From: Chengfeng Ye
To: "James E. J. Bottomley", "Martin K. Petersen", Jack Wang
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Chengfeng Ye
Subject: [PATCH v2] scsi: pm8001: Fix potential TOCTOU race in pm8001_find_tag
Date: Tue, 20 Jan 2026 03:17:38 +0000
Message-Id: <20260120031738.331225-1-dg573847474@gmail.com>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

There is a potential time-of-check-time-of-use (TOCTOU) race condition in
pm8001_find_tag(), where task->lldd_task is checked for non-NULL and then
dereferenced without synchronization to ensure atomicity.

Since the check of NULL and dereference in pm8001_find_tag() is not executed
atomically, a race could occur if the callback is executed in response to an
error or timeout on a SAS task issued from the SCSI midlayer, while the SAS
command is completed and calls pm8001_ccb_task_free(), which sets
task->lldd_task to NULL, resulting in a null pointer being dereferenced in
pm8001_find_tag().

Possible race scenario:

CPU0 (Error Handler)                CPU1 (Interrupt Handler)
--------------------                ------------------------
[SCSI command timeout/error]
sas_scsi_recover_host()
  sas_scsi_find_task()
    lldd_abort_task()
      pm8001_abort_task()
        pm8001_find_tag()
          if (task->lldd_task)
                                    [Hardware interrupt]
                                    mpi_ssp_completion()
                                      pm8001_ccb_task_free()
                                        task->lldd_task = NULL
          ccb = task->lldd_task
          *tag = ccb->ccb_tag       <- NULL dereference

Fix this by using READ_ONCE() to read task->lldd_task exactly once,
eliminating the TOCTOU window. Also use WRITE_ONCE() in
pm8001_ccb_task_free() for proper memory ordering.
Signed-off-by: Chengfeng Ye --- v2:=20 - Correctify commit message to focus on abort_task() path - Check return value of find_tag() to handle race with pm8001_ccb_free() drivers/scsi/pm8001/pm8001_sas.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_= sas.c index 6a8d35aea93a..314945c89977 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c @@ -49,9 +49,10 @@ */ static int pm8001_find_tag(struct sas_task *task, u32 *tag) { - if (task->lldd_task) { - struct pm8001_ccb_info *ccb; - ccb =3D task->lldd_task; + struct pm8001_ccb_info *ccb; + + ccb =3D READ_ONCE(task->lldd_task); + if (ccb) { *tag =3D ccb->ccb_tag; return 1; } @@ -617,7 +618,7 @@ void pm8001_ccb_task_free(struct pm8001_hba_info *pm800= 1_ha, pm8001_dev ? atomic_read(&pm8001_dev->running_req) : -1); } =20 - task->lldd_task =3D NULL; + WRITE_ONCE(task->lldd_task, NULL); pm8001_ccb_free(pm8001_ha, ccb); } =20 @@ -1083,7 +1084,7 @@ int pm8001_abort_task(struct sas_task *task) } =20 ret =3D pm8001_find_tag(task, &tag); - if (ret =3D=3D 0) { + if (ret =3D=3D 0 || tag =3D=3D PM8001_INVALID_TAG) { pm8001_info(pm8001_ha, "no tag for task:%p\n", task); return TMF_RESP_FUNC_FAILED; } --=20 2.25.1
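Review bot: in the pm8001_find_tag() hunk, the single READ_ONCE() snapshot removes the NULL dereference, but the following `*tag = ccb->ccb_tag;` is now itself a racing read: the v2 changelog says the tag can be changed concurrently by pm8001_ccb_free(), and the PM8001_INVALID_TAG check added in the pm8001_abort_task() hunk exists only because that can happen between the snapshot and this read. Two suggestions: read the tag with READ_ONCE(ccb->ccb_tag) as well, and consider returning 0 from pm8001_find_tag() itself when the tag is PM8001_INVALID_TAG, so every caller gets the protection rather than only pm8001_abort_task(). The comment block above the function (context line `*/`) should also state that the returned tag may already be stale when the caller uses it.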
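Review bot: in the pm8001_ccb_task_free() hunk, the commit message justifies WRITE_ONCE() "for proper memory ordering", but WRITE_ONCE() only makes the store single and untorn; it does not order it against the `pm8001_ccb_free(pm8001_ha, ccb);` call that follows in this hunk, so a reader that took the READ_ONCE() snapshot can still observe the ccb after pm8001_ccb_free() has run. That is exactly the case the v2 PM8001_INVALID_TAG check handles, so either reword the message to say the READ_ONCE()/WRITE_ONCE() pair removes the double read (not that it provides ordering), or, if ordering is really required, use smp_store_release()/smp_load_acquire() or a lock shared with the completion path.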
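Review bot: in the pm8001_abort_task() hunk, the added `|| tag == PM8001_INVALID_TAG` condition narrows the race but does not close it: the ccb can still be released by pm8001_ccb_free() between this check and the later use of `tag` in pm8001_abort_task(), so "eliminating the TOCTOU window" in the commit message overstates what the patch achieves and should be softened. The check also changes the meaning of the "no tag for task" message, which now covers both "task has no ccb" and "ccb was freed under us"; a short comment above the `if` explaining the second case (and noting that `tag` is only initialized when ret != 0, so the short-circuit order matters) would help whoever debugs an abort failure later.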
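As an added illustration (this is not code from the patch or from the pm8001 driver), the following user-space C model reproduces the CPU0/CPU1 interleaving from the commit message deterministically, runs both the unpatched double-load version of the tag lookup and the single-snapshot version, and applies the v2 caller check. All names (ccb_info, sas_task, INVALID_TAG, load_lldd_task, simulate) are stand-ins for the kernel identifiers; the model assumes, as the v2 PM8001_INVALID_TAG check implies, that freeing a ccb invalidates its tag while the ccb object itself remains valid memory, and it forces the interleaving with a hook instead of real concurrency.

```c
/*
 * Added model (not the pm8001 driver's code): a single-threaded reproduction
 * of the check-then-use race described in the commit message. Names are
 * stand-ins; the completion path is injected by a hook, not by a real IRQ.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_TAG 0xFFFFFFFFu   /* stand-in for PM8001_INVALID_TAG */

struct ccb_info { uint32_t ccb_tag; };            /* ~ struct pm8001_ccb_info */
struct sas_task { struct ccb_info *lldd_task; };  /* ~ struct sas_task */

uint32_t last_tag;   /* tag produced by the most recent simulate() call */

/* Model of pm8001_ccb_task_free() followed by pm8001_ccb_free(): detach the
 * ccb from the task, then invalidate its tag. Assumption: the ccb object
 * stays valid memory afterwards (nothing is free()d here). */
static void ccb_task_free(struct sas_task *task)
{
	struct ccb_info *ccb = task->lldd_task;

	if (!ccb)
		return;
	task->lldd_task = NULL;        /* WRITE_ONCE() in the patched kernel */
	ccb->ccb_tag = INVALID_TAG;    /* assumed effect of pm8001_ccb_free() */
}

/* When armed, the simulated completion runs once, right after the next load
 * of task->lldd_task: that is the CPU1 column of the race diagram. */
static int completion_pending;

static struct ccb_info *load_lldd_task(struct sas_task *task)
{
	struct ccb_info *ccb = task->lldd_task;

	if (completion_pending) {
		completion_pending = 0;
		ccb_task_free(task);   /* CPU1: completion frees the ccb */
	}
	return ccb;
}

/* Unpatched shape: check and use are two independent loads. Returns -1 where
 * the real code would dereference NULL, so the model reports instead of
 * crashing. */
static int find_tag_racy(struct sas_task *task, uint32_t *tag)
{
	if (load_lldd_task(task)) {                      /* check: load #1 */
		struct ccb_info *ccb = load_lldd_task(task); /* use: load #2 */

		if (!ccb)
			return -1;
		*tag = ccb->ccb_tag;
		return 1;
	}
	return 0;
}

/* Patched shape: one snapshot (READ_ONCE() in the kernel), checked and used. */
static int find_tag_fixed(struct sas_task *task, uint32_t *tag)
{
	struct ccb_info *ccb = load_lldd_task(task);

	if (ccb) {
		*tag = ccb->ccb_tag;   /* may already be INVALID_TAG */
		return 1;
	}
	return 0;
}

/* Model of the v2 caller check. Returns 1 if the abort may proceed with a
 * live tag, 0 for "no tag for task" (TMF_RESP_FUNC_FAILED in the driver),
 * -1 if the NULL dereference of the unpatched code was detected. */
static int abort_task_find(struct sas_task *task,
			   int (*find)(struct sas_task *, uint32_t *),
			   uint32_t *tag)
{
	int ret = find(task, tag);

	if (ret < 0)
		return -1;
	if (ret == 0 || *tag == INVALID_TAG)   /* tag only valid when ret != 0 */
		return 0;
	return 1;
}

/* Run one abort attempt: use_fixed picks the lookup variant, race arms the
 * simulated completion so it lands between the check and the use. */
int simulate(int use_fixed, int race, uint32_t *tag_out)
{
	struct ccb_info ccb = { .ccb_tag = 7 };          /* constructed sample */
	struct sas_task task = { .lldd_task = &ccb };
	uint32_t tag = 0;
	int rc;

	completion_pending = race;
	rc = abort_task_find(&task, use_fixed ? find_tag_fixed : find_tag_racy, &tag);
	completion_pending = 0;
	last_tag = tag;
	if (tag_out)
		*tag_out = tag;
	return rc;
}

int main(void)
{
	uint32_t tag;
	int rc;

	rc = simulate(0, 0, &tag);
	printf("unpatched, no race: rc=%d tag=%u\n", rc, tag);
	rc = simulate(0, 1, &tag);
	printf("unpatched, race:    rc=%d (NULL dereference)\n", rc);
	rc = simulate(1, 1, &tag);
	printf("patched, race:      rc=%d tag=0x%x (abort refused)\n", rc, tag);
	return 0;
}
```

The third run is the interesting one: the snapshot keeps the lookup from dereferencing NULL, but the tag it returns has already been invalidated by the simulated completion, which is why the v2 caller check is needed on top of READ_ONCE() and why the window after that check is still open until the abort is actually issued.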