From: sashiko-bot@kernel.org
To: "WenTao Liang" <vulab@iscas.ac.cn>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH] scsi: mpt3sas: fix refcount leak in mpt3sas_transport_port_add()
Date: Thu, 11 Jun 2026 08:56:54 +0000 [thread overview]
Message-ID: <20260611085654.AD3D21F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260611084324.70303-1-vulab@iscas.ac.cn>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] The `phy_belongs_to_port` flag is left set to 1 on PHY objects if the port addition fails midway, permanently orphaning the phys.
- [Medium] The allocated `struct sas_port` object is leaked if `sas_port_add()` fails.
--
commit 9f7a04ec16ac25a146b4b86266e9c7e403ae4717
Author: WenTao Liang <vulab@iscas.ac.cn>
scsi: mpt3sas: fix refcount leak in mpt3sas_transport_port_add()
In mpt3sas_transport_port_add(), after acquiring the sas_device by
calling mpt3sas_get_sdev_by_addr(), several error paths leak the reference.
> diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> index e74a526efa8db..f831d48235031 100644
> --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
> +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> @@ -869,6 +869,8 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
> list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
> port_siblings)
> list_del(&mpt3sas_phy->port_siblings);
[Severity: Medium]
This is a pre-existing issue, but does this error path leak the sas_port
object?
If sas_port_add(port) fails earlier in mpt3sas_transport_port_add(), the code
jumps here to the out_fail label. It looks like sas_port_free(port) needs
to be called to release the un-added object and its underlying device, but
it appears to be missing from this cleanup block.
[Severity: High]
This is a pre-existing issue, but is the phy_belongs_to_port flag left in
an incorrect state on failure?
Earlier in mpt3sas_transport_port_add(), the phys are added to the port:
sas_port_add_phy(port, mpt3sas_phy->phy);
mpt3sas_phy->phy_belongs_to_port = 1;
If a subsequent operation like sas_rphy_add() fails, the code falls through to
this block. The phys are removed from mpt3sas_port->phy_list via list_del(),
but the phy_belongs_to_port flag remains set to 1.
Since these phys reside in the persistent sas_node->phy[] array, will they
be permanently ignored during future discovery or port addition attempts
because the flag was not reverted to 0?
> + if (sas_device)
> + sas_device_put(sas_device);
> kfree(mpt3sas_port);
> return NULL;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611084324.70303-1-vulab@iscas.ac.cn?part=1
prev parent reply other threads:[~2026-06-11 8:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 8:43 [PATCH] scsi: mpt3sas: fix refcount leak in mpt3sas_transport_port_add() WenTao Liang
2026-06-11 8:56 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611085654.AD3D21F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vulab@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.