
scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

Message ID 20211201041627.1592487-1-ipylypiv@google.com
State New

Commit Message

Igor Pylypiv Dec. 1, 2021, 4:16 a.m. UTC
Calling scsi_remove_host() before scsi_add_host() results in a crash:

 BUG: kernel NULL pointer dereference, address: 0000000000000108
 RIP: 0010:device_del+0x63/0x440
 Call Trace:
  device_unregister+0x17/0x60
  scsi_remove_host+0xee/0x2a0
  pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
  local_pci_probe+0x3f/0x90

We cannot call scsi_remove_host() in pm8001_alloc() because
scsi_add_host() has not been called yet at that point.

Function call tree:

  pm8001_pci_probe()
  |
  `- pm8001_pci_alloc()
  |  |
  |  `- pm8001_alloc()
  |     |
  |     `- scsi_remove_host()
  |
  `- scsi_add_host()

Fixes: 05c6c029a44d ("scsi: pm80xx: Increase number of supported queues")
Reviewed-by: Vishakha Channapattan <vishakhavc@google.com>
Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
---
 drivers/scsi/pm8001/pm8001_init.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Comments

Jinpu Wang Dec. 2, 2021, 8:17 a.m. UTC | #1
On Wed, Dec 1, 2021 at 5:16 AM Igor Pylypiv <ipylypiv@google.com> wrote:
>
> Calling scsi_remove_host() before scsi_add_host() results in a crash:
>
>  BUG: kernel NULL pointer dereference, address: 0000000000000108
>  RIP: 0010:device_del+0x63/0x440
>  Call Trace:
>   device_unregister+0x17/0x60
>   scsi_remove_host+0xee/0x2a0
>   pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
>   local_pci_probe+0x3f/0x90
>
> We cannot call scsi_remove_host() in pm8001_alloc() because
> scsi_add_host() have not been called yet at that point of time.
>
> Function call tree:
>
>   pm8001_pci_probe()
>   |
>   `- pm8001_pci_alloc()
>   |  |
>   |  `- pm8001_alloc()
>   |     |
>   |     `- scsi_remove_host()
>   |
>   `- scsi_add_host()
>
> Fixes: 05c6c029a44d ("scsi: pm80xx: Increase number of supported queues")
> Reviewed-by: Vishakha Channapattan <vishakhavc@google.com>
> Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
Thanks!
Acked-by: Jack Wang <jinpu.wang@ionos.com>
> ---
>  drivers/scsi/pm8001/pm8001_init.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c
> index bed8cc125544..fbfeb0b046dd 100644
> --- a/drivers/scsi/pm8001/pm8001_init.c
> +++ b/drivers/scsi/pm8001/pm8001_init.c
> @@ -282,12 +282,12 @@ static int pm8001_alloc(struct pm8001_hba_info *pm8001_ha,
>         if (rc) {
>                 pm8001_dbg(pm8001_ha, FAIL,
>                            "pm8001_setup_irq failed [ret: %d]\n", rc);
> -               goto err_out_shost;
> +               goto err_out;
>         }
>         /* Request Interrupt */
>         rc = pm8001_request_irq(pm8001_ha);
>         if (rc)
> -               goto err_out_shost;
> +               goto err_out;
>
>         count = pm8001_ha->max_q_num;
>         /* Queues are chosen based on the number of cores/msix availability */
> @@ -423,8 +423,6 @@ static int pm8001_alloc(struct pm8001_hba_info *pm8001_ha,
>         pm8001_tag_init(pm8001_ha);
>         return 0;
>
> -err_out_shost:
> -       scsi_remove_host(pm8001_ha->shost);
>  err_out_nodev:
>         for (i = 0; i < pm8001_ha->max_memcnt; i++) {
>                 if (pm8001_ha->memoryMap.region[i].virt_ptr != NULL) {
> --
> 2.34.0.rc2.393.gf8c9666880-goog
>
Martin K. Petersen Dec. 3, 2021, 3:03 a.m. UTC | #2
On Tue, 30 Nov 2021 20:16:27 -0800, Igor Pylypiv wrote:

> Calling scsi_remove_host() before scsi_add_host() results in a crash:
> 
>  BUG: kernel NULL pointer dereference, address: 0000000000000108
>  RIP: 0010:device_del+0x63/0x440
>  Call Trace:
>   device_unregister+0x17/0x60
>   scsi_remove_host+0xee/0x2a0
>   pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
>   local_pci_probe+0x3f/0x90
> 
> [...]

Applied to 5.16/scsi-fixes, thanks!

[1/1] scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()
      https://git.kernel.org/mkp/scsi/c/653926205741

Patch

diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c
index bed8cc125544..fbfeb0b046dd 100644
--- a/drivers/scsi/pm8001/pm8001_init.c
+++ b/drivers/scsi/pm8001/pm8001_init.c
@@ -282,12 +282,12 @@  static int pm8001_alloc(struct pm8001_hba_info *pm8001_ha,
 	if (rc) {
 		pm8001_dbg(pm8001_ha, FAIL,
 			   "pm8001_setup_irq failed [ret: %d]\n", rc);
-		goto err_out_shost;
+		goto err_out;
 	}
 	/* Request Interrupt */
 	rc = pm8001_request_irq(pm8001_ha);
 	if (rc)
-		goto err_out_shost;
+		goto err_out;
 
 	count = pm8001_ha->max_q_num;
 	/* Queues are chosen based on the number of cores/msix availability */
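Review bot: The `pm8001_request_irq()` failure branch now jumps to `err_out`, but that label and whatever it unwinds are outside both hunks, so it cannot be confirmed from here that anything acquired by the successful `pm8001_setup_irq()` call just above is released on this path. If `err_out` turns out to be a bare return, this second branch probably wants its own label that undoes the IRQ setup first, since a probe that fails repeatedly would otherwise leak it each time. The branch is also silent while the first one logs, so a matching `pm8001_dbg(pm8001_ha, FAIL, "pm8001_request_irq failed [ret: %d]\n", rc);` would make the failure diagnosable. pm8001_alloc's body starts and ends outside the hunk.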
@@ -423,8 +423,6 @@  static int pm8001_alloc(struct pm8001_hba_info *pm8001_ha,
 	pm8001_tag_init(pm8001_ha);
 	return 0;
 
-err_out_shost:
-	scsi_remove_host(pm8001_ha->shost);
 err_out_nodev:
 	for (i = 0; i < pm8001_ha->max_memcnt; i++) {
 		if (pm8001_ha->memoryMap.region[i].virt_ptr != NULL) {