Headline
CVE-2018-20836: scsi: libsas: fix a race condition when smp task timeout · torvalds/linux@b90cd6f
An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.
Permalink
Browse files
scsi: libsas: fix a race condition when smp task timeout
When the lldd is processing the complete sas task in interrupt and set the task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be triggered at the same time. And smp_task_timedout() will complete the task wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed before lldd end the interrupt process. Thus a use-after-free will happen.
Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not set. And remove the check of the return value of the del_timer(). Once the LLDD sets DONE, it must call task->done(), which will call smp_task_done()->complete() and the task will be completed and freed correctly.
Reported-by: chenxiang [email protected] Signed-off-by: Jason Yan [email protected] CC: John Garry [email protected] CC: Johannes Thumshirn [email protected] CC: Ewan Milne [email protected] CC: Christoph Hellwig [email protected] CC: Tomas Henzl [email protected] CC: Dan Williams [email protected] CC: Hannes Reinecke [email protected] Reviewed-by: Hannes Reinecke [email protected] Reviewed-by: John Garry [email protected] Reviewed-by: Johannes Thumshirn [email protected] Signed-off-by: Martin K. Petersen [email protected]
- Loading branch information