From: Nazar Kalashnikov
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Nazar Kalashnikov, Jack Wang, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Igor Pylypiv, Terrence Adams, Jack Wang
Subject: [PATCH 5.10/5.15/6.1] scsi: pm80xx: Set phy->enable_completion only when we
Date: Fri, 28 Nov 2025 17:48:15 +0300
Message-ID: <20251128144816.55522-1-sivartiwe@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

From: Igor Pylypiv

[ Upstream commit e4f949ef1516c0d74745ee54a0f4882c1f6c7aea ]

pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns.

The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.

Signed-off-by: Igor Pylypiv
Signed-off-by: Terrence Adams
Link: https://lore.kernel.org/r/20240627155924.2361370-2-tadamsjr@google.com
Acked-by: Jack Wang
Signed-off-by: Martin K. Petersen
Signed-off-by: Nazar Kalashnikov --- Backport fix for CVE-2024-47666 drivers/scsi/pm8001/pm8001_sas.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_= sas.c index 765c5be6c84c..85c27f2f990f 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c @@ -163,7 +163,6 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enu= m phy_func func, unsigned long flags; pm8001_ha =3D sas_phy->ha->lldd_ha; phy =3D &pm8001_ha->phy[phy_id]; - pm8001_ha->phy[phy_id].enable_completion =3D &completion; switch (func) { case PHY_FUNC_SET_LINK_RATE: rates =3D funcdata; @@ -176,6 +175,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enu= m phy_func func, rates->maximum_linkrate; } if (pm8001_ha->phy[phy_id].phy_state =3D=3D PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion =3D &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -184,6 +184,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enu= m phy_func func, break; case PHY_FUNC_HARD_RESET: if (pm8001_ha->phy[phy_id].phy_state =3D=3D PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion =3D &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -192,6 +193,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enu= m phy_func func, break; case PHY_FUNC_LINK_RESET: if (pm8001_ha->phy[phy_id].phy_state =3D=3D PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion =3D &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } --=20 2.43.0
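Review bot: each of the three added `pm8001_ha->phy[phy_id].enable_completion = &completion;` lines (the PHY_FUNC_SET_LINK_RATE, PHY_FUNC_HARD_RESET and PHY_FUNC_LINK_RESET branches) still leaves the pointer aimed at the stack `completion` after `wait_for_completion(&completion);` returns, so the hunks as shown only narrow the window described in the commit message (the pointer is no longer set on paths that never wait) and still rely on the response path that calls complete() also clearing enable_completion, which is not visible in this diff. Please confirm that the completion handler in each of the 5.10, 5.15 and 6.1 trees this backport targets does clear the pointer, or add an explicit `pm8001_ha->phy[phy_id].enable_completion = NULL;` after each `wait_for_completion(&completion);` so a second or late response cannot dereference the stale address.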
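Review bot: the backport note "Backport fix for CVE-2024-47666" gives no detail on how the upstream change was adapted; since the hunks apply with identical context in all three `if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE)` blocks, a one-line statement that the upstream patch applied cleanly (or what was changed) would let the stable maintainers verify the backport quickly. The same two-line "set pointer, call phy_start_req, wait" sequence now appears in three case arms; folding it into a small static helper would keep the pointer setup and the wait together and make any later clearing of enable_completion a single-place change.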