From: Jinpu Wang
Date: Fri, 28 Jan 2022 07:18:42 +0100
Subject: Re: [PATCH 3/3] scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
To: John Garry
Cc: jinpu.wang@ionos.com, jejb@linux.ibm.com, martin.petersen@oracle.com, damien.lemoal@opensource.wdc.com, Ajish.Koshy@microchip.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Viswas.G@microchip.com, chenxiang66@hisilicon.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 27, 2022 at 2:18 PM John Garry wrote:
>
> Currently a use-after-free may occur if a sas_task is aborted by the upper
> layer before we handle the IO completion in mpi_ssp_completion() or
> mpi_sata_completion().
>
> In this case, the following are the two steps in handling those IO
> completions:
> - call complete() to inform the upper layer handler of completion of
>   the IO
> - release driver resources associated with the sas_task in
>   pm8001_ccb_task_free() call
>
> When complete() is called, the upper layer may free the sas_task. As such,
> we should not touch the associated sas_task afterwards, but we do so in
> the pm8001_ccb_task_free() call.
>
> Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.
>
> Signed-off-by: John Garry
Thx John!

Acked-by: Jack Wang
> ---
>  drivers/scsi/pm8001/pm80xx_hwi.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c
> index ce38a2298e75..1134e86ac928 100644
> --- a/drivers/scsi/pm8001/pm80xx_hwi.c
> +++ b/drivers/scsi/pm8001/pm80xx_hwi.c
> @@ -2185,9 +2185,9 @@ mpi_ssp_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) > pm8001_dbg(pm8001_ha, FAIL, > "task 0x%p done with io_status 0x%x resp 0x%x stat 0x%x but aborted by upper layer!\n", > t, status, ts->resp, ts->stat); > + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); > if (t->slow_task) > complete(&t->slow_task->completion); > - pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); > } else { > spin_unlock_irqrestore(&t->task_state_lock, flags); > pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); > @@ -2794,9 +2794,9 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, > pm8001_dbg(pm8001_ha, FAIL, > "task 0x%p done with io_status 0x%x resp 0x%x stat 0x%x but aborted by upper layer!\n", > t, status, ts->resp, ts->stat); > + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); > if (t->slow_task) > complete(&t->slow_task->completion); > - pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); > } else { > spin_unlock_irqrestore(&t->task_state_lock, flags); > spin_unlock_irqrestore(&circularQ->oq_lock, > -- > 2.26.2 >
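Review bot: the swapped lines in the mpi_ssp_completion() aborted branch (hunk @@ -2185) close the use-after-free only because pm8001_ccb_task_free(pm8001_ha, t, ccb, tag) leaves the sas_task itself allocated: after that call the branch still reads t->slow_task and dereferences &t->slow_task->completion, and nothing may touch t once complete() has returned. That constraint is invisible from the three lines, so a short comment above `pm8001_ccb_task_free(pm8001_ha, t, ccb, tag);` stating that driver resources must be released before complete() because the upper layer may free the task as soon as it is woken would keep a later refactor from swapping the calls back. The new order also matches the else branch in the trailing context, which already frees before finishing the task. As this is a use-after-free fix, the commit message should carry a Fixes: tag naming the commit that introduced the original ordering and a Cc: stable line so the change reaches stable kernels.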
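Review bot: the same reorder in mpi_sata_completion() (hunk @@ -2794) deserves the same explanatory comment as the SSP path, and the trailing context shows an asymmetry worth a second look: the else branch releases circularQ->oq_lock on its way out, whereas the aborted branch now calls pm8001_ccb_task_free() and complete() with no visible unlock of that lock. If oq_lock is held at this point, confirm that both calls are safe under it and say so in a comment; otherwise a matching unlock/relock around the pair, as the else branch does, would remove the asymmetry. Since the three lines are now identical in both completion handlers, factoring them into a small helper would stop the two paths drifting apart again.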