On 08/11/2015 07:42 AM, Sagi Grimberg wrote:
> [PATCH] IB/srp: Fix possible protection fault
>
> srp_destroy_qp is designed to indicate we are safe to continue with
> freeing the channel resources by modifying the qp error state,
> posting a dummy wr on the queue-pair and waiting for it to flush.
> This also holds for the channel registration pool as we are unmapping
> the memory region when handling a scsi response. Destroying the
> channel registration pool before we make sure we processed all the
> in-flight IO might introduce a use-after-free of the registration pool.
> This use-after-free is demonstrated in the stack trace below where
> srp is trying to unmap a used FMR after the fmr_pool was already destroyed.
>
> Reported-by: Eliott Kespi <[email protected]>
> Signed-off-by: Sagi Grimberg <[email protected]>
Please consider Cc-ing "stable" for this patch. Anyway,
Reviewed-by: Bart Van Assche <[email protected]>
> Sorry for the mix-up. Does this patch make more sense?
Thank you for the quick respin. By posting this second patch quickly you
saved me considerable time. I was going to verify whether any upstream
patches were missing from the distro kernel that was used in your tests
but this second description makes it clear that scsi_remove_host() was
not involved in this crash.
Bart.