forked from Minki/linux
8fe4ce5836
There are two .exit_cmd_priv implementations. Both implementations use
resources associated with the SCSI host. Make sure that these resources are
still available when .exit_cmd_priv is called by waiting inside
scsi_remove_host() until the tag set has been freed.
This commit fixes the following use-after-free:
==================================================================
BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
Read of size 8 at addr ffff888100337000 by task multipathd/16727
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x5e/0x5db
kasan_report+0xab/0x120
srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
scsi_mq_exit_request+0x4d/0x70
blk_mq_free_rqs+0x143/0x410
__blk_mq_free_map_and_rqs+0x6e/0x100
blk_mq_free_tag_set+0x2b/0x160
scsi_host_dev_release+0xf3/0x1a0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
device_release+0x54/0xe0
kobject_put+0xa5/0x120
scsi_device_dev_release_usercontext+0x4c1/0x4e0
execute_in_process_context+0x23/0x90
device_release+0x54/0xe0
kobject_put+0xa5/0x120
scsi_disk_release+0x3f/0x50
device_release+0x54/0xe0
kobject_put+0xa5/0x120
disk_release+0x17f/0x1b0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
dm_put_table_device+0xa3/0x160 [dm_mod]
dm_put_device+0xd0/0x140 [dm_mod]
free_priority_group+0xd8/0x110 [dm_multipath]
free_multipath+0x94/0xe0 [dm_multipath]
dm_table_destroy+0xa2/0x1e0 [dm_mod]
__dm_destroy+0x196/0x350 [dm_mod]
dev_remove+0x10c/0x160 [dm_mod]
ctl_ioctl+0x2c2/0x590 [dm_mod]
dm_ctl_ioctl+0x5/0x10 [dm_mod]
__x64_sys_ioctl+0xb4/0xf0
dm_ctl_ioctl+0x5/0x10 [dm_mod]
__x64_sys_ioctl+0xb4/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Link: https://lore.kernel.org/r/20220826002635.919423-1-bvanassche@acm.org
Fixes:
|
||
---|---|---|
.. | ||
fc | ||
fc_frame.h | ||
fcoe_sysfs.h | ||
iscsi_if.h | ||
iscsi_proto.h | ||
iser.h | ||
libfc.h | ||
libfcoe.h | ||
libiscsi_tcp.h | ||
libiscsi.h | ||
libsas.h | ||
sas_ata.h | ||
sas.h | ||
scsi_bsg_iscsi.h | ||
scsi_cmnd.h | ||
scsi_common.h | ||
scsi_dbg.h | ||
scsi_device.h | ||
scsi_devinfo.h | ||
scsi_dh.h | ||
scsi_driver.h | ||
scsi_eh.h | ||
scsi_host.h | ||
scsi_ioctl.h | ||
scsi_proto.h | ||
scsi_status.h | ||
scsi_tcq.h | ||
scsi_transport_fc.h | ||
scsi_transport_iscsi.h | ||
scsi_transport_sas.h | ||
scsi_transport_spi.h | ||
scsi_transport_srp.h | ||
scsi_transport.h | ||
scsi.h | ||
scsicam.h | ||
sg.h | ||
srp.h | ||
viosrp.h |