From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, chenxiang <chenxiang66@hisilicon.com>,
Jason Yan <yanaijie@huawei.com>,
John Garry <john.garry@huawei.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
Ewan Milne <emilne@redhat.com>, Christoph Hellwig <hch@lst.de>,
Tomas Henzl <thenzl@redhat.com>,
Dan Williams <dan.j.williams@intel.com>,
Hannes Reinecke <hare@suse.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 3.18 52/86] scsi: libsas: fix a race condition when smp task timeout
Date: Wed, 15 May 2019 12:55:29 +0200 [thread overview]
Message-ID: <20190515090652.571651333@linuxfoundation.org> (raw)
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>
From: Jason Yan <yanaijie@huawei.com>
commit b90cd6f2b905905fb42671009dc0e27c310a16ae upstream.
When the lldd is processing the complete sas task in interrupt and set the
task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be
triggered at the same time. And smp_task_timedout() will complete the task
wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed
before lldd end the interrupt process. Thus a use-after-free will happen.
Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not
set. And remove the check of the return value of the del_timer(). Once the
LLDD sets DONE, it must call task->done(), which will call
smp_task_done()->complete() and the task will be completed and freed
correctly.
Reported-by: chenxiang <chenxiang66@hisilicon.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: Johannes Thumshirn <jthumshirn@suse.de>
CC: Ewan Milne <emilne@redhat.com>
CC: Christoph Hellwig <hch@lst.de>
CC: Tomas Henzl <thenzl@redhat.com>
CC: Dan Williams <dan.j.williams@intel.com>
CC: Hannes Reinecke <hare@suse.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Guenter Roeck <linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/libsas/sas_expander.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned l
unsigned long flags;
spin_lock_irqsave(&task->task_state_lock, flags);
- if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
task->task_state_flags |= SAS_TASK_STATE_ABORTED;
+ complete(&task->slow_task->completion);
+ }
spin_unlock_irqrestore(&task->task_state_lock, flags);
-
- complete(&task->slow_task->completion);
}
static void smp_task_done(struct sas_task *task)
{
- if (!del_timer(&task->slow_task->timer))
- return;
+ del_timer(&task->slow_task->timer);
complete(&task->slow_task->completion);
}
next prev parent reply other threads:[~2019-05-15 12:20 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 10:54 [PATCH 3.18 00/86] 3.18.140-stable review Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 01/86] MIPS: scall64-o32: Fix indirect syscall number load Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 02/86] trace: Fix preempt_enable_no_resched() abuse Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 03/86] sched/numa: Fix a possible divide-by-zero Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 04/86] ceph: ensure d_name stability in ceph_dentry_hash() Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 05/86] sunrpc: dont mark uninitialised items as VALID Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 06/86] slip: make slhc_free() silently accept an error pointer Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 07/86] fs/proc/proc_sysctl.c: Fix a NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 08/86] NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 09/86] netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 10/86] Revert "block/loop: Use global lock for ioctl() operation." Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 11/86] ipv4: add sanity checks in ipv4_link_failure() Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 12/86] team: fix possible recursive locking when add slaves Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 13/86] net: stmmac: move stmmac_check_ether_addr() to driver probe Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 14/86] qlcnic: Avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 15/86] usb: gadget: net2280: Fix overrun of OUT messages Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 16/86] usb: gadget: net2272: Fix net2272_dequeue() Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 17/86] net: ks8851: Dequeue RX packets explicitly Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 18/86] net: ks8851: Reassert reset pin if chip ID check fails Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 19/86] net: ks8851: Delay requesting IRQ until opened Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 20/86] net: ks8851: Set initial carrier state to down Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 21/86] net: ibm: fix possible object reference leak Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 22/86] scsi: qla4xxx: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 23/86] usb: u132-hcd: fix resource leak Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 24/86] ceph: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 25/86] scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 26/86] libata: fix using DMA buffers on stack Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 27/86] kconfig/[mn]conf: handle backspace (^H) key Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 28/86] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 29/86] ipv6: invert flowlabel sharing check in process and user mode Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 30/86] packet: validate msg_namelen in send directly Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 31/86] ipv6/flowlabel: wait rcu grace period before put_pid() Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 32/86] USB: yurex: Fix protection fault after device removal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 33/86] USB: w1 ds2490: Fix bug caused by improper use of altsetting array Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 34/86] USB: core: Fix unterminated string returned by usb_string() Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 