On 6/24/22 16:47, Jason Gunthorpe wrote:
> On Fri, Jun 24, 2022 at 04:26:06PM -0700, Bart Van Assche wrote:
>> On 6/24/22 15:59, Jason Gunthorpe wrote:
>>> I don't even understand how get_device() prevents this call chain??
>>> It looks to me like the problem is srp_remove_one() is not waiting for
>>> or canceling some outstanding work.
>>
>> Hi Jason,
>>
>> My conclusions from the call traces in Li's email are as follows:
>> * scsi_host_dev_release() can get called after srp_remove_one().
>> * srp_exit_cmd_priv() uses the ib_device pointer. If srp_remove_one() is
>>   called before srp_exit_cmd_priv() then a use-after-free is triggered.
>
> Shouldn't srp_remove_one() wait for the scsi_host_dev to complete
> destruction? Clearly it cannot continue to exist once the IB device
> has been removed.

That sounds like an interesting approach to me. Li, do you perhaps want
to implement this approach?

Thanks,

Bart.
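The ordering problem discussed in this thread, reduced to a user-space model (this is an added illustration, not ib_srp or SCSI midlayer code). The host release is modelled as a deferred work item that still dereferences the device pointer; the buggy remove path tears the device down immediately, the fixed path drains the pending release first, which is the "wait for the scsi_host_dev to complete destruction" ordering proposed above. Function names mirror the kernel ones only as labels; the work queue, `magic` poisoning and the device name are constructed for the model.

```c
#include <stdio.h>
#include <string.h>

/* Model of an ib_device: `magic` stays valid until the device is torn down. */
#define IB_DEV_MAGIC 0x1bdeU
#define IB_DEV_DEAD  0xdeadU
struct ib_dev {
    unsigned magic;
    char name[16];
};

/* Model of the SRP host: borrows the ib_dev pointer, so it must not outlive it. */
struct srp_host {
    struct ib_dev *ibdev;
    int cmds_in_flight;   /* commands whose per-command state is still to be released */
    int uaf_count;        /* number of times a torn-down ib_dev was dereferenced */
};

/* Tiny deferred-work model standing in for the device release machinery. */
typedef void (*work_fn)(struct srp_host *);
struct work_item { work_fn fn; struct srp_host *host; };
static struct work_item workq[8];
static int workq_len;

static void queue_work(work_fn fn, struct srp_host *h)
{
    if (workq_len < 8)
        workq[workq_len++] = (struct work_item){ fn, h };
}

/* Run everything that is queued; this is the "wait for completion" primitive. */
static void flush_workq(void)
{
    for (int i = 0; i < workq_len; i++)
        workq[i].fn(workq[i].host);
    workq_len = 0;
}

/* Per-command cleanup that dereferences the ib_dev pointer (as in the thread). */
static void srp_exit_cmd_priv(struct srp_host *h)
{
    if (h->ibdev->magic != IB_DEV_MAGIC)
        h->uaf_count++;   /* the device was already torn down: use-after-free in the real code */
    h->cmds_in_flight--;
}

/* Host release: runs the per-command cleanup for every remaining command. */
static void scsi_host_dev_release(struct srp_host *h)
{
    while (h->cmds_in_flight > 0)
        srp_exit_cmd_priv(h);
}

/* Poison instead of free(), so the model can observe a late access safely. */
static void ib_dev_teardown(struct ib_dev *d)
{
    d->magic = IB_DEV_DEAD;
}

/* Buggy ordering: device is torn down while the host release is still pending. */
static void srp_remove_one_buggy(struct ib_dev *d)
{
    ib_dev_teardown(d);
}

/* Fixed ordering: drain the pending host release before the device goes away. */
static void srp_remove_one_fixed(struct ib_dev *d)
{
    flush_workq();
    ib_dev_teardown(d);
}

/* Returns how many times the release path touched a dead device. */
int run_scenario(int fixed)
{
    struct ib_dev dev = { IB_DEV_MAGIC, "ibdev0" };       /* constructed sample device */
    struct srp_host host = { &dev, 3, 0 };                /* three commands still to clean up */

    queue_work(scsi_host_dev_release, &host);             /* final put_device() scheduled the release */
    if (fixed)
        srp_remove_one_fixed(&dev);
    else
        srp_remove_one_buggy(&dev);
    flush_workq();   /* whatever is still queued runs after remove_one has returned */
    return host.uaf_count;
}

int main(void)
{
    printf("buggy ordering: %d stale dereferences\n", run_scenario(0));
    printf("fixed ordering: %d stale dereferences\n", run_scenario(1));
    return 0;
}
```

In the real driver the equivalent of `flush_workq()` is whatever makes srp_remove_one() block until the last host reference has been dropped and its release has run; the model only shows why that wait has to happen before the ib_device is released, not how to implement it in ib_srp.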