Message ID | 20230225100135.2109330-1-haowenchao2@huawei.com |
---|---|
State | New |
Headers |
From: Wenchao Hao <haowenchao2@huawei.com>
To: Sathya Prakash <sathya.prakash@broadcom.com>, Sreekanth Reddy <sreekanth.reddy@broadcom.com>, Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>, "James E . J . Bottomley" <jejb@linux.ibm.com>, "Martin K . Petersen" <martin.petersen@oracle.com>, <MPT-FusionLinux.pdl@broadcom.com>, <linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
CC: <linfeilong@huawei.com>, Wenchao Hao <haowenchao2@huawei.com>
Subject: [PATCH] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
Date: Sat, 25 Feb 2023 18:01:36 +0800
Message-ID: <20230225100135.2109330-1-haowenchao2@huawei.com> |
Series |
scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
|
|
Commit Message
Wenchao Hao
Feb. 25, 2023, 10:01 a.m. UTC
port is allocated by sas_port_alloc_num() and rphy is allocated by
sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
so we need to check the rphy to avoid possible NULL pointer access.

If sas_rphy_add() called with failure rphy is set to NULL, we would
access the rphy in next lines which would also result NULL pointer
access.

Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
in mpt3sas_transport_port_add()")

Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
---
drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
Comments
On 2023/2/25 18:01, Wenchao Hao wrote: > port is allocated by sas_port_alloc_num() and rphy is allocated by > sas_end_device_alloc() or sas_expander_alloc() which may return NULL, > so we need to check the rphy to avoid possible NULL pointer access. > > If sas_rphy_add() called with failure rphy is set to NULL, we would > access the rphy in next lines which would also result NULL pointer > access. > > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks > in mpt3sas_transport_port_add()") > > Signed-off-by: Wenchao Hao <haowenchao2@huawei.com> > --- > drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c > index e5ecd6ada6cd..e8a4750f6ec4 100644 > --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c > +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c > @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > goto out_fail; > } > port = sas_port_alloc_num(sas_node->parent_dev); > - if ((sas_port_add(port))) { > + if (!port || (sas_port_add(port))) { > ioc_err(ioc, "failure at %s:%d/%s()!\n", > __FILE__, __LINE__, __func__); > goto out_fail; > @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > mpt3sas_port->remote_identify.sas_address; > } > > + if (!rphy) { > + ioc_err(ioc, "failure at %s:%d/%s()!\n", > + __FILE__, __LINE__, __func__); > + goto out_delete_port; > + } > + > rphy->identify = mpt3sas_port->remote_identify; > > if ((sas_rphy_add(rphy))) { > @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > __FILE__, __LINE__, __func__); > sas_rphy_free(rphy); > rphy = NULL; > + goto out_delete_port; > } > > if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { 
> @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > rphy_to_expander_device(rphy), hba_port->port_id); > return mpt3sas_port; > > - out_fail: > +out_delete_port: > + sas_port_delete(port); > + > +out_fail: > list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, > port_siblings) > list_del(&mpt3sas_phy->port_siblings); friendly ping...
Ranjan/Sreekanth,

> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
>
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
>
> Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> in mpt3sas_transport_port_add()")

Please review!
On Mon, Mar 6, 2023 at 6:42 PM Martin K. Petersen <martin.petersen@oracle.com> wrote:
>
>
> Ranjan/Sreekanth,
>
> > port is allocated by sas_port_alloc_num() and rphy is allocated by
> > sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> > so we need to check the rphy to avoid possible NULL pointer access.
> >
> > If sas_rphy_add() called with failure rphy is set to NULL, we would
> > access the rphy in next lines which would also result NULL pointer
> > access.
> >
> > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> > in mpt3sas_transport_port_add()")
>
> Please review!

Looks good to me, please commit it for the 6.3 scsi_fixes

>
> --
> Martin K. Petersen Oracle Linux Engineering
On Sat, Feb 25, 2023 at 3:02 AM Wenchao Hao <haowenchao2@huawei.com> wrote: > > port is allocated by sas_port_alloc_num() and rphy is allocated by > sas_end_device_alloc() or sas_expander_alloc() which may return NULL, > so we need to check the rphy to avoid possible NULL pointer access. > > If sas_rphy_add() called with failure rphy is set to NULL, we would > access the rphy in next lines which would also result NULL pointer > access. > > Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks > in mpt3sas_transport_port_add()") > > Signed-off-by: Wenchao Hao <haowenchao2@huawei.com> Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com> > --- > drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c > index e5ecd6ada6cd..e8a4750f6ec4 100644 > --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c > +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c > @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > goto out_fail; > } > port = sas_port_alloc_num(sas_node->parent_dev); > - if ((sas_port_add(port))) { > + if (!port || (sas_port_add(port))) { > ioc_err(ioc, "failure at %s:%d/%s()!\n", > __FILE__, __LINE__, __func__); > goto out_fail; > @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > mpt3sas_port->remote_identify.sas_address; > } > > + if (!rphy) { > + ioc_err(ioc, "failure at %s:%d/%s()!\n", > + __FILE__, __LINE__, __func__); > + goto out_delete_port; > + } > + > rphy->identify = mpt3sas_port->remote_identify; > > if ((sas_rphy_add(rphy))) { > @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > __FILE__, __LINE__, __func__); > sas_rphy_free(rphy); > rphy = NULL; > + goto out_delete_port; > } > > if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { 
> @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > rphy_to_expander_device(rphy), hba_port->port_id); > return mpt3sas_port; > > - out_fail: > +out_delete_port: > + sas_port_delete(port); > + > +out_fail: > list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, > port_siblings) > list_del(&mpt3sas_phy->port_siblings); > -- > 2.32.0 >
On Sat, 25 Feb 2023 18:01:36 +0800, Wenchao Hao wrote:

> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
>
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
>
> [...]

Applied to 6.3/scsi-fixes, thanks!

[1/1] scsi: mpt3sas: fix NULL pointer access in mpt3sas_transport_port_add()
https://git.kernel.org/mkp/scsi/c/d3c57724f156
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c index e5ecd6ada6cd..e8a4750f6ec4 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, goto out_fail; } port = sas_port_alloc_num(sas_node->parent_dev); - if ((sas_port_add(port))) { + if (!port || (sas_port_add(port))) { ioc_err(ioc, "failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); goto out_fail; @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, mpt3sas_port->remote_identify.sas_address; } + if (!rphy) { + ioc_err(ioc, "failure at %s:%d/%s()!\n", + __FILE__, __LINE__, __func__); + goto out_delete_port; + } + rphy->identify = mpt3sas_port->remote_identify; if ((sas_rphy_add(rphy))) { @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, __FILE__, __LINE__, __func__); sas_rphy_free(rphy); rphy = NULL; + goto out_delete_port; } if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, rphy_to_expander_device(rphy), hba_port->port_id); return mpt3sas_port; - out_fail: +out_delete_port: + sas_port_delete(port); + +out_fail: list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list, port_siblings) list_del(&mpt3sas_phy->port_siblings);
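Review bot: In the first hunk (@@ -785), `if (!port || (sas_port_add(port)))` sends both failures to out_fail, and nothing visible on that path releases a port that was allocated successfully but then failed sas_port_add(). The new out_delete_port label does not fit that case either, since the port was never added. Consider handling the two conditions separately so the add-failure path can drop the allocation (sas_port_free() is the transport helper for a port that was not added) before jumping to out_fail; that would also let the log line say which step failed.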
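Review bot: In the second hunk (@@ -824), the new `if (!rphy)` branch logs the same generic "failure at %s:%d/%s()!" string as the other error paths in this function, so the only way to tell an rphy allocation failure from the rest is to map __LINE__ back to the source. A message that names the failed allocation, or a one-line comment that sas_end_device_alloc() and sas_expander_alloc() may return NULL, would make the reason for the check clear at the place where it sits.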
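Review bot: In the third hunk (@@ -831), `rphy = NULL;` is left in place directly before the added `goto out_delete_port;`, and neither out_delete_port nor the visible part of out_fail reads rphy, so the assignment now looks like a dead store. Either drop it or add a comment saying which later code depends on rphy being NULL, so the next reader does not assume execution still falls through to the rphy users below.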
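Review bot: In the last hunk (@@ -857), the existing label is rewritten from ` out_fail:` to `out_fail:` only to change its leading whitespace, which mixes a style cleanup into a fix aimed at scsi-fixes; keeping the old label line untouched would make the hunk a pure addition. The new out_delete_port block also relies on falling through into out_fail after sas_port_delete(port); a short comment stating that the fall-through is intentional would protect it against a later reordering of the labels.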