Re: [PATCH] scsi: pm8001: Fix potential TOCTOU race in pm8001_find_tag

Next message: Dave Hansen: "Re: [PATCH v4 0/3] Fix bugs and performance of kstack offset randomisation"
Previous message: Mark Brown: "Re: [PATCH v3 3/3] spi: xilinx: use device property accessors."
In reply to: James Bottomley: "Re: [PATCH] scsi: pm8001: Fix potential TOCTOU race in pm8001_find_tag"
Next in thread: James Bottomley: "Re: [PATCH] scsi: pm8001: Fix potential TOCTOU race in pm8001_find_tag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chengfeng Ye

Date: Mon Jan 19 2026 - 11:51:08 EST

> I don't get how a race is possible here. Before the query function
> begins, the sas logic calls abort task on the tag, which means the
> controller should ensure there are no further completion functions for
> it regardless of whether the abort succeeds or not.

Thanks a lot for looking into it!

Sorry that I might miss something as I am not very familiar with the
code. But I also notice the find_tag() function is also invoked inside
the abort function (and invoked before the completion). For the
find_tag() invoked inside the abort path will it be a race?
https://github.com/torvalds/linux/blob/master/drivers/scsi/pm8001/pm8001_sas.c#L1085

Best regards,
Chengfeng