From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Salomon Dushimirimana, Damien Le Moal, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 6.6 006/567] scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Date: Mon, 23 Mar 2026 14:38:46 +0100
Message-ID: <20260323134533.905909539@linuxfoundation.org>
In-Reply-To: <20260323134533.749096647@linuxfoundation.org>
References: <20260323134533.749096647@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Salomon Dushimirimana

[ Upstream commit 38353c26db28efd984f51d426eac2396d299cca7 ]

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(); however, it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state.

In this path, pm8001_queue_command() updates the task status and calls task_done to indicate to the upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by the LLDD and proceeds to clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller, indicating that the task has been handled.

Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
Signed-off-by: Salomon Dushimirimana
Reviewed-by: Damien Le Moal
Link: https://patch.msgid.link/20260213192806.439432-1-salomondush@google.com
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/scsi/pm8001/pm8001_sas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c index 4daab8b6d6752..0f911228cb2f1 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c @@ -476,8 +476,9 @@ int pm8001_queue_command(struct sas_task *task, gfp_t gfp_flags) } else { task->task_done(task); } - rc = -ENODEV; - goto err_out; + spin_unlock_irqrestore(&pm8001_ha->lock, flags); + pm8001_dbg(pm8001_ha, IO, "pm8001_task_exec device gone\n"); + return 0; } ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task); -- 2.51.0
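Review bot: the new pm8001_dbg() line in this hunk still names the old function ("pm8001_task_exec device gone") although it now lives in pm8001_queue_command(), which the Subject and the Fixes tag identify as the refactored name; consider "%s device gone\n", __func__ so the trace points at the function that actually ran. The explicit spin_unlock_irqrestore(&pm8001_ha->lock, flags) before return 0 is correct given the lock is still held at that point, but since this branch no longer jumps to err_out, a one-line comment saying the task was already completed via task_done() and must not be reported as an error would make the ownership hand-off obvious to the next reader. Minor: the Subject says "use-after-free" while the message describes a double free; aligning the two would help anyone triaging the stable backport.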
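The commit message above describes an ownership contract: once the LLDD calls task_done(), the task belongs to the completion path and a non-zero return tells the caller to free it again. The following is an added example written for this page, not code from the pm8001 driver or libsas; struct toy_task, toy_queue_command(), toy_issue() and the registry are hypothetical stand-ins that model the same hand-off, with a second release detected and counted rather than corrupting the heap.

```c
/* Added example: toy model of the queue_command()/task_done() ownership contract.
 * Not pm8001 or libsas code; all names here are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_TASKS 8

/* Constructed stand-in for struct sas_task. Tasks live in a small registry so a
 * second free of the same task is recorded instead of corrupting memory. */
struct toy_task {
    int id;
    int status;   /* -1 = pending, 0 = completed by task_done() */
    int freed;
};

static struct toy_task registry[MAX_TASKS];
static int double_free_count;

void toy_reset(void)
{
    memset(registry, 0, sizeof(registry));
    double_free_count = 0;
}

struct toy_task *toy_task_alloc(int id)
{
    struct toy_task *t = &registry[id % MAX_TASKS];
    t->id = id;
    t->status = -1;
    t->freed = 0;
    return t;
}

/* Releases a task; releasing it twice is the bug the patch fixes. */
void toy_task_free(struct toy_task *t)
{
    if (t->freed)
        double_free_count++;
    t->freed = 1;
}

/* Stand-in for task->task_done(): completion hands the task back to the upper
 * layer, which frees it. After this call the LLDD must not report an error. */
static void toy_task_done(struct toy_task *t)
{
    t->status = 0;
    toy_task_free(t);
}

/* Stand-in for the LLDD's queue_command() on the "device gone" path.
 * Contract: non-zero means "I did not take the task, you still own it";
 * 0 means "the task is mine now (queued, or already completed)". */
int toy_queue_command(struct toy_task *t, int device_gone, int buggy)
{
    if (device_gone) {
        toy_task_done(t);             /* completes and frees the task */
        return buggy ? -ENODEV : 0;   /* buggy: error after completion */
    }
    return 0;                         /* would be queued to hardware here */
}

/* Stand-in for the libsas caller (sas_ata_qc_issue()): on error it assumes
 * the LLDD never touched the task and cleans it up itself. */
int toy_issue(int id, int device_gone, int buggy)
{
    struct toy_task *t = toy_task_alloc(id);
    int rc = toy_queue_command(t, device_gone, buggy);

    if (rc)
        toy_task_free(t);   /* second free when rc != 0 after task_done() */
    return rc;
}

int toy_double_frees(void)
{
    return double_free_count;
}

int main(void)
{
    toy_reset();
    toy_issue(1, 1, 1);
    printf("device gone, returns -ENODEV: %d double free(s)\n", toy_double_frees());
    toy_reset();
    toy_issue(1, 1, 0);
    printf("device gone, returns 0:       %d double free(s)\n", toy_double_frees());
    return 0;
}
```

The point the model makes is that the return value, not the completion callback, is what transfers ownership back to the caller: any path that has already invoked task_done() must return 0, which is exactly the change in the hunk.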