Re: [PATCH] scsi: libsas: Fix dev_list race conditions with proper locking

From: Damien Le Moal

Date: Sun Feb 01 2026 - 20:21:58 EST


On 1/31/26 20:19, Chaohai Chen wrote:
>>> + * We need to unlock before calling sas_unregister_dev() as it
>>> + * may sleep, but we hold a reference to prevent device removal.
>>
>> And why is that necessary?
>>
> Because when unlocked, it is possible that the device has already been
> released by another thread. If there is no reference count, it will lead
> to a use after free.

Please clearly explain the problem path. Your statement about "another thread"
is too vague.

>>> + */
>>> + spin_lock_irq(&port->dev_list_lock);
>>> list_for_each_entry_safe_reverse(dev, n, &port->dev_list, dev_list_node) {
>>> if (gone)
>>> set_bit(SAS_DEV_GONE, &dev->state);
>>> + kref_get(&dev->kref);
>>> + spin_unlock_irq(&port->dev_list_lock);
>>> +
>>> sas_unregister_dev(port, dev);
>>> + sas_put_device(dev);
>>> +
>>> + spin_lock_irq(&port->dev_list_lock);
>>> }
>>> + spin_unlock_irq(&port->dev_list_lock);
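
Review bot: dropping port->dev_list_lock inside list_for_each_entry_safe_reverse() leaves the saved next pointer `n` unprotected: the kref_get() only pins `dev`, so while the lock is released around sas_unregister_dev() any concurrent path that removes entries from port->dev_list can free the entry `n` points at, and the next iteration of the loop dereferences it. Either take a reference on `n` as well before unlocking, or restart the walk after re-taking the lock (for example a `while (!list_empty(&port->dev_list))` loop that picks the last entry under the lock each time) instead of continuing from a cached next pointer. The commit message should also name the concrete race the kref is guarding against, as asked for above, so a reviewer can check that this loop shape actually closes it.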

--
Damien Le Moal
Western Digital Research