On Thu, Aug 25, 2022 at 05:26:34PM -0700, Bart Van Assche wrote:
> There are two .exit_cmd_priv implementations. Both implementations use
> resources associated with the SCSI host. Make sure that these resources are
> still available when .exit_cmd_priv is called by waiting inside
> scsi_remove_host() until the tag set has been freed.
>
> This patch fixes the following use-after-free:
>
> ==================================================================
> BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
> Read of size 8 at addr ffff888100337000 by task multipathd/16727
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x34/0x44
>  print_report.cold+0x5e/0x5db
>  kasan_report+0xab/0x120
>  srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
>  scsi_mq_exit_request+0x4d/0x70
>  blk_mq_free_rqs+0x143/0x410
>  __blk_mq_free_map_and_rqs+0x6e/0x100
>  blk_mq_free_tag_set+0x2b/0x160
>  scsi_host_dev_release+0xf3/0x1a0

The trace must have been triggered on an old kernel, because this issue has been fixed upstream since commit f323896fe6fa ("scsi: core: Call blk_mq_free_tag_set() earlier") from you, :-)

Thanks,
Ming
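Added illustration, not part of the thread and not kernel code: a single-threaded user-space C model of the teardown ordering the quoted commit message describes. Freeing a tag set runs .exit_cmd_priv for every preallocated request, and in ib_srp that callback dereferences resources owned by the SCSI host; if the driver has already released those resources by the time the tag set is finally freed (on the last put of the host, e.g. by multipathd closing the device), the callback reads freed memory. All model_* names, the refcount handling and the flag that stands in for the real use-after-free are assumptions made for the example; the "fixed" variant only models the ordering guarantee (tag set gone before scsi_remove_host() returns), not the actual wait.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not the kernel's data structures. */
#define MODEL_NR_TAGS 4

struct model_host;

struct model_cmd_priv {
    struct model_host *host;      /* per-command pointer the driver keeps (.init_cmd_priv) */
};

struct model_tag_set {
    struct model_cmd_priv *rqs;   /* preallocated requests, torn down with the set */
    int nr_rqs;
};

struct model_host {
    bool resources_alive;         /* host-owned resources that exit_cmd_priv needs */
    struct model_tag_set set;
    bool tag_set_freed;
    int refs;                     /* driver's ref plus one per other user */
    int stale_exits;              /* exit_cmd_priv calls that saw dead resources */
};

/* Stands in for srp_exit_cmd_priv(): returns 1 if it touched released resources. */
static int model_exit_cmd_priv(struct model_cmd_priv *p)
{
    return p->host->resources_alive ? 0 : 1;
}

/* Stands in for blk_mq_free_tag_set(): runs exit_cmd_priv for every request. */
static void model_free_tag_set(struct model_host *h)
{
    if (h->tag_set_freed)
        return;
    for (int i = 0; i < h->set.nr_rqs; i++)
        h->stale_exits += model_exit_cmd_priv(&h->set.rqs[i]);
    free(h->set.rqs);
    h->set.rqs = NULL;
    h->set.nr_rqs = 0;
    h->tag_set_freed = true;
}

static struct model_host *model_alloc_host(int extra_users)
{
    struct model_host *h = calloc(1, sizeof(*h));
    if (!h)
        abort();
    h->resources_alive = true;
    h->refs = 1 + extra_users;
    h->set.nr_rqs = MODEL_NR_TAGS;
    h->set.rqs = calloc(MODEL_NR_TAGS, sizeof(*h->set.rqs));
    if (!h->set.rqs)
        abort();
    for (int i = 0; i < MODEL_NR_TAGS; i++)
        h->set.rqs[i].host = h;
    return h;
}

/* Last put releases the host; in the old order this is where the tag set went. */
static void model_host_put(struct model_host *h)
{
    if (--h->refs == 0)
        model_free_tag_set(h);
}

/* Old behaviour: remove_host returns without touching the tag set. */
static void model_remove_host_old(struct model_host *h) { (void)h; }

/* Patched behaviour: the tag set is gone before remove_host returns. */
static void model_remove_host_fixed(struct model_host *h) { model_free_tag_set(h); }

/*
 * Driver teardown in the order the commit message implies: remove the host,
 * release the host-owned resources, drop the driver's reference.  Other users
 * drop their references afterwards.  Returns how many exit_cmd_priv calls ran
 * after the resources were already released (the use-after-free in the real
 * kernel).
 */
static int model_teardown(int extra_users, void (*remove_host)(struct model_host *))
{
    struct model_host *h = model_alloc_host(extra_users);
    remove_host(h);
    h->resources_alive = false;   /* driver frees what exit_cmd_priv relies on */
    model_host_put(h);            /* driver's own put */
    for (int i = 0; i < extra_users; i++)
        model_host_put(h);        /* late puts, e.g. multipathd closing the device */
    int stale = h->stale_exits;
    free(h);
    return stale;
}

int model_old_order_stale_exits(void)   { return model_teardown(1, model_remove_host_old); }
int model_fixed_order_stale_exits(void) { return model_teardown(1, model_remove_host_fixed); }

int main(void)
{
    printf("old order:   %d stale exit_cmd_priv calls\n", model_old_order_stale_exits());
    printf("fixed order: %d stale exit_cmd_priv calls\n", model_fixed_order_stale_exits());
    return 0;
}
```

The point the model makes is that the callback's safety depends purely on ordering: nothing in exit_cmd_priv itself can be hardened, because the pointer it follows is valid or not depending on whether the tag set is freed before or after the driver releases the host's resources. Both the quoted patch and the later upstream change referenced in the reply enforce the former.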