From patchwork Thu Jul 9 07:08:48 2020
X-Patchwork-Submitter: Li Xiao Keng
X-Patchwork-Id: 11653651
X-Patchwork-Delegate: christophe.varoqui@free.fr
From: lixiaokeng
Date: Thu, 9 Jul 2020 15:08:48 +0800
Cc: linfeilong@huawei.com, liuzhiqiang26@huawei.com, lutianxiong@huawei.com
Subject: [dm-devel] [dm-level] master - libmultipath: fix use after free when iscsi logs in
List-Id: device-mapper development

When two iscsi ips log in and out alternately and the following script
runs at the same time,

    #!/bin/bash
    interval=5
    while true
    do
        iscsiadm -m node -p 9.41.147.171 &> /dev/null
        iscsiadm -m node -p 9.41.148.172 &> /dev/null
        iscsiadm -m session &> /dev/null
        rescan-scsi-bus.sh &> /dev/null
        multipath -v2 &> /dev/null
        multipath -ll &> /dev/null
        sleep $interval
    done

multipathd will have a segfault after about 30 mins.

The reason is that mpp->hwe is accessed after hwe is already freed. In
extract_hwe_from_path func, mpp->hwe is set to pp->hwe, so they point to
the same hwe. For some reason, pp->mpp will be set to NULL in orphan_path
func. Then, pp and hwe will be freed with (pp->mpp == NULL) in free_path
func called by ev_remove_path func. However, mpp->hwe is not set to NULL
while hwe is already freed. So, when iscsi device logs in and new path is
added to mpp, mpp->hwe will be accessed in select_pgfailback func.
Finally, a use-after-free problem occurs.

The procedure details are given as follows,

1.wait_dmevents thread
wait_dmevents
  ->dmevent_loop
  ->update_multipath
  ->__setup_multipath
  ->update_multipath_strings
  -> sync_paths
  ->orphan_path

2.uevqloop thread (iscsi log out, remove path)
uevqloop
  ->uevent_dispatch
  ->service_uevq
  ->uev_remove_path
  ->ev_remove_path //pp->mpp is NULL
  ->free_path(pp) //pp->hwe is freed but mpp->hwe is not set to NULL

3.ev_remove_path (iscsi log in, add path)
uevqloop
  ->uevent_dispatch
  ->service_uevq
  ->ev_add_path
  ->select_pgfailback //mpp->hwe is accessed

Here, we will set mpp->hwe to NULL before setting pp->mpp to NULL in
orphan_path func.

Signed-off-by: Tianxiong Lu
Signed-off-by: lixiaokeng
Signed-off-by: Zhiqiang Liu
---
 libmultipath/structs_vec.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.26.1

diff --git a/libmultipath/structs_vec.c b/libmultipath/structs_vec.c index 3dbbaa0..9bbe5d1 100644 --- a/libmultipath/structs_vec.c +++ b/libmultipath/structs_vec.c @@ -93,6 +93,8 @@ int adopt_paths(vector pathvec, struct multipath *mpp) void orphan_path(struct path *pp, const char *reason) { condlog(3, "%s: orphan path, %s", pp->dev, reason); + if (pp->mpp && pp->mpp->hwe == pp->hwe) + pp->mpp->hwe = NULL; pp->mpp = NULL; pp->dmstate = PSTATE_UNDEF; pp->uid_attribute = NULL;
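
Review bot: In orphan_path, the added check clears pp->mpp->hwe whenever it aliases pp->hwe, but nothing repopulates it, so the map is left with hwe == NULL even when other paths still belong to it. The commit message says mpp->hwe is set from pp->hwe in extract_hwe_from_path and is read later in select_pgfailback; please confirm that every reader of mpp->hwe tolerates NULL, or re-derive it from a remaining path after orphaning. Since the description has orphan_path and free_path running in different threads (wait_dmevents and uevqloop), a short comment above the new lines should also say which lock protects mpp->hwe at this point and that mpp only borrows the pointer that free_path releases together with the path.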