public inbox for linux-kernel@vger.kernel.org
* [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
@ 2023-02-25 10:01 Wenchao Hao
  2023-02-28 14:49 ` haowenchao (C)
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Wenchao Hao @ 2023-02-25 10:01 UTC (permalink / raw)
  To: Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani,
	James E . J . Bottomley, Martin K . Petersen, MPT-FusionLinux.pdl,
	linux-scsi, linux-kernel
  Cc: linfeilong, Wenchao Hao

port is allocated by sas_port_alloc_num() and rphy is allocated by
sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
so we need to check the rphy to avoid possible NULL pointer access.

If sas_rphy_add() fails, rphy is set to NULL, and we would access
the rphy in the next lines, which would also result in a NULL pointer
access.

Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
in mpt3sas_transport_port_add()")

Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
---
 drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
index e5ecd6ada6cd..e8a4750f6ec4 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
@@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
 		goto out_fail;
 	}
 	port = sas_port_alloc_num(sas_node->parent_dev);
-	if ((sas_port_add(port))) {
+	if (!port || (sas_port_add(port))) {
 		ioc_err(ioc, "failure at %s:%d/%s()!\n",
 			__FILE__, __LINE__, __func__);
 		goto out_fail;
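Review bot: In the combined test `if (!port || (sas_port_add(port)))`, a port that was allocated successfully but then fails sas_port_add() takes the same `goto out_fail` as a failed allocation, and nothing in the visible lines releases it on that path (the new out_delete_port label is not used here). Consider splitting the two conditions so the add-failure case frees the allocated port before jumping to out_fail; that would also let the two failures log distinct messages.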
@@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
 			    mpt3sas_port->remote_identify.sas_address;
 	}
 
+	if (!rphy) {
+		ioc_err(ioc, "failure at %s:%d/%s()!\n",
+			__FILE__, __LINE__, __func__);
+		goto out_delete_port;
+	}
+
 	rphy->identify = mpt3sas_port->remote_identify;
 
 	if ((sas_rphy_add(rphy))) {
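Review bot: The new `if (!rphy)` block logs the same generic "failure at %s:%d/%s()!" text as the other error paths shown in this patch, so only __LINE__ distinguishes an rphy allocation failure from a sas_rphy_add() failure. Suggest naming the cause in the message, and adding a short comment above the check saying the NULL comes from sas_end_device_alloc() or sas_expander_alloc(), as the commit message states.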
@@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
 			__FILE__, __LINE__, __func__);
 		sas_rphy_free(rphy);
 		rphy = NULL;
+		goto out_delete_port;
 	}
 
 	if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
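Review bot: With the added `goto out_delete_port;` in the sas_rphy_add() failure branch, the preceding `rphy = NULL;` becomes a dead store as far as the visible error path goes: out_delete_port and out_fail operate on port and mpt3sas_port, not on rphy. Either drop the assignment or add a comment explaining why it is kept.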
@@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
 		    rphy_to_expander_device(rphy), hba_port->port_id);
 	return mpt3sas_port;
 
- out_fail:
+out_delete_port:
+	sas_port_delete(port);
+
+out_fail:
 	list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
 	    port_siblings)
 		list_del(&mpt3sas_phy->port_siblings);
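Review bot: At the new `out_delete_port:` label, sas_port_delete(port) runs before the out_fail loop unlinks the mpt3sas_phy entries from mpt3sas_port->phy_list, and the label relies on falling through into out_fail. A one-line comment stating that the fall-through and this ordering are intentional would help the next reader. The whitespace change from ` out_fail:` to `out_fail:` is unrelated to the fix and could go in a separate cleanup.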
-- 
2.32.0



* Re: [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
  2023-02-25 10:01 [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add() Wenchao Hao
@ 2023-02-28 14:49 ` haowenchao (C)
  2023-03-07  1:42 ` Martin K. Petersen
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: haowenchao (C) @ 2023-02-28 14:49 UTC (permalink / raw)
  To: Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani,
	James E . J . Bottomley, Martin K . Petersen, MPT-FusionLinux.pdl,
	linux-scsi, linux-kernel
  Cc: linfeilong

On 2023/2/25 18:01, Wenchao Hao wrote:
> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
> 
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
> 
> Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> in mpt3sas_transport_port_add()")
> 
> Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
> ---
>   drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
>   1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> index e5ecd6ada6cd..e8a4750f6ec4 100644
> --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
> +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>   		goto out_fail;
>   	}
>   	port = sas_port_alloc_num(sas_node->parent_dev);
> -	if ((sas_port_add(port))) {
> +	if (!port || (sas_port_add(port))) {
>   		ioc_err(ioc, "failure at %s:%d/%s()!\n",
>   			__FILE__, __LINE__, __func__);
>   		goto out_fail;
> @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>   			    mpt3sas_port->remote_identify.sas_address;
>   	}
>   
> +	if (!rphy) {
> +		ioc_err(ioc, "failure at %s:%d/%s()!\n",
> +			__FILE__, __LINE__, __func__);
> +		goto out_delete_port;
> +	}
> +
>   	rphy->identify = mpt3sas_port->remote_identify;
>   
>   	if ((sas_rphy_add(rphy))) {
> @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>   			__FILE__, __LINE__, __func__);
>   		sas_rphy_free(rphy);
>   		rphy = NULL;
> +		goto out_delete_port;
>   	}
>   
>   	if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
> @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>   		    rphy_to_expander_device(rphy), hba_port->port_id);
>   	return mpt3sas_port;
>   
> - out_fail:
> +out_delete_port:
> +	sas_port_delete(port);
> +
> +out_fail:
>   	list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
>   	    port_siblings)
>   		list_del(&mpt3sas_phy->port_siblings);

friendly ping...


* Re: [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
  2023-02-25 10:01 [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add() Wenchao Hao
  2023-02-28 14:49 ` haowenchao (C)
@ 2023-03-07  1:42 ` Martin K. Petersen
  2023-03-07 16:51   ` Sathya Prakash Veerichetty
  2023-03-07 16:53 ` Sathya Prakash Veerichetty
  2023-03-10  3:09 ` Martin K. Petersen
  3 siblings, 1 reply; 6+ messages in thread
From: Martin K. Petersen @ 2023-03-07  1:42 UTC (permalink / raw)
  To: Ranjan Kumar, Sreekanth Reddy
  Cc: Wenchao Hao, Sathya Prakash, Suganath Prabu Subramani,
	James E . J . Bottomley, Martin K . Petersen, MPT-FusionLinux.pdl,
	linux-scsi, linux-kernel, linfeilong


Ranjan/Sreekanth,

> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
>
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
>
> Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> in mpt3sas_transport_port_add()")

Please review!

-- 
Martin K. Petersen	Oracle Linux Engineering


* Re: [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
  2023-03-07  1:42 ` Martin K. Petersen
@ 2023-03-07 16:51   ` Sathya Prakash Veerichetty
  0 siblings, 0 replies; 6+ messages in thread
From: Sathya Prakash Veerichetty @ 2023-03-07 16:51 UTC (permalink / raw)
  To: Martin K. Petersen
  Cc: Ranjan Kumar, Sreekanth Reddy, Wenchao Hao,
	Suganath Prabu Subramani, James E . J . Bottomley,
	MPT-FusionLinux.pdl, linux-scsi, linux-kernel, linfeilong

On Mon, Mar 6, 2023 at 6:42 PM Martin K. Petersen
<martin.petersen@oracle.com> wrote:
>
>
> Ranjan/Sreekanth,
>
> > port is allocated by sas_port_alloc_num() and rphy is allocated by
> > sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> > so we need to check the rphy to avoid possible NULL pointer access.
> >
> > If sas_rphy_add() called with failure rphy is set to NULL, we would
> > access the rphy in next lines which would also result NULL pointer
> > access.
> >
> > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> > in mpt3sas_transport_port_add()")
>
> Please review!
Looks good to me, please commit it for the 6.3 scsi_fixes

>
> --
> Martin K. Petersen      Oracle Linux Engineering

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.


* Re: [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
  2023-02-25 10:01 [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add() Wenchao Hao
  2023-02-28 14:49 ` haowenchao (C)
  2023-03-07  1:42 ` Martin K. Petersen
@ 2023-03-07 16:53 ` Sathya Prakash Veerichetty
  2023-03-10  3:09 ` Martin K. Petersen
  3 siblings, 0 replies; 6+ messages in thread
From: Sathya Prakash Veerichetty @ 2023-03-07 16:53 UTC (permalink / raw)
  To: Wenchao Hao
  Cc: Sreekanth Reddy, Suganath Prabu Subramani,
	James E . J . Bottomley, Martin K . Petersen, MPT-FusionLinux.pdl,
	linux-scsi, linux-kernel, linfeilong

On Sat, Feb 25, 2023 at 3:02 AM Wenchao Hao <haowenchao2@huawei.com> wrote:
>
> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
>
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
>
> Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> in mpt3sas_transport_port_add()")
>
> Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
> ---
>  drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> index e5ecd6ada6cd..e8a4750f6ec4 100644
> --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
> +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>                 goto out_fail;
>         }
>         port = sas_port_alloc_num(sas_node->parent_dev);
> -       if ((sas_port_add(port))) {
> +       if (!port || (sas_port_add(port))) {
>                 ioc_err(ioc, "failure at %s:%d/%s()!\n",
>                         __FILE__, __LINE__, __func__);
>                 goto out_fail;
> @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>                             mpt3sas_port->remote_identify.sas_address;
>         }
>
> +       if (!rphy) {
> +               ioc_err(ioc, "failure at %s:%d/%s()!\n",
> +                       __FILE__, __LINE__, __func__);
> +               goto out_delete_port;
> +       }
> +
>         rphy->identify = mpt3sas_port->remote_identify;
>
>         if ((sas_rphy_add(rphy))) {
> @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>                         __FILE__, __LINE__, __func__);
>                 sas_rphy_free(rphy);
>                 rphy = NULL;
> +               goto out_delete_port;
>         }
>
>         if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
> @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
>                     rphy_to_expander_device(rphy), hba_port->port_id);
>         return mpt3sas_port;
>
> - out_fail:
> +out_delete_port:
> +       sas_port_delete(port);
> +
> +out_fail:
>         list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
>             port_siblings)
>                 list_del(&mpt3sas_phy->port_siblings);
> --
> 2.32.0
>


* Re: [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
  2023-02-25 10:01 [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add() Wenchao Hao
                   ` (2 preceding siblings ...)
  2023-03-07 16:53 ` Sathya Prakash Veerichetty
@ 2023-03-10  3:09 ` Martin K. Petersen
  3 siblings, 0 replies; 6+ messages in thread
From: Martin K. Petersen @ 2023-03-10  3:09 UTC (permalink / raw)
  To: Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani,
	James E . J . Bottomley, MPT-FusionLinux.pdl, linux-scsi,
	linux-kernel, Wenchao Hao
  Cc: Martin K . Petersen, linfeilong

On Sat, 25 Feb 2023 18:01:36 +0800, Wenchao Hao wrote:

> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
> 
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
> 
> [...]

Applied to 6.3/scsi-fixes, thanks!

[1/1] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
      https://git.kernel.org/mkp/scsi/c/d3c57724f156

-- 
Martin K. Petersen	Oracle Linux Engineering
