From: Dingisoul <dingiso.kernel@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: Sathya Prakash <sathya.prakash@broadcom.com>,
	Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
	Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>,
	MPT-FusionLinux.pdl@broadcom.com
Subject: [BUG] null-ptr-deref in mptlan_remove()
Date: Sun, 19 Apr 2026 21:18:29 -0400
Message-ID: <20260420011829.176936-1-dingiso.kernel@gmail.com>

Hi Kernel maintainers,

We found a null-ptr-deref in mptlan_remove() on commit
8a30aeb0d1b4e4aaf7f7bae72f20f2ae75385ccb (Mar 18 2026).

Please see the details below.

In mptlan_remove, dev is assigned from ioc->netdev and used to compute
priv. If dev is uninitialized, priv becomes an invalid pointer,
causing a crash when it is used inside cancel_delayed_work_sync().

static void
mptlan_remove(struct pci_dev *pdev)
{
	MPT_ADAPTER 		*ioc = pci_get_drvdata(pdev);
	struct net_device	*dev = ioc->netdev; // dev is uninitialized.
	struct mpt_lan_priv *priv = netdev_priv(dev);
	cancel_delayed_work_sync(&priv->post_buckets_task);
	if(dev != NULL) {
		unregister_netdev(dev);
		free_netdev(dev);
	}
}

Root cause analysis:

In mptlan_probe, if mpt_register_lan_device fails for all ports,
ioc->netdev remains uninitialized. The function returns the error code
-ENODEV, but neither callsite of this function checks the return
code or handles this error case.

static int
mptlan_probe(struct pci_dev *pdev)
{
	MPT_ADAPTER 		*ioc = pci_get_drvdata(pdev);
	struct net_device	*dev;
	int			i;

	for (i = 0; i < ioc->facts.NumberOfPorts; i++) {
		dev = mpt_register_lan_device(ioc, i);
		if (!dev) {
			continue; // ioc->netdev is NULL.
		}
	
		ioc->netdev = dev;

		return 0;
	}

	return -ENODEV;
}

int
mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
{
	MPT_ADAPTER	*ioc;

	if (!cb_idx || cb_idx >= MPT_MAX_PROTOCOL_DRIVERS)
		return -EINVAL;

	MptDeviceDriverHandlers[cb_idx] = dd_cbfunc;

	/* call per pci device probe entry point */
	list_for_each_entry(ioc, &ioc_list, list) {
		if (dd_cbfunc->probe)
			dd_cbfunc->probe(ioc->pcidev); // Callsite 1.
	 }

	return 0;
}

int
mpt_attach(struct pci_dev *pdev, const struct pci_device_id *id)
{
        /* call per device driver probe entry point */
	for(cb_idx = 0; cb_idx < MPT_MAX_PROTOCOL_DRIVERS; cb_idx++) {
		if(MptDeviceDriverHandlers[cb_idx] &&
		  MptDeviceDriverHandlers[cb_idx]->probe) {
			MptDeviceDriverHandlers[cb_idx]->probe(pdev); // Callsite 2
		}
	}
}

The KASAN report for this bug is shown below:

[ T8493] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000168: 0000 [#1] SMP KASAN PTI
[ T8493] KASAN: null-ptr-deref in range [0x0000000000000b40-0x0000000000000b47]
[ T8493] CPU: 0 UID: 0 PID: 8493 Comm: bash Not tainted 7.0.0-rc4-00091-g8a30aeb0d1b4-dirty #71 PREEMPT(full)
[ T8493] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ T8493] RIP: 0010:timer_is_static_object (kernel/time/timer.c:691)
[ T8493] Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 57 41 56 53 48 89 fb 49 bf 00 00 00 00 00 fc ff df 4c 8d 77 08 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 74 08 4c 89 f7 e8 2f cf 69 00 49 83 3e 00 74 04 31
[ T8493] RSP: 0018:ffff88810b787828 EFLAGS: 00010002
[ T8493] RAX: 0000000000000168 RBX: 0000000000000b38 RCX: 0000000000000001
[ T8493] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000b38
[ T8493] RBP: ffffffff90a3a9c0 R08: 0000000000000003 R09: 0000000000000004
[ T8493] R10: dffffc0000000000 R11: ffffffff819006d0 R12: dffffc0000000000
[ T8493] R13: fffffffffffffffe R14: 0000000000000b40 R15: dffffc0000000000
[ T8493] FS:  00007f20bbc20740(0000) GS:ffff8880d355f000(0000) knlGS:0000000000000000
[ T8493] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ T8493] CR2: 000055ef66b31620 CR3: 0000000107c04000 CR4: 00000000000006f0
[ T8493] Call Trace:
[ T8493]  <TASK>
[ T8493]  debug_object_assert_init (lib/debugobjects.c:696 lib/debugobjects.c:1025)
[ T8493]  __timer_delete (./include/linux/list.h:975 ./include/linux/timer.h:147 kernel/time/timer.c:1379)
[ T8493]  work_grab_pending (kernel/workqueue.c:2080 kernel/workqueue.c:2173)
[ T8493]  __cancel_work (kernel/workqueue.c:4419)
[ T8493]  cancel_delayed_work_sync (kernel/workqueue.c:4436 kernel/workqueue.c:4522)
[ T8493]  mptlan_remove (drivers/message/fusion/mptlan.c:1433)
[ T8493]  mpt_detach (drivers/message/fusion/mptbase.c:?)
[ T8493]  pci_device_remove (./include/linux/pm_runtime.h:133 drivers/pci/pci-driver.c:504)
[ T8493]  device_release_driver_internal (drivers/base/dd.c:? drivers/base/dd.c:1284 drivers/base/dd.c:1307)
[ T8493]  unbind_store (drivers/base/bus.c:249)
[ T8493]  kernfs_fop_write_iter (fs/kernfs/file.c:352)
[ T8493]  vfs_write (fs/read_write.c:596 fs/read_write.c:688)
[ T8493]  ksys_write (fs/read_write.c:?)
[ T8493]  do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ T8493]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ T8493] RIP: 0033:0x7f20bbd0e473
[ T8493] Code: 8b 15 21 2a 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
[ T8493] RSP: 002b:00007ffe77315a08 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ T8493] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f20bbd0e473
[ T8493] RDX: 000000000000000d RSI: 0000564ac2f86da0 RDI: 0000000000000001
[ T8493] RBP: 0000564ac2f86da0 R08: 000000000000000a R09: 00007f20bbdf1be0
[ T8493] R10: 0000000000000080 R11: 0000000000000246 R12: 000000000000000d
[ T8493] R13: 00007f20bbdf26a0 R14: 000000000000000d R15: 00007f20bbded880
[ T8493]  </TASK>
[ T8493] Modules linked in:
[ T8493] ---[ end trace 0000000000000000 ]---
[ T8493] RIP: 0010:timer_is_static_object (kernel/time/timer.c:691)
[ T8493] Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 57 41 56 53 48 89 fb 49 bf 00 00 00 00 00 fc ff df 4c 8d 77 08 4c 89 f0 48 c1 e8 03 <42> 80 3c 38 00 74 08 4c 89 f7 e8 2f cf 69 00 49 83 3e 00 74 04 31
[ T8493] RSP: 0018:ffff88810b787828 EFLAGS: 00010002
[ T8493] RAX: 0000000000000168 RBX: 0000000000000b38 RCX: 0000000000000001
[ T8493] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000b38
[ T8493] RBP: ffffffff90a3a9c0 R08: 0000000000000003 R09: 0000000000000004
[ T8493] R10: dffffc0000000000 R11: ffffffff819006d0 R12: dffffc0000000000
[ T8493] R13: fffffffffffffffe R14: 0000000000000b40 R15: dffffc0000000000
[ T8493] FS:  00007f20bbc20740(0000) GS:ffff8880d355f000(0000) knlGS:0000000000000000
[ T8493] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ T8493] CR2: 000055ef66b31620 CR3: 0000000107c04000 CR4: 00000000000006f0
[ T8493] note: bash[8493] exited with irqs disabled
[ T8493] note: bash[8493] exited with preempt_count 1

Please let us know if you need any additional information.

Thanks.
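As an added example, not code from this report or from the mptlan driver: a userspace model of the ordering problem described above. It uses constructed stand-in types, models netdev_priv() as the offset arithmetic it is in the kernel, and pairs the report's ordering (priv derived before dev is checked) with a hypothetical reordering that checks dev first; the reordering is an illustration, not a proposed upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel types mptlan_remove() touches. */
struct delayed_work { int pending; };
struct mpt_lan_priv { struct delayed_work post_buckets_task; };
struct net_device { int registered; struct mpt_lan_priv priv; };
struct mpt_adapter { struct net_device *netdev; };   /* models MPT_ADAPTER */

static int cancel_calls;   /* how often the work was cancelled (for checking) */

/* netdev_priv() is offset arithmetic on dev; with dev == NULL it yields a
 * small non-NULL address, like the 0xb40 range KASAN flagged in the report. */
static struct mpt_lan_priv *netdev_priv(struct net_device *dev)
{
	return (struct mpt_lan_priv *)((uintptr_t)dev + offsetof(struct net_device, priv));
}

static void cancel_delayed_work_sync(struct delayed_work *w)
{
	w->pending = 0;
	cancel_calls++;
}
static void unregister_netdev(struct net_device *d) { d->registered = 0; }
static void free_netdev(struct net_device *d) { free(d); }

/* Ordering from the report: priv is derived before dev is checked, so a
 * NULL ioc->netdev becomes a bogus priv. Returns that address untouched. */
uintptr_t bogus_priv_from_report_ordering(struct mpt_adapter *ioc)
{
	return (uintptr_t)netdev_priv(ioc->netdev);
}

/* Hypothetical hardened ordering: check dev before deriving priv, so a probe
 * that never set ioc->netdev makes remove a no-op. Returns 1 if torn down. */
int mptlan_remove_checked(struct mpt_adapter *ioc)
{
	struct net_device *dev = ioc->netdev;
	struct mpt_lan_priv *priv;
	if (!dev)
		return 0;
	priv = netdev_priv(dev);
	cancel_delayed_work_sync(&priv->post_buckets_task);
	unregister_netdev(dev);
	free_netdev(dev);
	ioc->netdev = NULL;
	return 1;
}
```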

Thread overview: 2+ messages
2026-04-20  1:18 Dingisoul [this message]
2026-04-22  0:49 ` [BUG] null-ptr-deref in mptlan_remove() Martin K. Petersen