From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: yuuzheng <yuuzheng@google.com>,
Jack Wang <jinpu.wang@cloud.ionos.com>,
Viswas G <Viswas.G@microchip.com>,
Ruksar Devadi <Ruksar.devadi@microchip.com>,
Radha Ramachandran <radha@google.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 05/38] scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition
Date: Tue, 22 Dec 2020 21:24:43 -0500
Message-ID: <20201223022516.2794471-5-sashal@kernel.org>
In-Reply-To: <20201223022516.2794471-1-sashal@kernel.org>
From: yuuzheng <yuuzheng@google.com>
[ Upstream commit 1f889b58716a5f5e3e4fe0e6742c1a4472f29ac1 ]
A use-after-free or null-pointer error occurs when the 251-byte response
data is copied from IOMB buffer to response message buffer in function
pm8001_mpi_get_nvmd_resp().
After sending the command get_nvmd_data(), the caller begins to sleep by
calling wait_for_complete() and waits for the wake-up from calling
complete() in pm8001_mpi_get_nvmd_resp(). Due to unexpected events (e.g.,
interrupt), if response buffer gets freed before memcpy(), a use-after-free
error will occur. To fix this, the complete() should be called after
memcpy().
Link: https://lore.kernel.org/r/20201102165528.26510-5-Viswas.G@microchip.com.com
Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: yuuzheng <yuuzheng@google.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
Signed-off-by: Ruksar Devadi <Ruksar.devadi@microchip.com>
Signed-off-by: Radha Ramachandran <radha@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_hwi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
index b3490b4a046a2..d431efb300b6f 100644
--- a/drivers/scsi/pm8001/pm8001_hwi.c
+++ b/drivers/scsi/pm8001/pm8001_hwi.c
@@ -3196,10 +3196,15 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb)
pm8001_ha->memoryMap.region[NVMD].virt_ptr,
fw_control_context->len);
kfree(ccb->fw_control_context);
+ /* To avoid race condition, complete should be
+ * called after the message is copied to
+ * fw_control_context->usrAddr
+ */
+ complete(pm8001_ha->nvmd_completion);
+ PM8001_MSG_DBG(pm8001_ha, pm8001_printk("Set nvm data complete!\n"));
ccb->task = NULL;
ccb->ccb_tag = 0xFFFFFFFF;
pm8001_tag_free(pm8001_ha, tag);
- complete(pm8001_ha->nvmd_completion);
}
int pm8001_mpi_local_phy_ctl(struct pm8001_hba_info *pm8001_ha, void *piomb)
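Review bot: the debug line added next to the moved complete() call prints "Set nvm data complete!" although this handler is the get path (pm8001_mpi_get_nvmd_resp); suggest "Get nvm data complete!" so the log can tell the two response handlers apart. The relocation itself is sound for the race described: complete() now follows the memcpy into the caller's buffer and the kfree(ccb->fw_control_context), so the waiter cannot free the response buffer before the copy finishes. Note that it now also runs before ccb->task = NULL, ccb->ccb_tag = 0xFFFFFFFF and pm8001_tag_free(), so the woken caller may be scheduled while the ccb and tag are still held; that is harmless here but should not be relied on as a "tag released" signal on the caller side. The block comment would also help future readers more if it named the hazard (the waiter freeing the buffer once woken) rather than just "to avoid race condition", so the call is not moved back below the copy later.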
--
2.27.0