Re: [RFC PATCH] RDMA/srp: Fix use-after-free in srp_exit_cmd_priv

From: Bart Van Assche
Date: Fri Jun 24 2022 - 19:57:55 EST


On 6/24/22 16:47, Jason Gunthorpe wrote:
> On Fri, Jun 24, 2022 at 04:26:06PM -0700, Bart Van Assche wrote:
> > On 6/24/22 15:59, Jason Gunthorpe wrote:
> > > I don't even understand how get_device() prevents this call chain??
> > >
> > > It looks to me like the problem is srp_remove_one() is not waiting for
> > > or canceling some outstanding work.
> >
> > Hi Jason,
> >
> > My conclusions from the call traces in Li's email are as follows:
> > * scsi_host_dev_release() can get called after srp_remove_one().
> > * srp_exit_cmd_priv() uses the ib_device pointer. If srp_remove_one() is
> > called before srp_exit_cmd_priv() then a use-after-free is triggered.
>
> Shouldn't srp_remove_one() wait for the scsi_host_dev to complete
> destruction? Clearly it cannot continue to exist once the IB device
> has been removed

That sounds like an interesting approach to me. Li, do you perhaps want to implement this approach?

Thanks,

Bart.
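The ordering problem the thread describes, as an added illustration that is not part of the patch or of the kernel's SRP code: a per-command private structure keeps a pointer to the device, and the device is released by a driver-level remove before the per-command exit runs. The names (`ib_dev_model`, `cmd_priv_model`, `replay_remove_before_exit`, the `freed` flag) are hypothetical stand-ins; freed memory is simulated with a flag so the model can be checked without touching released memory. The `pin` path models the get_device()-style reference mentioned in the thread; the alternative of having remove wait for host teardown is not modelled here.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code: stand-ins for the ib_device /
 * srp_exit_cmd_priv() / srp_remove_one() interplay in the thread. */
struct ib_dev_model {
    int refcount;      /* holders keeping the device alive */
    bool freed;        /* true once the device has been "freed" */
};

struct cmd_priv_model {
    struct ib_dev_model *dev;  /* per-command pointer into the device */
    bool holds_ref;            /* did init take its own reference? */
};

static void dev_get(struct ib_dev_model *dev) { dev->refcount++; }

/* Drop one reference; the device is released when the last one goes. */
static void dev_put(struct ib_dev_model *dev)
{
    if (--dev->refcount == 0)
        dev->freed = true;
}

/* Per-command init: record the device pointer, optionally pinning it
 * (the get_device()-style approach from the thread). */
static void init_cmd_priv(struct cmd_priv_model *priv,
                          struct ib_dev_model *dev, bool pin)
{
    priv->dev = dev;
    priv->holds_ref = pin;
    if (pin)
        dev_get(dev);
}

/* Per-command exit: returns false when it would touch a freed device,
 * which is the use-after-free reported in the thread. */
static bool exit_cmd_priv(struct cmd_priv_model *priv)
{
    struct ib_dev_model *dev = priv->dev;

    if (dev->freed)
        return false;
    /* ...work that needs the device (e.g. DMA unmapping) would go here... */
    if (priv->holds_ref)
        dev_put(dev);
    priv->dev = NULL;
    return true;
}

/* Driver-level remove: drops the reference taken at probe time. */
static void remove_one(struct ib_dev_model *dev) { dev_put(dev); }

/* Replay the reported ordering: remove runs before the command exit.
 * Returns true if the late exit was safe, false if it hit freed memory. */
static bool replay_remove_before_exit(bool cmd_pins_device)
{
    struct ib_dev_model dev = { .refcount = 1, .freed = false }; /* probe's ref */
    struct cmd_priv_model priv;

    init_cmd_priv(&priv, &dev, cmd_pins_device);
    remove_one(&dev);                 /* device goes away here... */
    return exit_cmd_priv(&priv);      /* ...and the late exit follows */
}
```

Without the per-command reference the replay reports the use-after-free; with it, the device outlives the last command that still points at it and is released by that command's exit instead.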