Re: [issue report] pm8001 issues (was driver crashes with IOMMU enabled)

On 27/12/2021 13:26, Ajish.Koshy@xxxxxxxxxxxxx wrote:
> Regarding maxcpus=1 issue, will check and try to reproduce the
> same on x86 server.
>
> And for ARM issues, need to check internally as it was never
> tested for the same.

I have found another issue. There is a potential use-after-free in pm8001_task_exec():

static int pm8001_task_exec()
{
	...
	case SAS_PROTOCOL_SSP:
		atomic_inc(&pm8001_dev->running_req);
		if (is_tmf)
			rc = pm8001_task_prep_ssp_tm(...);
		else
			rc = pm8001_task_prep_ssp(pm8001_ha, ccb);
		break;
	...

	if (rc) {
		pm8001_dbg(pm8001_ha, IO, "rc is %x\n", rc);
		atomic_dec(&pm8001_dev->running_req);
		goto err_out_tag;
	}
	/* TODO: select normal or high priority */
	spin_lock(&t->task_state_lock); ****
	t->task_state_flags |= SAS_TASK_AT_INITIATOR;
	spin_unlock(&t->task_state_lock);
	...
}

Once the task is dispatched to HW at ****, it is completed async, i.e. it may be completed and freed at any point, even before the dispatch function returns. So it is illegal to touch the task at this point and the task state must be updated before final dispatch to the HW. If you enable KASAN you will probably see it yell like I saw.

Thanks,
john
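The ordering problem John describes, as an added user-space model (this is not pm8001 driver code and not from the thread): a task is handed to a simulated HBA that completes and releases it before the dispatch function returns, which is the worst case the mail mentions. Instead of calling free(), the model poisons the task on completion, in the spirit of KASAN's freed-memory poisoning, so the illegal touch shows up as a return value rather than undefined behaviour. The struct, the lock bookkeeping, the flag value and every function name here are constructed for the example; the "fixed" ordering is one way to avoid the race, not a claim about what the upstream fix looks like.

```c
/* Added example, not pm8001 driver code: model of touching a task after it
 * has been handed to hardware that may complete and free it immediately.
 * All names, the flag value and the poison values are constructed. */
#include <stdio.h>
#include <stdlib.h>

#define TASK_LIVE  0x5A5A5A5Au
#define TASK_FREED 0xDEADBEEFu          /* poison written on completion */
#define SAS_TASK_AT_INITIATOR 0x01u     /* constructed flag value */

struct task {
    unsigned magic;                     /* TASK_LIVE or TASK_FREED */
    int lock_held;                      /* stands in for task_state_lock */
    unsigned state_flags;
    unsigned flags_seen_by_completion;  /* what the completion path observed */
};

static struct task *task_alloc(void)
{
    struct task *t = calloc(1, sizeof *t);
    if (t)
        t->magic = TASK_LIVE;
    return t;
}

/* Simulated hardware completion: records the flags it saw, then "frees" the
 * task by poisoning it. Called synchronously from hw_dispatch() to model the
 * case where completion races ahead of the dispatching thread. */
static void hw_complete(struct task *t)
{
    t->flags_seen_by_completion = t->state_flags;
    t->magic = TASK_FREED;
}

static int hw_dispatch(struct task *t)
{
    hw_complete(t);                     /* on real hardware: another CPU, any time */
    return 0;
}

/* Set the flag under the lock, but only if the task is still live. Returns 0
 * on success, -1 when the write would have landed in freed memory. */
static int set_at_initiator(struct task *t)
{
    if (t->magic != TASK_LIVE)          /* the access KASAN would report */
        return -1;
    t->lock_held = 1;
    t->state_flags |= SAS_TASK_AT_INITIATOR;
    t->lock_held = 0;
    return 0;
}

/* Ordering from the mail: dispatch first, then touch the task. Once
 * hw_dispatch() returns, the task may already be gone. */
static int task_exec_buggy(struct task *t)
{
    int rc = hw_dispatch(t);
    if (rc)
        return rc;
    return set_at_initiator(t);
}

/* Ordering that avoids the problem: update task state while the caller still
 * owns the task, then hand it to the hardware. */
static int task_exec_fixed(struct task *t)
{
    int rc = set_at_initiator(t);
    if (rc)
        return rc;
    rc = hw_dispatch(t);
    if (rc)
        t->state_flags &= ~SAS_TASK_AT_INITIATOR; /* dispatch failed: still ours */
    return rc;
}

static unsigned last_seen_flags;        /* flags observed by the last completion */

/* Runs one variant on a fresh task and returns its result; the poisoned object
 * is still readable in this model, so the completion's view can be recorded. */
static int run_variant(int (*exec)(struct task *))
{
    struct task *t = task_alloc();
    if (!t)
        return -2;
    int rc = exec(t);
    last_seen_flags = t->flags_seen_by_completion;
    free(t);
    return rc;
}

int main(void)
{
    int rc = run_variant(task_exec_buggy);
    printf("buggy ordering: rc=%d, completion saw flags=0x%x\n", rc, last_seen_flags);
    rc = run_variant(task_exec_fixed);
    printf("fixed ordering: rc=%d, completion saw flags=0x%x\n", rc, last_seen_flags);
    return 0;
}
```

With the buggy ordering the flag write is refused because the task is already poisoned, and the completion path never saw SAS_TASK_AT_INITIATOR at all; with the fixed ordering the write succeeds and the completion path observes the flag. On a real kernel the first case is a silent write into freed memory unless KASAN is enabled, which is why the mail suggests turning it on.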