If sas_phy_alloc() returns error in sas_register_phys(), the phys that have been added are not deleted, so the memory of them are leaked, also, this leads the list of phy_attr_cont is not empty, it tiggers a BUG while calling sas_release_transport() in hisi_sas_exit() when removing module. kernel BUG at ./include/linux/transport_class.h:92! CPU: 8 PID: 38014 Comm: rmmod Kdump: loaded Not tainted 6.1.0-rc1+ #176 Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sas_release_transport+0x78/0x84 [scsi_transport_sas] lr : sas_release_transport+0x2c/0x84 [scsi_transport_sas] Call trace: sas_release_transport+0x78/0x84 [scsi_transport_sas] hisi_sas_exit+0x1c/0x9a8 [hisi_sas_main] __arm64_sys_delete_module+0x19c/0x358 Fix this by deleting the phys that have been added if sas_phy_alloc() returns error. Besides, if sas_phy_add() fails in sas_register_phys(), the phy->dev is not added to the klist_children of shost_gendev, so the phy can not be delete in sas_remove_children(), the phy and name memory allocated in sas_phy_alloc() are leaked. Fix this by checking and handling return value of sas_phy_add() in sas_register_phys(), call sas_phy_free() in the error path. Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> --- drivers/scsi/libsas/sas_phy.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/libsas/sas_phy.c b/drivers/scsi/libsas/sas_phy.c index a0d592d11dfb..84853576eb78 100644 --- a/drivers/scsi/libsas/sas_phy.c +++ b/drivers/scsi/libsas/sas_phy.c @@ -115,6 +115,7 @@ static void sas_phye_shutdown(struct work_struct *work) int sas_register_phys(struct sas_ha_struct *sas_ha) { + int ret; int i; /* Now register the phys. */ @@ -132,8 +133,10 @@ int sas_register_phys(struct sas_ha_struct *sas_ha) phy->frame_rcvd_size = 0; phy->phy = sas_phy_alloc(&sas_ha->core.shost->shost_gendev, i); - if (!phy->phy) - return -ENOMEM; + if (!phy->phy) { + ret = -ENOMEM; + goto err_out; + } phy->phy->identify.initiator_port_protocols = phy->iproto; @@ -146,10 +149,20 @@ int sas_register_phys(struct sas_ha_struct *sas_ha) phy->phy->maximum_linkrate = SAS_LINK_RATE_UNKNOWN; phy->phy->negotiated_linkrate = SAS_LINK_RATE_UNKNOWN; - sas_phy_add(phy->phy); + ret = sas_phy_add(phy->phy); + if (ret) { + sas_phy_free(phy->phy); + goto err_out; + } } return 0; + +err_out: + while (i--) + sas_phy_delete(sas_ha->sas_phy[i]->phy); + + return ret; } const work_func_t sas_phy_event_fns[PHY_NUM_EVENTS] = { -- 2.25.1