Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp405053pxu;
        Thu, 26 Nov 2020 01:29:08 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwLv1tZE85RwUC5AGiR/6TdVHEiAt4uWdF2JZvVBqEwSs/GIwjcl6PYrs45RaZh5YO+QOhN
X-Received: by 2002:a05:6402:170e:: with SMTP id y14mr1687750edu.115.1606382947870;
        Thu, 26 Nov 2020 01:29:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606382947; cv=none;
        d=google.com; s=arc-20160816;
        b=0QXx0KWCTuHX8ySQAo54lh1bMyEzn6afqN22TJvKyhhS7xt98gKOHZmUzMROgyyEgW
         VD9W3UvgE1jWHNzkd4QyQFyFbBjz5KG82pUyjnTKXeja8i1Gq8EkPjpkkFIRYlMeSQRv
         0IVals8YcpDmQRQYWa2OaVx78doXAwD3rgWB5C+9yaQTV05s0oER48fotV/vds6DOBS2
         utbbu0br28yKPyauo/12gEyrU9071eD3J6koFet/01f8prwa5nfD4Osx909kdp8tJ2R3
         Z9mLZtqipA4UCKQTa6s+oBObIHOsivdXwqbkaCvegUeAAiQWkD6bDEpH6PRcmzVnlQjv
         PC2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:from:references:cc:to
         :subject;
        bh=HsG0HT474D9kwAN2NdWoX0aYkzUccn6KLqaC3GsU4T4=;
        b=T+X69IjdERyS1wY9EBJcLozANAqabDtAIKnQ9jgenTaAvzlMnroQNx3j+aC8EzQHMv
         UW3WgiXqvxqOC0Po0UorFWf3JQSt4AzahuaALiBCjZ3x04uMN7W9vcXM81tyGhosv6dZ
         b23jkID5wQWuB4KSZzpjjPx8T9IdyihuKHulsOikIDUihGwAsuU/fz/sWBJDXG+3zPHW
         nFSS3yMFDWylMWkYpAX1nSL9GccA1aJ0S55dDjNDL1h3cw/IMTxr7C9qzTCPN4nbNudj
         McgiOovx8jeRqe/QUadAAGL8gQjRkKQghxKFWuMn2gXXbjFHGSQimy05savuD6JwYvF1
         5jng==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o24si3071370edz.608.2020.11.26.01.28.22;
        Thu, 26 Nov 2020 01:29:07 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731526AbgKZB1p (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Wed, 25 Nov 2020 20:27:45 -0500
Received: from szxga07-in.huawei.com ([45.249.212.35]:8402 "EHLO
        szxga07-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730067AbgKZB1p (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 25 Nov 2020 20:27:45 -0500
Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.60])
        by szxga07-in.huawei.com (SkyGuard) with ESMTP id 4ChKqs5czRz73q7;
        Thu, 26 Nov 2020 09:27:21 +0800 (CST)
Received: from [10.174.177.149] (10.174.177.149) by
 DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id
 14.3.487.0; Thu, 26 Nov 2020 09:27:41 +0800
Subject: Re: [PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove
To:     Benjamin Block <bblock@linux.ibm.com>
CC:     Steffen Maier <maier@linux.ibm.com>,
        Heiko Carstens <hca@linux.ibm.com>,
        Vasily Gorbik <gor@linux.ibm.com>,
        Christian Borntraeger <borntraeger@de.ibm.com>,
        <linux-s390@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <linux-scsi@vger.kernel.org>
References: <20201120074854.31754-1-miaoqinglang@huawei.com>
 <20201125170658.GB8578@t480-pf1aa2c2>
From:   Qinglang Miao <miaoqinglang@huawei.com>
Message-ID: <4c65bead-2553-171e-54d2-87a9de0330e8@huawei.com>
Date:   Thu, 26 Nov 2020 09:27:41 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <20201125170658.GB8578@t480-pf1aa2c2>
Content-Type: text/plain; charset="gbk"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.174.177.149]
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



?? 2020/11/26 1:06, Benjamin Block д??:
> On Fri, Nov 20, 2020 at 03:48:54PM +0800, Qinglang Miao wrote:
>> kfree(port) is called in put_device(&port->dev) so that following
>> use would cause use-after-free bug.
>>
>> The former put_device is redundant for device_unregister contains
>> put_device already. So just remove it to fix this.
>>
>> Fixes: 86bdf218a717 ("[SCSI] zfcp: cleanup unit sysfs attribute usage")
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
>> ---
>>   drivers/s390/scsi/zfcp_unit.c | 2 --
>>   1 file changed, 2 deletions(-)
>>
>> diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
>> index e67bf7388..664b77853 100644
>> --- a/drivers/s390/scsi/zfcp_unit.c
>> +++ b/drivers/s390/scsi/zfcp_unit.c
>> @@ -255,8 +255,6 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
>>   		scsi_device_put(sdev);
>>   	}
>>   
>> -	put_device(&unit->dev);
>> -
>>   	device_unregister(&unit->dev);
>>  >>   	return 0;
> 
> Same as in the other mail for `zfcp_sysfs_port_remove_store()`. We
> explicitly get a new ref in `_zfcp_unit_find()`, so we also need to put
> that away again.
>
Sorry, Benjamin, I don't think so, because device_unregister calls 
put_device inside.

It seem's that another put_device before or after device_unregister is 
useless and even might cause an use-after-free.