* [bug report] scsi: megaraid_mbox: Reduce stack usage in megaraid_cmm_register()
@ 2026-05-30 14:03 Dan Carpenter
From: Dan Carpenter @ 2026-05-30 14:03 UTC (permalink / raw)
To: Arnd Bergmann; +Cc: megaraidlinux.pdl, linux-scsi
Hello Arnd Bergmann,
Commit c1f7275b613b ("scsi: megaraid_mbox: Reduce stack usage in
megaraid_cmm_register()") from May 19, 2026 (linux-next), leads to
the following Smatch static checker warning:
drivers/scsi/megaraid/megaraid_mbox.c:3474 megaraid_cmm_register()
error: double free of 'adp' (line 3468)
drivers/scsi/megaraid/megaraid_mbox.c
3395 static int
3396 megaraid_cmm_register(adapter_t *adapter)
3397 {
3398 mraid_device_t *raid_dev = ADAP2RAIDDEV(adapter);
3399 mraid_mmadp_t *adp;
3400 scb_t *scb;
3401 mbox_ccb_t *ccb;
3402 int rval;
3403 int i;
3404
3405 // Allocate memory for the base list of scb for management module.
3406 adapter->uscb_list = kzalloc_objs(scb_t, MBOX_MAX_USER_CMDS);
3407 adp = kzalloc_obj(*adp);
3408
3409 if (!adapter->uscb_list || !adp) {
3410 con_log(CL_ANN, (KERN_WARNING
3411 "megaraid: out of memory, %s %d\n", __func__,
3412 __LINE__));
3413
3414 kfree(adapter->uscb_list);
3415 kfree(adp);
3416
3417 return -1;
3418 }
3419
3420
3421 // Initialize the synchronization parameters for resources for
3422 // commands for management module
3423 INIT_LIST_HEAD(&adapter->uscb_pool);
3424
3425 spin_lock_init(USER_FREE_LIST_LOCK(adapter));
3426
3427
3428
3429 // link all the packets. Note, CCB for commands, coming from the
3430 // commom management module, mailbox physical address are already
3431 // setup by it. We just need placeholder for that in our local command
3432 // control blocks
3433 for (i = 0; i < MBOX_MAX_USER_CMDS; i++) {
3434
3435 scb = adapter->uscb_list + i;
3436 ccb = raid_dev->uccb_list + i;
3437
3438 scb->ccb = (caddr_t)ccb;
3439 ccb->mbox64 = raid_dev->umbox64 + i;
3440 ccb->mbox = &ccb->mbox64->mbox32;
3441 ccb->raw_mbox = (uint8_t *)ccb->mbox;
3442
3443 scb->gp = 0;
3444
3445 // COMMAND ID 0 - (MBOX_MAX_SCSI_CMDS-1) ARE RESERVED FOR
3446 // COMMANDS COMING FROM IO SUBSYSTEM (MID-LAYER)
3447 scb->sno = i + MBOX_MAX_SCSI_CMDS;
3448
3449 scb->scp = NULL;
3450 scb->state = SCB_FREE;
3451 scb->dma_direction = DMA_NONE;
3452 scb->dma_type = MRAID_DMA_NONE;
3453 scb->dev_channel = -1;
3454 scb->dev_target = -1;
3455
3456 // put scb in the free pool
3457 list_add_tail(&scb->list, &adapter->uscb_pool);
3458 }
3459
3460 adp->unique_id = adapter->unique_id;
3461 adp->drvr_type = DRVRTYPE_MBOX;
3462 adp->drvr_data = (unsigned long)adapter;
3463 adp->pdev = adapter->pdev;
3464 adp->issue_uioc = megaraid_mbox_mm_handler;
3465 adp->timeout = MBOX_RESET_WAIT + MBOX_RESET_EXT_WAIT;
3466 adp->max_kioc = MBOX_MAX_USER_CMDS;
3467
3468 if ((rval = mraid_mm_register_adp(adp)) != 0) {
3469
3470 con_log(CL_ANN, (KERN_WARNING
3471 "megaraid mbox: did not register with CMM\n"));
3472
3473 kfree(adapter->uscb_list);
--> 3474 kfree(adp);
mraid_mm_register_adp() has a kfree() of the adapter on the
error path. I suppose someone could make the argument that the
original code was already buggy since kfreeing a stack variable isn't
going to end well...
3475 }
3476
3477 return rval;
3478 }
This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
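As an added example (not the driver's code and not part of this report): a constructed C model of the ownership mismatch described above. `register_adp` stands in for mraid_mm_register_adp() and frees its argument on failure, as the report says the real function does; `struct mm_adp`, the tracking allocator and the `caller_*` functions are assumptions, and `caller_fixed` shows one assumed fix direction (the caller stops freeing once the callee may have freed), not the patch actually applied upstream.

```c
#include <stdlib.h>
struct mm_adp { int unique_id; }; /* stand-in for mraid_mmadp_t, not the driver's struct */

/* Tracking allocator: double_frees counts frees of a pointer that is no longer live, instead of calling free() twice. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n);
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (!live[i]) return live[i] = p;
	free(p);
	return NULL;
}

static void tracked_free(void *p)
{
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (live[i] == p) { live[i] = NULL; free(p); return; }
	if (p) double_frees++;
}

/* Models mraid_mm_register_adp(): on failure it frees adp itself, so
 * ownership of adp passes to the callee at the moment of the call. */
static int register_adp(struct mm_adp *adp, int fail)
{
	if (fail) { tracked_free(adp); return -1; }
	return 0; /* on success the management module keeps adp */
}

/* Caller as in the reported code: kfree(adp) again after a failed registration. */
int caller_buggy(int fail)
{
	struct mm_adp *adp = tracked_alloc(sizeof(*adp));
	double_frees = 0;
	if (register_adp(adp, fail) != 0) tracked_free(adp);
	return double_frees;
}

/* Assumed fix direction: the caller frees adp only while it still owns it,
 * i.e. before register_adp() is entered; after that the callee is responsible. */
int caller_fixed(int fail)
{
	struct mm_adp *adp = tracked_alloc(sizeof(*adp));
	double_frees = 0;
	if (adp) register_adp(adp, fail);
	return double_frees;
}
```

The failing-registration path is the one Smatch flagged; on success neither caller frees, because the management module keeps the object.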