From nobody Thu Apr  9 23:25:12 2026
Received: from canpmsgout11.his.huawei.com (canpmsgout11.his.huawei.com
 [113.46.200.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7F8F33090CA;
	Thu,  5 Mar 2026 06:40:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=113.46.200.226
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772692850; cv=none;
 b=ku9b5nk3G6c/R5NH+9CzwJLBbKpK6Ba6WqYfw0PZQn/58lAPaQuNRFKfaTYq8FQPUhpg8rAaiIL3WPnQybPqZ2X4/nICQkd16vGZKetbZ6MX1UwIbdSTd116DOvdj7dJ/7WzSXtVWyK7NomIzcJztp6V+gE9xaKtAVZyVDjkvgc=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772692850; c=relaxed/simple;
	bh=RznNPgy3Ji15uzUc3u6YZxhguN3LRDyu6AI9/0INhfw=;
	h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type;
 b=ZCsrCJG6+Q0mzIrJPAZx9FEnvRmXtYaMwDgTX1JS7Vp7aD67XyHN1n26U7pRkpYdji2/xd/LTen9KQALEdgZT9zRBGsZ6a25R80zIkgsN9lmVpqRHjLrC+7qo+t9ZPMuNERyPYVeSw4zycaQLydKKRM+Nc1+7NpFrfKBhbeMS34=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=fail (p=quarantine dis=none) header.from=huawei.com;
 spf=pass smtp.mailfrom=h-partners.com;
 dkim=pass (1024-bit key) header.d=h-partners.com header.i=@h-partners.com
 header.b=WBICDuU3; arc=none smtp.client-ip=113.46.200.226
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=fail (p=quarantine dis=none) header.from=huawei.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=h-partners.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=h-partners.com header.i=@h-partners.com
 header.b="WBICDuU3"
dkim-signature: v=1; a=rsa-sha256; d=h-partners.com; s=dkim;
	c=relaxed/relaxed; q=dns/txt;
	h=From;
	bh=RWWzJPIar5yJmtfHAXecvF1K8q5A3xeT4H3Tj97q0vc=;
	b=WBICDuU3I4TuWWKk7ear45jdaCS4OmO4tJufKvPFXpcoSHz76f+db9sZ8YK4TMFA4MuVjSOjM
	Xo7TymtZ3notuJ117Ed0Nw4lwdacICieL55wXVJ/r9vXwBtybJLQveL1sp0bHU3DIDaG3ZkjayA
	9Ch2LQLPAH3mGnjhqsXtIvI=
Received: from mail.maildlp.com (unknown [172.19.163.214])
	by canpmsgout11.his.huawei.com (SkyGuard) with ESMTPS id 4fRKYJ6M0WzKm5j;
	Thu,  5 Mar 2026 14:35:48 +0800 (CST)
Received: from kwepemh200005.china.huawei.com (unknown [7.202.181.112])
	by mail.maildlp.com (Postfix) with ESMTPS id 26BF140561;
	Thu,  5 Mar 2026 14:40:41 +0800 (CST)
Received: from localhost.localdomain (10.50.163.32) by
 kwepemh200005.china.huawei.com (7.202.181.112) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1544.11; Thu, 5 Mar 2026 14:40:40 +0800
From: Yihang Li <liyihang9@huawei.com>
To: <martin.petersen@oracle.com>, <James.Bottomley@HansenPartnership.com>
CC: <linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<yangxingui@h-partners.com>, <linuxarm@huawei.com>, <prime.zeng@huawei.com>,
	<liyihang9@h-partners.com>, <liuyonglong@huawei.com>
Subject: [PATCH] scsi: hisi_sas: Fix NULL pointer exception when do
 user_scan()
Date: Thu, 5 Mar 2026 14:40:39 +0800
Message-ID: <20260305064039.4096775-1-liyihang9@huawei.com>
X-Mailer: git-send-email 2.33.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: kwepems200002.china.huawei.com (7.221.188.68) To
 kwepemh200005.china.huawei.com (7.202.181.112)
Content-Type: text/plain; charset="utf-8"

From: Xingui Yang <yangxingui@huawei.com>

user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to shost->max_channel)
via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix
sas_user_scan() to handle wildcard and multi-channel scans"). However,
hisi_sas supports only one channel, and the current value of max_channel
is 1. sas_user_scan() for channel 1 will trigger the following NULL
pointer exception:

