From: "Li, Zhijian" <lizhijian@fujitsu.com>
To: Ming Lei <ming.lei@redhat.com>, Bart Van Assche <bvanassche@acm.org>
Cc: "Martin K . Petersen" <martin.petersen@oracle.com>,
Jaegeuk Kim <jaegeuk@kernel.org>, <linux-scsi@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.de>,
John Garry <john.garry@huawei.com>
Subject: Re: [PATCH v2 3/3] scsi: core: Call blk_mq_free_tag_set() earlier
Date: Fri, 1 Jul 2022 15:45:02 +0800
Message-ID: <ea467e1c-dc50-a0cd-2714-22551ec327b1@fujitsu.com>
In-Reply-To: <Yr5tlDkrTTldwjSq@T590>
Sending again; the format of the previous one was wrong.
On 7/1/2022 11:44 AM, Ming Lei wrote:
> On Thu, Jun 30, 2022 at 02:37:33PM -0700, Bart Van Assche wrote:
>> There are two .exit_cmd_priv implementations. Both implementations use
>> resources associated with the SCSI host. Make sure that these resources are
> Please document what the exact resources associated with this SCSI host is.
>
> We need the root cause.
>
> I understand it might be related with module unloading, since ib_srp may
> be gone already, but not sure if it is the exact one in this report.
>
>> still available when .exit_cmd_priv is called by moving the .exit_cmd_priv
>> calls from scsi_host_dev_release() to scsi_forget_host(). Moving
>> blk_mq_free_tag_set() from scsi_host_dev_release() to scsi_forget_host() is
>> safe because scsi_forget_host() drains all the request queues that use the
>> host tag set. This guarantees that no requests are in flight and also that
>> no new requests will be allocated from the host tag set.
>>
>> This patch fixes the following use-after-free:
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
>> Read of size 8 at addr ffff888100337000 by task multipathd/16727
> What is the 8-byte buffer which triggers the UAF? What does srp_exit_cmd_priv+0x27
> point to?
This bug was reported by me; let me add some debug information.
*Attention*: the debug info below came from a modified source, so the offset is a bit different from the one above.
[ 120.400572] ib_srp: lizhijian: srp_exit_cmd_priv:975: target_host ffff88810b8d6000, ffff88810b8d67e0
[ 120.400578] ib_srp: lizhijian: srp_exit_cmd_priv:977: target_host ffff88810b8d6000, ffff88810b8d67e0
[ 120.400590] ==================================================================
[ 120.400592] BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x6c/0x109 [ib_srp]
[ 120.400616] Read of size 8 at addr ffff8881076b1800 by task multipathd/1417
[ 120.400619]
[ 120.400621] CPU: 0 PID: 1417 Comm: multipathd Not tainted 5.19.0-rc1-roce-flush+ #85
[ 120.400626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014
crash> struct srp_target_port.srp_host ffff88810b8d67e0
srp_host = 0xffff8881076b1800,
crash> struct srp_target_port.srp_host
struct srp_target_port {
[104] struct srp_host *srp_host;
}
crash> struct srp_host.srp_dev 0xffff8881076b1800
srp_dev = 0xffff88800bcd1400,
crash> struct srp_device 0xffff88800bcd1400
struct srp_device {
dev_list = {
next = 0xffff888106fafd00,
prev = 0xb680010900000749
},
dev = 0x0,
pd = 0x0,
global_rkey = 0,
mr_page_mask = 3,
mr_page_size = 181960704,
mr_max_size = -30592,
max_pages_per_mr = 117112064,
has_fr = 129,
use_fast_reg = 136
}
crash> dis -s srp_exit_cmd_priv+0x6c
FILE: ../drivers/infiniband/ulp/srp/ib_srp.c
LINE: 978
973 struct srp_request *req;
974
975 pr_info("lizhijian: %s:%d: target_host %px, %px\n", __func__, __LINE__, shost, shost->hostdata);
976 target = host_to_target(shost);
977 pr_info("lizhijian: %s:%d: target_host %px, %px\n", __func__, __LINE__, shost, shost->hostdata);
* 978 dev = target->srp_host->srp_dev;
979 ibdev = dev->dev;
980 req = scsi_cmd_priv(cmd);
981
982 kfree(req->fr_list);
983 if (req->indirect_dma_addr) {
984 ib_dma_unmap_single(ibdev, req->indirect_dma_addr,
985 target->indirect_size,
986 DMA_TO_DEVICE);
987 }
988 kfree(req->indirect_desc);
989
990 return 0;
991 }
Thanks
Zhijian
>
>
> Thanks,
> Ming
>
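The ordering the patch description argues about can be shown in a few dozen lines of user-space C. The block below is an added example, not code from the patch series, from ib_srp or from anyone in this thread. It models a Scsi_Host whose tag set owns the per-command private data, an srp_exit_cmd_priv() lookalike that follows the same target->srp_host->srp_dev chain as line 978 in the crash listing above, and the two teardown orders: before and after moving the blk_mq_free_tag_set() call from scsi_host_dev_release() into scsi_forget_host(). The struct layout, the LIVE/FREED markers standing in for KASAN's freed-object tracking, and the assumption that the transport driver frees srp_host and srp_device after scsi_remove_host() returns but before the last host reference is dropped are all constructed for this example.

```c
/* Added model of the Scsi_Host teardown order; not code from the patch series or from ib_srp.
 * Object layout, LIVE/FREED markers and the point where the transport driver frees its
 * objects are assumptions chosen to match the pointer chain in the report. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_TAGS 4
#define LIVE_MAGIC  0x51b0c0deu   /* constructed: object still valid */
#define FREED_MAGIC 0xdeadbeefu   /* constructed stand-in for KASAN's freed-object tracking */

struct srp_device { unsigned int magic; int ib_dev_id; };
struct srp_host { unsigned int magic; struct srp_device *srp_dev; };
struct srp_target_port { struct srp_host *srp_host; };
struct srp_request { void *fr_list; void *indirect_desc; };

/* Scsi_Host model: hostdata holds the target, the tag set owns the per-command data. */
struct scsi_host {
	struct srp_target_port target;
	struct srp_request cmd_priv[NR_TAGS];
	bool tag_set_allocated;
};

/* "Free" by poisoning instead of returning memory, so a stale access is detected, not UB. */
static void poison_free(unsigned int *magic) { *magic = FREED_MAGIC; }
static bool is_freed(unsigned int magic) { return magic == FREED_MAGIC; }

/* Counterpart of srp_exit_cmd_priv(): follows target->srp_host->srp_dev as line 978 of the
 * report does, but returns -1 instead of reading an object that has already been freed. */
static int model_exit_cmd_priv(struct scsi_host *shost, int tag)
{
	struct srp_target_port *target = &shost->target;
	struct srp_request *req = &shost->cmd_priv[tag];

	if (is_freed(target->srp_host->magic))
		return -1;                          /* the 8-byte read KASAN flagged */
	if (is_freed(target->srp_host->srp_dev->magic))
		return -1;
	free(req->fr_list);                         /* both NULL in this model; free(NULL) is a no-op */
	free(req->indirect_desc);
	req->fr_list = req->indirect_desc = NULL;
	return 0;
}

/* blk_mq_free_tag_set() model: runs .exit_cmd_priv for every tag and counts stale accesses. */
static int model_free_tag_set(struct scsi_host *shost)
{
	int stale = 0;
	if (!shost->tag_set_allocated)
		return 0;
	for (int tag = 0; tag < NR_TAGS; tag++)
		if (model_exit_cmd_priv(shost, tag) < 0)
			stale++;
	shost->tag_set_allocated = false;
	return stale;
}

static void setup(struct scsi_host *shost, struct srp_host *host, struct srp_device *dev)
{
	*dev = (struct srp_device){ .magic = LIVE_MAGIC, .ib_dev_id = 1 };
	*host = (struct srp_host){ .magic = LIVE_MAGIC, .srp_dev = dev };
	*shost = (struct scsi_host){ .target.srp_host = host, .tag_set_allocated = true };
}

/* Order before the patch: scsi_forget_host() leaves the tag set alone, the transport driver
 * frees srp_host/srp_device, and the final host put reaches .exit_cmd_priv last. */
int teardown_old_order(void)
{
	struct scsi_host shost; struct srp_host host; struct srp_device dev;
	setup(&shost, &host, &dev);
	poison_free(&host.magic);                  /* transport driver teardown (assumed point) */
	poison_free(&dev.magic);
	return model_free_tag_set(&shost);         /* scsi_host_dev_release() path */
}

/* Order after the patch: scsi_forget_host() frees the tag set while the transport objects are
 * still live, so by the time they are gone there is nothing left to call back into. */
int teardown_new_order(void)
{
	struct scsi_host shost; struct srp_host host; struct srp_device dev;
	int stale;
	setup(&shost, &host, &dev);
	stale = model_free_tag_set(&shost);        /* scsi_forget_host() path */
	poison_free(&host.magic);
	poison_free(&dev.magic);
	stale += model_free_tag_set(&shost);       /* scsi_host_dev_release(): tag set already gone */
	return stale;
}

int main(void)
{
	printf("old order: %d stale accesses, new order: %d\n",
	       teardown_old_order(), teardown_new_order());
	return 0;
}
```

Compile it with any C compiler and run it: the old order reports one stale access per tag, the new order none. The poison check is what makes the difference visible without relying on undefined behaviour; in the real kernel that role is played by KASAN, which is why the report shows the read at +0x27 on the freed srp_host.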
Thread overview: 14+ messages
2022-06-30 21:37 [PATCH v2 0/3] Call blk_mq_free_tag_set() earlier Bart Van Assche
2022-06-30 21:37 ` [PATCH v2 1/3] scsi: Simplify scsi_forget_host() Bart Van Assche
2022-07-05 2:40 ` Ming Lei
2022-06-30 21:37 ` [PATCH v2 2/3] scsi: Make scsi_forget_host() wait for request queue removal Bart Van Assche
2022-07-01 16:25 ` Mike Christie
2022-07-01 23:44 ` Bart Van Assche
2022-07-05 3:38 ` Ming Lei
2022-06-30 21:37 ` [PATCH v2 3/3] scsi: core: Call blk_mq_free_tag_set() earlier Bart Van Assche
2022-07-01 3:44 ` Ming Lei
2022-07-01 7:25 ` lizhijian
2022-07-01 7:45 ` Li, Zhijian [this message]
2022-07-01 14:07 ` Bart Van Assche
2022-07-01 14:37 ` Ming Lei
2022-07-01 23:58 ` Bart Van Assche