Hi John,

> On 27/12/2021 13:26, Ajish.Koshy@xxxxxxxxxxxxx wrote:
>> Regarding maxcpus=1 issue, will check and try to reproduce the same on
>> x86 server.
>>
>> And for ARM issues, need to check internally as it was never tested
>> for the same.
>
> I have found another issue. There is a potential use-after-free in
> pm8001_task_exec():
>
> static int pm8001_task_exec()
> {
>     ...
>     case SAS_PROTOCOL_SSP:
>         atomic_inc(&pm8001_dev->running_req);
>         if (is_tmf)
>             rc = pm8001_task_prep_ssp_tm(...);
>         else
>             rc = pm8001_task_prep_ssp(pm8001_ha, ccb);
>         break;
>     ...
>
>     if (rc) {
>         pm8001_dbg(pm8001_ha, IO, "rc is %x\n", rc);
>         atomic_dec(&pm8001_dev->running_req);
>         goto err_out_tag;
>     }
>     /* TODO: select normal or high priority */
>     spin_lock(&t->task_state_lock);            ****
>     t->task_state_flags |= SAS_TASK_AT_INITIATOR;
>     spin_unlock(&t->task_state_lock);
>     ...
> }
>
> Once the task is dispatched to HW at ****, it is completed async, i.e.
> it may be completed and freed at any point, even before the dispatch
> function returns. So it is illegal to touch the task at this point and the task
> state must be updated before final dispatch to the HW. If you enable KASAN
> you will prob see it yell like I saw.

I too have a similar thought here. After dispatch to HW, there is no point in touching the task state. But since the code is in the IO path, it may need further testing.

> Thanks,
> john

Thanks,
Ajish
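The ordering problem John describes, as an added example that is not pm8001 driver code: completion is modelled as running synchronously inside dispatch, the worst case of "may be completed and freed before the dispatch function returns". Structure and flag names are hypothetical stand-ins for the kernel's sas_task, and the freed marker plays the role of KASAN's use-after-free detection.

```c
#include <stdbool.h>

#define TASK_AT_INITIATOR 0x1   /* hypothetical flag values */
#define TASK_DONE         0x2

struct task {
    unsigned int state_flags;
    bool freed;   /* model of a slab free; stands in for KASAN's poisoning */
};

/* Completion path: in the driver this runs in IRQ context at any time
 * after the HW has the request; here it marks done and releases the task. */
static void complete_and_free(struct task *t)
{
    t->state_flags |= TASK_DONE;
    t->freed = true;
}

/* HW dispatch: the "hardware" completes the request immediately. */
static int dispatch_to_hw(struct task *t)
{
    complete_and_free(t);
    return 0;
}

/* Returns 0 on success, -1 if the task was touched after release
 * (the model's equivalent of a KASAN use-after-free report). */
static int set_at_initiator(struct task *t)
{
    if (t->freed)
        return -1;
    t->state_flags |= TASK_AT_INITIATOR;
    return 0;
}

/* Ordering as quoted in the thread: state updated after dispatch. */
int task_exec_after(struct task *t)
{
    if (dispatch_to_hw(t))
        return -1;
    return set_at_initiator(t);   /* task already completed and freed */
}

/* Ordering the thread argues for: state updated before dispatch. */
int task_exec_before(struct task *t)
{
    if (set_at_initiator(t))
        return -1;
    return dispatch_to_hw(t);     /* flag was set while task was still live */
}
```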