lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ae5cae8b3c4e71cf23b6f48453797ac48bea5914.camel@HansenPartnership.com>
Date: Mon, 19 Jan 2026 11:39:33 -0500
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Chengfeng Ye <dg573847474@...il.com>, "Martin K . Petersen"
	 <martin.petersen@...cle.com>, Jack Wang <jinpu.wang@...ud.ionos.com>
Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: pm8001: Fix potential TOCTOU race in
 pm8001_find_tag

On Sat, 2026-01-17 at 10:19 +0000, Chengfeng Ye wrote:
> A potential time-of-check-time-of-use (TOCTOU) race condition in
> pm8001_find_tag() where task->lldd_task is checked for non-NULL
> and then dereferenced without synchronization to ensure atomicity.
> 
> Since the check of NULL and dereference in pm8001_find_tag() is not
> executed atomically, a race could occur if the callback is executed
> in
> response to an error or timeout on a SAS task issued from the SCSI
> midlayer, while the SAS command is completed and calls
> pm8001_ccb_task_free(), which sets task->lldd_task to NULL, resulting
> in a null pointer being dereferenced in pm8001_find_tag().
> 
> Possible race scenario:
>  CPU0 (Error Handler)           CPU1 (Interrupt Handler)
>   --------------------           ------------------------
>   [SCSI command timeout/error]
>   sas_scsi_recover_host()
>     sas_scsi_find_task()
>       lldd_query_task()
>         pm8001_query_task()
>           pm8001_find_tag()
>             if (task->lldd_task)
>                                    [Hardware interrupt]
>                                      mpi_ssp_completion()
>                                        pm8001_ccb_task_free()
>                                          task->lldd_task = NULL
>             ccb = task->lldd_task
>             *tag = ccb->ccb_tag
>             <- NULL dereference
> 

I don't get how a race is possible here.  Before the query function
begins, the sas logic calls abort task on the tag, which means the
controller should ensure there are no further completion functions for
it regardless of whether the abort succeeds or not.

Regards,

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