From: John Garry
To: , , , ,
CC: , , , , John Garry
Subject: [PATCH 2/3] scsi: pm8001: Fix use-after-free for aborted TMF sas_task
Date: Thu, 27 Jan 2022 21:12:51 +0800
Message-ID: <1643289172-165636-3-git-send-email-john.garry@huawei.com>
X-Mailer: git-send-email 2.8.1
In-Reply-To: <1643289172-165636-1-git-send-email-john.garry@huawei.com>
References: <1643289172-165636-1-git-send-email-john.garry@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Mailing-List: linux-kernel@vger.kernel.org

Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.

When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the IO completion occurs later, the IO completion still thinks that the sas_task is available.

Fix this by clearing the ccb->task if the TMF times out - the IO completion handler does nothing if this pointer is cleared.

Signed-off-by: John Garry
---
Note: For the hisi_sas driver we already do something similar. However, there we also flush the completion queue interrupt to ensure that there is no race in clearing the task pointer. Please advise if/how something similar can be done here.

 drivers/scsi/pm8001/pm8001_sas.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 160ee8b228c9..32edda3e55c6 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -769,8 +769,13 @@ static int pm8001_exec_internal_tmf_task(struct domain_device *dev, res = -TMF_RESP_FUNC_FAILED; /* Even TMF timed out, return direct. */ if (task->task_state_flags & SAS_TASK_STATE_ABORTED) { + struct pm8001_ccb_info *ccb = task->lldd_task; + pm8001_dbg(pm8001_ha, FAIL, "TMF task[%x]timeout.\n", tmf->tmf); + + if (ccb) + ccb->task = NULL; goto ex_err; } -- 2.26.2
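Review bot: the `if (ccb) ccb->task = NULL;` added in the SAS_TASK_STATE_ABORTED branch is not synchronized with the reader in mpi_ssp_completion(), which is exactly the race the cover note raises: a completion already in flight can load ccb->task before this store lands and then dereference the sas_task after pm8001_exec_internal_tmf_task() frees it. The store needs to be made under the same lock the completion path holds when it reads ccb->task, or the completion queue interrupt needs to be flushed before the clear as hisi_sas does, so that a completion observes either the task pointer and a live sas_task or NULL. Also worth clearing the reverse link (task->lldd_task) at the same point so nothing can walk from the about-to-be-freed sas_task back into the ccb, and the commit message should state which of the two orderings the fix relies on.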