Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp7035052rwl;
        Wed, 22 Mar 2023 20:49:07 -0700 (PDT)
X-Google-Smtp-Source: AK7set9+F5UNtmU0JYnQuHC+dPwccblAlKH+Rroii78qhaTzJViMLdGlLd3lXF10aAGov/uJDAyw
X-Received: by 2002:a05:6402:895:b0:4fc:5888:473a with SMTP id e21-20020a056402089500b004fc5888473amr9696238edy.9.1679543347688;
        Wed, 22 Mar 2023 20:49:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679543347; cv=none;
        d=google.com; s=arc-20160816;
        b=N3fv3O4LCnvJt2B2M4JgtKF6P86BaqaHM3hDIPbw252SJ2cWUJgHzs0D7a/DALeVsA
         tMWuKuCtQmPMbYjuoLS/j16JHLCKhzKrHnJvdsdudINgSovw1yXZlPgpfINzDfqudfM3
         O3am5r642ukVnWtgQQEMVhVqUvHGBioc+8XyYP3fgVBB/tJxbA0InSSEs+s5N5kiYYnw
         Odl9GKfDvMaIM/yl8l+RRdd9NJxC4vGIg2l1unhA/7v2TkxSFfBOX1PnPNzFa9KqGJ8C
         /erI5OlJiRdrmJ/jLXOOoA+NG7ckOGkDwBIQcZXlyD7NAX8uVtLgvuhmIZSvcnqIkeqi
         0vcQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=I171lXLGYV7u+3rjBTP4CGRLJzbcrLM+Iqv+gS6+BCY=;
        b=iS9j+i+ZMD1Rqf+pFktPqhyXuRbsoH1tfW2B4I6eGysyZDpqTpoyEgRhObRAFfRgVD
         G5923TOe/Pk649oD6hwo+rWJNzXUQJ6Abu3/R+pNmbwatCg7XcnR0W8FkQ6FO7+NqM4J
         1iMeAUzCQX3fxhmcLvjSqFuOgiuU9B0DSIO1rXjAQ4VVEdV4Fym+C0TrLu+eBipYLA5O
         qI2+s25BLytxtjQvchH2tEUlT9Loh3pJIL/A9Nxfi9W3nVnahfGbOm3ty/vj81GntTE9
         7WJp8A9crSXCfP1JG+oSpOPMWMBEw52//xpeUYD7ZHmWTOSYD8M3bf67TNuKmWYIpe70
         T9iA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b="UHmSP/BA";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id h23-20020aa7c957000000b004fd298d2f99si16341718edt.492.2023.03.22.20.48.43;
        Wed, 22 Mar 2023 20:49:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b="UHmSP/BA";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230164AbjCWDpN (ORCPT <rfc822;andreas.gruenbacher@gmail.com>
        + 99 others); Wed, 22 Mar 2023 23:45:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57946 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230025AbjCWDpL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 Mar 2023 23:45:11 -0400
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BE562BF20;
        Wed, 22 Mar 2023 20:45:07 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id u38so7575508pfg.10;
        Wed, 22 Mar 2023 20:45:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112; t=1679543107;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=I171lXLGYV7u+3rjBTP4CGRLJzbcrLM+Iqv+gS6+BCY=;
        b=UHmSP/BABiNrDs8XARQZV9iEOWMitcUws55M1qHqpkGa6OSQniJHlHhrxyNZWnwPCK
         Lf0dO7yD181b1KnNAznzZQ0y70lceC1yNpzKUOQbEUvZHwkYu7GmC/ukouxWpW7pH3IW
         79xpYXjKunNyHFBvVi7wLZYR35kiFX0Ss+XsunBTkVMw4/+BKpN/G9Z02XpcsAq6mbQ2
         MLwPJLWoBjCsnOkljUuA+WgHq5wC1d2j/VEd4nSp4DWt75Y5FiAfkL8bzOUxA/DpHJHC
         UZ0UvmHvrK4hggoEa7DCr+LdTbgw9VodsjeNdy9WW1B3JtkRxIKxvu9j/GGMgIP+aAnQ
         YdCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112; t=1679543107;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=I171lXLGYV7u+3rjBTP4CGRLJzbcrLM+Iqv+gS6+BCY=;
        b=oY3tJF6n4JAY+SuyzP5xayNhoxSJhXK+xCIBnNbfpr7ynVYYrrRO1VMEw69j6xhN8s
         ZJsIiNeyZPEmOY2VBdE5BbfBtsm8ifgzaiHtt3n+ZNoCgVMgaYHSJ6tIOIrwCp6pzyaG
         Y+QuDFLMjNe8fqO81FnWuZAeCMmUKVDNZI83UETL0GOW5BEDLSUPpHvAsaeyzTGdagrk
         hz6h9WwxPC4EM4q8mn9Vfq8wWiNPZkkO0iTbAmPl0G2dS16w6ORJL03J1+l9GItxNXXT
         0U0NhOGWpOdHiE8wT+knxSD+V+m6oaTHqjpVrdCa/cJ3CePqOCYwSx/uUvEWUehiAtqi
         WYcQ==
X-Gm-Message-State: AO0yUKUn9vsaCT2+UMG9ds5Awg6xR7WoR5MRpupGXG8q5/BtyaOXM83U
        TL522szRASBVPFdcAEEVUKm8fhLw5nnB4nQB/cK4Hl4R8hiPhA==
X-Received: by 2002:a05:6a00:9a9:b0:625:563e:7d17 with SMTP id
