From: Viswas G <Viswas.G@microchip.com.com>
To: <linux-scsi@vger.kernel.org>
Cc: <Vasanthalakshmi.Tharmarajan@microchip.com>,
<Viswas.G@microchip.com>, <Ruksar.devadi@microchip.com>,
<martin.petersen@oracle.com>, <yuuzheng@google.com>,
<vishakhavc@google.com>, <radha@google.com>,
<akshatzen@google.com>, <jinpu.wang@cloud.ionos.com>
Subject: [PATCH V2 4/4] pm80xx: make pm8001_mpi_set_nvmd_resp free of race condition
Date: Fri, 30 Oct 2020 11:39:13 +0530 [thread overview]
Message-ID: <20201030060913.14886-5-Viswas.G@microchip.com.com> (raw)
In-Reply-To: <20201030060913.14886-1-Viswas.G@microchip.com.com>
From: yuuzheng <yuuzheng@google.com>

The use-after-free or null-pointer error occurs when the 251-byte
response data are copied from the IOMB buffer to the response message
buffer in the function pm8001_mpi_set_nvmd_resp. pm8001_mpi_set_nvmd_resp
is the function that processes the response of the command set_nvmd_data_resp.
After sending the command set_nvmd_data, the caller begins to sleep by
calling wait_for_completion() and waits for the wake-up from the call to
complete() in pm8001_mpi_set_nvmd_resp. In the current code,
the memcpy into the response message buffer occurs after calling complete(),
so it is not protected by the use of wait_for_completion() and
complete().

Due to unexpected events (e.g., an interrupt), if the response buffer gets
freed before the memcpy, the use-after-free error will occur.

To fix it, complete() should be called after the memcpy.

Signed-off-by: yuuzheng <yuuzheng@google.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
Signed-off-by: Ruksar Devadi <Ruksar.devadi@microchip.com>
Signed-off-by: Radha Ramachandran <radha@google.com>
---
drivers/scsi/pm8001/pm8001_hwi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
index 9e9a546da959..2054c2b03d92 100644
--- a/drivers/scsi/pm8001/pm8001_hwi.c
+++ b/drivers/scsi/pm8001/pm8001_hwi.c
@@ -3279,10 +3279,15 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb)
pm8001_ha->memoryMap.region[NVMD].virt_ptr,
fw_control_context->len);
kfree(ccb->fw_control_context);
+ /* To avoid race condition, complete should be
+ * called after the message is copied to
+ * fw_control_context->usrAddr
+ */
+ complete(pm8001_ha->nvmd_completion);
+ PM8001_MSG_DBG(pm8001_ha, pm8001_printk("Set nvm data complete!\n"));
ccb->task = NULL;
ccb->ccb_tag = 0xFFFFFFFF;
pm8001_tag_free(pm8001_ha, tag);
- complete(pm8001_ha->nvmd_completion);
}
int pm8001_mpi_local_phy_ctl(struct pm8001_hba_info *pm8001_ha, void *piomb)
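Review bot: in this hunk complete() was already the last statement, after the memcpy into fw_control_context->usrAddr and after pm8001_tag_free(), so the move only places it ahead of the ccb teardown (ccb->task = NULL, ccb->ccb_tag = 0xFFFFFFFF, pm8001_tag_free()); the commit message describes moving complete() from before the memcpy to after it, which is not what the diff shows, so please either explain why the waiter should resume before the tag is released or restate the message to match the change. Also, the hunk's function context is pm8001_mpi_get_nvmd_resp and the copy into fw_control_context->usrAddr from memoryMap.region[NVMD] is the get path, yet the subject and the newly added debug string say "Set nvm data complete!"; one of them is wrong and should be reconciled. Style: the added multi-line comment should open with `/*` on its own line, as Documentation/process/coding-style.rst asks for outside net/.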
--
2.16.3
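The ordering rule the commit message argues for (copy into the caller-owned buffer first, then complete()) can be shown in a small model. The following is an added example written for this page, not code from the patch or from the pm80xx driver: it keeps the shape of the exchange (a caller allocates a response buffer, sends a request, sleeps until complete(), reads the reply and frees the buffer; a handler copies the reply and signals completion) but runs single-threaded, with complete() invoking the waiter's continuation synchronously to model the woken waiter preempting the handler, which is what makes the race deterministic here. The names nvmd_req, handler_buggy, handler_fixed and run_exchange are hypothetical; the 251-byte payload is constructed inline.

```c
/*
 * Added example, not part of the patch or the pm80xx driver.  A
 * single-threaded model of the wait_for_completion()/complete() handoff
 * around a caller-owned response buffer.  complete_req() runs the waiter's
 * continuation immediately, which is an assumption that stands in for the
 * woken task preempting the handler before it finishes.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct nvmd_req {                 /* hypothetical, stands in for fw_control_context */
	unsigned char *usr_addr;  /* caller-owned response buffer (like usrAddr) */
	size_t len;
	int usr_addr_live;        /* 1 while the caller still owns usr_addr */
	unsigned int consumed_sum;/* what the caller read from the buffer on wake-up */
};

struct exchange_result {
	int rc;                   /* handler result: 0 = valid copy, -1 = buffer gone */
	unsigned int caller_sum;  /* byte sum the caller observed after waking */
};

/* Caller-side code after wait_for_completion() returns: read the reply,
 * then release the buffer.  After this point usr_addr must not be touched. */
static void waiter_resume(struct nvmd_req *r)
{
	unsigned int sum = 0;
	for (size_t i = 0; i < r->len; i++)
		sum += r->usr_addr[i];
	r->consumed_sum = sum;
	r->usr_addr_live = 0;
	free(r->usr_addr);
	r->usr_addr = NULL;
}

/* Models complete(): the waiter becomes runnable and, worst case, runs now. */
static void complete_req(struct nvmd_req *r)
{
	waiter_resume(r);
}

/* The handler's memcpy, guarded so the model never writes freed memory.
 * Returns 0 on a valid copy, -1 when the buffer is already gone (the UAF
 * the commit message describes). */
static int copy_response(struct nvmd_req *r, const unsigned char *iomb, size_t n)
{
	if (!r->usr_addr_live)
		return -1;
	memcpy(r->usr_addr, iomb, n < r->len ? n : r->len);
	return 0;
}

/* Ordering the commit message warns about: wake the waiter, then copy. */
int handler_buggy(struct nvmd_req *r, const unsigned char *iomb, size_t n)
{
	complete_req(r);
	return copy_response(r, iomb, n);
}

/* Ordering the patch wants: copy first, then wake the waiter. */
int handler_fixed(struct nvmd_req *r, const unsigned char *iomb, size_t n)
{
	int rc = copy_response(r, iomb, n);
	complete_req(r);
	return rc;
}

/* One request/response exchange driven through the given handler. */
struct exchange_result run_exchange(int (*handler)(struct nvmd_req *,
						   const unsigned char *, size_t))
{
	unsigned char iomb[251];  /* constructed payload, 251 bytes like the NVMD reply */
	struct nvmd_req r;
	struct exchange_result res = { -2, 0 };

	for (size_t i = 0; i < sizeof(iomb); i++)
		iomb[i] = (unsigned char)i;

	r.len = sizeof(iomb);
	r.usr_addr = calloc(1, r.len);  /* zeroed: an unfilled buffer sums to 0 */
	r.usr_addr_live = r.usr_addr != NULL;
	r.consumed_sum = 0;
	if (!r.usr_addr)
		return res;             /* allocation failure, rc stays -2 */

	res.rc = handler(&r, iomb, sizeof(iomb));  /* the reply "interrupt" fires */
	res.caller_sum = r.consumed_sum;
	return res;
}

int main(void)
{
	struct exchange_result b = run_exchange(handler_buggy);
	struct exchange_result f = run_exchange(handler_fixed);

	printf("buggy order: rc=%d, caller saw sum=%u (woke before the copy)\n",
	       b.rc, b.caller_sum);
	printf("fixed order: rc=%d, caller saw sum=%u\n", f.rc, f.caller_sum);
	return 0;
}
```

In the buggy order the caller wakes, reads an empty buffer and frees it, and the handler's copy then has nowhere valid to land; in the fixed order the caller reads the full reply. The guard in copy_response replaces the real memory corruption with a return code so the model can be run safely; in the driver there is no such guard, which is why the ordering is the only protection.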
2020-10-30 6:09 [PATCH V2 0/4] pm80xx updates Viswas G
2020-10-30 6:09 ` [PATCH V2 1/4] pm80xx: make mpi_build_cmd locking consistent Viswas G
2020-10-30 6:51 ` Jinpu Wang
2020-10-30 6:09 ` [PATCH V2 2/4] pm80xx: make running_req atomic Viswas G
2020-10-30 7:34 ` Jinpu Wang
2020-10-30 6:09 ` [PATCH V2 3/4] pm80xx: Avoid busywait in FW ready check Viswas G
2020-10-30 7:35 ` Jinpu Wang
2020-10-30 6:09 ` Viswas G [this message]
2020-10-30 7:44 ` [PATCH V2 4/4] pm80xx: make pm8001_mpi_set_nvmd_resp free of race condition Jinpu Wang