Re: [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Ranjan Kumar" <ranjan.kumar@broadcom.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling
Date: Fri, 26 Jun 2026 12:06:44 +0000	[thread overview]
Message-ID: <20260626120645.027D61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626114109.43685-9-ranjan.kumar@broadcom.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] The reference to the target device (`tgtdev`) is leaked and the `pend_sas_rphy_add` state remains inconsistent on error paths.
- [High] Missing NULL pointer check after `rphy` allocation leads to a guaranteed NULL pointer dereference on allocation failure.
- [High] Failure of `sas_rphy_add()` is ignored, leaving the driver and device model in an invalid state.
--

commit 2228b7db89a5c405d93e9a1b01afe8d02a73da5c
Author: Ranjan Kumar <ranjan.kumar@broadcom.com>

mpi3mr: Fix SAS port allocation and registration error handling

During SAS port creation, the driver does not verify successful port
allocation before attempting registration, which can lead to a NULL
pointer dereference. Additionally, if registration fails, the allocated
port is not freed, resulting in a memory leak.

> diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
> index 240f67a8e2e3b..1b793d86f7589 100644
> --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
> @@ -1428,9 +1428,15 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc,
>  	}
>  
>  	port = sas_port_alloc_num(mr_sas_node->parent_dev);
> +	if (!port) {
> +		ioc_err(mrioc, "failure at %s:%d/%s() (sas_port_alloc)!\n",
> +		    __FILE__, __LINE__, __func__);
> +		goto out_fail;

[Severity: High]
This is a pre-existing issue, but does jumping to out_fail here leak the
tgtdev reference?

If mpi3mr_sas_port_add() is called for a SAS_END_DEVICE, it acquires a
reference to tgtdev earlier in the function:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
    if (mr_sas_port->remote_identify.device_type == SAS_END_DEVICE) {
        tgtdev = mpi3mr_get_tgtdev_by_addr(mrioc,
            mr_sas_port->remote_identify.sas_address,
            mr_sas_port->hba_port);
    ...
}

When sas_port_alloc_num() fails and the code jumps to out_fail, it frees
mr_sas_port but misses the necessary mpi3mr_tgtdev_put(tgtdev) cleanup:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
 out_fail:
    list_for_each_entry_safe(mr_sas_phy, next, &mr_sas_port->phy_list,
        port_siblings)
        list_del(&mr_sas_phy->port_siblings);
    kfree(mr_sas_port);
    return NULL;
}

Will this lead to a resource leak of the tgtdev structure that prevents
device removal?

> +	}
>  	if ((sas_port_add(port))) {
>  		ioc_err(mrioc, "failure at %s:%d/%s()!\n",
>  		    __FILE__, __LINE__, __func__);
> +		sas_port_free(port);
>  		goto out_fail;

[Severity: High]
This is a pre-existing issue, but this path also appears to leak the tgtdev
reference in the same way as described above when sas_port_add() fails.

>  	}

[Severity: High]
This is a pre-existing issue, but can this function unconditionally
dereference rphy if the allocation fails?

Further down in mpi3mr_sas_port_add(), rphy is allocated but immediately
dereferenced without a check:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
    if (mr_sas_port->remote_identify.device_type == SAS_END_DEVICE) {
        rphy = sas_end_device_alloc(port);
        tgtdev->dev_spec.sas_sata_inf.rphy = rphy;
    } else {
        rphy = sas_expander_alloc(port,
            mr_sas_port->remote_identify.device_type);
    }
    rphy->identify = mr_sas_port->remote_identify;
    ...
}

If sas_end_device_alloc() or sas_expander_alloc() return NULL under memory
pressure, wouldn't the assignment to rphy->identify cause a kernel panic?

[Severity: High]
This is a pre-existing issue, but is the driver left in an invalid state if
sas_rphy_add() fails?

Later in the same function, the return value of sas_rphy_add() is caught
but ignored:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
    if ((sas_rphy_add(rphy))) {
        ioc_err(mrioc, "failure at %s:%d/%s()!\n",
            __FILE__, __LINE__, __func__);
    }
    ...
}

If sas_rphy_add() fails, does the driver leak the rphy memory since
sas_port_delete() won't free it if it wasn't successfully added?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626114109.43685-1-ranjan.kumar@broadcom.com?part=8

next prev parent reply	other threads:[~2026-06-26 12:06 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 11:40 [PATCH v1 00/10] mpi3mr: Few Enhancements and minor fixes Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 01/10] mpi3mr: Skip device shutdown during unload per controller configuration Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 02/10] mpi3mr: Update MPI Headers to revision 41 Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 03/10] mpi3mr: Add early timestamp synchronization after driver load Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 05/10] mpi3mr: Fix performance regression caused by extended IRQ poll sleep Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 06/10] mpi3mr: Fix memory leak on operational queue creation failure Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 07/10] mpi3mr: Fix firmware event reference leak during cleanup Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling Ranjan Kumar
2026-06-26 12:06   ` sashiko-bot [this message]
2026-06-26 11:41 ` [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths Ranjan Kumar
2026-06-26 12:16   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 10/10] mpi3mr: Driver version update to 8.18.0.8.50 Ranjan Kumar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260626120645.027D61F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=ranjan.kumar@broadcom.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.