All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Yousef Alhouseen" <alhouseenyousef@gmail.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH 2/2] scsi: 3w-xxxx: sanitize passthrough SGLs
Date: Thu, 25 Jun 2026 09:26:50 +0000	[thread overview]
Message-ID: <20260625092651.4CFA11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625085842.4522-2-alhouseenyousef@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The DMA buffer is freed while the hardware may still be actively writing to it on timeout failure paths.
--

commit 046079df1a1f193432bc739db902b2c478f12b8c
Author: Yousef Alhouseen <alhouseenyousef@gmail.com>

scsi: 3w-xxxx: sanitize passthrough SGLs

TW_CMD_PACKET_WITH_DATA accepts a command packet from userspace and
patches only the first SGL entry before posting it to the controller. The
command size and remaining SGL contents can still describe user-controlled
DMA descriptors to firmware.

> diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
> index c68678fa72c1e..58bab58083c08 100644
> --- a/drivers/scsi/3w-xxxx.c
> +++ b/drivers/scsi/3w-xxxx.c

[ ... ]

> @@ -966,17 +967,31 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a
>  			/* Load the sg list */
>  			switch (TW_SGL_OUT(tw_ioctl->firmware_command.opcode__sgloffset)) {
>  			case 2:
> +				memset(tw_ioctl->firmware_command.byte8.param.sgl, 0,
> +				       sizeof(tw_ioctl->firmware_command.byte8.param.sgl));
> +				tw_ioctl->firmware_command.size = 4;
>  				tw_ioctl->firmware_command.byte8.param.sgl[0].address = dma_handle + sizeof(TW_New_Ioctl);
>  				tw_ioctl->firmware_command.byte8.param.sgl[0].length = data_buffer_length_adjusted;
>  				break;
>  			case 3:
> +				memset(tw_ioctl->firmware_command.byte8.io.sgl, 0,
> +				       sizeof(tw_ioctl->firmware_command.byte8.io.sgl));
> +				tw_ioctl->firmware_command.size = 5;
>  				tw_ioctl->firmware_command.byte8.io.sgl[0].address = dma_handle + sizeof(TW_New_Ioctl);
>  				tw_ioctl->firmware_command.byte8.io.sgl[0].length = data_buffer_length_adjusted;
>  				break;
>  			case 5:
> +				memset(passthru->sg_list, 0, sizeof(passthru->sg_list));
> +				passthru->size = 7;
>  				passthru->sg_list[0].address = dma_handle + sizeof(TW_New_Ioctl);
>  				passthru->sg_list[0].length = data_buffer_length_adjusted;
>  				break;
> +			default:
> +				retval = -EINVAL;
> +				tw_dev->chrdev_request_id = TW_IOCTL_CHRDEV_FREE;
> +				tw_state_request_finish(tw_dev, request_id);
> +				spin_unlock_irqrestore(tw_dev->host->host_lock, flags);
> +				goto out2;
>  			}
>  
>  			memcpy(tw_dev->command_packet_virtual_address[request_id], &(tw_ioctl->firmware_command), sizeof(TW_Command));

[Severity: High]
This is a pre-existing issue, but does tw_chrdev_ioctl() have a use-after-free
risk when handling command timeouts?

If wait_event_timeout() times out and tw_reset_device_extension() fails, the
driver jumps to out2 and calls dma_free_coherent() on the ioctl buffer:

tw_chrdev_ioctl() {
    ...
    timeout = wait_event_timeout(tw_dev->ioctl_wqueue,
                                 tw_dev->chrdev_request_id == TW_IOCTL_CHRDEV_FREE,
                                 timeout);

    if (tw_dev->chrdev_request_id != TW_IOCTL_CHRDEV_FREE) {
        retval = -EIO;
        if (tw_reset_device_extension(tw_dev)) {
            goto out2;
        }
    }
    ...
out2:
    dma_free_coherent(..., cpu_addr, dma_handle);
}

Since the hardware was not successfully reset, couldn't the controller still
be actively performing DMA writes to this freed page after it is returned to
the page allocator?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625085842.4522-1-alhouseenyousef@gmail.com?part=2

  reply	other threads:[~2026-06-25  9:26 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-25  8:58 [PATCH 1/2] scsi: 3w-9xxx: sanitize passthrough SGLs Yousef Alhouseen
2026-06-25  8:58 ` [PATCH 2/2] scsi: 3w-xxxx: " Yousef Alhouseen
2026-06-25  9:26   ` sashiko-bot [this message]
2026-06-25  9:31 ` [PATCH 1/2] scsi: 3w-9xxx: " sashiko-bot
2026-06-25 13:57 ` [PATCH v2 " Yousef Alhouseen
2026-06-25 14:15   ` sashiko-bot
2026-06-25 13:57 ` [PATCH v2 2/2] scsi: 3w-xxxx: " Yousef Alhouseen
2026-06-25 14:08   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260625092651.4CFA11F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=alhouseenyousef@gmail.com \
    --cc=linux-scsi@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.