From: John Garry <john.garry@huawei.com>
To: <Ajish.Koshy@microchip.com>, <jinpu.wang@ionos.com>,
<Viswas.G@microchip.com>
Cc: <linux-scsi@vger.kernel.org>, <vishakhavc@google.com>,
<ipylypiv@google.com>, <Ruksar.devadi@microchip.com>,
<damien.lemoal@opensource.wdc.com>,
<Vasanthalakshmi.Tharmarajan@microchip.com>
Subject: Re: [issue report] pm8001 issues (was driver crashes with IOMMU enabled)
Date: Thu, 6 Jan 2022 15:49:22 +0000
Message-ID: <0cc0c435-b4f2-9c76-258d-865ba50a29dd@huawei.com>
In-Reply-To: <PH0PR11MB5112EBE80F9A4AD199866CA7EC429@PH0PR11MB5112.namprd11.prod.outlook.com>
On 27/12/2021 13:26, Ajish.Koshy@microchip.com wrote:
> Regarding maxcpus=1 issue, will check and try to reproduce the
> same on x86 server.
>
> And for ARM issues, need to check internally as it was never
> tested for the same.
I have found another issue. There is a potential use-after-free in
pm8001_task_exec():
static int pm8001_task_exec()
{
	...
	case SAS_PROTOCOL_SSP:
		atomic_inc(&pm8001_dev->running_req);
		if (is_tmf)
			rc = pm8001_task_prep_ssp_tm(...);
		else
			rc = pm8001_task_prep_ssp(pm8001_ha, ccb);
		break;
	...
	if (rc) {
		pm8001_dbg(pm8001_ha, IO, "rc is %x\n", rc);
		atomic_dec(&pm8001_dev->running_req);
		goto err_out_tag;
	}
	/* TODO: select normal or high priority */
	spin_lock(&t->task_state_lock); ****
	t->task_state_flags |= SAS_TASK_AT_INITIATOR;
	spin_unlock(&t->task_state_lock);
	...
}
Once the task is dispatched to HW at ****, it is completed async, i.e.
it may be completed and freed at any point, even before the dispatch
function returns. So it is illegal to touch the task at this point and
the task state must be updated before final dispatch to the HW. If you
enable KASAN you will probably see it yell like I saw.
Thanks,
john
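The ordering problem described above, reduced to a small model. This is an added example, not code from the mail or the pm8001 driver: struct task, hw_dispatch(), set_state_flag(), run_variant() and the live/uaf_hits bookkeeping are assumptions standing in for the real task lifecycle, the spinlock and KASAN's freed-memory tracking. Completion is made to fire inside the dispatch call, the fastest case the async model allows, so the buggy ordering is caught deterministically.

```c
#include <stdbool.h>

#define SAS_TASK_AT_INITIATOR 0x1  /* flag name from the mail; value assumed */

struct task {
	unsigned int task_state_flags;
	bool live;     /* hypothetical KASAN-style "allocation still valid" bit */
	int uaf_hits;  /* accesses made while !live */
};

/* Hand the task to "HW". In the driver, completion runs later from the HW
 * interrupt and frees the task; here it fires inside the call, the fastest
 * case the async model allows. The free is modelled by clearing the live bit. */
static int hw_dispatch(struct task *t)
{
	t->live = false;  /* completion + kfree() */
	return 0;
}

/* Stand-in for the locked task_state_flags update; the spinlock is omitted. */
static void set_state_flag(struct task *t, unsigned int flag)
{
	if (!t->live)
		t->uaf_hits++;  /* the access KASAN would report */
	t->task_state_flags |= flag;
}

/* Ordering in the quoted pm8001_task_exec(): dispatch, then touch the task. */
int task_exec_buggy(struct task *t)
{
	int rc = hw_dispatch(t);
	if (rc)
		return rc;
	set_state_flag(t, SAS_TASK_AT_INITIATOR);  /* task may already be freed */
	return 0;
}

/* Ordering the mail asks for: state updated before the final HW dispatch. */
int task_exec_fixed(struct task *t)
{
	set_state_flag(t, SAS_TASK_AT_INITIATOR);
	return hw_dispatch(t);
}

/* Run one variant on a fresh task; return how many freed-task accesses it made. */
int run_variant(int (*exec)(struct task *))
{
	struct task t = { .live = true };
	exec(&t);
	return t.uaf_hits;
}
```

run_variant(task_exec_buggy) reports one freed-task access, run_variant(task_exec_fixed) reports none; the only difference between the two paths is where the state update sits relative to the dispatch.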