Date: Thu, 21 Apr 2022 23:24:36 +0800
From: Wenchao Hao
To: Hannes Reinecke, "James E.J. Bottomley", "Martin K. Petersen", "linux-kernel@vger.kernel.org"
CC: Feilong Lin
Subject: Re: [Question] SCSI_EH: How does EH guarantee there is no UAF of scsi_cmnd if host reset failed
References: <6301e87f-15f6-4c1f-41f5-d2f1aa4eedd7@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022/4/19 22:56, Hannes Reinecke wrote:
> On 4/19/22 16:28, Wenchao Hao wrote:
>> Hi all, I am wondering how SCSI EH guarantees there is no UAF of scsi_cmnd
>> if host reset failed. If host reset failed and eh_cmd_q of shost is not empty,
>> these commands in eh_cmd_q would be added to done_q in scsi_eh_offline_sdevs()
>> and finished by scsi_eh_flush_done_q(). So these scsi_cmnds and their related
>> requests would be freed.
>>
> Yes.
>
>> However, since host reset failed, we cannot guarantee the LLDDs have cleared all
>> references to these commands in eh_cmd_q. Is there any possibility that the
>> LLDDs reference these commands? If this happened, then a use-after-free
>> issue would occur.
>>
> If host reset has failed there are _no_ assumptions we can make about commands, and not even about the PCI device itself.
> So in effect, once host_reset failed the system is hosed.
>
> We _might_ be able to resurrect the system by doing PCI EEH, but not many systems nor drivers implement that.
>
> Cheers,
>
> Hannes
>

Thanks a lot for your reply.

I am writing the single LUN reset EH flow which was discussed in the previous mail and testing it; if the test result is good I will post it.

By the way, you said you would rework EH; are you doing it? Could you tell us your plan if it's not secret?
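
The ownership hazard discussed in this thread, as an added userspace C model (not part of the original mail and not kernel code): commands on the EH queue are finished whether or not host reset succeeded, and the model counts how many pointers the low-level driver would still hold to finished commands. All `model_*` names, `NCMDS` and the assumption that a successful reset drops every driver reference are hypothetical simplifications.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace model only; names are hypothetical, not kernel code. */
enum cmd_state { CMD_IN_EH_Q, CMD_FREED };
struct model_cmd { enum cmd_state state; };
#define NCMDS 4
struct model_host {
    struct model_cmd cmds[NCMDS];     /* constructed: commands stuck in EH */
    struct model_cmd *lld_ref[NCMDS]; /* pointers the LLDD still tracks */
};

/* Reset success makes the LLDD drop its references; failure leaves them. */
static bool model_host_reset(struct model_host *h, bool hw_responds)
{
    for (size_t i = 0; hw_responds && i < NCMDS; i++)
        h->lld_ref[i] = NULL;
    return hw_responds;
}

/* Stand-in for offline + flush; "freed" is a flag, so the model stays memory-safe. */
static void model_offline_and_flush(struct model_host *h)
{
    for (size_t i = 0; i < NCMDS; i++)
        if (h->cmds[i].state == CMD_IN_EH_Q)
            h->cmds[i].state = CMD_FREED; /* EH queue -> done queue -> finished */
}

/* Run one recovery attempt; return how many LLDD pointers dangle afterwards. */
size_t model_dangling_refs(bool hw_responds)
{
    struct model_host h;
    size_t n = 0;
    for (size_t i = 0; i < NCMDS; i++) {
        h.cmds[i].state = CMD_IN_EH_Q;
        h.lld_ref[i] = &h.cmds[i];
    }
    model_host_reset(&h, hw_responds);
    model_offline_and_flush(&h);
    for (size_t i = 0; i < NCMDS; i++)
        if (h.lld_ref[i] && h.lld_ref[i]->state == CMD_FREED)
            n++;
    return n;
}

int main(void)
{
    printf("ok=%zu failed=%zu\n", model_dangling_refs(true), model_dangling_refs(false));
    return 0;
}
```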