From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: yuuzheng <yuuzheng@google.com>,
Jack Wang <jinpu.wang@cloud.ionos.com>,
Viswas G <Viswas.G@microchip.com>,
Ruksar Devadi <Ruksar.devadi@microchip.com>,
Radha Ramachandran <radha@google.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 06/66] scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition
Date: Tue, 22 Dec 2020 21:21:52 -0500 [thread overview]
Message-ID: <20201223022253.2793452-6-sashal@kernel.org> (raw)
In-Reply-To: <20201223022253.2793452-1-sashal@kernel.org>
From: yuuzheng <yuuzheng@google.com>
[ Upstream commit 1f889b58716a5f5e3e4fe0e6742c1a4472f29ac1 ]
A use-after-free or null-pointer error occurs when the 251-byte response
data is copied from IOMB buffer to response message buffer in function
pm8001_mpi_get_nvmd_resp().
After sending the command get_nvmd_data(), the caller begins to sleep by
calling wait_for_complete() and waits for the wake-up from calling
complete() in pm8001_mpi_get_nvmd_resp(). Due to unexpected events (e.g.,
interrupt), if response buffer gets freed before memcpy(), a use-after-free
error will occur. To fix this, the complete() should be called after
memcpy().
Link: https://lore.kernel.org/r/20201102165528.26510-5-Viswas.G@microchip.com.com
Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: yuuzheng <yuuzheng@google.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
Signed-off-by: Ruksar Devadi <Ruksar.devadi@microchip.com>
Signed-off-by: Radha Ramachandran <radha@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_hwi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
index f374abfb7f1f8..44a4630fdb2f8 100644
--- a/drivers/scsi/pm8001/pm8001_hwi.c
+++ b/drivers/scsi/pm8001/pm8001_hwi.c
@@ -3196,10 +3196,15 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb)
pm8001_ha->memoryMap.region[NVMD].virt_ptr,
fw_control_context->len);
kfree(ccb->fw_control_context);
+ /* To avoid race condition, complete should be
+ * called after the message is copied to
+ * fw_control_context->usrAddr
+ */
+ complete(pm8001_ha->nvmd_completion);
+ PM8001_MSG_DBG(pm8001_ha, pm8001_printk("Set nvm data complete!\n"));
ccb->task = NULL;
ccb->ccb_tag = 0xFFFFFFFF;
pm8001_tag_free(pm8001_ha, tag);
- complete(pm8001_ha->nvmd_completion);
}
int pm8001_mpi_local_phy_ctl(struct pm8001_hba_info *pm8001_ha, void *piomb)
--
2.27.0
next prev parent reply other threads:[~2020-12-23 2:41 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-23 2:21 [PATCH AUTOSEL 4.14 01/66] locks: Fix UBSAN undefined behaviour in flock64_to_posix_lock Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 02/66] tomoyo: fix clang pointer arithmetic warning Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 03/66] crypto: omap-aes - fix the reference count leak of omap device Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 04/66] staging: wimax: depends on NET Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 05/66] scsi: pm80xx: Avoid busywait in FW ready check Sasha Levin
2020-12-23 2:21 ` Sasha Levin [this message]
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 07/66] staging: ks7010: fix missing destroy_workqueue() on error in ks7010_sdio_probe Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 08/66] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 09/66] mips: ar7: add missing iounmap() on error in ar7_gpio_init Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 10/66] mips: cm: add missing iounmap() on error in mips_cm_probe() Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 11/66] locktorture: Prevent hangs for invalid arguments Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 12/66] rcutorture: " Sasha Levin
2020-12-23 2:21 ` [PATCH AUTOSEL 4.14 13/66] drm: panel: simple: add missing platform_driver_unregister() in panel_simple_init Sasha Levin
2020-12-23 2:21 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 14/66] drm/ast: Fixed 1920x1080 sync. polarity issue Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 15/66] s390/trng: set quality to 1024 Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 16/66] Bluetooth: hidp: use correct wait queue when removing ctrl_wait Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 17/66] net: skb_vlan_untag(): don't reset transport offset if set by GRO layer Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 18/66] mwifiex: pcie: skip cancel_work_sync() on reset failure path Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 19/66] MIPS: BMC47xx: fix kconfig dependency bug for BCM47XX_SSB Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 20/66] jfs: Fix memleak in dbAdjCtl Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 21/66] media: zr364xx: propagate errors from zr364xx_start_readpipe() Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 22/66] media: cec-core: first mark device unregistered, then wake up fhs Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 23/66] media: isif: reset global state Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 24/66] s390/dasd: Fix operational path inconsistency Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 25/66] media: usb: dvb-usb-v2: zd1301: fix missing platform_device_unregister() Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 