Open Source and information security mailing list archives
Message-ID: <05c3fac5-b604-496b-b0eb-5b2dbd68e66c@kernel.org>
Date: Wed, 11 Feb 2026 10:28:41 +0900
From: Damien Le Moal <dlemoal@...nel.org>
To: Salomon Dushimirimana <salomondush@...gle.com>,
 Jack Wang <jinpu.wang@...ud.ionos.com>,
 "James E.J. Bottomley" <James.Bottomley@...senPartnership.com>,
 "Martin K. Petersen" <martin.petersen@...cle.com>
Cc: Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
 John Garry <john.g.garry@...cle.com>, linux-scsi@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] scsi: pm8001: Fix use-after-free in
 pm8001_queue_command()

On 2/10/26 10:07, Salomon Dushimirimana wrote:
> Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
> refactors pm8001_queue_command(); however, it introduces a potential
> double free scenario when it changes the function to return
> -ENODEV in the phy down/device gone state.
> 
> In this path, pm8001_queue_command updates the task status and calls
> task_done to indicate to the upper layer that the task has been handled.
> However, this also frees the underlying sas task. A -ENODEV is then
> returned to the caller. When libsas sas_ata_qc_issue receives this error
> value, it assumes the task wasn't handled/queued by LLDD and proceeds to
> clean up and free the task again, resulting in a double free.
> 
> Since pm8001_queue_command handles the sas task in this case, it should
> return 0 to the caller indicating that the task has been handled.
> 
> Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
> Signed-off-by: Salomon Dushimirimana <salomondush@...gle.com>
> ---
>  drivers/scsi/pm8001/pm8001_sas.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
> index 6a8d35aea93a..0285ce6400dc 100644
> --- a/drivers/scsi/pm8001/pm8001_sas.c
> +++ b/drivers/scsi/pm8001/pm8001_sas.c
> @@ -525,8 +525,8 @@ int pm8001_queue_command(struct sas_task *task, gfp_t gfp_flags)
>  		} else {
>  			task->task_done(task);
>  		}
> -		rc = -ENODEV;
> -		goto err_out;
> +		spin_unlock_irqrestore(&pm8001_ha->lock, flags);
> +		return 0;

Can you add a pm8001_dbg() message call to signal this issue? Otherwise, with
this change, we lose the existing message.

>  	}
>  
>  	ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task);
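Review bot: the replacement lines `spin_unlock_irqrestore(&pm8001_ha->lock, flags);` / `return 0;` introduce a second exit path that drops pm8001_ha->lock by hand; if the err_out label is where the lock is normally released, `rc = 0; goto err_out;` keeps a single unlock site and is harder to get wrong in a later edit. Returning 0 is the right ownership fix, since task->task_done(task) in the lines above has already completed the task and libsas must not free it again, but the -ENODEV path is also where the existing diagnostic was emitted (per the reply above), so a pm8001_dbg() call for the phy down/device gone case should be kept alongside the early return.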


-- 
Damien Le Moal
Western Digital Research
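The ownership rule at the heart of this patch is worth seeing in isolation: when the LLDD completes a task itself by invoking the completion callback (which releases the task), it must report success to the caller, because the caller's convention is "non-zero return means the driver did not take the task, so I free it". The following is an added, stand-alone model written for this page; it is not pm8001, libsas or any kernel code. Names such as model_task, lldd_queue_buggy, lldd_queue_fixed, issue and releases_with are hypothetical, the input is constructed, and releases are counted instead of calling free() so that the double release is observable rather than undefined behaviour.

```c
/* Added example, not kernel code: a minimal model of the queue_command()
 * ownership contract between an upper layer and an LLDD. Hypothetical
 * names throughout; the "device gone" input is constructed. */
#include <stdio.h>
#include <string.h>

#define ENODEV_MODEL 19   /* errno value of ENODEV on Linux, returned negated */

struct model_task {
    int dev_gone;                               /* constructed input */
    int release_count;                          /* times the task was released */
    void (*task_done)(struct model_task *t);    /* upper-layer completion */
};

/* Completion callback: in the kernel this path frees the sas_task; here it
 * only records the release so a double release shows up as a count of 2. */
static void model_task_done(struct model_task *t)
{
    t->release_count++;
}

/* 'Before' behaviour as the commit message describes it: the driver
 * completes the task itself and then also reports -ENODEV. */
static int lldd_queue_buggy(struct model_task *t)
{
    if (t->dev_gone) {
        t->task_done(t);            /* task is now released */
        return -ENODEV_MODEL;       /* ...but caller is told it was not taken */
    }
    return 0;                       /* accepted; hardware will complete it */
}

/* 'After' behaviour: the task was handled here, so report 0 to the caller. */
static int lldd_queue_fixed(struct model_task *t)
{
    if (t->dev_gone) {
        t->task_done(t);
        return 0;                   /* ownership already consumed */
    }
    return 0;
}

/* Caller modelled on the libsas convention: non-zero from the LLDD means
 * "not queued", so the caller cleans up and releases the task itself.
 * Zero means the driver owns it and will complete it exactly once. */
static int issue(struct model_task *t, int (*queue)(struct model_task *))
{
    int rc = queue(t);

    if (rc) {
        t->release_count++;         /* caller's error cleanup path */
    } else if (!t->dev_gone) {
        t->task_done(t);            /* simulated later hardware completion */
    }
    return rc;
}

/* Runs one scenario and returns the number of releases observed:
 * 1 is correct, 2 is a double release. */
int releases_with(int (*queue)(struct model_task *), int dev_gone)
{
    struct model_task t;

    memset(&t, 0, sizeof(t));
    t.dev_gone = dev_gone;
    t.task_done = model_task_done;
    issue(&t, queue);
    return t.release_count;
}

int releases_buggy_dev_gone(void) { return releases_with(lldd_queue_buggy, 1); }
int releases_fixed_dev_gone(void) { return releases_with(lldd_queue_fixed, 1); }
int releases_fixed_healthy(void)  { return releases_with(lldd_queue_fixed, 0); }

int main(void)
{
    printf("buggy, device gone: %d release(s)\n", releases_buggy_dev_gone());
    printf("fixed, device gone: %d release(s)\n", releases_fixed_dev_gone());
    printf("fixed, healthy:     %d release(s)\n", releases_fixed_healthy());
    return 0;
}
```

The point the counts make is that the return value is not just a status code but a statement of who owns the task afterwards; any early-completion branch in a queue function has to return whatever value the caller interprets as "handled", or the caller's cleanup runs a second time over memory that is already gone.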
