Message ID | 20221109032403.1636422-1-yangyingliang@huawei.com |
---|---|
State | New |
Series | scsi: mpt3sas: fix possible resource leaks in mpt3sas_transport_port_add() |
On Wed, 9 Nov 2022 11:24:03 +0800, Yang Yingliang wrote:

> In mpt3sas_transport_port_add(), if sas_rphy_add() returns an error,
> sas_rphy_free() needs to be called to free the resource allocated in
> sas_end_device_alloc().
>
> Besides, it will lead to a kernel crash:
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
> CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : device_del+0x54/0x3d0
> lr : device_del+0x37c/0x3d0
> Call trace:
> device_del+0x54/0x3d0
> attribute_container_class_device_del+0x28/0x38
> transport_remove_classdev+0x6c/0x80
> attribute_container_device_trigger+0x108/0x110
> transport_remove_device+0x28/0x38
> sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
> sas_port_delete+0x30/0x148 [scsi_transport_sas]
> do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
> device_for_each_child+0x68/0xb0
> sas_remove_children+0x30/0x50 [scsi_transport_sas]
> sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
> sas_port_delete+0x30/0x148 [scsi_transport_sas]
> do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
> device_for_each_child+0x68/0xb0
> sas_remove_children+0x30/0x50 [scsi_transport_sas]
> sas_remove_host+0x20/0x38 [scsi_transport_sas]
> scsih_remove+0xd8/0x420 [mpt3sas]
>
> [...]

Applied to 6.2/scsi-queue, thanks!

[1/1] scsi: mpt3sas: fix possible resource leaks in mpt3sas_transport_port_add()
      https://git.kernel.org/mkp/scsi/c/78316e9dfc24
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c index 0681daee6c14..e5ecd6ada6cd 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c @@ -829,6 +829,8 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, if ((sas_rphy_add(rphy))) { ioc_err(ioc, "failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); + sas_rphy_free(rphy); + rphy = NULL; } if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
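Review bot: in the failure branch of sas_rphy_add(), execution still falls through to the `if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE)` block with rphy now NULL, and the hunk does not show whether the code after it tolerates a NULL rphy. Either confirm that every later use of rphy in this function is NULL-safe and say so in the commit message, or return an error from this branch instead of continuing. The return value of sas_rphy_add() is also discarded in `if ((sas_rphy_add(rphy)))`, so the ioc_err() line cannot say why the add failed; capturing the value and logging it would help triage.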
In mpt3sas_transport_port_add(), if sas_rphy_add() returns an error,
sas_rphy_free() needs to be called to free the resource allocated in
sas_end_device_alloc().

Besides, it will lead to a kernel crash:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
device_del+0x54/0x3d0
attribute_container_class_device_del+0x28/0x38
transport_remove_classdev+0x6c/0x80
attribute_container_device_trigger+0x108/0x110
transport_remove_device+0x28/0x38
sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_remove_host+0x20/0x38 [scsi_transport_sas]
scsih_remove+0xd8/0x420 [mpt3sas]

Because transport_add_device() is not called when sas_rphy_add() fails,
the device is not added, but sas_rphy_remove() is called to remove the
device in the remove() path, which then causes a null-ptr-deref.

Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/scsi/mpt3sas/mpt3sas_transport.c | 2 ++
 1 file changed, 2 insertions(+)