, the following vulnerability has been resolved:
RDMA/srp: Do not call scsidone() from srpabort()
After scmdehaborthandler() has called the SCSI LLD ehaborthandler callback, it performs one of the following actions: * Call scsiqueueinsert(). * Call scsifinishcommand(). * Call scsiehscmdadd(). Hence, SCSI abort handlers must not call scsidone(). Otherwise all the above actions would trigger a use-after-free. Hence remove the scsidone() call from srpabort(). Keep the srpfree_req() call before returning SUCCESS because we may not see the command again if SUCCESS is returned.