| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5867eb0a-f42b-fac8-7ca7-e051a933fbaf@huawei.com>
Date: Tue, 28 Feb 2023 22:49:08 +0800
From: "haowenchao (C)" <haowenchao2@...wei.com>
To: Sathya Prakash <sathya.prakash@...adcom.com>,
Sreekanth Reddy <sreekanth.reddy@...adcom.com>,
Suganath Prabu Subramani
<suganath-prabu.subramani@...adcom.com>,
"James E . J . Bottomley" <jejb@...ux.ibm.com>,
"Martin K . Petersen" <martin.petersen@...cle.com>,
<MPT-FusionLinux.pdl@...adcom.com>, <linux-scsi@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
CC: <linfeilong@...wei.com>
Subject: Re: [PATCH] scsi: mpt3sas: fix NULL pointer access in
mpt3sas_transport_port_add()
On 2023/2/25 18:01, Wenchao Hao wrote:
> port is allocated by sas_port_alloc_num() and rphy is allocated by
> sas_end_device_alloc() or sas_expander_alloc() which may return NULL,
> so we need to check the rphy to avoid possible NULL pointer access.
>
> If sas_rphy_add() called with failure rphy is set to NULL, we would
> access the rphy in next lines which would also result NULL pointer
> access.
>
> Fix commit 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks
> in mpt3sas_transport_port_add()")
>
> Signed-off-by: Wenchao Hao <haowenchao2@...wei.com>
> ---
> drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> index e5ecd6ada6cd..e8a4750f6ec4 100644
> --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
> +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
> @@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
> goto out_fail;
> }
> port = sas_port_alloc_num(sas_node->parent_dev);
> - if ((sas_port_add(port))) {
> + if (!port || (sas_port_add(port))) {
> ioc_err(ioc, "failure at %s:%d/%s()!\n",
> __FILE__, __LINE__, __func__);
> goto out_fail;
> @@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
> mpt3sas_port->remote_identify.sas_address;
> }
>
> + if (!rphy) {
> + ioc_err(ioc, "failure at %s:%d/%s()!\n",
> + __FILE__, __LINE__, __func__);
> + goto out_delete_port;
> + }
> +
> rphy->identify = mpt3sas_port->remote_identify;
>
> if ((sas_rphy_add(rphy))) {
> @@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
> __FILE__, __LINE__, __func__);
> sas_rphy_free(rphy);
> rphy = NULL;
> + goto out_delete_port;
> }
>
> if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
> @@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
> rphy_to_expander_device(rphy), hba_port->port_id);
> return mpt3sas_port;
>
> - out_fail:
> +out_delete_port:
> + sas_port_delete(port);
> +
> +out_fail:
> list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
> port_siblings)
> list_del(&mpt3sas_phy->port_siblings);
friendly ping...
Powered by blists - more mailing lists