Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp810492pxb;
        Fri, 22 Apr 2022 11:38:39 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzdpacRwylMq6JXNLsjRIxWXjkxcMIGwGkpTnHQPAR/D+jNBI4czWzJWrrGAcFDbi+lVEwj
X-Received: by 2002:a65:618d:0:b0:39e:2d10:6d69 with SMTP id c13-20020a65618d000000b0039e2d106d69mr4976602pgv.468.1650652719498;
        Fri, 22 Apr 2022 11:38:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1650652719; cv=none;
        d=google.com; s=arc-20160816;
        b=xm8Mz9COKlKqydhlAeHCGXcJ5po+q5ZzY2J4gqrl3gFO0KLGhQh+EODOeq5jBg7RNb
         rI+i/rhTVCJ2KeQ3wASIY9FK6fMvfxhThywwarewYQ2VauXOMGQh5jyCkPv68rWBOGPl
         Fk6v/7lgrjr8W4HbCnudAJXth/ELhMP43fay5FLqhBARIt9p2Rui6qO/S0HHxX+afPDJ
         zlHkiexfR8usx2Mj7cXt9TZvqlLMjaF+cEbg3PwKXx5czz0TNdNqfpD1QFsY7JqvQozT
         lxfMtWAku2a+8s1eANaXol/d8iwpVBrirFEJ42yFrnFSpWS/wPAVCoXvXq8d1Jo0Mw+u
         F+Pg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=I3dUJFVCPXZaMJBWWHsjrJMoHwI/m38j7KfpLhkL4xU=;
        b=sUPvBL1t9QbuDlzwUKeM8fXhEHZ11kTRz1U3m1lgGPSLRdLuI/wsQ4UZnzoMVNQyx8
         6SEG4RfGJri+vDTZ4xSi2L9MF52MRxgg9LCzFoA45ZI2nlcpDwZVQiKOIziX/gd7qV/v
         bnhB5b8BtlQ7eme+fASKqnpV77bJeFBXvWO6HXtaKUbrSiJ0np3Jy/9QBCAGgfAbCJ0d
         ufq4i1eUd8+Xa5+f80kkJt9yN+zmIaeWmDSxq3ELLUC7xtJSc7iqmVUgjgZfneZRNtwZ
         VrUPgh7QRADKzMRowJimDqCWt0QwQvYCcIc+oz4y49FInnVBm6S76bIdGcSLJgd8oyoW
         Kzkw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id kb18-20020a17090ae7d200b001ca67459147si10506302pjb.104.2022.04.22.11.38.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 22 Apr 2022 11:38:39 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9FED915CF60;
	Fri, 22 Apr 2022 11:07:54 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1351620AbiDUP1y (ORCPT <rfc822;alexandru.stratulat91@gmail.com>
        + 99 others); Thu, 21 Apr 2022 11:27:54 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55830 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232403AbiDUP1a (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 21 Apr 2022 11:27:30 -0400
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C0B643AC0;
        Thu, 21 Apr 2022 08:24:39 -0700 (PDT)
Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.53])
        by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4Kkh6y2WlDzCrQS;
        Thu, 21 Apr 2022 23:20:10 +0800 (CST)
Received: from dggpemm500017.china.huawei.com (7.185.36.178) by
 dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Thu, 21 Apr 2022 23:24:36 +0800
Received: from [10.174.178.220] (10.174.178.220) by
 dggpemm500017.china.huawei.com (7.185.36.178) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Thu, 21 Apr 2022 23:24:36 +0800
Message-ID: <b6777ef0-629c-0bb6-da5a-6aef096b6079@huawei.com>
Date:   Thu, 21 Apr 2022 23:24:36 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.8.0
Subject: Re: [Question] SCSI_EH: How does EH guarantee there is no UAF of
 scsi_cmnd if host reset failed
Content-Language: en-US
To:     Hannes Reinecke <hare@suse.de>,
        "James E.J. Bottomley" <jejb@linux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        <linux-scsi@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
CC:     Feilong Lin <linfeilong@huawei.com>
References: <6301e87f-15f6-4c1f-41f5-d2f1aa4eedd7@huawei.com>
 <da087e9b-bd07-e5fd-421d-242e6adce22b@suse.de>
From:   Wenchao Hao <haowenchao@huawei.com>
In-Reply-To: <da087e9b-bd07-e5fd-421d-242e6adce22b@suse.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.174.178.220]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
 dggpemm500017.china.huawei.com (7.185.36.178)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-3.0 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,
	RDNS_NONE,SPF_HELO_NONE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 2022/4/19 22:56, Hannes Reinecke wrote:
> On 4/19/22 16:28, Wenchao Hao wrote:
>> Hi all, I am wondered how does SCSI EH guarantee there is no UAF of scsi_cmnd
>> if host reset failed. If host reset failed and eh_cmd_q of shost is not empty,
>> these command in eh_cmd_q would be added to done_q in scsi_eh_offline_sdevs()
>> and finished by scsi_eh_flush_done_q(). So these scsi_cmnd and it's related
>> request would be freed.
>>
> Yes.
> 
>> While since host reset failed, we can not guarantee the LLDDs has cleared all
>> references to these commands in eh_cmd_q. Is there any possibility that the
>> LLDDs reference to these commands? If this happened, then a using after free
>> issue would occur.
>>
> If host reset has failed there are _no_ assumptions we can make about commands, and not even about the PCI device itself.
> So in effect, once host_reset failed the system is hosed.
> 
> We _might_ be able to resurrect the system by doing PCI EEH, but not many systems nor drivers implement that.
> 
> Cheers,
> 
> Hannes
> 
> .

Thanks a lot for your reply. I am writing single LUN reset EH flow which discussed in previous mail
and testing it, if the test result is good I would post it.

By the way, you said you would make EH rework, are you doing it? Could you tell us your plan
if it's not secret.