[  441.554662] Unable to handle kernel NULL pointer dereference at virtual =
address 00000000000008b0
[  441.554699] Mem abort info:
[  441.554710]   ESR =3D 0x0000000096000004
[  441.554718]   EC =3D 0x25: DABT (current EL), IL =3D 32 bits
[  441.554723]   SET =3D 0, FnV =3D 0
[  441.554726]   EA =3D 0, S1PTW =3D 0
[  441.554730]   FSC =3D 0x04: level 0 translation fault
[  441.554735] Data abort info:
[  441.554737]   ISV =3D 0, ISS =3D 0x00000004, ISS2 =3D 0x00000000
[  441.554742]   CM =3D 0, WnR =3D 0, TnD =3D 0, TagAccess =3D 0
[  441.554747]   GCS =3D 0, Overlay =3D 0, DirtyBit =3D 0, Xs =3D 0
[  441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=3D00000828377a6000
[  441.554757] [00000000000008b0] pgd=3D0000000000000000, p4d=3D00000000000=
00000
[  441.554769] Internal error: Oops: 0000000096000004 [#1]  SMP
[  441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hi=
si_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_p=
mu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu=
 tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hcl=
ge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm=
3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_reg=
ion_hash dm_log dm_mod
[  441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainte=
d 7.0.0-rc2+ #84 PREEMPT
[  441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=
=3D--)
[  441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[  441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[  441.707502] sp : ffff80009abbba40
[  441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c=
37c08
[  441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c=
37c00
[  441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a=
40000
[  441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 00000000000=
00020
[  441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000fff=
fffff
[  441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c=
3b26a
[  441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5e=
a94f4
[  441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 00000000000=
00030
[  441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000=
00000
[  441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 00000000000=
00000
[  441.782053] Call trace:
[  441.784488]  sas_find_dev_by_rphy+0x44/0x118 (P)
[  441.789095]  sas_target_alloc+0x24/0xb0
[  441.792920]  scsi_alloc_target+0x290/0x330
[  441.797010]  __scsi_scan_target+0x88/0x258
[  441.801096]  scsi_scan_channel+0x74/0xb8
[  441.805008]  scsi_scan_host_selected+0x170/0x188
[  441.809615]  sas_user_scan+0xfc/0x148
[  441.813267]  store_scan+0x10c/0x180
[  441.816743]  dev_attr_store+0x20/0x40
[  441.820398]  sysfs_kf_write+0x84/0xa8
[  441.824054]  kernfs_fop_write_iter+0x130/0x1c8
[  441.828487]  vfs_write+0x2c0/0x370
[  441.831880]  ksys_write+0x74/0x118
[  441.835271]  __arm64_sys_write+0x24/0x38
[  441.839182]  invoke_syscall+0x50/0x120
[  441.842919]  el0_svc_common.constprop.0+0xc8/0xf0
[  441.847611]  do_el0_svc+0x24/0x38
[  441.850913]  el0_svc+0x38/0x158
[  441.854043]  el0t_64_sync_handler+0xa0/0xe8
[  441.858214]  el0t_64_sync+0x1ac/0x1b0
[  441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[  441.867946] ---[ end trace 0000000000000000 ]---

Therefore, set max_channel to 0.

Fixes: e21fe3a52692 ("scsi: hisi_sas: add initialisation for v3 pci-based c=
ontroller")
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Signed-off-by: Yihang Li <liyihang9@huawei.com>
---
 drivers/scsi/hisi_sas/hisi_sas_main.c  | 2 +-
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/=
hisi_sas_main.c
index 30a9c6612651..c2b082f1252c 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -2578,7 +2578,7 @@ int hisi_sas_probe(struct platform_device *pdev,
 	shost->transportt =3D hisi_sas_stt;
 	shost->max_id =3D HISI_SAS_MAX_DEVICES;
 	shost->max_lun =3D ~0;
-	shost->max_channel =3D 1;
+	shost->max_channel =3D 0;
 	shost->max_cmd_len =3D HISI_SAS_MAX_CDB_LEN;
 	if (hisi_hba->hw->slot_index_alloc) {
 		shost->can_queue =3D HISI_SAS_MAX_COMMANDS;
diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas=
/hisi_sas_v3_hw.c
index 2f9e01717ef3..f69efc6494b8 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -4993,7 +4993,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct =
pci_device_id *id)
 	shost->transportt =3D hisi_sas_stt;
 	shost->max_id =3D HISI_SAS_MAX_DEVICES;
 	shost->max_lun =3D ~0;
-	shost->max_channel =3D 1;
+	shost->max_channel =3D 0;
 	shost->max_cmd_len =3D HISI_SAS_MAX_CDB_LEN;
 	shost->can_queue =3D HISI_SAS_UNRESERVED_IPTT;
 	shost->cmd_per_lun =3D HISI_SAS_UNRESERVED_IPTT;
--=20
2.33.0