From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, chenxiang, Jason Yan, John Garry, Johannes Thumshirn, Ewan Milne, Christoph Hellwig, Tomas Henzl, Dan Williams, Hannes Reinecke, "Martin K. Petersen"
Subject: [PATCH 4.19 02/66] scsi: libsas: fix a race condition when smp task timeout
Date: Thu, 9 May 2019 20:41:37 +0200
Message-Id: <20190509181301.995626693@linuxfoundation.org>
In-Reply-To: <20190509181301.719249738@linuxfoundation.org>
References: <20190509181301.719249738@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jason Yan

commit b90cd6f2b905905fb42671009dc0e27c310a16ae upstream.

When the LLDD is processing the completed SAS task in interrupt context and sets the task state as SAS_TASK_STATE_DONE, the SMP timeout timer is able to be triggered at the same time. And smp_task_timedout() will complete the task whether SAS_TASK_STATE_DONE is set or not. Then the SAS task may be freed before the LLDD ends the interrupt processing. Thus a use-after-free will happen.

Fix this by calling complete() only when SAS_TASK_STATE_DONE is not set. And remove the check of the return value of del_timer(). Once the LLDD sets DONE, it must call task->done(), which will call smp_task_done()->complete() and the task will be completed and freed correctly.

Reported-by: chenxiang
Signed-off-by: Jason Yan
CC: John Garry
CC: Johannes Thumshirn
CC: Ewan Milne
CC: Christoph Hellwig
CC: Tomas Henzl
CC: Dan Williams
CC: Hannes Reinecke
Reviewed-by: Hannes Reinecke
Reviewed-by: John Garry
Reviewed-by: Johannes Thumshirn
Signed-off-by: Martin K. Petersen
Cc: Guenter Roeck
---
 drivers/scsi/libsas/sas_expander.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/scsi/libsas/sas_expander.c +++ b/drivers/scsi/libsas/sas_expander.c @@ -48,17 +48,16 @@ static void smp_task_timedout(struct tim unsigned long flags; spin_lock_irqsave(&task->task_state_lock, flags); - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) + if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { task->task_state_flags |= SAS_TASK_STATE_ABORTED; + complete(&task->slow_task->completion); + } spin_unlock_irqrestore(&task->task_state_lock, flags); - - complete(&task->slow_task->completion); } static void smp_task_done(struct sas_task *task) { - if (!del_timer(&task->slow_task->timer)) - return; + del_timer(&task->slow_task->timer); complete(&task->slow_task->completion); }
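Review bot: dropping the del_timer() return check in smp_task_done() removes the only guard against a second complete() on slow_task->completion: if the timer fires before the LLDD sets DONE, smp_task_timedout() completes the task (and marks it ABORTED), and a later task->done() now completes it again. The change is sound only if the waiter tolerates that second completion, so the unconditional `complete(&task->slow_task->completion);` in smp_task_done() deserves a one-line comment stating that the timer may already have completed the task and why that is acceptable, and noting that the DONE check under task_state_lock in smp_task_timedout() is what keeps the other ordering from completing early; as it stands the invariant "once the LLDD sets DONE it must call task->done()" lives only in the commit message.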
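To make the two interleavings in the commit message concrete, here is a constructed user-space model (added for illustration; not libsas code, and with placeholder flag bits) that replays the old and new smp_task_timedout()/smp_task_done() logic in sequence, as if each step ran under task_state_lock. The first ordering is the reported use-after-free window; the second shows that with the del_timer() check gone the waiter can receive two complete() calls, which the fix accepts in exchange for closing the window.

```c
#include <stdbool.h>
/* Constructed user-space model of the orderings in the commit message;
 * flag values are placeholders, not the kernel's real bits. */
#define SAS_TASK_STATE_DONE    0x1
#define SAS_TASK_STATE_ABORTED 0x2
struct model_task {
    unsigned flags;      /* task_state_flags, written under task_state_lock */
    bool timer_pending;  /* what del_timer() would report */
    int completions;     /* complete() calls on slow_task->completion */
};
typedef void (*hook_t)(struct model_task *);

/* Before the fix: the timer completes the task even when DONE is set. */
static void old_timedout(struct model_task *t) {
    if (!(t->flags & SAS_TASK_STATE_DONE))
        t->flags |= SAS_TASK_STATE_ABORTED;
    t->completions++;
}
/* After the fix: complete only while the LLDD has not set DONE. */
static void new_timedout(struct model_task *t) {
    if (!(t->flags & SAS_TASK_STATE_DONE)) {
        t->flags |= SAS_TASK_STATE_ABORTED;
        t->completions++;
    }
}
/* Before: bail out when del_timer() reports the timer already ran. */
static void old_done(struct model_task *t) {
    if (t->timer_pending)
        t->completions++;
}
/* After: complete() unconditionally once the LLDD reports DONE. */
static void new_done(struct model_task *t) { t->completions++; }
/* Ordering 1: LLDD IRQ sets DONE, the timer fires before task->done() runs.
 * True means a complete() landed while the LLDD still owned the task (UAF). */
static bool uaf_window(hook_t timedout, hook_t done) {
    struct model_task t = { .flags = SAS_TASK_STATE_DONE, .timer_pending = false };
    timedout(&t);               /* timer handler ran, so del_timer() now fails */
    if (t.completions)
        return true;
    done(&t);
    return false;
}
/* Ordering 2: timer fires first (task aborted), LLDD calls done() afterwards.
 * Returns how many complete() calls the waiter's completion receives. */
static int timeout_first(hook_t timedout, hook_t done) {
    struct model_task t = { .flags = 0, .timer_pending = false };
    timedout(&t);
    t.flags |= SAS_TASK_STATE_DONE;
    done(&t);
    return t.completions;
}
```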