From: Chengfeng Ye
To: "James E.J. Bottomley", "Martin K. Petersen", Jack Wang
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Chengfeng Ye
Subject: [PATCH] scsi: pm8001: Fix potential TOCTOU race in pm8001_find_tag
Date: Sat, 17 Jan 2026 10:19:48 +0000
Message-Id: <20260117101948.297411-1-dg573847474@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org

A potential time-of-check-time-of-use (TOCTOU) race condition exists in
pm8001_find_tag(), where task->lldd_task is checked for non-NULL and then
dereferenced without synchronization to ensure atomicity.

Since the NULL check and the dereference in pm8001_find_tag() are not
executed atomically, a race could occur if the callback is executed in
response to an error or timeout on a SAS task issued from the SCSI
midlayer while the SAS command is completed and calls
pm8001_ccb_task_free(), which sets task->lldd_task to NULL, resulting in
a NULL pointer being dereferenced in pm8001_find_tag().

Possible race scenario:

CPU0 (Error Handler)                CPU1 (Interrupt Handler)
--------------------                ------------------------
[SCSI command timeout/error]
sas_scsi_recover_host()
sas_scsi_find_task()
lldd_query_task()
pm8001_query_task()
pm8001_find_tag()
if (task->lldd_task)
                                    [Hardware interrupt]
                                    mpi_ssp_completion()
                                    pm8001_ccb_task_free()
                                    task->lldd_task = NULL
ccb = task->lldd_task
*tag = ccb->ccb_tag  <- NULL dereference

Fix this by using READ_ONCE() to read task->lldd_task exactly once,
eliminating the TOCTOU window. Also use WRITE_ONCE() in
pm8001_ccb_task_free() for proper memory ordering.

Signed-off-by: Chengfeng Ye
---
 drivers/scsi/pm8001/pm8001_sas.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_= sas.c index 6a8d35aea93a..2d73e65db4c0 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c @@ -49,9 +49,10 @@ */ static int pm8001_find_tag(struct sas_task *task, u32 *tag) { - if (task->lldd_task) { - struct pm8001_ccb_info *ccb; - ccb =3D task->lldd_task; + struct pm8001_ccb_info *ccb; + + ccb =3D READ_ONCE(task->lldd_task); + if (ccb) { *tag =3D ccb->ccb_tag; return 1; } @@ -617,7 +618,7 @@ void pm8001_ccb_task_free(struct pm8001_hba_info *pm800= 1_ha, pm8001_dev ? atomic_read(&pm8001_dev->running_req) : -1); } =20 - task->lldd_task =3D NULL; + WRITE_ONCE(task->lldd_task, NULL); pm8001_ccb_free(pm8001_ha, ccb); } =20 --=20 2.25.1
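Review bot: In the pm8001_find_tag() hunk, READ_ONCE() removes the NULL dereference but not the race the commit message describes. The second hunk stores NULL and then immediately calls pm8001_ccb_free(pm8001_ha, ccb), so a ccb loaded just before that store can already be released by the time `*tag = ccb->ccb_tag;` runs, and pm8001_find_tag() then returns 1 with a tag that no longer belongs to this task. "Eliminating the TOCTOU window" overstates what the change does; either the callers (pm8001_query_task() and friends) must hold the lock that serializes against completion, or the tag must be re-validated after the read. Minor: since only the local is needed, the declaration and the load can be one line, `struct pm8001_ccb_info *ccb = READ_ONCE(task->lldd_task);`.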
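Review bot: In the pm8001_ccb_task_free() hunk, WRITE_ONCE() provides no memory ordering, so the justification "for proper memory ordering" in the commit message is wrong as stated. WRITE_ONCE()/READ_ONCE() only make the store and load single, untorn accesses the compiler cannot split, repeat or elide (and mark them for KCSAN), which is the correct pairing for a lockless pointer read but orders nothing relative to the pm8001_ccb_free() call that follows. If an acquire/release relationship between this store and the ccb teardown is intended, that is smp_store_release()/smp_load_acquire(); otherwise reword the commit message to say the store is annotated to pair with the READ_ONCE() in pm8001_find_tag().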
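The interleaving from the commit message, as an added example that is not part of this patch or of the pm8001 driver: a deterministic C model of the check-then-use window in pm8001_find_tag(). The completing CPU is replaced by a hook invoked between the NULL check and the dereference, so the race is reproduced on demand instead of depending on timing. All names (model_task, model_ccb, find_tag_two_loads, find_tag_one_load, run_find) are hypothetical, and the assumption that a released ccb carries an invalid tag models what pm8001_ccb_free() does to the ccb after the NULL store; it is not the driver's code.

```c
/* Added example (not the pm8001 driver's code): a deterministic model of the
 * check-then-use window in pm8001_find_tag(). The completing "CPU1" is a hook
 * invoked between the NULL check and the dereference, so the interleaving from
 * the commit message is reproduced on demand. All names are hypothetical; that
 * a released ccb carries an invalid tag is an assumption of the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_TAG 0xFFFFFFFFu

struct model_ccb  { uint32_t ccb_tag; };
struct model_task { struct model_ccb *lldd_task; };   /* NULL once completed */

/* Single, untorn access in the spirit of the kernel's READ_ONCE()/WRITE_ONCE(). */
#define MODEL_READ_ONCE(x)       (*(volatile __typeof__(x) *)&(x))
#define MODEL_WRITE_ONCE(x, val) (*(volatile __typeof__(x) *)&(x) = (val))

typedef void (*window_hook_t)(struct model_task *task);

/* Completion path: clear the back pointer, then release the ccb. */
static void model_ccb_task_free(struct model_task *task)
{
    struct model_ccb *ccb = task->lldd_task;

    MODEL_WRITE_ONCE(task->lldd_task, NULL);
    ccb->ccb_tag = INVALID_TAG;   /* modeled pm8001_ccb_free(): tag released */
}

/* Pre-patch shape: two loads of task->lldd_task. A NULL on the second load is
 * where the real driver would dereference NULL; return -1 instead of crashing. */
static int find_tag_two_loads(struct model_task *task, uint32_t *tag,
                              window_hook_t hook)
{
    if (task->lldd_task) {
        struct model_ccb *ccb;

        if (hook)
            hook(task);              /* completion lands in the window */
        ccb = task->lldd_task;
        if (!ccb)
            return -1;
        *tag = ccb->ccb_tag;
        return 1;
    }
    return 0;
}

/* Patched shape: one load. No NULL dereference, but nothing stops the ccb
 * being released between the load and the ->ccb_tag read. */
static int find_tag_one_load(struct model_task *task, uint32_t *tag,
                             window_hook_t hook)
{
    struct model_ccb *ccb = MODEL_READ_ONCE(task->lldd_task);

    if (ccb) {
        if (hook)
            hook(task);              /* completion lands in the window */
        *tag = ccb->ccb_tag;
        return 1;
    }
    return 0;
}

static void complete_in_window(struct model_task *task)
{
    model_ccb_task_free(task);
}

struct find_result { int ret; uint32_t tag; };

/* Run one constructed scenario: a task whose ccb holds tag 7, optionally with
 * the completion interleaved into the window. */
struct find_result run_find(bool single_load, bool interleave)
{
    struct model_ccb ccb = { .ccb_tag = 7 };
    struct model_task task = { .lldd_task = &ccb };
    window_hook_t hook = interleave ? complete_in_window : NULL;
    struct find_result r = { .ret = 0, .tag = 0 };

    r.ret = single_load ? find_tag_one_load(&task, &r.tag, hook)
                        : find_tag_two_loads(&task, &r.tag, hook);
    return r;
}

int main(void)
{
    static const char *names[] = { "two loads", "one load" };

    for (int s = 0; s < 2; s++)
        for (int i = 0; i < 2; i++) {
            struct find_result r = run_find(s, i);
            printf("%-9s %-14s ret=%2d tag=0x%x\n", names[s],
                   i ? "interleaved" : "no completion", r.ret, r.tag);
        }
    return 0;
}
```

Run it and compare the two interleaved rows: the two-load version reaches the point where the real code would crash (ret -1), while the one-load version no longer crashes but hands back the released tag (0xffffffff), which is the residual window a reviewer would still ask about.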