Re: [EXT] Re: [PATCH 3/3] qla2xxx: Fix NVME cmd and LS cmd timeout race condition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 6/17/19 5:01 PM, Quinn Tran wrote:

Attached is the clean-up patch that we held back from the series. > We felt it wasn't ready for wider audience because it needed additional
soak time with our test group.

We want to ahead and share it with you to let you know that we intent
to cleanup the duplicate atomic [ref_count|kref].  Once it has some
soak time in our test group, we'll submit it in the next RC window.


Hi Quinn,
Thank you for having shared that patch early. My comments about that patch are as follows: - The patch description is not correct. Today freeing of an SRB does not happen when ref_count reaches zero but it happens when the firmware reports a completion. That is why today the abort code can trigger a use-after-free. ref_count is only useful today for the abort code to detect atomically whether or not the firmware already reported that a request completed. - Only calling cmd->scsi-done(cmd) when the reference count reaches zero involves a behavior change. If a command completion and a request to abort a command race, this patch will report the command as aborted to the SCSI mid-layer instead of as completed. This change has not been mentioned in the patch description. Is this change perhaps unintentional? - I think that this patch does not address the memory leak that can be triggered by aborting a command. If a command is aborted it will be freed by qla_release_fcp_cmd_kref() calling qla2xxx_rel_qpair_sp() and by qla2xxx_rel_qpair_sp() calling sp->free(sp). However, the implementation of the free function for multiple SRB types is incomplete. - The approach for avoiding that qla2xxx_eh_abort() triggers a use-after-free (the new srb_private structure) is interesting. However, that approach does not look correct to me. The patch attached to the previous e-mail inserts the following code in qla2xxx_eh_abort(): 
  'sp = CMD_SP(cmd); if (!sp || !sp->qpair || ...) return SUCCESS'
As one can see the sp pointer is dereferenced although the memory it points at could already have been freed and could have been reallocated by another driver or another process. So I don't think the new code for avoiding a use-after-free is correct. 

Thanks,

Bart.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux