[PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[Guangshuo Li]

A manual code audit found that advansys_eisa_probe() frees saved
Scsi_Host objects directly in its error path.

Those hosts have already been successfully initialized by
advansys_board_found(), so freeing them directly bypasses the normal
teardown path and leaks host resources such as IRQs, DMA or MMIO
resources, and the Scsi_Host release path.

Fix this by releasing the saved hosts with advansys_release() and
dropping their corresponding I/O regions before freeing the probe data.

Fixes: d361db483241 ("[SCSI] advansys: Sort out irq number mess")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/scsi/advansys.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c
index fcf059bf41e8..022a8190ae31 100644
--- a/drivers/scsi/advansys.c
+++ b/drivers/scsi/advansys.c
@@ -11373,9 +11373,17 @@ static int advansys_eisa_probe(struct device *dev)
 	return 0;
 
  free_data:
-	kfree(data->host[0]);
-	kfree(data->host[1]);
-	kfree(data);
+	for (i = 0; i < 2; i++) {
+		struct Scsi_Host *shost = data->host[i];
+		int ioport;
+
+		if (!shost)
+			continue;
+
+		ioport = shost->io_port;
+		advansys_release(shost);
+		release_region(ioport, ASC_IOADR_GAP);
+	}
  fail:
 	return err;
 }
-- 
2.43.0

Re: [PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[Matthew Wilcox]

On Fri, Apr 17, 2026 at 12:59:35AM +0800, Guangshuo Li wrote:
> A manual code audit found that advansys_eisa_probe() frees saved
> Scsi_Host objects directly in its error path.

I've been told all your patches are AI slop, I'm not reviewing this.

Re: [PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[Guangshuo Li]

Hi Matthew,

On Fri, 17 Apr 2026 at 01:43, Matthew Wilcox <willy@infradead.org> wrote:
>
> On Fri, Apr 17, 2026 at 12:59:35AM +0800, Guangshuo Li wrote:
> > A manual code audit found that advansys_eisa_probe() frees saved
> > Scsi_Host objects directly in its error path.

I understand the concern. This issue was found through my own manual
review of the error handling path in `advansys_eisa_probe()`.

Specifically, I first compared the error handling path in
`advansys_eisa_probe()` with the normal cleanup path in
`advansys_eisa_remove()`, and noticed that they release saved
`Scsi_Host` objects differently.

In `advansys_eisa_remove()`, each saved host is released through
`advansys_release(shost)`. Following that path shows that
`advansys_release()` eventually releases the SCSI host through
`scsi_host_put()`, which drops the embedded device reference and
invokes the SCSI host release callback, `scsi_host_dev_release()`,
when the reference count reaches zero.

That release callback does more than just `kfree(shost)`. It also
releases resources associated with the `Scsi_Host`, such as the host
IDA index, `shost_data`, and other host-side state managed by the SCSI
core.

However, the `free_data` path in `advansys_eisa_probe()` frees the
saved `data->host[]` entries directly with `kfree()`. My concern is
that this bypasses the `scsi_host_put()` / `scsi_host_dev_release()`
path and may therefore leak resources associated with the initialized
SCSI host.

That is why the patch changes the error path to release saved hosts
through `advansys_release(shost)` instead of directly freeing the
saved host pointers.

I also noticed that I accidentally removed the final `kfree(data)`
while preparing the patch. That was an unintended editing mistake, and
if the proposed cleanup approach is acceptable, I will fix it in v2.

> I've been told all your patches are AI slop, I'm not reviewing this.

If possible, could you please share what your assessment is based on?

Also, if there is any technical issue with this patch, I would
appreciate it if you could point it out concretely. I’m happy to
revise the patch if there is something incorrect in the analysis or in
the fix itself.

Thanks,
Guangshuo

Re: [PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[Hannes Reinecke]

On 4/16/26 18:59, Guangshuo Li wrote:
> A manual code audit found that advansys_eisa_probe() frees saved
> Scsi_Host objects directly in its error path.
> 
> Those hosts have already been successfully initialized by
> advansys_board_found(), so freeing them directly bypasses the normal
> teardown path and leaks host resources such as IRQs, DMA or MMIO
> resources, and the Scsi_Host release path.
> 
> Fix this by releasing the saved hosts with advansys_release() and
> dropping their corresponding I/O regions before freeing the probe data.
> 
> Fixes: d361db483241 ("[SCSI] advansys: Sort out irq number mess")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
>   drivers/scsi/advansys.c | 14 +++++++++++---
>   1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c
> index fcf059bf41e8..022a8190ae31 100644
> --- a/drivers/scsi/advansys.c
> +++ b/drivers/scsi/advansys.c
> @@ -11373,9 +11373,17 @@ static int advansys_eisa_probe(struct device *dev)
>   	return 0;
>   
>    free_data:
> -	kfree(data->host[0]);
> -	kfree(data->host[1]);
> -	kfree(data);
> +	for (i = 0; i < 2; i++) {
> +		struct Scsi_Host *shost = data->host[i];
> +		int ioport;
> +
> +		if (!shost)
> +			continue;
> +
> +		ioport = shost->io_port;
> +		advansys_release(shost);
> +		release_region(ioport, ASC_IOADR_GAP);
> +	}
>    fail:
>   	return err;
>   }

You must be kidding ... EISA is died over a decade ago.

If you _really_ are concerned about this please remove EISA support 
completely from the driver.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.com                               +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

Re: [PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[Guangshuo Li]

Hi Hannes,

Thanks for the feedback.

On Fri, 17 Apr 2026 at 13:56, Hannes Reinecke <hare@suse.com> wrote:
>
>
> You must be kidding ... EISA is died over a decade ago.
>
> If you _really_ are concerned about this please remove EISA support
> completely from the driver.
>

I agree that EISA is obsolete, and I understand that this path is
unlikely to matter on modern systems. My intent was simply to clean up
an inconsistency I noticed while reviewing the existing error handling
code.

If maintaining the EISA path is not worthwhile, I’m fine with dropping
this patch. I can also take a look at what removing the EISA support
would involve.

Thanks,
Guangshuo

Re: [PATCH] [SCSI] advansys: fix host resource leak in EISA probe error path

[Hannes Reinecke]

On 4/17/26 08:29, Guangshuo Li wrote:
> Hi Hannes,
> 
> Thanks for the feedback.
> 
> On Fri, 17 Apr 2026 at 13:56, Hannes Reinecke <hare@suse.com> wrote:
>>
>>
>> You must be kidding ... EISA is died over a decade ago.
>>
>> If you _really_ are concerned about this please remove EISA support
>> completely from the driver.
>>
> 
> I agree that EISA is obsolete, and I understand that this path is
> unlikely to matter on modern systems. My intent was simply to clean up
> an inconsistency I noticed while reviewing the existing error handling
> code.
> 
> If maintaining the EISA path is not worthwhile, I’m fine with dropping
> this patch. I can also take a look at what removing the EISA support
> would involve.
> 
Please, drop the patch, and rather invest time to check how to drop
EISA support. Fixing issues for code paths which are never exercised
is a bit pointless.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.com                               +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich