Re: [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Ranjan Kumar" <ranjan.kumar@broadcom.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths
Date: Fri, 26 Jun 2026 12:16:13 +0000	[thread overview]
Message-ID: <20260626121614.319A51F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626114109.43685-10-ranjan.kumar@broadcom.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Unhandled Error Path / NULL Pointer Dereference when adding host PHYs.
--

commit 5d2df761c30d63d86fc3554a56dabf8408d62592
Author: Ranjan Kumar <ranjan.kumar@broadcom.com>

mpi3mr: Fix SAS PHY cleanup in host addition error paths

When adding a SAS host, the driver allocates a PHY array and subsequently
creates individual SAS PHYs. If a later step fails, the error path exits
without cleaning up previously allocated resources, resulting in leaks of
both the PHY array and any registered SAS PHYs.

> diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
> index 1b793d86f7589..0236bbfcff6d9 100644
> --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
[ ... ]
> @@ -1264,7 +1265,7 @@ void mpi3mr_sas_host_add(struct mpi3mr_ioc *mrioc)
>  
>  		if (!(mpi3mr_get_hba_port_by_id(mrioc, port_id)))
>  			if (!mpi3mr_alloc_hba_port(mrioc, port_id))
> -				goto out;
> +				goto out_free_phy;
>  
>  		mrioc->sas_hba.phy[i].handle = mrioc->sas_hba.handle;
>  		mrioc->sas_hba.phy[i].phy_id = i;

[Severity: High]
This isn't a bug introduced by this patch, but is it safe to ignore the return
value of mpi3mr_add_host_phy() which is called just after this block?

If mpi3mr_add_host_phy() fails (e.g., at sas_phy_add()), it returns -1. At
this point, mr_sas_phy->remote_identify.sas_address is already populated with
the attached device's SAS address, but mr_sas_phy->phy is left as NULL.

Later, when the attached device triggers a device addition event,
mpi3mr_sas_port_add() successfully matches the failed PHY because the
remote_identify.sas_address is populated:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
		if ((mr_sas_node->phy[i].remote_identify.sas_address !=
		    mr_sas_port->remote_identify.sas_address) ||
		    (mr_sas_node->phy[i].hba_port != hba_port))
			continue;
    ...
}

It then unconditionally passes the NULL mr_sas_phy->phy to sas_port_add_phy(),
which dereferences it without checking, causing a kernel panic:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
		sas_port_add_phy(port, mr_sas_phy->phy);
    ...
}

Should mpi3mr_sas_host_add() handle the failure of mpi3mr_add_host_phy() and
jump to the new out_free_phy label?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626114109.43685-1-ranjan.kumar@broadcom.com?part=9

next prev parent reply	other threads:[~2026-06-26 12:16 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 11:40 [PATCH v1 00/10] mpi3mr: Few Enhancements and minor fixes Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 01/10] mpi3mr: Skip device shutdown during unload per controller configuration Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 02/10] mpi3mr: Update MPI Headers to revision 41 Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 03/10] mpi3mr: Add early timestamp synchronization after driver load Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 05/10] mpi3mr: Fix performance regression caused by extended IRQ poll sleep Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 06/10] mpi3mr: Fix memory leak on operational queue creation failure Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 07/10] mpi3mr: Fix firmware event reference leak during cleanup Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling Ranjan Kumar
2026-06-26 12:06   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths Ranjan Kumar
2026-06-26 12:16   ` sashiko-bot [this message]
2026-06-26 11:41 ` [PATCH v1 10/10] mpi3mr: Driver version update to 8.18.0.8.50 Ranjan Kumar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260626121614.319A51F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=ranjan.kumar@broadcom.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.