 u41-20020a056a0009a900b00625563e7d17mr3332605pfg.0.1679543106787; Wed, 22 Mar
 2023 20:45:06 -0700 (PDT)
MIME-Version: 1.0
References: <20230318081303.792969-1-zyytlz.wz@163.com> <bce4f9d8-e4b9-39e6-4534-34b7dc7d43ac@oracle.com>
In-Reply-To: <bce4f9d8-e4b9-39e6-4534-34b7dc7d43ac@oracle.com>
From:   Zheng Hacker <hackerzheng666@gmail.com>
Date:   Thu, 23 Mar 2023 11:44:54 +0800
Message-ID: <CAJedcCx9s9HSbJEEb_RUmW7yjSMkYaoXhuH9qrqYo1smpL=iJw@mail.gmail.com>
Subject: Re: [PATCH RESEND] scsi: qedi: Fix use after free bug in qedi_remove
 due to race condition
To:     Mike Christie <michael.christie@oracle.com>
Cc:     Zheng Wang <zyytlz.wz@163.com>, njavali@marvell.com,
        mrangankar@marvell.com, GR-QLogic-Storage-Upstream@marvell.com,
        jejb@linux.ibm.com, martin.petersen@oracle.com,
        linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
        1395428693sheep@gmail.com, alex000young@gmail.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Mike Christie <michael.christie@oracle.com> =E4=BA=8E2023=E5=B9=B43=E6=9C=
=8821=E6=97=A5=E5=91=A8=E4=BA=8C 00:11=E5=86=99=E9=81=93=EF=BC=9A
>
> On 3/18/23 3:13 AM, Zheng Wang wrote:
> > In qedi_probe, it calls __qedi_probe, which bound &qedi->recovery_work
> > with qedi_recovery_handler and bound &qedi->board_disable_work
> > with qedi_board_disable_work.
> >
> > When it calls qedi_schedule_recovery_handler, it will finally
> > call schedule_delayed_work to start the work.
> >
> > When we call qedi_remove to remove the driver, there
> > may be a sequence as follows:
> >
> > Fix it by finishing the work before cleanup in qedi_remove.
> >
> > CPU0                  CPU1
> >
> >                      |qedi_recovery_handler
> > qedi_remove          |
> >   __qedi_remove      |
> > iscsi_host_free      |
> > scsi_host_put        |
> > //free shost         |
> >                      |iscsi_host_for_each_session
> >                      |//use qedi->shost
> >
> > Fixes: 4b1068f5d74b ("scsi: qedi: Add MFW error recovery process")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> >  drivers/scsi/qedi/qedi_main.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_mai=
n.c
> > index f2ee49756df8..25223f6f5344 100644
> > --- a/drivers/scsi/qedi/qedi_main.c
> > +++ b/drivers/scsi/qedi/qedi_main.c
> > @@ -2414,6 +2414,10 @@ static void __qedi_remove(struct pci_dev *pdev, =
int mode)
> >       int rval;
> >       u16 retry =3D 10;
> >
> > +     /*cancel work*/
>
> This comment is not needed. The name of the functions you are calling hav=
e
> "cancel" and "work" in them so we know. If you want to add a comment expl=
ain
> why the cancel calls are needed here.
>

Hi,

Sorry for my late reply and thanks for your advice. Will remove it in
the next version of patch.

>
> > +     cancel_delayed_work_sync(&qedi->recovery_work);
> > +     cancel_delayed_work_sync(&qedi->board_disable_work);
>
>
> How do you know after you have called cancel_delayed_work_sync that
> schedule_recovery_handler or schedule_hw_err_handler can't be called?
> I don't know the qed driver well, but it looks like you could have
> operations still running, so after you cancel here one of those ops
> could lead to them scheduling the work again.
>

Sorry I didn't know how to make sure there's no more schedule. But I do thi=
nk
this is important. Maybe there're someone else who can give us advice.

Best regards,
Zheng
>
> > +
> >       if (mode =3D=3D QEDI_MODE_NORMAL)
> >               iscsi_host_remove(qedi->shost, false);
> >       else if (mode =3D=3D QEDI_MODE_SHUTDOWN)
>