On Thu, Jun 30, 2022 at 02:37:33PM -0700, Bart Van Assche wrote: > There are two .exit_cmd_priv implementations. Both implementations use > resources associated with the SCSI host. Make sure that these resources are Please document what the exact resources associated with this SCSI host is. We need the root cause. I understand it might be related with module unloading, since ib_srp may be gone already, but not sure if it is the exact one in this report. > still available when .exit_cmd_priv is called by moving the .exit_cmd_priv > calls from scsi_host_dev_release() to scsi_forget_host(). Moving > blk_mq_free_tag_set() from scsi_host_dev_release() to scsi_forget_host() is > safe because scsi_forget_host() drains all the request queues that use the > host tag set. This guarantees that no requests are in flight and also that > no new requests will be allocated from the host tag set. > > This patch fixes the following use-after-free: > > ================================================================== > BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp] > Read of size 8 at addr ffff888100337000 by task multipathd/16727 What is the 8bytes buffer which triggers UAF? what does srp_exit_cmd_priv+0x27 point to? Thanks, Ming
