From: Michael Bommarito
To: Juergen Gross, Stefano Stabellini, Oleksandr Tyshchenko
Cc: xen-devel@lists.xenproject.org, linux-scsi@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] xen/scsiback: free unsubmitted command instead of double-putting it
Date: Thu, 11 Jun 2026 08:30:45 -0400
Message-ID: <20260611123046.2323342-2-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260611123046.2323342-1-michael.bommarito@gmail.com>
References: <20260611123046.2323342-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

scsiback_get_pend_req() obtains a command tag and returns a vscsibk_pend whose embedded se_cmd has only been memset to 0, so its cmd_kref is 0; the se_cmd is initialised (kref_init() via target_init_cmd()) only later, in scsiback_cmd_exec(), on the successful VSCSIIF_ACT_SCSI_CDB path.

The two error paths in scsiback_do_cmd_fn() taken before the command is submitted -- a failed scsiback_gnttab_data_map() and an unknown ring_req.act -- call transport_generic_free_cmd(&pending_req->se_cmd, 0), which kref_put()s a refcount of 0. That underflows it ("refcount_t: underflow; use-after-free") and, as the release function is not run, leaks the command tag.

Impact: a pvSCSI guest can leak every command tag of a LUN's session, stopping the LUN, by submitting requests with a bad grant reference or an unknown request type; under panic_on_warn the refcount underflow panics the host.

Add a helper that just returns the tag with target_free_tag() and sends the error response. It frees the tag while the v2p reference still pins the session, and snapshots the response fields beforehand because freeing the tag can let another ring reuse the pending_req slot.
Fixes: 2dbcdf33dbf6 ("xen-scsiback: Convert to percpu_ida tag allocation")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito
---
Reproduced on a Xen dom0 (Linux 6.1.y) exporting a pvSCSI LUN to a guest. A frontend that sends a single ring request with an unknown action type drives scsiback_do_cmd_fn() into transport_generic_free_cmd() on the never-initialised command and logs

  refcount_t: underflow; use-after-free
  WARNING: ... refcount_warn_saturate
  transport_generic_free_cmd+0x... [target_core_mod]
  scsiback_do_cmd_fn+0x... [xen_scsiback]
  scsiback_irq_fn+0x... [xen_scsiback]

from the vscsiif IRQ thread, and panics the dom0 under panic_on_warn. The failed grant-map path reaches the same free.

With this patch the same request is answered with DID_ERROR and the tag is returned, with no underflow. These error paths are unchanged since 2dbcdf33dbf6, so mainline is affected identically.

 drivers/xen/xen-scsiback.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
index e33f95c91b096..f324732eba7f8 100644
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -611,6 +611,25 @@ static void scsiback_disconnect(struct vscsibk_info *i= nfo) xenbus_unmap_ring_vfree(info->dev, info->ring.sring); } =20 +/* + * Send the error response for a request that did not reach the target core + * and return its tag. Free the tag before the response drops the v2p + * reference that keeps the session alive, and snapshot what the response + * needs since returning the tag can let the slot be reused. + */ +static void scsiback_resp_and_free(struct vscsibk_pend *pending_req, + int32_t result) +{ + struct vscsibk_info *info =3D pending_req->info; + struct v2p_entry *v2p =3D pending_req->v2p; + struct se_session *se_sess =3D v2p->tpg->tpg_nexus->tvn_se_sess; + u16 rqid =3D pending_req->rqid; + + target_free_tag(se_sess, &pending_req->se_cmd); + scsiback_send_response(info, NULL, result, 0, rqid); + kref_put(&v2p->kref, scsiback_free_translation_entry); +} + static void scsiback_device_action(struct vscsibk_pend *pending_req, enum tcm_tmreq_table act, int tag) { @@ -792,9 +811,8 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info, case VSCSIIF_ACT_SCSI_CDB: if (scsiback_gnttab_data_map(&ring_req, pending_req)) { scsiback_fast_flush_area(pending_req); - scsiback_do_resp_with_sense(NULL, - DID_ERROR << 16, 0, pending_req); - transport_generic_free_cmd(&pending_req->se_cmd, 0); + scsiback_resp_and_free(pending_req, + DID_ERROR << 16); } else { scsiback_cmd_exec(pending_req); } 
@@ -808,9 +826,7 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info, break; default: pr_err_ratelimited("invalid request\n"); - scsiback_do_resp_with_sense(NULL, DID_ERROR << 16, 0, - pending_req); - transport_generic_free_cmd(&pending_req->se_cmd, 0); + scsiback_resp_and_free(pending_req, DID_ERROR << 16); break; } =20 --=20 2.53.0
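Review bot: scsiback_resp_and_free() in the first hunk is only correct for a command the target core has not taken ownership of, since target_free_tag() returns the tag without going through se_cmd->cmd_kref; the block comment implies this but does not state it as a caller constraint. Add one line to that comment saying the helper must not be used once scsiback_cmd_exec() or a target_submit_*() call has run, so a later caller on a submitted command does not silently drop it. It is also worth a sentence in the commit message that the helper snapshots info, v2p and rqid before target_free_tag() precisely because the slot may be reused afterwards, which is why the two removed scsiback_do_resp_with_sense(..., pending_req) calls could not simply be kept after the tag free.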
From: Michael Bommarito
To: Juergen Gross, Stefano Stabellini, Oleksandr Tyshchenko
Cc: xen-devel@lists.xenproject.org, linux-scsi@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] xen/scsiback: free the command tag on the TMR submit-failure path
Date: Thu, 11 Jun 2026 08:30:46 -0400
Message-ID: <20260611123046.2323342-3-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260611123046.2323342-1-michael.bommarito@gmail.com>
References: <20260611123046.2323342-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

scsiback_device_action() obtains a command tag in scsiback_get_pend_req() and submits a task-management request with target_submit_tmr(). When target_submit_tmr() fails it returns < 0 and scsiback jumps to the err: label, which sends a response but frees nothing, leaking the tag.

Impact: a pvSCSI guest can leak the command tags of a LUN's session, stopping the LUN, by issuing VSCSIIF_ACT_SCSI_ABORT or RESET requests whenever target_submit_tmr() fails.

transport_generic_free_cmd() cannot be used here. By the time target_submit_tmr() returns an error it has already run __target_init_cmd() (so se_cmd->cmd_kref is one, not zero), and on its target_get_sess_cmd() error path it has freed se_cmd->se_tmr_req via core_tmr_release_req() while leaving SCF_SCSI_TMR_CDB set and the pointer dangling. Letting the command release run target_free_cmd_mem() would then double-free se_tmr_req.

Use the same helper, which returns just the tag, on this path too.

Fixes: 2dbcdf33dbf6 ("xen-scsiback: Convert to percpu_ida tag allocation")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito
---
 drivers/xen/xen-scsiback.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c index f324732eba7f8..c7036e0e41bda 100644 --- a/drivers/xen/xen-scsiback.c +++ b/drivers/xen/xen-scsiback.c @@ -658,7 +658,7 @@ static void scsiback_device_action(struct vscsibk_pend = *pending_req, return; =20 err: - scsiback_do_resp_with_sense(NULL, err, 0, pending_req); + scsiback_resp_and_free(pending_req, err); } =20 /* --=20 2.53.0
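Review bot: the reason the err: path must bypass the se_cmd kref (target_submit_tmr() has already released se_tmr_req and left the pointer dangling, so the command release would double-free it) lives only in the commit message; put a two-line comment above `scsiback_resp_and_free(pending_req, err);` so nobody later "fixes" this back to transport_generic_free_cmd(). The message also describes only the target_get_sess_cmd() failure, while any negative return from target_submit_tmr() lands at err:; state that every such return leaves the command unsubmitted, so returning just the tag is the right action for all of them, or name the other early returns explicitly.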
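The tag-exhaustion mechanism both messages describe, as an added user-space model that is not the driver's code and uses no kernel API: a kref_put() on a kref that was only memset to 0 underflows, the saturated refcount_t never runs the release, and the tag is never returned, whereas returning the tag directly (as the new helper does) keeps the pool healthy. refcount_dec_and_test(), get_pend_req(), struct pend_req and the four-entry pool are constructed here to mirror the behaviour the commit messages state, not the driver's or the target core's definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define NR_TAGS 4                       /* constructed: tiny per-session tag pool */
#define REFCOUNT_SATURATED (UINT32_MAX / 2)
static int underflow_warnings;          /* counts the "refcount_t: underflow" events */

/* Model of refcount_dec_and_test(): a put on 0 is an underflow, the counter
 * saturates and the call returns false, so the release callback never runs. */
static bool refcount_dec_and_test(uint32_t *r)
{
    if (*r == 0) { *r = REFCOUNT_SATURATED; underflow_warnings++; return false; }
    return --*r == 0;
}

/* A slot handed out with a tag; its kref is memset to 0 and never kref_init()ed. */
struct pend_req { uint32_t cmd_kref; int tag; bool in_use; };
static struct pend_req pool[NR_TAGS];
static struct pend_req *get_pend_req(void)
{
    for (int i = 0; i < NR_TAGS; i++) {
        if (pool[i].in_use) continue;
        memset(&pool[i], 0, sizeof pool[i]);
        pool[i].in_use = true; pool[i].tag = i;
        return &pool[i];
    }
    return NULL;                        /* no tag left: the LUN stalls */
}
static void free_tag(struct pend_req *p) { p->in_use = false; }

/* Patch 1's bug: kref_put() on the never-initialised command. */
static void err_path_kref_put(struct pend_req *p)
{
    if (refcount_dec_and_test(&p->cmd_kref))
        free_tag(p);                    /* never reached when the kref was 0 */
}
/* Patch 2's bug: the err: label answers the request but frees nothing. */
static void err_path_no_free(struct pend_req *p) { (void)p; }
/* The fix in both patches: return the tag directly, bypassing the kref. */
static void err_path_free_tag(struct pend_req *p) { free_tag(p); }

/* Feed n bad requests through one error path; returns how many obtained a tag. */
static int run_bad_requests(int n, void (*err_path)(struct pend_req *))
{
    int served = 0; memset(pool, 0, sizeof pool); underflow_warnings = 0;
    for (int i = 0; i < n; i++) {
        struct pend_req *p = get_pend_req();
        if (!p) break;
        served++; err_path(p);
    }
    return served;
}
```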