Re: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach

From: Bart Van Assche
Date: Wed Jul 28 2021 - 17:55:24 EST

Next message: Kees Cook: "Re: [PATCH 47/64] btrfs: Use memset_after() to clear end of struct"
Previous message: Kees Cook: "Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap"
In reply to: yebin: "Re: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach"
Next in thread: Martin K. Petersen: "Re: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/28/21 7:24 AM, yebin wrote:

On 2021/7/23 12:04, Bart Van Assche wrote:

On 1/12/21 10:31 PM, Ye Bin wrote:

      sdev->handler_data = NULL;
+    synchronize_rcu();
      kfree(h);

What is the purpose of the new synchronize_rcu() call?

Thanks for your reply.
Yes, I add new synchronize_rcu() call is to wait until *h is no longer in use. If free
"h" right now , mybe lead to UAF.

If its purpose is
to wait until *h is no longer in use, please use kfree_rcu() instead.

struct rdac_dh_data {
        struct list_head        node;
        .....
}
As rdac_dh_data.node type is "struct list_head", but kfree_rcu the first parameter type is
"struct rcu_head". So we can only use synchronize_rcu() at here.

Ah, that's right. Hence:

Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>

Next message: Kees Cook: "Re: [PATCH 47/64] btrfs: Use memset_after() to clear end of struct"
Previous message: Kees Cook: "Re: [PATCH 02/64] mac80211: Use flex-array for radiotap header bitmap"
In reply to: yebin: "Re: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach"
Next in thread: Martin K. Petersen: "Re: [PATH v2] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]