Patch "scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()" has been added to the 5.10-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-mpt3sas-fix-possible-resource-leaks-in-mpt3sas_.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2a8dbcaf8329e796809f6a9cddfb5538a1a429fe
Author: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Date:   Wed Nov 9 11:24:03 2022 +0800

    scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
    
    [ Upstream commit 78316e9dfc24906dd474630928ed1d3c562b568e ]
    
    In mpt3sas_transport_port_add(), if sas_rphy_add() returns error,
    sas_rphy_free() needs be called to free the resource allocated in
    sas_end_device_alloc(). Otherwise a kernel crash will happen:
    
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
    CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G        W          6.1.0-rc1+ #189
    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : device_del+0x54/0x3d0
    lr : device_del+0x37c/0x3d0
    Call trace:
     device_del+0x54/0x3d0
     attribute_container_class_device_del+0x28/0x38
     transport_remove_classdev+0x6c/0x80
     attribute_container_device_trigger+0x108/0x110
     transport_remove_device+0x28/0x38
     sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
     sas_port_delete+0x30/0x148 [scsi_transport_sas]
     do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
     device_for_each_child+0x68/0xb0
     sas_remove_children+0x30/0x50 [scsi_transport_sas]
     sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
     sas_port_delete+0x30/0x148 [scsi_transport_sas]
     do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
     device_for_each_child+0x68/0xb0
     sas_remove_children+0x30/0x50 [scsi_transport_sas]
     sas_remove_host+0x20/0x38 [scsi_transport_sas]
     scsih_remove+0xd8/0x420 [mpt3sas]
    
    Because transport_add_device() is not called when sas_rphy_add() fails, the
    device is not added. When sas_rphy_remove() is subsequently called to
    remove the device in the remove() path, a NULL pointer dereference happens.
    
    Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
    Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221109032403.1636422-1-yangyingliang@xxxxxxxxxx
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
index 6ec5b7f33dfd..b58f4d9c296a 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
@@ -712,6 +712,8 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
 	if ((sas_rphy_add(rphy))) {
 		ioc_err(ioc, "failure at %s:%d/%s()!\n",
 			__FILE__, __LINE__, __func__);
+		sas_rphy_free(rphy);
+		rphy = NULL;
 	}
 
 	if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {