From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: John Garry <john.garry@huawei.com>,
Damien Le Moal <damien.lemoal@opensource.wdc.com>,
Jack Wang <jinpu.wang@ionos.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
jinpu.wang@cloud.ionos.com, jejb@linux.ibm.com,
linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.16 28/42] scsi: pm8001: Fix use-after-free for aborted TMF sas_task
Date: Wed, 9 Feb 2022 13:33:00 -0500 [thread overview]
Message-ID: <20220209183335.46545-28-sashal@kernel.org> (raw)
In-Reply-To: <20220209183335.46545-1-sashal@kernel.org>
From: John Garry <john.garry@huawei.com>
[ Upstream commit 61f162aa4381845acbdc7f2be4dfb694d027c018 ]
Currently a use-after-free may occur if a TMF sas_task is aborted before we
handle the IO completion in mpi_ssp_completion(). The abort occurs due to
timeout.
When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the
sas_task is freed in pm8001_exec_internal_tmf_task().
However, if the I/O completion occurs later, the I/O completion still
thinks that the sas_task is available. Fix this by clearing the ccb->task
if the TMF times out - the I/O completion handler does nothing if this
pointer is cleared.
Link: https://lore.kernel.org/r/1643289172-165636-3-git-send-email-john.garry@huawei.com
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_sas.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 83e73009db5cd..c0b45b8a513d7 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -753,8 +753,13 @@ static int pm8001_exec_internal_tmf_task(struct domain_device *dev,
res = -TMF_RESP_FUNC_FAILED;
/* Even TMF timed out, return direct. */
if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
+ struct pm8001_ccb_info *ccb = task->lldd_task;
+
pm8001_dbg(pm8001_ha, FAIL, "TMF task[%x]timeout.\n",
tmf->tmf);
+
+ if (ccb)
+ ccb->task = NULL;
goto ex_err;
}
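Review bot: the store `ccb->task = NULL` in the ABORTED branch is not shown under any lock, while the completion it is meant to defuse runs asynchronously; if mpi_ssp_completion has already loaded `ccb->task` into a local before this store, the `goto ex_err` path still frees the task underneath it, so the window is narrowed rather than closed. Please state (in a comment above `if (ccb)`) which lock or ordering guarantee serialises this store against the completion's read of `ccb->task`, or take that lock around the clear. A second point for the commit message or a comment: the hunk only clears the back-pointer, so the ccb/tag stays allocated on this path; it is worth saying where it is released when the aborted TMF's completion does arrive, and what happens to the tag if it never does.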
--
2.34.1
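The sequence the commit message describes (the timeout path frees the sas_task, a later completion still finds the stale pointer in the ccb) and the fix of detaching the back-pointer first, as an added example in C. This is not pm8001 driver code and not part of the patch: task_model, ccb_model, ha_model, ha_lock(), ccb_complete(), tmf_timeout() and run_scenario() are hypothetical stand-ins, and the assertion-based "lock" is an assumption about how the two paths are serialised, which the hunk itself does not show. Only the fixed ordering is exercised; the unfixed ordering is a real use-after-free, which is undefined behaviour in a stand-alone program, so the model counts the condition that would trigger it instead of performing it.

```c
/*
 * Added example, not pm8001 driver code: a single-threaded model of the race
 * described above. task_model, ccb_model, ha_model and ha_lock() are hypothetical
 * stand-ins for sas_task, pm8001_ccb_info, the HBA struct and whatever lock the
 * driver uses; the "lock" here only asserts that the two paths never overlap.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TASK_STATE_ABORTED 0x01
#define NUM_CCBS 4

struct task_model { unsigned int task_state_flags; };   /* stand-in for sas_task */
struct ccb_model  { struct task_model *task; };         /* back-pointer; NULL once detached */

struct ha_stats {
	int tasks_freed;
	int ccbs_released;
	int completions_dropped;        /* completions that found no task attached */
	int task_touched_after_abort;   /* the use-after-free condition; must stay 0 */
};

struct ha_model {
	int lock_held;                  /* placeholder for the driver's lock */
	struct ccb_model ccb[NUM_CCBS];
	struct ha_stats st;
};

static void ha_lock(struct ha_model *ha)   { assert(!ha->lock_held); ha->lock_held = 1; }
static void ha_unlock(struct ha_model *ha) { assert(ha->lock_held);  ha->lock_held = 0; }

/* Completion path (stand-in for mpi_ssp_completion). A NULL back-pointer means
 * the timeout path already disposed of the task, so only the ccb is released. */
static void ccb_complete(struct ha_model *ha, int tag)
{
	struct task_model *t;

	ha_lock(ha);
	t = ha->ccb[tag].task;
	if (t) {
		if (t->task_state_flags & TASK_STATE_ABORTED)
			ha->st.task_touched_after_abort++;   /* would be the UAF */
		free(t);
		ha->st.tasks_freed++;
	} else {
		ha->st.completions_dropped++;
	}
	ha->ccb[tag].task = NULL;
	ha->st.ccbs_released++;
	ha_unlock(ha);
}

/* Timeout path (stand-in for the ABORTED branch of pm8001_exec_internal_tmf_task):
 * mark the task aborted, detach it from the ccb, and only then free it. */
static int tmf_timeout(struct ha_model *ha, int tag)
{
	struct task_model *t;

	ha_lock(ha);
	t = ha->ccb[tag].task;
	if (!t) {                         /* completion already ran; nothing to abort */
		ha_unlock(ha);
		return -1;
	}
	t->task_state_flags |= TASK_STATE_ABORTED;
	ha->ccb[tag].task = NULL;         /* the patch's fix: detach before freeing */
	ha->st.tasks_freed++;
	ha_unlock(ha);
	free(t);                          /* stand-in for sas_free_task() after ex_err */
	return 0;
}

/* Issue one TMF on tag 0, run both paths in the given order, return the counters. */
struct ha_stats run_scenario(bool timeout_first)
{
	struct ha_model ha;

	memset(&ha, 0, sizeof(ha));
	ha.ccb[0].task = calloc(1, sizeof(*ha.ccb[0].task));
	assert(ha.ccb[0].task);
	if (timeout_first) {              /* the ordering this patch fixes */
		tmf_timeout(&ha, 0);
		ccb_complete(&ha, 0);
	} else {                          /* control: completion first, timeout finds nothing */
		ccb_complete(&ha, 0);
		tmf_timeout(&ha, 0);
	}
	return ha.st;
}

int main(void)
{
	struct ha_stats s = run_scenario(true);
	printf("timeout then completion: freed=%d released=%d dropped=%d touched_after_abort=%d\n",
	       s.tasks_freed, s.ccbs_released, s.completions_dropped, s.task_touched_after_abort);
	return s.task_touched_after_abort != 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall model.c`, the file name being arbitrary). In the timeout-first order the task is freed exactly once by the timeout path and the late completion is dropped without touching it; in the control order the completion frees the task and the timeout path finds the back-pointer already NULL. The ha_lock() placeholder is the part the hunk leaves open: without some serialisation between the clear and the completion's read, the completion can still load the old pointer before the timeout path stores NULL.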