Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1145166pxu; Fri, 27 Nov 2020 00:21:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJzlL9C5lgDlsaUgefkwK5F/ACY00Hp6PAWOdaqXJ61FD+ZWHFq2UCTbeG6+Vu/2Wx2EoUEu X-Received: by 2002:aa7:df81:: with SMTP id b1mr6311299edy.365.1606465260982; Fri, 27 Nov 2020 00:21:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606465260; cv=none; d=google.com; s=arc-20160816; b=eO0vSDIuBK/M5tnLOgsprZPFtzAACUrqHVVIm/tHKf8oKCv0LhFwBS8O1iPaGzYilj EUPiH2iSSS6EGzOqncffleVj96q7gg8cdTW/a9u6H+5z4Vn3TK6/w1XnR4PZBjA4Zu46 WsFdV4LDqHru9edRFAMAY3RKX+CbAiqjrdHF+iMgQIng+cgkhYZ7LcwTRNVXg1Y6041Q rN/nVtBSpPlM7qkZg3ruliheQhNU8v8u/C5szW9TGn7EvKKsFc/DvCPXVO0canRazinN vFC4mW1sHPvErCYxHiJgYJIFFegpYqhIylaKZePtguYHEebv488zRtA2T1/wgC0wvkeY lGDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=f0xExOnqx5Pbui9jkzThsmhoyS9CqqEVUzl0lt2Xm84=; b=Wil35+NAEnYDUBa6PI9kppbDIJrXT9rKpBVhZX712IokX4ctdMkZvHcBq6eKmP0rRI TNICU7gUQnNs4vZJOCeSS6+yHphutTdideKZfg+W3fofXb2UydK3yODG/UE+B5gqXWNY 2VLylySMwJAU992DBmlXSSI9KD7radGZEOZ8RJbTkFpGOyS2W5ve3ToFrgb46gxRXNry 1mCiuMBcH7SEQR8Ia7tS7i6jdoibFno4QNHYBRK5fPpDPblVU/D7awWLVi9hkePJVdT5 +oQO39Ou569/KqD6BUFlJC7rpFyRKWXOuEz2KfkaUPmFUTDbZrQO2vtxOacandFaxSLR yKSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w13si3797819ejn.15.2020.11.27.00.20.38; Fri, 27 Nov 2020 00:21:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388660AbgKZMHl (ORCPT + 99 others); Thu, 26 Nov 2020 07:07:41 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:8596 "EHLO szxga05-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727039AbgKZMHk (ORCPT ); Thu, 26 Nov 2020 07:07:40 -0500 Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.59]) by szxga05-in.huawei.com (SkyGuard) with ESMTP id 4Chc225s5PzLsCR; Thu, 26 Nov 2020 20:07:06 +0800 (CST) Received: from [10.174.177.149] (10.174.177.149) by DGGEMS411-HUB.china.huawei.com (10.3.19.211) with Microsoft SMTP Server id 14.3.487.0; Thu, 26 Nov 2020 20:07:32 +0800 Subject: Re: [PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove To: Benjamin Block , Cornelia Huck CC: Steffen Maier , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , , , References: <20201120074854.31754-1-miaoqinglang@huawei.com> <20201125170658.GB8578@t480-pf1aa2c2> <4c65bead-2553-171e-54d2-87a9de0330e8@huawei.com> <20201126091353.50cf6ab6.cohuck@redhat.com> <20201126094259.GE8578@t480-pf1aa2c2> From: Qinglang Miao Message-ID: <9ba663ad-97fe-6c2a-e15a-45f2de1f0af0@huawei.com> Date: Thu, 26 Nov 2020 20:07:32 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <20201126094259.GE8578@t480-pf1aa2c2> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.177.149] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2020/11/26 17:42, Benjamin Block 写道: > On Thu, Nov 26, 2020 at 09:13:53AM +0100, Cornelia Huck wrote: >> On Thu, 26 Nov 2020 09:27:41 +0800 >> Qinglang Miao wrote: >> >>> 在 2020/11/26 1:06, Benjamin Block 写道: >>>> On Fri, Nov 20, 2020 at 03:48:54PM +0800, Qinglang Miao wrote: >>>>> kfree(port) is called in put_device(&port->dev) so that following >>>>> use would cause use-after-free bug. >>>>> >>>>> The former put_device is redundant for device_unregister contains >>>>> put_device already. So just remove it to fix this. >>>>> >>>>> Fixes: 86bdf218a717 ("[SCSI] zfcp: cleanup unit sysfs