Message ID | 20221107115401.3399891-1-yangyingliang@huawei.com (mailing list archive) |
---|---|
State | Superseded |
Series | [v2] scsi: scsi_transport_sas: fix error handling in sas_phy_add() |
On 07/11/2022 11:54, Yang Yingliang wrote:
> If transport_add_device() fails in sas_phy_add(), but it's not handled,

The wording is hard to understand here. Omit "but" and it becomes a bit more readable...

> it will lead kernel crash because of trying to delete not added device
> in transport_remove_device() called from sas_remove_host().
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
> CPU: 61 PID: 42829 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc1+ #173
> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : device_del+0x54/0x3d0
> lr : device_del+0x37c/0x3d0
> Call trace:
> device_del+0x54/0x3d0
> attribute_container_class_device_del+0x28/0x38
> transport_remove_classdev+0x6c/0x80
> attribute_container_device_trigger+0x108/0x110
> transport_remove_device+0x28/0x38
> sas_phy_delete+0x30/0x60 [scsi_transport_sas]
> do_sas_phy_delete+0x6c/0x80 [scsi_transport_sas]
> device_for_each_child+0x68/0xb0
> sas_remove_children+0x40/0x50 [scsi_transport_sas]
> sas_remove_host+0x20/0x38 [scsi_transport_sas]
> hisi_sas_remove+0x40/0x68 [hisi_sas_main]
> hisi_sas_v2_remove+0x20/0x30 [hisi_sas_v2_hw]
> platform_remove+0x2c/0x60
>
> Fix this by checking and handling return value of transport_add_device()
> in sas_phy_add().
>
> Fixes: c7ebbbce366c ("[SCSI] SAS transport class")
> Suggested-by: John Garry <john.g.garry@oracle.com>
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

Apart from comment about commit message:
Reviewed-by: John Garry <john.g.garry@oracle.com>

> ---
> v1 -> v2:
> Update title and refactor the error handling suggested by John.
> ---
> drivers/scsi/scsi_transport_sas.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c > index 2f88c61216ee..74b99f2b0b74 100644 > --- a/drivers/scsi/scsi_transport_sas.c > +++ b/drivers/scsi/scsi_transport_sas.c
> @@ -722,12 +722,17 @@ int sas_phy_add(struct sas_phy *phy) > int error; > > error = device_add(&phy->dev); > - if (!error) { > - transport_add_device(&phy->dev); > - transport_configure_device(&phy->dev); > + if (error) > + return error; > + > + error = transport_add_device(&phy->dev); > + if (error) { > + device_del(&phy->dev); > + return error; > } > + transport_configure_device(&phy->dev); > > - return error; > + return 0; > } > EXPORT_SYMBOL(sas_phy_add); >
On 2022/11/7 19:54, Yang Yingliang wrote:
> If transport_add_device() fails in sas_phy_add(), but it's not handled,
> it will lead kernel crash because of trying to delete not added device
> in transport_remove_device() called from sas_remove_host().
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
> CPU: 61 PID: 42829 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc1+ #173
> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : device_del+0x54/0x3d0
> lr : device_del+0x37c/0x3d0
> Call trace:
> device_del+0x54/0x3d0
> attribute_container_class_device_del+0x28/0x38
> transport_remove_classdev+0x6c/0x80
> attribute_container_device_trigger+0x108/0x110
> transport_remove_device+0x28/0x38
> sas_phy_delete+0x30/0x60 [scsi_transport_sas]
> do_sas_phy_delete+0x6c/0x80 [scsi_transport_sas]
> device_for_each_child+0x68/0xb0
> sas_remove_children+0x40/0x50 [scsi_transport_sas]
> sas_remove_host+0x20/0x38 [scsi_transport_sas]
> hisi_sas_remove+0x40/0x68 [hisi_sas_main]
> hisi_sas_v2_remove+0x20/0x30 [hisi_sas_v2_hw]
> platform_remove+0x2c/0x60
>
> Fix this by checking and handling return value of transport_add_device()
> in sas_phy_add().
>
> Fixes: c7ebbbce366c ("[SCSI] SAS transport class")
> Suggested-by: John Garry <john.g.garry@oracle.com>
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
> v1 -> v2:
> Update title and refactor the error handling suggested by John.
> ---
> drivers/scsi/scsi_transport_sas.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)

Looks good,
Reviewed-by: Jason Yan <yanaijie@huawei.com>
diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c index 2f88c61216ee..74b99f2b0b74 100644 --- a/drivers/scsi/scsi_transport_sas.c +++ b/drivers/scsi/scsi_transport_sas.c @@ -722,12 +722,17 @@ int sas_phy_add(struct sas_phy *phy) int error; error = device_add(&phy->dev); - if (!error) { - transport_add_device(&phy->dev); - transport_configure_device(&phy->dev); + if (error) + return error; + + error = transport_add_device(&phy->dev); + if (error) { + device_del(&phy->dev); + return error; } + transport_configure_device(&phy->dev); - return error; + return 0; } EXPORT_SYMBOL(sas_phy_add);
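Review bot: The new transport_add_device() failure branch in sas_phy_add() returns right after device_del(&phy->dev), but nothing states what condition the phy is left in for the caller. A short comment above sas_phy_add() saying that on error the phy is not registered, and must not be handed to sas_phy_delete() (the function in the call trace that reaches transport_remove_device()), would make the contract explicit. It is also worth checking whether other callers of transport_add_device() in this file ignore its return value the same way, since the hunk only covers sas_phy_add().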
If transport_add_device() fails in sas_phy_add(), but it's not handled,
it will lead kernel crash because of trying to delete not added device
in transport_remove_device() called from sas_remove_host().

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 61 PID: 42829 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc1+ #173
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
device_del+0x54/0x3d0
attribute_container_class_device_del+0x28/0x38
transport_remove_classdev+0x6c/0x80
attribute_container_device_trigger+0x108/0x110
transport_remove_device+0x28/0x38
sas_phy_delete+0x30/0x60 [scsi_transport_sas]
do_sas_phy_delete+0x6c/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x40/0x50 [scsi_transport_sas]
sas_remove_host+0x20/0x38 [scsi_transport_sas]
hisi_sas_remove+0x40/0x68 [hisi_sas_main]
hisi_sas_v2_remove+0x20/0x30 [hisi_sas_v2_hw]
platform_remove+0x2c/0x60

Fix this by checking and handling return value of transport_add_device()
in sas_phy_add().

Fixes: c7ebbbce366c ("[SCSI] SAS transport class")
Suggested-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
v1 -> v2:
Update title and refactor the error handling suggested by John.
---
drivers/scsi/scsi_transport_sas.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)