Re: [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths

Linux SCSI subsystem development
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Ranjan Kumar" <ranjan.kumar@broadcom.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths
Date: Fri, 26 Jun 2026 12:16:13 +0000	[thread overview]
Message-ID: <20260626121614.319A51F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626114109.43685-10-ranjan.kumar@broadcom.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Unhandled Error Path / NULL Pointer Dereference when adding host PHYs.
--

commit 5d2df761c30d63d86fc3554a56dabf8408d62592
Author: Ranjan Kumar <ranjan.kumar@broadcom.com>

mpi3mr: Fix SAS PHY cleanup in host addition error paths

When adding a SAS host, the driver allocates a PHY array and subsequently
creates individual SAS PHYs. If a later step fails, the error path exits
without cleaning up previously allocated resources, resulting in leaks of
both the PHY array and any registered SAS PHYs.

> diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
> index 1b793d86f7589..0236bbfcff6d9 100644
> --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
[ ... ]
> @@ -1264,7 +1265,7 @@ void mpi3mr_sas_host_add(struct mpi3mr_ioc *mrioc)
>  
>  		if (!(mpi3mr_get_hba_port_by_id(mrioc, port_id)))
>  			if (!mpi3mr_alloc_hba_port(mrioc, port_id))
> -				goto out;
> +				goto out_free_phy;
>  
>  		mrioc->sas_hba.phy[i].handle = mrioc->sas_hba.handle;
>  		mrioc->sas_hba.phy[i].phy_id = i;

[Severity: High]
This isn't a bug introduced by this patch, but is it safe to ignore the return
value of mpi3mr_add_host_phy() which is called just after this block?

If mpi3mr_add_host_phy() fails (e.g., at sas_phy_add()), it returns -1. At
this point, mr_sas_phy->remote_identify.sas_address is already populated with
the attached device's SAS address, but mr_sas_phy->phy is left as NULL.

Later, when the attached device triggers a device addition event,
mpi3mr_sas_port_add() successfully matches the failed PHY because the
remote_identify.sas_address is populated:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
		if ((mr_sas_node->phy[i].remote_identify.sas_address !=
		    mr_sas_port->remote_identify.sas_address) ||
		    (mr_sas_node->phy[i].hba_port != hba_port))
			continue;
    ...
}

It then unconditionally passes the NULL mr_sas_phy->phy to sas_port_add_phy(),
which dereferences it without checking, causing a kernel panic:

drivers/scsi/mpi3mr/mpi3mr_transport.c:mpi3mr_sas_port_add() {
    ...
		sas_port_add_phy(port, mr_sas_phy->phy);
    ...
}

Should mpi3mr_sas_host_add() handle the failure of mpi3mr_add_host_phy() and
jump to the new out_free_phy label?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626114109.43685-1-ranjan.kumar@broadcom.com?part=9

next prev parent reply	other threads:[~2026-06-26 12:16 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 11:40 [PATCH v1 00/10] mpi3mr: Few Enhancements and minor fixes Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 01/10] mpi3mr: Skip device shutdown during unload per controller configuration Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 02/10] mpi3mr: Update MPI Headers to revision 41 Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 03/10] mpi3mr: Add early timestamp synchronization after driver load Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 05/10] mpi3mr: Fix performance regression caused by extended IRQ poll sleep Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 06/10] mpi3mr: Fix memory leak on operational queue creation failure Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 07/10] mpi3mr: Fix firmware event reference leak during cleanup Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling Ranjan Kumar
2026-06-26 12:06   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths Ranjan Kumar
2026-06-26 12:16   ` sashiko-bot [this message]
2026-06-26 11:41 ` [PATCH v1 10/10] mpi3mr: Driver version update to 8.18.0.8.50 Ranjan Kumar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260626121614.319A51F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=ranjan.kumar@broadcom.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox