Re: [PATCH] scsi: pm8001: Fix use-after-free in pm8001_queue_command()

[Damien Le Moal <dlemoal@kernel.org>]

On 2/10/26 10:07, Salomon Dushimirimana wrote:
> Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
> refactors pm8001_queue_command(), however it introduces a potential
> cause of a double free scenario when it changes the function to return
> -ENODEV in case of phy down/device gone state.
> 
> In this path, pm8001_queue_command updates task status and calls
> task_done to indicate to upper layer that the task has been handled.
> However, this also frees the underlying sas task. A -ENODEV is then
> returned to the caller. When libsas sas_ata_qc_issue receives this error
> value, it assumes the task wasn't handled/queued by LLDD and proceeds to
> clean up and free the task again, resulting in a double free.
> 
> Since pm8001_queue_command handles the sas task in this case, it should
> return 0 to the caller indicating that the task has been handled.
> 
> Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
> Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
> ---
>  drivers/scsi/pm8001/pm8001_sas.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
> index 6a8d35aea93a..0285ce6400dc 100644
> --- a/drivers/scsi/pm8001/pm8001_sas.c
> +++ b/drivers/scsi/pm8001/pm8001_sas.c
> @@ -525,8 +525,8 @@ int pm8001_queue_command(struct sas_task *task, gfp_t gfp_flags)
>  		} else {
>  			task->task_done(task);
>  		}
> -		rc = -ENODEV;
> -		goto err_out;
> +		spin_unlock_irqrestore(&pm8001_ha->lock, flags);
> +		return 0;

Can you add a pm8001_dbg() message call to signal this issue ? Otherwise, with
this change, we lose the existing message.

>  	}
>  
>  	ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task);


-- 
Damien Le Moal
Western Digital Research