Message-Id: <20260115171140.281969-1-cyeaa@connect.ust.hk>
Date: Thu, 15 Jan 2026 17:11:40 +0000
From: Chengfeng Ye <dg573847474@...il.com>
To: "James E . J . Bottomley" <James.Bottomley@...senPartnership.com>,
	"Martin K . Petersen" <martin.petersen@...cle.com>
Cc: Jack Wang <jinpu.wang@...ud.ionos.com>,
	linux-scsi@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Chengfeng Ye <dg573847474@...il.com>
Subject: [PATCH] scsi: pm8001: Fix data race in sysfs SAS address read

From: Chengfeng Ye <dg573847474@...il.com>

Fix a data race where sysfs read pm8001_ctl_host_sas_address_show() reads
pm8001_ha->sas_addr without synchronization while it can be written
from interrupt context in pm8001_mpi_get_nvmd_resp().

The write path is already protected by pm8001_ha->lock (held by
process_oq() when calling pm8001_mpi_get_nvmd_resp()),
but the sysfs read path accesses the 8-byte SAS address without
any synchronization, allowing torn reads.

Thread interleaving scenario:

           Thread A (sysfs read)     |    Thread B (interrupt context)
-------------------------------------+------------------------------------
pm8001_ctl_host_sas_address_show()  |
|- read sas_addr[0..3]               |
                                     | process_oq()
                                     | |- spin_lock_irqsave(&lock)
                                     | |- process_one_iomb()
                                     | |  |- pm8001_mpi_get_nvmd_resp()
                                     | |     |- memcpy(sas_addr, new, 8)
                                     | |        /* writes all 8 bytes */
                                     | |- spin_unlock_irqrestore(&lock)
|- read sas_addr[4..7]               |
   /* gets mix of old and new */    |

Fix by protecting the sysfs read with the same pm8001_ha->lock.

Signed-off-by: Chengfeng Ye <dg573847474@...il.com>
---
 drivers/scsi/pm8001/pm8001_ctl.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/pm8001/pm8001_ctl.c b/drivers/scsi/pm8001/pm8001_ctl.c
index cbfda8c04e95..e49f11969b3b 100644
--- a/drivers/scsi/pm8001/pm8001_ctl.c
+++ b/drivers/scsi/pm8001/pm8001_ctl.c
@@ -311,8 +311,15 @@ static ssize_t pm8001_ctl_host_sas_address_show(struct device *cdev,
 	struct Scsi_Host *shost = class_to_shost(cdev);
 	struct sas_ha_struct *sha = SHOST_TO_SAS_HA(shost);
 	struct pm8001_hba_info *pm8001_ha = sha->lldd_ha;
-	return sysfs_emit(buf, "0x%016llx\n",
-			be64_to_cpu(*(__be64 *)pm8001_ha->sas_addr));
+	unsigned long flags;
+	ssize_t ret;
+
+	spin_lock_irqsave(&pm8001_ha->lock, flags);
+	ret = sysfs_emit(buf, "0x%016llx\n",
+			 be64_to_cpu(*(__be64 *)pm8001_ha->sas_addr));
+	spin_unlock_irqrestore(&pm8001_ha->lock, flags);
+
+	return ret;
 }
 static DEVICE_ATTR(host_sas_address, S_IRUGO,
 		   pm8001_ctl_host_sas_address_show, NULL);
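
Review bot: In pm8001_ctl_host_sas_address_show(), sysfs_emit() now runs between spin_lock_irqsave() and spin_unlock_irqrestore(), so the string formatting executes with local interrupts disabled while holding pm8001_ha->lock, the lock the commit message says process_oq() takes in interrupt context. Only the 8-byte load of sas_addr needs the lock. Consider reading it into a local u64 under the lock, for example addr = be64_to_cpu(*(__be64 *)pm8001_ha->sas_addr);, then unlocking and finishing with return sysfs_emit(buf, "0x%016llx\n", addr);. That keeps the critical section to a single copy and makes the ret variable unnecessary.
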
-- 
2.25.1

