Date: Fri, 13 Feb 2026 19:28:06 +0000
Message-ID: <20260213192806.439432-1-salomondush@google.com>
In-Reply-To: <20260213192214.437871-1-salomondush@google.com>
References: <20260213192214.437871-1-salomondush@google.com>
Subject: [PATCH v3] scsi: pm8001: Fix use-after-free in pm8001_queue_command()
From: Salomon Dushimirimana
To: salomondush@google.com
Cc: James.Bottomley@HansenPartnership.com, damien.lemoal@opensource.wdc.com, dlemoal@kernel.org, jinpu.wang@cloud.ionos.com, john.g.garry@oracle.com, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, martin.petersen@oracle.com
X-Mailing-List: linux-kernel@vger.kernel.org

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(); however, it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state.

In this path, pm8001_queue_command updates the task status and calls task_done to indicate to the upper layer that the task has been handled. However, this also frees the underlying sas task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue receives this error value, it assumes the task wasn't handled/queued by the LLDD and proceeds to clean up and free the task again, resulting in a double free.

Since pm8001_queue_command handles the sas task in this case, it should return 0 to the caller, indicating that the task has been handled.

Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()")
Signed-off-by: Salomon Dushimirimana
Reviewed-by: Damien Le Moal
---
Changelog since v2:
- Added this changelog section

Changelog since v3:
- Added debug message to signal device gone issue

 drivers/scsi/pm8001/pm8001_sas.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_= sas.c index 6a8d35aea93a..645524f3fe2d 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c 
+++ b/drivers/scsi/pm8001/pm8001_sas.c @@ -525,8 +525,9 @@ int pm8001_queue_command(struct sas_task *task, gfp_t g= fp_flags) } else { task->task_done(task); } - rc =3D -ENODEV; - goto err_out; + spin_unlock_irqrestore(&pm8001_ha->lock, flags); + pm8001_dbg(pm8001_ha, IO, "pm8001_task_exec device gone\n"); + return 0; } =20 ccb =3D pm8001_ccb_alloc(pm8001_ha, pm8001_dev, task); --=20 2.53.0.273.g2a3d683680-goog
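Review bot: the added debug message says "pm8001_task_exec device gone", but the @@ header shows this code lives in pm8001_queue_command(); pm8001_task_exec is only the name from the Fixes: commit title. Use the current function name, e.g. `pm8001_dbg(pm8001_ha, IO, "%s: device gone\n", __func__);`, so the line is greppable against the code that emits it. Since `task->task_done(task)` on the preceding context line is exactly what frees the sas_task (the bug this patch fixes), the message must not pull fields from `task`; if more context is wanted for triage, `pm8001_dev` (visible in the trailing `pm8001_ccb_alloc()` line) is the safe thing to identify. Finally, the removed `goto err_out` is replaced by an explicit `spin_unlock_irqrestore(&pm8001_ha->lock, flags)` followed by `return 0`; the err_out label is not in the hunk, so the review should confirm that the lock is held on this path and that err_out did nothing beyond the unlock (no other cleanup that this early return now skips).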