Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2018-20836: scsi: libsas: fix a race condition when smp task timeout · torvalds/linux@b90cd6f

An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.

CVE
#linux#oracle#intel#huawei

Permalink

Browse files

scsi: libsas: fix a race condition when smp task timeout

When the lldd is processing the complete sas task in interrupt and set the task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be triggered at the same time. And smp_task_timedout() will complete the task wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed before lldd end the interrupt process. Thus a use-after-free will happen.

Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not set. And remove the check of the return value of the del_timer(). Once the LLDD sets DONE, it must call task->done(), which will call smp_task_done()->complete() and the task will be completed and freed correctly.

Reported-by: chenxiang [email protected] Signed-off-by: Jason Yan [email protected] CC: John Garry [email protected] CC: Johannes Thumshirn [email protected] CC: Ewan Milne [email protected] CC: Christoph Hellwig [email protected] CC: Tomas Henzl [email protected] CC: Dan Williams [email protected] CC: Hannes Reinecke [email protected] Reviewed-by: Hannes Reinecke [email protected] Reviewed-by: John Garry [email protected] Reviewed-by: Johannes Thumshirn [email protected] Signed-off-by: Martin K. Petersen [email protected]

  • Loading branch information

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907