Date: Tue, 10 Feb 2026 01:07:54 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260210010754.1824914-1-salomondush@google.com>
Subject: [PATCH] scsi: pm8001: Fix use-after-free in pm8001_queue_command()
From: Salomon Dushimirimana
To: Jack Wang, "James E.J. Bottomley", "Martin K. Petersen"
Cc: Damien Le Moal, John Garry, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Salomon Dushimirimana

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
refactors pm8001_queue_command(); however, it introduces a potential
double free when it changes the function to return -ENODEV in the
phy down/device gone state.

In this path, pm8001_queue_command updates the task status and calls
task_done to indicate to the upper layer that the task has been
handled. However, this also frees the underlying sas task. A -ENODEV
is then returned to the caller. When libsas sas_ata_qc_issue receives
this error value, it assumes the task wasn't handled/queued by the LLDD
and proceeds to clean up and free the task again, resulting in a
double free.

Since pm8001_queue_command handles the sas task in this case, it should
return 0 to the caller, indicating that the task has been handled.

Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
Signed-off-by: Salomon Dushimirimana
---
 drivers/scsi/pm8001/pm8001_sas.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 6a8d35aea93a..0285ce6400dc 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -525,8 +525,8 @@ int pm8001_queue_command(struct sas_task *task, gfp_t gfp_flags)
 		} else {
 			task->task_done(task);
 		}
-		rc = -ENODEV;
-		goto err_out;
+		spin_unlock_irqrestore(&pm8001_ha->lock, flags);
+		return 0;
 	}
 
 	ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task);
-- 
2.53.0.rc2.204.g2597b5adb4-goog
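Review bot: Replacing `goto err_out` with an open-coded `spin_unlock_irqrestore(&pm8001_ha->lock, flags); return 0;` bypasses whatever `err_out` does, so the fix is only complete if `err_out` performs nothing beyond the unlock this hunk repeats; the trailing context shows `ccb = pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task);` runs only after this block, so no ccb exists to release here, but please confirm in the description that `err_out` has no other cleanup. A one-line comment above `return 0;` saying that `task_done()` has already completed and released the task would help, since a bare `return 0` from a phy-down/device-gone path reads like a mistake to the next reader. It would also be worth stating whether the other libsas callers of pm8001_queue_command() follow the same "0 means the LLDD owns the task" convention, because the description argues only from sas_ata_qc_issue().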
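The ownership rule the description relies on (a 0 return means the LLDD has consumed the task; a nonzero return means the caller still owns it and must release it) is easier to see in a small model. The following is an added example, not code from this patch, the pm8001 driver or libsas; `model_task`, `lldd_queue_before_fix`, `lldd_queue_after_fix`, `issue_task`, `complete_inflight` and `releases_for` are constructed names, and releases are counted rather than performed so that a double release is observable as a count of 2 instead of undefined behaviour.

```c
#include <stddef.h>

/* Added model of the ownership rule the commit message describes. The
 * names here are constructed and are not the pm8001 driver or libsas API. */

#define MODEL_ENODEV 19

struct model_task {
	int device_gone;  /* constructed: 1 if the target has vanished */
	int done_calls;   /* times the completion callback ran */
	int releases;     /* times the task was handed back to the allocator */
};

/* Stand-in for the single in-flight slot an LLDD would hold. */
static struct model_task *inflight;

/* task_done in the model: completing a task also releases it, which is
 * the property that turns a later "free on error" into a double free. */
static void model_task_done(struct model_task *t)
{
	t->done_calls++;
	t->releases++;
}

/* Pre-fix variant: on device-gone, complete (and release) the task, then
 * still report -ENODEV, telling the caller the task was never taken. */
int lldd_queue_before_fix(struct model_task *t)
{
	if (t->device_gone) {
		model_task_done(t);
		return -MODEL_ENODEV;
	}
	inflight = t;
	return 0;
}

/* Post-fix variant: once the task has been completed here, return 0 so
 * the caller treats it as handled and does not release it again. */
int lldd_queue_after_fix(struct model_task *t)
{
	if (t->device_gone) {
		model_task_done(t);
		return 0;
	}
	inflight = t;
	return 0;
}

/* Caller modelled on the libsas expectation: a nonzero return means the
 * LLDD did not take ownership, so the caller cleans the task up itself. */
int issue_task(struct model_task *t, int (*queue)(struct model_task *))
{
	int rc = queue(t);

	if (rc) {
		t->releases++;  /* caller-side cleanup of an unqueued task */
		return rc;
	}
	return 0;
}

/* Hardware completion for a task that really was queued. */
void complete_inflight(void)
{
	if (inflight) {
		model_task_done(inflight);
		inflight = NULL;
	}
}

/* Drive one task through a variant and report how many times it was
 * released; the invariant is exactly 1 on every path. */
int releases_for(int (*queue)(struct model_task *), int device_gone)
{
	struct model_task t = { .device_gone = device_gone };

	inflight = NULL;
	issue_task(&t, queue);
	complete_inflight();
	return t.releases;
}
```

With the device gone, `releases_for(lldd_queue_before_fix, 1)` yields 2 (the double release the description warns about) and `releases_for(lldd_queue_after_fix, 1)` yields 1; with the device present both variants queue the task and the hardware completion releases it exactly once.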