[PATCH v5 5/7] scsi: core: Fix a use-after-free related to releasing device handlers

From: Bart Van Assche <bvanassche@acm.org>
To: "Martin K . Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, Bart Van Assche <bvanassche@acm.org>,
	Jun'ichi Nomura <j-nomura@ce.jp.nec.com>,
	Christoph Hellwig <hch@lst.de>, Ming Lei <ming.lei@redhat.com>,
	Hannes Reinecke <hare@suse.de>,
	John Garry <john.garry@huawei.com>,
	Mike Christie <michael.christie@oracle.com>,
	Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	James Bottomley <JBottomley@Odin.com>
Subject: [PATCH v5 5/7] scsi: core: Fix a use-after-free related to releasing device handlers
Date: Wed, 14 Sep 2022 15:56:19 -0700	[thread overview]
Message-ID: <20220914225621.415631-6-bvanassche@acm.org> (raw)
In-Reply-To: <20220914225621.415631-1-bvanassche@acm.org>

The SCSI device name can be freed by kobject_cleanup() before
scsi_device_dev_release_usercontext() is called since the latter function
may be called asynchronously. Hence, the SCSI device name must not be
dereferenced from inside the SCSI device release function. Since
scsi_dh_release_device() dereferences the SCSI device name, call it
earlier. This patch fixes the following use-after-free:

BUG: KASAN: use-after-free in string+0xdc/0x1d0
Read of size 1 at addr ffff8881280d05f0 by task kworker/54:2/1373

CPU: 54 PID: 1373 Comm: kworker/54:2 Tainted: G            E      6.0.0-rc5-dbg #12
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
Workqueue: events scsi_device_dev_release_usercontext
Call Trace:
 <TASK>
 show_stack+0x4e/0x53
 dump_stack_lvl+0x51/0x66
 print_address_description.constprop.0.cold+0xd5/0x412
 print_report.cold+0x90/0x219
 kasan_report+0xb1/0xe0
 __asan_load1+0x4d/0x50
 string+0xdc/0x1d0
 vsnprintf+0x44d/0x7f0
 snprintf+0x88/0xa0
 dev_vprintk_emit+0x19c/0x1dc
 dev_printk_emit+0x8c/0xa6
 __dev_printk+0x73/0x8f
 _dev_printk+0xa8/0xbe
 sdev_prefix_printk+0x12c/0x180
 scsi_dh_release_device+0x74/0xa0
 scsi_device_dev_release_usercontext+0x60/0x8a0
 process_one_work+0x571/0xa40
 worker_thread+0x90/0x650
 kthread+0x185/0x1c0
 ret_from_fork+0x1f/0x30

Freed by task 509:
 kasan_save_stack+0x26/0x50
 kasan_set_track+0x25/0x30
 kasan_set_free_info+0x24/0x40
 ____kasan_slab_free+0x155/0x1c0
 __kasan_slab_free+0x12/0x20
 kfree+0x1fe/0x3e0
 kfree_const+0x21/0x30
 kobject_cleanup+0x8d/0x1c0
 kobject_put+0x6e/0x90
 put_device+0x13/0x20
 __scsi_remove_device+0x140/0x200
 scsi_forget_host+0xa7/0xb0
 scsi_remove_host+0x9b/0x1b0
 srp_remove_work+0x12b/0x2e0 [ib_srp]
 process_one_work+0x571/0xa40
 worker_thread+0x90/0x650
 kthread+0x185/0x1c0
 ret_from_fork+0x1f/0x30

Cc: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: John Garry <john.garry@huawei.com>
Cc: Mike Christie <michael.christie@oracle.com>
Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Fixes: 23695e41a1ca ("scsi_dh: fix use-after-free when removing scsi device")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
 drivers/scsi/scsi_sysfs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 5d61f58399dc..a3aaafdeac1d 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -456,8 +456,6 @@ static void scsi_device_dev_release_usercontext(struct work_struct *work)
 
 	mod = sdev->host->hostt->module;
 
-	scsi_dh_release_device(sdev);
-
 	parent = sdev->sdev_gendev.parent;
 
 	spin_lock_irqsave(sdev->host->host_lock, flags);
@@ -1479,6 +1477,9 @@ void __scsi_remove_device(struct scsi_device *sdev)
 	kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
 	cancel_work_sync(&sdev->requeue_work);
 
+	/* Only detach the device handler after I/O processing has finished. */
+	scsi_dh_release_device(sdev);
+
 	if (sdev->host->hostt->slave_destroy)
 		sdev->host->hostt->slave_destroy(sdev);
 	transport_destroy_device(dev);
