From patchwork Mon Aug 19 14:21:34 2024
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 1973853
From: Juerg Haefliger
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/2] scsi: pm80xx: Fix TMF task completion race condition
Date: Mon, 19 Aug 2024 16:21:34 +0200
X-Mailer: git-send-email 2.43.0
List-Id: Kernel team discussions
From: Igor Pylypiv

The TMF timeout timer may trigger at the same time when the response from a controller is being handled. When this happens the SAS task may get freed before the response processing is finished. Fix this by calling complete() only when SAS_TASK_STATE_DONE is not set.

A similar race condition was fixed in commit b90cd6f2b905 ("scsi: libsas: fix a race condition when smp task timeout")

Link: https://lore.kernel.org/r/20210707185945.35559-1-ipylypiv@google.com
Reviewed-by: Vishakha Channapattan
Acked-by: Jack Wang
Signed-off-by: Igor Pylypiv
Signed-off-by: Martin K. Petersen
(backported from commit d712d3fb484b7fa8d1d57e9ca6f134bb9d8c18b1)
[juergh: Adjusted context due to missing commit: 1b5d2793283d ("scsi: pm8001: Neaten debug logging macros and uses")]
CVE-2022-48791
Signed-off-by: Juerg Haefliger
---
 drivers/scsi/pm8001/pm8001_sas.c | 34 ++++++++++++++++----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 36f5bab09f73..25cf9db45d54 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -680,8 +680,7 @@ int pm8001_dev_found(struct domain_device *dev) void pm8001_task_done(struct sas_task *task) { - if (!del_timer(&task->slow_task->timer)) - return; + del_timer(&task->slow_task->timer); complete(&task->slow_task->completion); } @@ -689,9 +688,14 @@ static void pm8001_tmf_timedout(struct timer_list *t) { struct sas_task_slow *slow = from_timer(slow, t, timer); struct sas_task *task = slow->task; + unsigned long flags; - task->task_state_flags |= SAS_TASK_STATE_ABORTED; - complete(&task->slow_task->completion); + spin_lock_irqsave(&task->task_state_lock, flags); + if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { + task->task_state_flags |= SAS_TASK_STATE_ABORTED; + complete(&task->slow_task->completion); + } + spin_unlock_irqrestore(&task->task_state_lock, flags); } #define PM8001_TASK_TIMEOUT 20 
@@ -746,13 +750,11 @@ static int pm8001_exec_internal_tmf_task(struct domain_device *dev, } res = -TMF_RESP_FUNC_FAILED; /* Even TMF timed out, return direct. */ - if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - PM8001_FAIL_DBG(pm8001_ha, - pm8001_printk("TMF task[%x]timeout.\n", - tmf->tmf)); - goto ex_err; - } + if (task->task_state_flags & SAS_TASK_STATE_ABORTED) { + PM8001_FAIL_DBG(pm8001_ha, + pm8001_printk("TMF task[%x]timeout.\n", + tmf->tmf)); + goto ex_err; } if (task->task_status.resp == SAS_TASK_COMPLETE && @@ -836,12 +838,10 @@ pm8001_exec_internal_task_abort(struct pm8001_hba_info *pm8001_ha, wait_for_completion(&task->slow_task->completion); res = TMF_RESP_FUNC_FAILED; /* Even TMF timed out, return direct. */ - if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { - if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - PM8001_FAIL_DBG(pm8001_ha, - pm8001_printk("TMF task timeout.\n")); - goto ex_err; - } + if (task->task_state_flags & SAS_TASK_STATE_ABORTED) { + PM8001_FAIL_DBG(pm8001_ha, + pm8001_printk("TMF task timeout.\n")); + goto ex_err; } if (task->task_status.resp == SAS_TASK_COMPLETE &&
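Review bot: in the pm8001_task_done() hunk (@@ -680), removing the `if (!del_timer(...)) return;` early exit makes complete() unconditional, so the hunk now relies on the timeout handler skipping its own complete() once SAS_TASK_STATE_DONE is set; that in turn requires the response path to set SAS_TASK_STATE_DONE under task_state_lock before it calls task->task_done(), and that caller is not in this diff. For the Focal backport it is worth confirming that the pm8001 completion path in this tree does set DONE under the lock, and a short comment above `del_timer(&task->slow_task->timer);` saying the return value is deliberately ignored would spare the next reader the same question.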
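Review bot: in the pm8001_tmf_timedout() hunk (@@ -689), the test-then-set of SAS_TASK_STATE_ABORTED is correctly done inside a single spin_lock_irqsave()/spin_unlock_irqrestore() hold on task_state_lock, which is what closes the window against a completion arriving from interrupt context. Note that if the timer wins, a late controller response will still call pm8001_task_done() and complete() on an already-completed completion; that is harmless for struct completion itself, so the DONE check here is the only thing preventing both paths from acting on the task, and it should stay exactly as written (check and set under the same lock hold, not split across two acquisitions). A one-line comment pointing at the matching libsas change (b90cd6f2b905, cited in the commit message) would document why the lock is needed in a timer callback.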
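Review bot: in the pm8001_exec_internal_tmf_task() hunk (@@ -746), dropping the inner `if (!(task->task_state_flags & SAS_TASK_STATE_DONE))` is only correct because the new pm8001_tmf_timedout() never sets SAS_TASK_STATE_ABORTED once DONE is set, so ABORTED now implies a timeout; that dependency between the two hunks deserves a sentence in the commit message or a comment next to `/* Even TMF timed out, return direct. */`, which still reads as if the old nesting were in place. The flags read here is unlocked, which is acceptable because the ABORTED bit is only ever set before the complete() that wait_for_completion() returned on, but saying so in the comment would stop a future reader from adding a redundant lock.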
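Review bot: in the pm8001_exec_internal_task_abort() hunk (@@ -836), the flattened check is consistent with the TMF hunk, and the two `if (task->task_state_flags & SAS_TASK_STATE_ABORTED) { PM8001_FAIL_DBG(...); goto ex_err; }` blocks are now identical apart from the message string; that is fine for an SRU backport tracking upstream, but a follow-up cleanup could share them. Since the `pm8001_printk("TMF task timeout.\n")` argument lost one indentation level when the nesting dropped, please check that its continuation-line indentation matches the other PM8001_FAIL_DBG() uses in this file, as the run-together diff makes that hard to see on the list.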