RE: [issue report] pm8001 issues (was driver crashes with IOMMU enabled)

[<Ajish.Koshy@microchip.com>]

Hi John,
> 
> On 27/12/2021 13:26, Ajish.Koshy@microchip.com wrote:
> > Regarding maxcpus=1 issue, will check and try to reproduce the same on
> > x86 server.
> >
> > And for ARM issues, need to check internally as it was never tested
> > for the same.
> 
> I have found another issue. There is a potential use-after-free in
> pm8001_task_exec():
> 
> static int pm8001_task_exec()
> {
>         ...
>         case SAS_PROTOCOL_SSP:
>         atomic_inc(&pm8001_dev->running_req);
>         if (is_tmf)
>                 rc = pm8001_task_prep_ssp_tm(...);
>         else
>                 rc = pm8001_task_prep_ssp(pm8001_ha, ccb);
>         break;
>         ...
> 
>         if (rc) {
>                 pm8001_dbg(pm8001_ha, IO, "rc is %x\n", rc);
>                 atomic_dec(&pm8001_dev->running_req);
>                 goto err_out_tag;
>         }
>         /* TODO: select normal or high priority */
>         spin_lock(&t->task_state_lock); ****
>         t->task_state_flags |= SAS_TASK_AT_INITIATOR;
>         spin_unlock(&t->task_state_lock);
>         ...
> }
> 
> 
> Once the task is dispatched to HW at ****, it is completed async, i.e.
> it may be completed and freed at any point, even before the dispatch
> function returns. So it is illegal to touch the task at this point and the task
> state must be updated before final dispatch to the HW. If you enable KASAN
> you will prob see it yell like I saw.
> 

I too have similar thought here. After dispatch to HW, no point to touch the
task state. But since the code is in IO path, may need further testing. 

> Thanks,
> john

Thanks,
Ajish