On 8/28/22 18:18, Ming Lei wrote:
> On Thu, Aug 25, 2022 at 05:26:34PM -0700, Bart Van Assche wrote:
>> There are two .exit_cmd_priv implementations. Both implementations use
>> resources associated with the SCSI host. Make sure that these resources are
>> still available when .exit_cmd_priv is called by waiting inside
>> scsi_remove_host() until the tag set has been freed.
>>
>> This patch fixes the following use-after-free:
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
>> Read of size 8 at addr ffff888100337000 by task multipathd/16727
>> Call Trace:
>>  <TASK>
>>  dump_stack_lvl+0x34/0x44
>>  print_report.cold+0x5e/0x5db
>>  kasan_report+0xab/0x120
>>  srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
>>  scsi_mq_exit_request+0x4d/0x70
>>  blk_mq_free_rqs+0x143/0x410
>>  __blk_mq_free_map_and_rqs+0x6e/0x100
>>  blk_mq_free_tag_set+0x2b/0x160
>>  scsi_host_dev_release+0xf3/0x1a0
>
> The trace must have been triggered on an old kernel, because this issue has been fixed
> upstream since commit f323896fe6fa ("scsi: core: Call blk_mq_free_tag_set() earlier")
> from you, :-)
Hi Ming,
Did you perhaps overlook the patch series "[PATCH 0/4] Revert "Call
blk_mq_free_tag_set() earlier""
(https://lore.kernel.org/linux-scsi/20220821220502.13685-1-bvanassche@xxxxxxx/)?
This patch reworks the patch series "Call blk_mq_free_tag_set() earlier"
but without triggering the deadlock reported by syzbot and also here:
https://lore.kernel.org/all/Yv%2FMKymRC9O04Nqu@xxxxxxxxxx/
Thanks,
Bart.
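As an added illustration, not code from the patch or from the kernel, here is a userspace model of the ordering the quoted patch description enforces: the scsi_remove_host() stand-in waits on a completion until the tag set has been freed, so that every .exit_cmd_priv call still finds the host's resources. All names, the four-request tag set and the 50 ms delay are assumptions of the model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>

/* Constructed userspace model, not kernel code: freeing the tag set runs
 * .exit_cmd_priv per request, which must still find the host's resource. */
struct host {
	int *resource;		/* released once remove_host() returns */
	bool tagset_freed;	/* the completion remove_host() waits for */
	int bad_exits;		/* exit callbacks that ran after the release */
	pthread_mutex_t lock; pthread_cond_t tagset_done;
};

/* Last reference drop calling blk_mq_free_tag_set(), delayed so that it
 * runs after remove_host() has started (the multipathd task in the report). */
static void *free_tag_set(void *arg)
{
	struct host *h = arg;
	nanosleep(&(struct timespec){ .tv_nsec = 50 * 1000 * 1000 }, NULL);
	for (int i = 0; i < 4; i++)	/* srp_exit_cmd_priv() per request */
		if (!h->resource)	/* the use-after-free from the report */
			h->bad_exits++;
	pthread_mutex_lock(&h->lock);
	h->tagset_freed = true;
	pthread_cond_signal(&h->tagset_done);
	pthread_mutex_unlock(&h->lock);
	return NULL;
}

/* scsi_remove_host() stand-in: with the fix, wait for the tag set first. */
static void remove_host(struct host *h, bool wait_for_tagset)
{
	pthread_mutex_lock(&h->lock);
	while (wait_for_tagset && !h->tagset_freed)
		pthread_cond_wait(&h->tagset_done, &h->lock);
	pthread_mutex_unlock(&h->lock);
	free(h->resource);	/* host resources released after the wait */
	h->resource = NULL;
}

/* One teardown; returns how many exit callbacks saw released host state. */
int teardown(bool fixed)
{
	struct host h = { .resource = malloc(sizeof(int)),
			  .lock = PTHREAD_MUTEX_INITIALIZER, .tagset_done = PTHREAD_COND_INITIALIZER };
	pthread_t t;
	pthread_create(&t, NULL, free_tag_set, &h);
	remove_host(&h, fixed);
	pthread_join(t, NULL);
	return h.bad_exits;
}
```

teardown(false) reproduces the reported ordering (tag set freed after the host's resources are gone); teardown(true) is the patched ordering and reports no bad exit callbacks.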