8fe4ce5836
There are two .exit_cmd_priv implementations. Both implementations use
resources associated with the SCSI host. Make sure that these resources are
still available when .exit_cmd_priv is called by waiting inside
scsi_remove_host() until the tag set has been freed.
This commit fixes the following use-after-free:
==================================================================
BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
Read of size 8 at addr ffff888100337000 by task multipathd/16727
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x5e/0x5db
kasan_report+0xab/0x120
srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
scsi_mq_exit_request+0x4d/0x70
blk_mq_free_rqs+0x143/0x410
__blk_mq_free_map_and_rqs+0x6e/0x100
blk_mq_free_tag_set+0x2b/0x160
scsi_host_dev_release+0xf3/0x1a0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
device_release+0x54/0xe0
kobject_put+0xa5/0x120
scsi_device_dev_release_usercontext+0x4c1/0x4e0
execute_in_process_context+0x23/0x90
device_release+0x54/0xe0
kobject_put+0xa5/0x120
scsi_disk_release+0x3f/0x50
device_release+0x54/0xe0
kobject_put+0xa5/0x120
disk_release+0x17f/0x1b0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
dm_put_table_device+0xa3/0x160 [dm_mod]
dm_put_device+0xd0/0x140 [dm_mod]
free_priority_group+0xd8/0x110 [dm_multipath]
free_multipath+0x94/0xe0 [dm_multipath]
dm_table_destroy+0xa2/0x1e0 [dm_mod]
__dm_destroy+0x196/0x350 [dm_mod]
dev_remove+0x10c/0x160 [dm_mod]
ctl_ioctl+0x2c2/0x590 [dm_mod]
dm_ctl_ioctl+0x5/0x10 [dm_mod]
__x64_sys_ioctl+0xb4/0xf0
dm_ctl_ioctl+0x5/0x10 [dm_mod]
__x64_sys_ioctl+0xb4/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Link: https://lore.kernel.org/r/20220826002635.919423-1-bvanassche@acm.org
Fixes: 65ca846a53
("scsi: core: Introduce {init,exit}_cmd_priv()")
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Mike Christie <michael.christie@oracle.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: John Garry <john.garry@huawei.com>
Cc: Li Zhijian <lizhijian@fujitsu.com>
Reported-by: Li Zhijian <lizhijian@fujitsu.com>
Tested-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _SCSI_PRIV_H
#define _SCSI_PRIV_H
#include <linux/device.h>
#include <scsi/scsi_device.h>
#include <linux/sbitmap.h>
/*
 * Forward declarations. Where this header uses these types it does so by
 * pointer only, so the full definitions are not required here.
 * (request_queue and scsi_nl_hdr are declared but not referenced in the
 * visible text of this header.)
 */
struct bsg_device;
struct request_queue;
struct request;
struct scsi_cmnd;
struct scsi_device;
struct scsi_target;
struct scsi_host_template;
struct Scsi_Host;
struct scsi_nl_hdr;

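/*
 * Retry-count sentinel (by its name: "no retry limit"; the consumers are
 * outside this header). Parenthesized so the negative literal always
 * expands as a single operand, whatever operators surround it.
 */
#define SCSI_CMD_RETRIES_NO_LIMIT (-1)

/*
 * Scsi Error Handler Flags
 */
#define SCSI_EH_ABORT_SCHEDULED 0x0002 /* Abort has been scheduled */

/*
 * True when bits 4-6 of the first sense byte are all set, i.e.
 * (sense_buffer[0] & 0x70) == 0x70. Bit 7 and the low nibble are ignored.
 *
 * The macro dereferences (scmd)->sense_buffer unconditionally: the caller
 * must pass a command whose sense_buffer points to at least one readable
 * byte. The argument is expanded exactly once.
 */
#define SCSI_SENSE_VALID(scmd) \
	(((scmd)->sense_buffer[0] & 0x70) == 0x70)
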
/*
 * hosts.c
 *
 * Init/exit pair (by name) for the code in hosts.c; the bodies are not
 * visible in this header. scsi_init_hosts() returns an int status.
 */
extern int scsi_init_hosts(void);
extern void scsi_exit_hosts(void);

/*
 * scsi.c
 *
 * Both functions are defined outside this header. scsi_init_sense_cache()
 * returns an int status that callers should check.
 */
int scsi_init_sense_cache(struct Scsi_Host *shost);
void scsi_init_command(struct scsi_device *dev, struct scsi_cmnd *cmd);
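#ifdef CONFIG_SCSI_LOGGING
/* Logging hooks; the implementations are outside this header. */
void scsi_log_send(struct scsi_cmnd *cmd);
void scsi_log_completion(struct scsi_cmnd *cmd, int disposition);
#else
/*
 * CONFIG_SCSI_LOGGING is off: both hooks compile to empty inline functions,
 * so call sites need no #ifdef of their own. No ';' follows the bodies: an
 * empty declaration at file scope is not valid ISO C.
 */
static inline void scsi_log_send(struct scsi_cmnd *cmd)
{ }
static inline void scsi_log_completion(struct scsi_cmnd *cmd, int disposition)
{ }
#endif
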
/* scsi_devinfo.c */

/*
 * list of keys for the lists
 *
 * SCSI_DEVINFO_GLOBAL is pinned to 0; SCSI_DEVINFO_SPI follows it
 * implicitly as 1.
 */
enum scsi_devinfo_key {
	SCSI_DEVINFO_GLOBAL = 0,
	SCSI_DEVINFO_SPI,
};

/*
 * Device-info flag lookups and list maintenance. Every vendor, model and
 * strflags argument is a bare string pointer with no accompanying length.
 * NOTE(review): bounds and termination handling is in scsi_devinfo.c, which
 * is not visible here - confirm callers pass bounded, NUL-terminated strings.
 */
extern blist_flags_t scsi_get_device_flags(struct scsi_device *sdev,
					    const unsigned char *vendor,
					    const unsigned char *model);
/* Same lookup, restricted to the list selected by @key. */
extern blist_flags_t scsi_get_device_flags_keyed(struct scsi_device *sdev,
						  const unsigned char *vendor,
						  const unsigned char *model,
						  enum scsi_devinfo_key key);
/* The add/del variants take non-const char *; the return value is an int status. */
extern int scsi_dev_info_list_add_keyed(int compatible, char *vendor,
					char *model, char *strflags,
					blist_flags_t flags,
					enum scsi_devinfo_key key);
extern int scsi_dev_info_list_del_keyed(char *vendor, char *model,
					enum scsi_devinfo_key key);
extern int scsi_dev_info_add_list(enum scsi_devinfo_key key, const char *name);
extern int scsi_dev_info_remove_list(enum scsi_devinfo_key key);

/* Marked __init, so it is only meant to be called during initialization. */
extern int __init scsi_init_devinfo(void);
extern void scsi_exit_devinfo(void);

/*
 * scsi_error.c
 *
 * Error-handling entry points; all bodies are outside this header.
 */
/* Takes a struct work_struct *, the signature of a workqueue callback. */
extern void scmd_eh_abort_handler(struct work_struct *work);
extern enum blk_eh_timer_return scsi_timeout(struct request *req);
/* NOTE(review): the untyped void * is presumably the Scsi_Host - confirm in scsi_error.c. */
extern int scsi_error_handler(void *host);
extern enum scsi_disposition scsi_decide_disposition(struct scsi_cmnd *cmd);
extern void scsi_eh_wakeup(struct Scsi_Host *shost);
extern void scsi_eh_scmd_add(struct scsi_cmnd *);
/* work_q / done_q are caller-provided list heads. */
void scsi_eh_ready_devs(struct Scsi_Host *shost,
			struct list_head *work_q,
			struct list_head *done_q);
int scsi_eh_get_sense(struct list_head *work_q,
		      struct list_head *done_q);
bool scsi_noretry_cmd(struct scsi_cmnd *scmd);
void scsi_eh_done(struct scsi_cmnd *scmd);

/*
 * scsi_lib.c
 *
 * Queueing and completion helpers; all bodies are outside this header.
 */
extern int scsi_maybe_unblock_host(struct scsi_device *sdev);
extern void scsi_device_unbusy(struct scsi_device *sdev, struct scsi_cmnd *cmd);
extern void scsi_queue_insert(struct scsi_cmnd *cmd, int reason);
extern void scsi_io_completion(struct scsi_cmnd *, unsigned int);
extern void scsi_run_host_queues(struct Scsi_Host *shost);
extern void scsi_requeue_run_queue(struct work_struct *work);
extern void scsi_start_queue(struct scsi_device *sdev);
/* Returns an int status that callers should check. */
extern int scsi_mq_setup_tags(struct Scsi_Host *shost);
/*
 * Takes a struct kref *, the shape of a kref release callback, so the tag
 * set is presumably freed when the last reference to it is dropped rather
 * than at a fixed point in host teardown - confirm in scsi_lib.c.
 * Lifetime rule from the commit message: .exit_cmd_priv uses resources
 * associated with the SCSI host, so scsi_remove_host() waits until the tag
 * set has been freed. A caller that lets the host's resources go away
 * before that point reintroduces the reported use-after-free.
 */
extern void scsi_mq_free_tags(struct kref *kref);
extern void scsi_exit_queue(void);
extern void scsi_evt_thread(struct work_struct *work);

/* scsi_proc.c */
#ifdef CONFIG_SCSI_PROC_FS
extern void scsi_proc_hostdir_add(struct scsi_host_template *);
extern void scsi_proc_hostdir_rm(struct scsi_host_template *);
extern void scsi_proc_host_add(struct Scsi_Host *);
extern void scsi_proc_host_rm(struct Scsi_Host *);
extern int scsi_init_procfs(void);
extern void scsi_exit_procfs(void);
#else
/*
 * Without CONFIG_SCSI_PROC_FS the calls expand to an empty statement, and
 * scsi_init_procfs() to the constant 0. These are macros, not functions:
 * the argument is neither evaluated nor type-checked, so call sites must
 * not rely on side effects in the argument expression.
 */
# define scsi_proc_hostdir_add(sht) do { } while (0)
# define scsi_proc_hostdir_rm(sht) do { } while (0)
# define scsi_proc_host_add(shost) do { } while (0)
# define scsi_proc_host_rm(shost) do { } while (0)
# define scsi_init_procfs() (0)
# define scsi_exit_procfs() do { } while (0)
#endif /* CONFIG_SCSI_PROC_FS */

/*
 * scsi_scan.c
 *
 * Scan and rescan entry points; all bodies are outside this header.
 */
void scsi_enable_async_suspend(struct device *dev);
extern int scsi_complete_async_scans(void);
/*
 * The parameters are unnamed here. NOTE(review): the two unsigned ints and
 * the u64 are presumably channel, id and lun - confirm against the
 * definition in scsi_scan.c before relying on the argument order.
 */
extern int scsi_scan_host_selected(struct Scsi_Host *, unsigned int,
				   unsigned int, u64, enum scsi_scan_mode);
extern void scsi_forget_host(struct Scsi_Host *);
extern void scsi_rescan_device(struct device *);

/* scsi_sysctl.c */
#ifdef CONFIG_SYSCTL
extern int scsi_init_sysctl(void);
extern void scsi_exit_sysctl(void);
#else
/*
 * Without CONFIG_SYSCTL, init expands to the constant 0 and exit to an
 * empty statement, so callers need no #ifdef.
 */
# define scsi_init_sysctl() (0)
# define scsi_exit_sysctl() do { } while (0)
#endif /* CONFIG_SYSCTL */

/*
 * scsi_sysfs.c
 *
 * sysfs registration helpers; all bodies are outside this header. The
 * functions returning int report a status that callers should check.
 */
extern int scsi_sysfs_add_sdev(struct scsi_device *);
extern int scsi_sysfs_add_host(struct Scsi_Host *);
extern int scsi_sysfs_register(void);
extern void scsi_sysfs_unregister(void);
extern void scsi_sysfs_device_initialize(struct scsi_device *);
extern int scsi_sysfs_target_initialize(struct scsi_device *);
extern struct scsi_transport_template blank_transport_template;
extern void __scsi_remove_device(struct scsi_device *);

/* Objects defined elsewhere; this header only declares them. */
extern struct bus_type scsi_bus_type;
extern const struct attribute_group *scsi_shost_groups[];

/* scsi_netlink.c */
#ifdef CONFIG_SCSI_NETLINK
/* Real implementations and the socket object are defined outside this header. */
extern void scsi_netlink_init(void);
extern void scsi_netlink_exit(void);
extern struct sock *scsi_nl_sock;
#else
/* CONFIG_SCSI_NETLINK is off: init and exit compile to no-ops. */
static inline void scsi_netlink_init(void)
{
}

static inline void scsi_netlink_exit(void)
{
}
#endif

/* scsi_pm.c */
#ifdef CONFIG_PM
extern const struct dev_pm_ops scsi_bus_pm_ops;

/* get/put pairs for targets and hosts; bodies are outside this header. */
extern void scsi_autopm_get_target(struct scsi_target *);
extern void scsi_autopm_put_target(struct scsi_target *);
extern int scsi_autopm_get_host(struct Scsi_Host *);
extern void scsi_autopm_put_host(struct Scsi_Host *);
#else
/*
 * CONFIG_PM is off: the get/put calls do nothing, and
 * scsi_autopm_get_host() always returns 0.
 */
static inline void scsi_autopm_get_target(struct scsi_target *t)
{
}

static inline void scsi_autopm_put_target(struct scsi_target *t)
{
}

static inline int scsi_autopm_get_host(struct Scsi_Host *h)
{
	return 0;
}

static inline void scsi_autopm_put_host(struct Scsi_Host *h)
{
}
#endif /* CONFIG_PM */

/* scsi_dh.c */
#ifdef CONFIG_SCSI_DH
/* Add/release pair for a device; bodies are outside this header. */
void scsi_dh_add_device(struct scsi_device *sdev);
void scsi_dh_release_device(struct scsi_device *sdev);
#else
/* CONFIG_SCSI_DH is off: both calls compile to no-ops. */
static inline void scsi_dh_add_device(struct scsi_device *sdev)
{
}

static inline void scsi_dh_release_device(struct scsi_device *sdev)
{
}
#endif

/*
 * Returns a struct bsg_device pointer for @sdev.
 * NOTE(review): the failure convention (NULL vs. error pointer) is not
 * visible in this header - confirm at the definition before testing the
 * result.
 */
struct bsg_device *scsi_bsg_register_queue(struct scsi_device *sdev);

/* Returns an int queue depth for @sdev (by name, the maximum); defined outside this header. */
extern int scsi_device_max_queue_depth(struct scsi_device *sdev);

/*
 * internal scsi timeout functions: for use by mid-layer and transport
 * classes.
 */

/* By its name, the upper bound on a device-block timeout: 600 seconds (10 minutes). */
#define SCSI_DEVICE_BLOCK_MAX_TIMEOUT 600 /* units in seconds */

#endif /* _SCSI_PRIV_H */