| Message ID | 20230225100135.2109330-1-haowenchao2@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add() | expand |
On 2023/2/25 18:01, Wenchao Hao wrote: > port is allocated by sas_port_alloc_num() and rphy is allocated by > sas_end_device_alloc() or sas_expander_alloc() which may return NULL, > so we need to check the rphy to avoid possible NULL pointer access. > > If sas_rphy_add() called with failure rphy is set to NULL, we would > access the rphy in next lines which would also result NULL pointer > access. > > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks > in mpt3sas_transport_port_add()") > > Signed-off-by: Wenchao Hao <haowenchao2@huawei.com> > --- > drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c > index e5ecd6ada6cd..e8a4750f6ec4 100644 > --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c > +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c > @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > goto out_fail; > } > port = sas_port_alloc_num(sas_node->parent_dev); > - if ((sas_port_add(port))) { > + if (!port || (sas_port_add(port))) { > ioc_err(ioc, "failure at %s:%d/%s()!\n", > __FILE__, __LINE__, __func__); > goto out_fail; > @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > mpt3sas_port->remote_identify.sas_address; > } > > + if (!rphy) { > + ioc_err(ioc, "failure at %s:%d/%s()!\n", > + __FILE__, __LINE__, __func__); > + goto out_delete_port; > + } > + > rphy->identify = mpt3sas_port->remote_identify; > > if ((sas_rphy_add(rphy))) { > @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > __FILE__, __LINE__, __func__); > sas_rphy_free(rphy); > rphy = NULL; > + goto out_delete_port; > } > > if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { > @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > rphy_to_expander_device(rphy), hba_port->port_id); > return mpt3sas_port; > > - out_fail: > +out_delete_port: > + sas_port_delete(port); > + > +out_fail: > list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, > port_siblings) > list_del(&mpt3sas_phy->port_siblings); friendly ping...
Ranjan/Sreekanth, > port is allocated by sas_port_alloc_num() and rphy is allocated by > sas_end_device_alloc() or sas_expander_alloc() which may return NULL, > so we need to check the rphy to avoid possible NULL pointer access. > > If sas_rphy_add() called with failure rphy is set to NULL, we would > access the rphy in next lines which would also result NULL pointer > access. > > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks > in mpt3sas_transport_port_add()") Please review!
On Mon, Mar 6, 2023 at 6:42 PM Martin K. Petersen <martin.petersen@oracle.com> wrote: > > > Ranjan/Sreekanth, > > > port is allocated by sas_port_alloc_num() and rphy is allocated by > > sas_end_device_alloc() or sas_expander_alloc() which may return NULL, > > so we need to check the rphy to avoid possible NULL pointer access. > > > > If sas_rphy_add() called with failure rphy is set to NULL, we would > > access the rphy in next lines which would also result NULL pointer > > access. > > > > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks > > in mpt3sas_transport_port_add()") > > Please review! Looks good to me, please commit it for the 6.3 scsi_fixes > > -- > Martin K. Petersen Oracle Linux Engineering
On Sat, Feb 25, 2023 at 3:02 AM Wenchao Hao <haowenchao2@huawei.com> wrote: > > port is allocated by sas_port_alloc_num() and rphy is allocated by > sas_end_device_alloc() or sas_expander_alloc() which may return NULL, > so we need to check the rphy to avoid possible NULL pointer access. > > If sas_rphy_add() called with failure rphy is set to NULL, we would > access the rphy in next lines which would also result NULL pointer > access. > > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks > in mpt3sas_transport_port_add()") > > Signed-off-by: Wenchao Hao <haowenchao2@huawei.com> Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com> > --- > drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c > index e5ecd6ada6cd..e8a4750f6ec4 100644 > --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c > +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c > @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > goto out_fail; > } > port = sas_port_alloc_num(sas_node->parent_dev); > - if ((sas_port_add(port))) { > + if (!port || (sas_port_add(port))) { > ioc_err(ioc, "failure at %s:%d/%s()!\n", > __FILE__, __LINE__, __func__); > goto out_fail; > @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > mpt3sas_port->remote_identify.sas_address; > } > > + if (!rphy) { > + ioc_err(ioc, "failure at %s:%d/%s()!\n", > + __FILE__, __LINE__, __func__); > + goto out_delete_port; > + } > + > rphy->identify = mpt3sas_port->remote_identify; > > if ((sas_rphy_add(rphy))) { > @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > __FILE__, __LINE__, __func__); > sas_rphy_free(rphy); > rphy = NULL; > + goto out_delete_port; > } > > if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { > @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > rphy_to_expander_device(rphy), hba_port->port_id); > return mpt3sas_port; > > - out_fail: > +out_delete_port: > + sas_port_delete(port); > + > +out_fail: > list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, > port_siblings) > list_del(&mpt3sas_phy->port_siblings); > -- > 2.32.0 >
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c index e5ecd6ada6cd..e8a4750f6ec4 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, goto out_fail; } port = sas_port_alloc_num(sas_node->parent_dev); - if ((sas_port_add(port))) { + if (!port || (sas_port_add(port))) { ioc_err(ioc, "failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); goto out_fail; @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, mpt3sas_port->remote_identify.sas_address; } + if (!rphy) { + ioc_err(ioc, "failure at %s:%d/%s()!\n", + __FILE__, __LINE__, __func__); + goto out_delete_port; + } + rphy->identify = mpt3sas_port->remote_identify; if ((sas_rphy_add(rphy))) { @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, __FILE__, __LINE__, __func__); sas_rphy_free(rphy); rphy = NULL; + goto out_delete_port; } if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, rphy_to_expander_device(rphy), hba_port->port_id); return mpt3sas_port; - out_fail: +out_delete_port: + sas_port_delete(port); + +out_fail: list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, port_siblings) list_del(&mpt3sas_phy->port_siblings);
port is allocated by sas_port_alloc_num() and rphy is allocated by sas_end_device_alloc() or sas_expander_alloc() which may return NULL, so we need to check the rphy to avoid possible NULL pointer access. If sas_rphy_add() called with failure rphy is set to NULL, we would access the rphy in next lines which would also result NULL pointer access. Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()") Signed-off-by: Wenchao Hao <haowenchao2@huawei.com> --- drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)