On 7/1/22 07:37, Ming Lei wrote:
> On Fri, Jul 01, 2022 at 07:07:13AM -0700, Bart Van Assche wrote:
>> On 6/30/22 20:44, Ming Lei wrote:
>>> On Thu, Jun 30, 2022 at 02:37:33PM -0700, Bart Van Assche wrote:
>>>> BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
>>>> Read of size 8 at addr ffff888100337000 by task multipathd/16727
>>> What is the 8-byte buffer which triggers the UAF? What does srp_exit_cmd_priv+0x27
>>> point to?
>> I think that Li already answered this question.
> OK, from Li's input, the UAF is on the following code:
>
> struct srp_device *dev = target->srp_host->srp_dev;
>
> So it looks like you mean target->srp_host is freed by srp_remove_one() before calling
> srp_exit_cmd_priv?
>
> Then when is srp_remove_one() triggered? And why is it called before
> scsi_remove_host()? Sorry for the stupid question since I am not familiar with srp.
Hi Ming,
I think that can happen as the result of the following sequence (will
look into converting this into a blktests test):
* The Soft-RoCE (or soft-iWARP) driver is bound to a network interface.
This results in the instantiation of an RDMA interface that supports
RDMA loopback.
* ib_srp and ib_srpt are told to connect to each other over that RDMA
loopback interface. This results in the creation of a SCSI host and
one or more SCSI devices.
* The Soft-RoCE (or soft-iWARP) driver is dissociated from all network
interfaces. This causes the RDMA core to report a hot-unplug event.
That results in a call of srp_remove_one(). I think the call chain is
as follows:
rxe_notify()
  ib_unregister_device_queued()
    ib_unregister_work()
      __ib_unregister_device()
        disable_device()
          remove_client_context()
            srp_remove_one()
Bart.