26/66] media: dvbdev: Fix memleak in dvb_register_device Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 27/66] mmc: tmio: do not print real IOMEM pointer Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 28/66] ARM: OMAP2+: Fix memleak in omap2xxx_clkt_vps_init Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 29/66] MIPS: kvm: Use vm_get_page_prot to get protection bits Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 30/66] scsi: ufs: Atomic update for clkgating_enable Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 31/66] ALSA: usb-audio: Don't call usb_set_interface() at trigger callback Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 32/66] rxrpc: Don't leak the service-side session key to userspace Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 33/66] scsi: atari_scsi: Fix race condition between .queuecommand and EH Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 34/66] ARM: dts: hisilicon: fix errors detected by snps-dw-apb-uart.yaml Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 35/66] ARM: dts: hisilicon: fix errors detected by usb yaml Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 36/66] ARM: dts: hisilicon: fix errors detected by simple-bus.yaml Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 37/66] ARM: dts: hisilicon: fix errors detected by spi-pl022.yaml Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 38/66] selftests/x86/fsgsbase: Fix GS == 1, 2, and 3 tests Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 39/66] brcmsmac: ampdu: Check BA window size before checking block ack Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 40/66] hv_netvsc: Validate number of allocated sub-channels Sasha Levin
2020-12-23 2:47 ` Michael Kelley
2020-12-23 8:59 ` Andrea Parri
2020-12-23 14:14 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 41/66] iommu/tegra-smmu: Expand mutex protection range Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 42/66] arm64: tegra: Fix GIC400 missing GICH/GICV register regions Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 43/66] crypto: qce - Fix SHA result buffer corruption issues Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 44/66] media: gp8psk: initialize stats at power control logic Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 45/66] net/lapb: fix t1 timer handling for LAPB_STATE_0 Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 46/66] x86/pci: Fix the function type for check_reserved_t Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 47/66] x86/mce: Panic for LMCE only if mca_cfg.tolerant < 3 Sasha Levin
2020-12-23 2:22 ` [Bridge] [PATCH AUTOSEL 4.14 48/66] bridge: switchdev: Notify about VLAN protocol changes Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 15:31 ` [Bridge] " Vladimir Oltean
2020-12-23 15:31 ` Vladimir Oltean
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 49/66] MIPS: KASLR: Avoid endless loop in sync_icache if synci_step is zero Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 50/66] cpufreq: sti-cpufreq: fix mem leak in sti_cpufreq_set_opp_info() Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 51/66] cpufreq: mediatek: add missing platform_driver_unregister() on error in mtk_cpufreq_driver_init Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 52/66] clocksource/drivers/sh_cmt: Fix potential deadlock when calling runtime PM Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 53/66] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 54/66] misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 55/66] iwlwifi: trans: consider firmware dead after errors Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 56/66] iwlwifi: add an extra firmware state in the transport Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 57/66] USB: typec: tcpm: Fix PR_SWAP error handling Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 58/66] USB: typec: tcpm: Add a 30ms room for tPSSourceOn in PR_SWAP Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 59/66] nl80211: always accept scan request with the duration set Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 60/66] cfg80211: Save the regulatory domain when setting custom regulatory Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 61/66] mac80211: disallow band-switch during CSA Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 62/66] mac80211: Fix calculation of minimal channel width Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 63/66] mac80211: don't filter out beacons once we start CSA Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 64/66] mac80211: Update rate control on channel change Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 65/66] ALSA: hda/hdmi: packet buffer index must be set before reading value Sasha Levin
2020-12-23 2:22 ` Sasha Levin
2020-12-23 2:22 ` [PATCH AUTOSEL 4.14 66/66] PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201223022253.2793452-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=Ruksar.devadi@microchip.com \
--cc=Viswas.G@microchip.com \
--cc=jinpu.wang@cloud.ionos.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=radha@google.com \
--cc=stable@vger.kernel.org \
--cc=yuuzheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.