[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
** Changed in: linux (Ubuntu Xenial)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1808912

Title:
  scsi: libsas: fix a race condition when smp task timeout

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Released

Bug description:
  [Impact]
  When the lldd is processing the completed sas task in interrupt and sets
  the task state to SAS_TASK_STATE_DONE, the smp timeout timer is able to
  be triggered at the same time. And smp_task_timedout() will complete the
  task whether SAS_TASK_STATE_DONE is set or not. Then the sas task may be
  freed before the lldd ends the interrupt process. Thus a use-after-free
  will happen.

  [Test Case]
  This is hard to reproduce, so regression test only.

  [Fix]
  b90cd6f2b9 scsi: libsas: fix a race condition when smp task timeout

  [Regression Risk]
  Only 2 lines moved in libsas and the maintainer has reviewed/approved. I
  will say it's low.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1808912/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
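The race in [Impact] and the "2 lines moved" in [Fix], as a user-space C model added by the editor. This is not the kernel's libsas code and is not part of the bug report: the flag, lock and function names follow libsas so the two shapes of smp_task_timedout() are recognisable, but the structs, the lock stand-in, the completion counter and the interleaving driver are constructed here, and the post-fix shape is the editor's reading of the commit (check b90cd6f2b9 for the actual diff). The model forces the losing interleaving: the LLDD has set SAS_TASK_STATE_DONE in its interrupt handler but has not yet handed the task back when the timer fires.

```c
/*
 * User-space model of the libsas SMP timeout race. Added example, not
 * kernel code: names are borrowed from libsas for readability; the lock
 * stand-in, completion counter and interleaving driver are constructed.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define SAS_TASK_STATE_DONE    0x01u
#define SAS_TASK_STATE_ABORTED 0x02u

/* Stand-in for task->task_state_lock: traps on double lock/unlock. */
struct state_lock { bool held; };

static void lock_task_state(struct state_lock *l)   { assert(!l->held); l->held = true;  }
static void unlock_task_state(struct state_lock *l) { assert(l->held);  l->held = false; }

struct sas_task {
    struct state_lock task_state_lock;
    unsigned int      task_state_flags;
    int               completions;   /* times complete() ran; each can wake the waiter */
};

static void task_init(struct sas_task *task)
{
    task->task_state_lock.held = false;
    task->task_state_flags = 0;
    task->completions = 0;
}

/* Models complete(&task->slow_task->completion): wakes the waiter, which then
 * treats the task as finished and may free it. */
static void complete(struct sas_task *task)
{
    task->completions++;
}

/* LLDD interrupt path, step 1: mark the task DONE. The LLDD keeps using the
 * task pointer after this until step 2. */
static void lldd_set_done(struct sas_task *task)
{
    lock_task_state(&task->task_state_lock);
    task->task_state_flags |= SAS_TASK_STATE_DONE;
    unlock_task_state(&task->task_state_lock);
}

/* LLDD interrupt path, step 2: hand the task back (smp_task_done()). */
static void lldd_task_done(struct sas_task *task)
{
    complete(task);
}

/* Pre-fix shape: complete() runs unconditionally after the lock is dropped,
 * so the timer wakes the waiter even when DONE is already set. */
static void smp_task_timedout_before(struct sas_task *task)
{
    lock_task_state(&task->task_state_lock);
    if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
        task->task_state_flags |= SAS_TASK_STATE_ABORTED;
    unlock_task_state(&task->task_state_lock);

    complete(task);
}

/* Post-fix shape (editor's reading of the two moved lines): complete() only
 * when the task is not DONE, and inside the locked region, so the DONE check
 * and the wake-up cannot be split by the LLDD's interrupt path. */
static void smp_task_timedout_after(struct sas_task *task)
{
    lock_task_state(&task->task_state_lock);
    if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
        task->task_state_flags |= SAS_TASK_STATE_ABORTED;
        complete(task);
    }
    unlock_task_state(&task->task_state_lock);
}

/* The losing interleaving: DONE is set but task_done() has not run when the
 * timer fires. Returns how many wake-ups happened while the LLDD was still
 * using the task; non-zero means the waiter could free it under the LLDD. */
static int wakeups_while_lldd_active(void (*timedout)(struct sas_task *))
{
    struct sas_task task;
    task_init(&task);

    lldd_set_done(&task);          /* interrupt: DONE set */
    timedout(&task);               /* timer fires before step 2 */
    int early = task.completions;

    lldd_task_done(&task);         /* interrupt finishes; a wake-up is safe now */
    return early;
}

/* When the timer genuinely fires first, both shapes must still wake the
 * waiter exactly once and flag the task ABORTED. */
static bool timeout_still_reported(void (*timedout)(struct sas_task *))
{
    struct sas_task task;
    task_init(&task);
    timedout(&task);
    return task.completions == 1 &&
           (task.task_state_flags & SAS_TASK_STATE_ABORTED) != 0;
}

int main(void)
{
    printf("before fix: %d early wake-up(s)\n", wakeups_while_lldd_active(smp_task_timedout_before));
    printf("after fix:  %d early wake-up(s)\n", wakeups_while_lldd_active(smp_task_timedout_after));
    return 0;
}
```

Build with any C99 compiler and run: the pre-fix handler reports one early wake-up, the post-fix handler none, while the plain timeout path behaves the same in both. In the kernel the moved complete() runs under task_state_lock, which is permitted because complete() may be called from atomic context; what the move buys is that the DONE check and the wake-up become one step with respect to the LLDD's completion path.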
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Released
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: venus: core: Set dma maximum segment size
    - staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long enough
    - selftests: do not macro-expand failed assertion expressions
    - arm64: kasan: Increase stack size for KASAN_EXTRA
    - clk: imx6q: reset exclusive gates on init
    - arm64: Fix minor issues with the dcache_by_line_op macro
    - bpf: relax verifier restriction on BPF_MOV | BPF_ALU
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - btrfs: volumes: Make sure there is no overlap of dev extents at mount time
    - btrfs: alloc_chunk: fix more DUP stripe size handling
    - btrfs: fix use-after-free due to race between replace start and cancel
    - btrfs: improve error handling of btrfs_add_link
    - tty/serial: do not free trasnmit buffer page under port lock
    - perf intel-pt: Fix error with config term "pt=0"
    - perf tests ARM: Disable breakpoint tests 32-bit
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
    - netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
    - netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
    - netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
    - x86/topology: Use total_cpus for max logical packages calculation
    - dm crypt: use u64 instead of sector_t t
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
This bug was fixed in the package linux - 4.18.0-14.15

---------------
linux (4.18.0-14.15) cosmic; urgency=medium

  * linux: 4.18.0-14.15 -proposed tracker (LP: #1811406)

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
    - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
    - iommu/arm-smmu-v3: Implement flush_iotlb_all hook
    - iommu/dma: Add support for non-strict mode
    - iommu: Add "iommu.strict" command line option
    - iommu/io-pgtable-arm: Add support for non-strict mode
    - iommu/arm-smmu-v3: Add support for non-strict mode
    - iommu/io-pgtable-arm-v7s: Add support for non-strict mode
    - iommu/arm-smmu: Support non-strict mode

  * [Regression] crashkernel fails on HiSilicon D05 (LP: #1806766)
    - efi: honour memory reservations passed via a linux specific config table
    - efi/arm: libstub: add a root memreserve config table
    - efi: add API to reserve memory persistently across kexec reboot
    - irqchip/gic-v3-its: Change initialization ordering for LPIs
    - irqchip/gic-v3-its: Simplify LPI_PENDBASE_SZ usage
    - irqchip/gic-v3-its: Split property table clearing from allocation
    - irqchip/gic-v3-its: Move pending table allocation to init time
    - irqchip/gic-v3-its: Keep track of property table's PA and VA
    - irqchip/gic-v3-its: Allow use of pre-programmed LPI tables
    - irqchip/gic-v3-its: Use pre-programmed redistributor tables with kdump kernels
    - irqchip/gic-v3-its: Check that all RDs have the same property table
    - irqchip/gic-v3-its: Register LPI tables with EFI config table
    - irqchip/gic-v3-its: Allow use of LPI tables in reserved memory
    - arm64: memblock: don't permit memblock resizing until linear mapping is up
    - efi/arm: Defer persistent reservations until after paging_init()
    - efi: Permit calling efi_mem_reserve_persistent() from atomic context
    - efi: Prevent GICv3 WARN() by mapping the memreserve table before first use

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
    - pinctrl: cannonlake: Fix community ordering for H variant
    - pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
    - Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
    - drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
    - [Config] New config CONFIG_THUNDERX2_PMU=m

  * iptables connlimit allows more connections than the limit when using multiple CPUs (LP: #1811094)
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2018-16882
    - KVM: Fix UAF in nested posted interrupt processing

  * Cannot initialize ATA disk if IDENTIFY command fails (LP: #1809046)
    - scsi: libsas: check the ata device status by ata_dev_enabled()

  * scsi: libsas: fix a race condition when smp task timeout (LP: #1808912)
    - scsi: libsas: fix a race condition when smp task timeout

  * CVE-2018-14625
    - vhost/vsock: fix use-after-free in network stack callers

  * Fix an issue that LG I2C touchscreen stops working after reboot (LP: #1805085)
    - HID: i2c-hid: Disable runtime PM for LG touchscreen

  * Drivers: hv: vmbus: Offload the handling of channels to two workqueues (LP: #1807757)
    - Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
    - Drivers: hv: vmbus: Offload the handling of channels to two workqueues

  * Disable LPM for Raydium Touchscreens (LP: #1802248)
    - USB: quirks: Add no-lpm quirk for Raydium touchscreens

  * Power leakage at S5 with Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (LP: #1805607)
    - SAUCE: ath10k: provide reset function for QCA9377 chip

  * CVE-2018-19407
    - KVM: X86: Fix scan ioapic use-before-initialization

  * Fix USB2 device wrongly detected as USB1 (LP: #1806534)
    - xhci: Add quirk to workaround the errata
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
This bug was fixed in the package linux - 4.15.0-44.47

---------------
linux (4.15.0-44.47) bionic; urgency=medium

  * linux: 4.15.0-44.47 -proposed tracker (LP: #1811419)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: pass in enum wbt_flags to get_rq_wait()
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: sdhci: Disable 1.8v modes (HS200/HS400/UHS) if controller can't support 1.8v
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb: Use MMC_CAP2_NO_SDIO
    - mmc: rtsx_usb: Enable MMC_CAP_ERASE to allow erase/discard/trim requests
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
    - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
    - iommu/arm-smmu-v3: Implement flush_iotlb_all hook
    - iommu/dma: Add support for non-strict mode
    - iommu: Add "iommu.strict" command line option
    - iommu/io-pgtable-arm: Add support for non-strict mode
    - iommu/arm-smmu-v3: Add support for non-strict mode
    - iommu/io-pgtable-arm-v7s: Add support for non-strict mode
    - iommu/arm-smmu: Support non-strict mode

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
    - pinctrl: cannonlake: Fix community ordering for H variant
    - pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
    - perf: Export perf_event_update_userpage
    - Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
    - drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
    - [Config] New config CONFIG_THUNDERX2_PMU=m

  * Update hisilicon SoC-specific drivers (LP: #1810457)
    - SAUCE: Revert "net: hns3: Updates RX packet info fetch in case of multi BD"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: separate roce from nic when resetting"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Use roce handle when calling roce callback function"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add calling roce callback function when link status change"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: optimize the process of notifying roce client"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add pf reset for hip08 RoCE"
    - scsi: hisi_sas: Remove depends on HAS_DMA in case of platform dependency
    - ethernet: hisilicon: hns: hns_dsaf_mac: Use generic eth_broadcast_addr
    - scsi: hisi_sas: consolidate command check in hisi_sas_get_ata_protocol()
    - scsi: hisi_sas: remove some unneeded structure members
    - scsi: hisi_sas: Introduce hisi_sas_phy_set_linkrate()
    - net: hns: Fix the process of adding broadcast addresses to tcam
    - net: hns3: remove redundant variable 'protocol'
    - scsi: hisi_sas: Drop hisi_sas_slot_abort()
    - net: hns: Make many functions static
    - net: hns: make hns_dsaf_roce_reset non static
    - net: hisilicon: hns: Replace mdelay() with msleep()
    - net: hns3: fix return value error while hclge_cmd_csq_clean failed
    - net: hns: remove redundant variables 'max_frm' and 'tmp_mac_key'
    - net: hns: Mark expected switch fall-through
    - net: hns3: Mark expected switch fall-through
    - net: hns3: Remove tx ring BD len register in hns3_enet
    - net: hns: modify variable type in hns_nic_reuse_page
    - net: hns: use eth_get_headlen interface instead of hns_nic_get_headlen
    - net: hns3: modify variable type in hns3_nic_reuse_page
    - net: hns3: Fix for vf vlan delete failed problem
    - net: hns3: Fix for multicast failure
    - net: hns3: Fix error of checking used vlan id
    - net: hns3: Implement shutdown ops in hns3 pci driver
    - net: hns3: Fix for loopback selftest failed problem
    - net: hns3: Fix ping exited problem when doing lp selftest
    - net: hns3: Preserve vlan 0 in hardware table
    - net: hns3: Only update mac configuation when necessary
    - net: hns3: Change the dst mac addr of loopback packet
    - net: hns3: Remove redundant codes of query ad
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
The -proposed kernel works fine. Thanks.

** Tags removed: verification-needed-bionic verification-needed-cosmic
** Tags added: verification-done-bionic verification-done-cosmic

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
This bug is awaiting verification that the kernel in -proposed solves the
problem. Please test the kernel and update this bug with the results. If
the problem is solved, change the tag 'verification-needed-bionic' to
'verification-done-bionic'. If the problem still exists, change the tag
'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
This bug is awaiting verification that the kernel in -proposed solves the
problem. Please test the kernel and update this bug with the results. If
the problem is solved, change the tag 'verification-needed-cosmic' to
'verification-done-cosmic'. If the problem still exists, change the tag
'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

** Tags added: verification-needed-cosmic

** Tags added: verification-needed-bionic

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
** Changed in: linux (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
** Changed in: linux (Ubuntu Disco)
       Status: In Progress => Fix Committed

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  In Progress
Status in linux source package in Disco:
  Fix Committed
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Cosmic)
       Status: New => In Progress

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  In Progress
Status in linux source package in Disco:
  In Progress
[Kernel-packages] [Bug 1808912] Re: scsi: libsas: fix a race condition when smp task timeout
** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
     Assignee: Ike Panhc (ikepanhc)
       Status: Incomplete

** Changed in: linux (Ubuntu Disco)
       Status: Incomplete => In Progress

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  New
Status in linux source package in Cosmic:
  New
Status in linux source package in Disco:
  In Progress