attribute usage") >>>>> Reported-by: Hulk Robot >>>>> Signed-off-by: Qinglang Miao >>>>> --- >>>>> drivers/s390/scsi/zfcp_unit.c | 2 -- >>>>> 1 file changed, 2 deletions(-) >>>>> >>>>> diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c >>>>> index e67bf7388..664b77853 100644 >>>>> --- a/drivers/s390/scsi/zfcp_unit.c >>>>> +++ b/drivers/s390/scsi/zfcp_unit.c >>>>> @@ -255,8 +255,6 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun) >>>>> scsi_device_put(sdev); >>>>> } >>>>> >>>>> - put_device(&unit->dev); >>>>> - >>>>> device_unregister(&unit->dev); >>>>> >> return 0; >>>> >>>> Same as in the other mail for `zfcp_sysfs_port_remove_store()`. We >>>> explicitly get a new ref in `_zfcp_unit_find()`, so we also need to put >>>> that away again. >>>> >>> Sorry, Benjamin, I don't think so, because device_unregister calls >>> put_device inside. >>> >>> It seem's that another put_device before or after device_unregister is >>> useless and even might cause an use-after-free. >> >> The issue here (and in the other patches that I had commented on) is >> that the references have different origins. device_register() acquires >> a reference, and that reference is given up when you call >> device_unregister(). However, the code here grabs an extra reference, >> and it of course has to give it up again when it no longer needs it. >> >> This is something that is not that easy to spot by an automated check, >> I guess? >> > > Indeed. > > I do think the two patches for zfcp have merit, but not by simply > removing the put_device(), but by moving it. > > For this patch in particular, I'd think the "proper logic" would be to > move the `put_device()` to after the `device_unregister()`: > > device_unregister(&unit->dev); > put_device(&unit->dev); > > return 0; > > As Cornelia pointed out, the extra `get_device()` we do in > `_zfcp_unit_find()` needs to be reversed, otherwise we have a dangling > reference and probably some sort of memory-/resource-leak. > > Let's go by example. If we assume the reference count of `unit->dev` is > R, and the function starts with R = 1 (otherwise the deivce would've > been freed already), we get: > > int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun) > { > struct zfcp_unit *unit; > struct scsi_device *sdev; > > write_lock_irq(&port->unit_list_lock); > // unit->dev (R = 1) > unit = _zfcp_unit_find(port, fcp_lun); > // get_device(&unit->dev) > // unit->dev (R = 2) > if (unit) > list_del(&unit->list); > write_unlock_irq(&port->unit_list_lock); > > if (!unit) > return -EINVAL; > > sdev = zfcp_unit_sdev(unit); > if (sdev) { > scsi_remove_device(sdev); > scsi_device_put(sdev); > } > > // unit->dev (R = 2) > put_device(&unit->dev); > // unit->dev (R = 1) > device_unregister(&unit->dev); > // unit->dev (R = 0) > > return 0; > } > > If we now apply this patch, we'd end up with R = 1 after > `device_unregister()`, and the device would not be properly removed. > > If you still think that's wrong, then you'll need to better explain why. > Hi Banjamin and Cornelia, Your replies make me reliaze that I've been holding a mistake understanding of put_device() as well as reference count. Thanks for you two's patient explanation !! BTW, should I send a v2 on these two patches to move the position of put_device()? >