35/86] USB: media: disable tlg2300 driver Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 36/86] USB: core: Fix bug caused by duplicate interface PM usage counter Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 37/86] HID: debug: fix race condition with between rdesc_show() and device removal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 38/86] rtc: sh: Fix invalid alarm warning for non-enabled alarm Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 39/86] igb: Fix WARN_ONCE on runtime suspend Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 40/86] bonding: show full hw address in sysfs for slave entries Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 41/86] jffs2: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 42/86] scsi: storvsc: Fix calculation of sub-channel count Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 43/86] hugetlbfs: fix memory leak for resv_map Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 44/86] xsysace: Fix error handling in ace_setup Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 45/86] ARM: orion: dont use using 64-bit DMA masks Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 46/86] ARM: iop: " Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 47/86] usb: usbip: fix isoc packet num validation in get_pipe Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 48/86] staging: iio: adt7316: allow adt751x to use internal vref for all dacs Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 49/86] staging: iio: adt7316: fix the dac read calculation Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 50/86] staging: iio: adt7316: fix the dac write calculation Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 51/86] media: v4l2: i2c: ov7670: Fix PLL bypass register values Greg Kroah-Hartman
2019-05-15 10:55 ` Greg Kroah-Hartman [this message]
2019-05-15 10:55 ` [PATCH 3.18 53/86] ASoC:soc-pcm:fix a codec fixup issue in TDM case Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 54/86] ASoC: cs4270: Set auto-increment bit for register writes Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 55/86] ASoC: tlv320aic32x4: Fix Common Pins Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 56/86] scsi: csiostor: fix missing data copy in csio_scsi_err_handler() Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 57/86] iommu/amd: Set exclusion range correctly Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 58/86] genirq: Prevent use-after-free and work list corruption Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 59/86] scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 60/86] Bluetooth: hidp: fix buffer overflow Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 61/86] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 62/86] timer/debug: Change /proc/timer_stats from 0644 to 0600 Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 63/86] netfilter: compat: initialize all fields in xt_init Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 64/86] platform/x86: sony-laptop: Fix unintentional fall-through Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 65/86] iio: adc: xilinx: fix potential use-after-free on remove Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 66/86] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 67/86] s390/dasd: Fix capacity calculation for large volumes Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 68/86] s390/3270: fix lockdep false positive on view->lock Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 69/86] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 70/86] tools lib traceevent: Fix missing equality check for strcmp Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 71/86] init: initialize jump labels before command line option parsing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 72/86] s390: ctcm: fix ctcm_new_device error return code Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 73/86] selftests/net: correct the return value for run_netsocktests Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 74/86] gpu: ipu-v3: dp: fix CSC handling Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 75/86] Dont jump to compute_result state from check_result state Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 76/86] USB: serial: use variable for status Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 77/86] USB: serial: fix unthrottle races Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 78/86] bridge: Fix error path for kobject_init_and_add() Greg Kroah-Hartman
2019-05-15 20:48 ` Tobin C. Harding
2019-05-16 5:57 ` Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 79/86] net: ucc_geth - fix Oops when changing number of buffers in the ring Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 80/86] packet: Fix error path in packet_init Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 81/86] vlan: disable SIOCSHWTSTAMP in container Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 82/86] ipv4: Fix raw socket lookup for local traffic Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 83/86] bonding: fix arp_validate toggling in active-backup mode Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 84/86] drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 85/86] drivers/virt/fsl_hypervisor.c: prevent integer overflow " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 86/86] powerpc/booke64: set RI in default MSR Greg Kroah-Hartman
2019-05-15 15:07 ` [PATCH 3.18 00/86] 3.18.140-stable review kernelci.org bot
2019-05-16 3:33 ` Guenter Roeck
2019-05-16 14:27 ` shuah
2019-05-16 14:59 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190515090652.571651333@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chenxiang66@hisilicon.com \
--cc=dan.j.williams@intel.com \
--cc=emilne@redhat.com \
--cc=hare@suse.com \
--cc=hch@lst.de \
--cc=john.garry@huawei.com \
--cc=jthumshirn@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
--cc=thenzl@redhat.com \
--cc=yanaijie@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).