Re: [PATCH] IB/srp: Fix possible use-after-free


 



On 08/11/2015 07:42 AM, Sagi Grimberg wrote:
[PATCH] IB/srp: Fix possible protection fault

srp_destroy_qp is designed to indicate we are safe to continue with
freeing the channel resources by modifying the qp error state,
posting a dummy wr on the queue-pair and waiting for it to flush.
This also holds for the channel registration pool as we are unmapping
the memory region when handling a scsi response. Destroying the
channel registration pool before we make sure we processed all the
inflight IO might introduce a use-after-free of the registration pool.

This use-after-free is demonstrated in the stack trace below where
srp is trying to unmap a used FMR after the fmr_pool was already destroyed.
Reported-by: Eliott Kespi <eliottk@xxxxxxxxxxxx>
Signed-off-by: Sagi Grimberg <sagig@xxxxxxxxxxxx>

Please consider Cc-ing "stable" for this patch. Anyway,

Reviewed-by: Bart Van Assche <bvanassche@xxxxxxxxxxx>

Sorry for the mixup. Does this patch make more sense?

Thank you for the quick respin. By posting this second patch quickly you saved me considerable time. I was going to verify whether any upstream patches were missing from the distro kernel that was used in your tests but this second description makes it clear that scsi_remove_host() was not involved in this crash.

Bart.

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


