From: sashiko-bot@kernel.org
To: "Ranjan Kumar" <ranjan.kumar@broadcom.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v1 07/10] mpi3mr: Fix firmware event reference leak during cleanup
Date: Fri, 26 Jun 2026 12:03:03 +0000 [thread overview]
Message-ID: <20260626120304.EC29F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626114109.43685-8-ranjan.kumar@broadcom.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] The patch introduces a Use-After-Free and Double-Free vulnerability by prematurely decrementing the reference count of the currently executing firmware event in the early-exit path of `mpi3mr_cleanup_fwevt_list`.
Pre-existing issues:
- [High] Lockless read of `mrioc->current_event` in `mpi3mr_cleanup_fwevt_list` leads to a Time-of-Check to Time-of-Use (TOCTOU) use-after-free when racing with the firmware event worker thread.
--
commit 50f8b457978a02d12ee5baafb77e83f6f06d294f
Author: Ranjan Kumar <ranjan.kumar@broadcom.com>
Subject: mpi3mr: Fix firmware event reference leak during cleanup
This commit attempts to fix a firmware event reference leak during cleanup.
It adds a call to release the firmware event reference before returning from
the early-exit path when an event is currently executing or pending at the
SCSI mid-layer.
> diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
> index e361fbb8f7235..b60afaeef68d0 100644
> --- a/drivers/scsi/mpi3mr/mpi3mr_os.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
> @@ -399,6 +399,7 @@ void mpi3mr_cleanup_fwevt_list(struct mpi3mr_ioc *mrioc)
> */
[Severity: High]
This is a pre-existing issue, but does the lockless read of current_event
earlier in this function create a race condition with the firmware event
worker thread?
If a soft reset thread executes mpi3mr_cleanup_fwevt_list() and reads the
event into the fwevt pointer, and the worker thread finishes and frees the
event before this thread reaches the pending_at_sml check below, could
dereferencing fwevt result in a use-after-free?
> if (current_work() == &fwevt->work || fwevt->pending_at_sml) {
> fwevt->discard = 1;
> + mpi3mr_fwevt_put(fwevt);
[Severity: High]
Does this additional mpi3mr_fwevt_put() cause a double-free or use-after-free
when the active worker thread finishes its execution?
Looking at mpi3mr_fwevt_worker(), the worker thread retains ownership of the
event and appears to drop the reference itself after returning from the bottom
half handler:
mpi3mr_fwevt_worker() {
...
mpi3mr_fwevt_bh(fwevt->mrioc, fwevt);
/*
* Put fwevt reference count after
* dequeuing it from worker queue
*/
mpi3mr_fwevt_put(fwevt);
...
}
Since the worker thread relies on its own reference, will stealing the
reference here cause the count to reach zero prematurely while the worker is
still using the object?
> return;
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626114109.43685-1-ranjan.kumar@broadcom.com?part=7
next prev parent reply other threads:[~2026-06-26 12:03 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 11:40 [PATCH v1 00/10] mpi3mr: Few Enhancements and minor fixes Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 01/10] mpi3mr: Skip device shutdown during unload per controller configuration Ranjan Kumar
2026-06-26 12:03 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 02/10] mpi3mr: Update MPI Headers to revision 41 Ranjan Kumar
2026-06-26 12:07 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 03/10] mpi3mr: Add early timestamp synchronization after driver load Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices Ranjan Kumar
2026-06-26 12:07 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 05/10] mpi3mr: Fix performance regression caused by extended IRQ poll sleep Ranjan Kumar
2026-06-26 12:02 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 06/10] mpi3mr: Fix memory leak on operational queue creation failure Ranjan Kumar
2026-06-26 12:02 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 07/10] mpi3mr: Fix firmware event reference leak during cleanup Ranjan Kumar
2026-06-26 12:03 ` sashiko-bot [this message]
2026-06-26 11:41 ` [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling Ranjan Kumar
2026-06-26 12:06 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths Ranjan Kumar
2026-06-26 12:16 ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 10/10] mpi3mr: Driver version update to 8.18.0.8.50 Ranjan Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626120304.EC29F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=ranjan.kumar@broadcom.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.