From: sashiko-bot@kernel.org
To: "Yousef Alhouseen" <alhouseenyousef@gmail.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH 2/2] scsi: 3w-xxxx: sanitize passthrough SGLs
Date: Thu, 25 Jun 2026 09:26:50 +0000 [thread overview]
Message-ID: <20260625092651.4CFA11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625085842.4522-2-alhouseenyousef@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The DMA buffer is freed while the hardware may still be actively writing to it on timeout failure paths.
--
commit 046079df1a1f193432bc739db902b2c478f12b8c
Author: Yousef Alhouseen <alhouseenyousef@gmail.com>
scsi: 3w-xxxx: sanitize passthrough SGLs
TW_CMD_PACKET_WITH_DATA accepts a command packet from userspace and
patches only the first SGL entry before posting it to the controller. The
command size and remaining SGL contents can still describe user-controlled
DMA descriptors to firmware.
> diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
> index c68678fa72c1e..58bab58083c08 100644
> --- a/drivers/scsi/3w-xxxx.c
> +++ b/drivers/scsi/3w-xxxx.c
[ ... ]
> @@ -966,17 +967,31 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a
> /* Load the sg list */
> switch (TW_SGL_OUT(tw_ioctl->firmware_command.opcode__sgloffset)) {
> case 2:
> + memset(tw_ioctl->firmware_command.byte8.param.sgl, 0,
> + sizeof(tw_ioctl->firmware_command.byte8.param.sgl));
> + tw_ioctl->firmware_command.size = 4;
> tw_ioctl->firmware_command.byte8.param.sgl[0].address = dma_handle + sizeof(TW_New_Ioctl);
> tw_ioctl->firmware_command.byte8.param.sgl[0].length = data_buffer_length_adjusted;
> break;
> case 3:
> + memset(tw_ioctl->firmware_command.byte8.io.sgl, 0,
> + sizeof(tw_ioctl->firmware_command.byte8.io.sgl));
> + tw_ioctl->firmware_command.size = 5;
> tw_ioctl->firmware_command.byte8.io.sgl[0].address = dma_handle + sizeof(TW_New_Ioctl);
> tw_ioctl->firmware_command.byte8.io.sgl[0].length = data_buffer_length_adjusted;
> break;
> case 5:
> + memset(passthru->sg_list, 0, sizeof(passthru->sg_list));
> + passthru->size = 7;
> passthru->sg_list[0].address = dma_handle + sizeof(TW_New_Ioctl);
> passthru->sg_list[0].length = data_buffer_length_adjusted;
> break;
> + default:
> + retval = -EINVAL;
> + tw_dev->chrdev_request_id = TW_IOCTL_CHRDEV_FREE;
> + tw_state_request_finish(tw_dev, request_id);
> + spin_unlock_irqrestore(tw_dev->host->host_lock, flags);
> + goto out2;
> }
>
> memcpy(tw_dev->command_packet_virtual_address[request_id], &(tw_ioctl->firmware_command), sizeof(TW_Command));
[Severity: High]
This is a pre-existing issue, but does tw_chrdev_ioctl() have a use-after-free
risk when handling command timeouts?
If wait_event_timeout() times out and tw_reset_device_extension() fails, the
driver jumps to out2 and calls dma_free_coherent() on the ioctl buffer:
tw_chrdev_ioctl() {
...
timeout = wait_event_timeout(tw_dev->ioctl_wqueue,
tw_dev->chrdev_request_id == TW_IOCTL_CHRDEV_FREE,
timeout);
if (tw_dev->chrdev_request_id != TW_IOCTL_CHRDEV_FREE) {
retval = -EIO;
if (tw_reset_device_extension(tw_dev)) {
goto out2;
}
}
...
out2:
dma_free_coherent(..., cpu_addr, dma_handle);
}
Since the hardware was not successfully reset, couldn't the controller still
be actively performing DMA writes to this freed page after it is returned to
the page allocator?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625085842.4522-1-alhouseenyousef@gmail.com?part=2
next prev parent reply other threads:[~2026-06-25 9:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 8:58 [PATCH 1/2] scsi: 3w-9xxx: sanitize passthrough SGLs Yousef Alhouseen
2026-06-25 8:58 ` [PATCH 2/2] scsi: 3w-xxxx: " Yousef Alhouseen
2026-06-25 9:26 ` sashiko-bot [this message]
2026-06-25 9:31 ` [PATCH 1/2] scsi: 3w-9xxx: " sashiko-bot
2026-06-25 13:57 ` [PATCH v2 " Yousef Alhouseen
2026-06-25 14:15 ` sashiko-bot
2026-06-25 13:57 ` [PATCH v2 2/2] scsi: 3w-xxxx: " Yousef Alhouseen
2026-06-25 14:08 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625092651.4CFA11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alhouseenyousef@gmail.com \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.