From nobody Mon Jun  8 04:24:33 2026
Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com
 [209.85.216.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9976C3290C3
	for <linux-kernel@vger.kernel.org>; Sun,  7 Jun 2026 11:03:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.52
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780830226; cv=none;
 b=Han//bn5uLUjMOo4adqHvPKgEaxtJJidf81ngdrGK62StpvZgio0n8WpdqhPapAVbQ6MBK3ENM7AFviTXU/v8ON15ASFwk7d/EIHOgxgMoqZJCejY1e141JdD8Zf+UnUYr9z3o5Q+AcAre2VyA+d3A4fJJvU/3A7frRKAUGuOLU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780830226; c=relaxed/simple;
	bh=7TL9mox3kFnWg7MAxp78VEQJzb2DwRyijYkLdDkS2AY=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=MOobsaHQfWIoYql31upbJRQpp149Ip2V2Qkc2kfqS+lGscPKKBvSAG4epPfQsoVKnrnVWiyUK/wrytMJYoa2ktVPYrizA27ghvJycZq8OP6qevD2+pu3z4JnUspLJjfPRWu4NJKOJQ75FNTWBzbpqNLMm5rsnLk206QSuLxR344=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=Xk0Zxb/E; arc=none smtp.client-ip=209.85.216.52
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="Xk0Zxb/E"
Received: by mail-pj1-f52.google.com with SMTP id
 98e67ed59e1d1-36baec934b6so2434726a91.0
        for <linux-kernel@vger.kernel.org>;
 Sun, 07 Jun 2026 04:03:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780830225; x=1781435025;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=MRYeS+3lgp5NTYUoJEOQjWZ0O0A5oiI8iTFU5nQK1KU=;
        b=Xk0Zxb/E5mNA//4EqGaC/1rS13aMVzxMuKxXRwhZziGyprYeDS0wlQEac/9ZJJI97T
         ST3x8Ox2i0sc+rqZWQFtR/2G7PQDyhKTxCdawSJTd6dA7aGS0E+aJ2x5G2e9+UHTlHDX
         fnkku1b+6CU6r5CSzW0RPtK9v4TP3QamtWDqE1b5sL81Ur21xj7fOFhSDd8120wK9q2/
         PRsvMIclerBtFikWI+/e3Mg2uxTeEPPvBlmgP184MRZT9vaJOuW7I68NmsJIAC0kRQ3J
         uMlt4Airf7RNdrfWVYa/+Ky82tH/9/zPy8XXksCuHgxhpRGFKuDSTlByISzYfcq7u8ge
         ecJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780830225; x=1781435025;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=MRYeS+3lgp5NTYUoJEOQjWZ0O0A5oiI8iTFU5nQK1KU=;
        b=cwXz3Q7iCcMoXjPmM6JdNE70t1wQa+DCzB5OyMh765EDQ0xHP+CQW+2m8t1H1KALW0
         tPj1yPqOMxX4M8/hNwH197az5UESwveIu2SjqzJhZqNAZj9x24pxcV9pPjM/CnYPfB/J
         U9YBizbNTIJOlHdfr2pO2wNsxK8yI3vOYjzNetanwXuapwsPXjeJPOd62pRNgalnLhZg
         fk5Gba678fMYRsc22FlaB84Tfu5JD9eEBr7ThbVbK0GQeND0VTfRuljN2MuHT8Wnhy08
         K6wVmbKDpQF7Mm7d8Q5Dev1T/F8lF8lgy/cr1SRM0cMUr+qLOq2Kb4n7gLmd3s0JEk5a
         eKJg==
X-Forwarded-Encrypted: i=1;
 AFNElJ8kR8tt26l3ebh3H3h+OmZjpcR33mE9a6KvbYCc4Lh0URK1l5Qu65vaWfwrpctNQO75Kt8Hfw89BSOq8uA=@vger.kernel.org
X-Gm-Message-State: AOJu0YxtYPrz9jzqTWnyZ/4b+qyqUrmtaLWGtF6QVwhToVnV1g7uchDs
	AYMzwLxisxnRKFPdsqUQIUtYPp56q/u+0xW7kSNEwP3WYWt0MdaT4VUg
X-Gm-Gg: Acq92OGywKg37AEV5Vf5VM/ceuN310Mph34yV9BtQ7XCLvJjHlhQ6PTt8QKlFNMDuvG
	emQDZCdf7PR/wTGKrWWcOUiISFUsictbr6hvnpr01PedToKDdTriaHyd1C8F/VY4H6uTO4we2ZB
	YYY4giGr7ZxLkpUEo0P/zS+SHd/gECctymlWApwEe1K8BBYdNunCm/oRwrCe0zHNNGbjj52pxWr
	AfDtIDCZakYJ4MYjF2niJTm0ZwcFI6JnEIWh5onB8FndGpbJu5eR5v1NoFWcbM8Yvv04M95YPkM
	MAK2DcHS96DgTW723MPxEciWplqBOlml1ETbUN8FcXLz6mgTHf7Eu4gyXpPHWtWmQ1pT5YcpbPR
	rAzWxMcF48BVLUu3+b3W61Udz4zEIAWCwLra7sbjwHQPwHAFAg6ykLNTVe5BFBZPHm+TW6+BIOi
	clMFYvXfNt3M4PLhK8uxBLwSUruERtEtklJ4PbAiVp+IAky7nvp9YnwI3m8bFp6e8=
X-Received: by 2002:a17:90b:4a83:b0:368:864:62ad with SMTP id
 98e67ed59e1d1-3713029c115mr8369162a91.3.1780830224771;
        Sun, 07 Jun 2026 04:03:44 -0700 (PDT)
Received: from haichao.tail057a43.ts.net
 ([2001:da8:e000:1206:5d57:2cec:64ac:50a])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6dba8521sm12124123a91.15.2026.06.07.04.03.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 07 Jun 2026 04:03:44 -0700 (PDT)
From: Ruoyu Wang <ruoyuw560@gmail.com>
To: Ketan Mukadam <ketan.mukadam@broadcom.com>,
	"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Ruoyu Wang <ruoyuw560@gmail.com>
Subject: [PATCH] scsi: be2iscsi: fix cleanup on memory allocation failure
Date: Sun,  7 Jun 2026 19:03:39 +0800
Message-ID: <20260607110339.3-1-ruoyuw560@gmail.com>
X-Mailer: git-send-email 2.51.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

beiscsi_alloc_mem() builds each memory descriptor from DMA chunks
recorded in the temporary mem_arr_orig array. After all chunks for the
current descriptor have been allocated, the code allocates
mem_descr->mem_array and copies the temporary descriptors into it.

If mem_descr->mem_array allocation fails, or if DMA allocation fails
after some chunks have been allocated for the current descriptor, the
error path records the current chunk count in mem_descr->num_elements and
then dereferences mem_descr->mem_array. That pointer has not been
allocated for the current descriptor, so the cleanup path can dereference
NULL and also fail to release the current DMA chunks.

Release the current descriptor chunks from mem_arr_orig first, then walk
backward over the descriptors that were fully initialized earlier.

Fixes: 6733b39a1301 ("[SCSI] be2iscsi: add 10Gbps iSCSI - BladeEngine 2 dri=
ver")
Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
---
 drivers/scsi/be2iscsi/be_main.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_mai=
n.c
index fd18d4d3d..31c617bb6 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -2549,8 +2549,18 @@ static int beiscsi_alloc_mem(struct beiscsi_hba *phb=
a)
 	kfree(mem_arr_orig);
 	return 0;
 free_mem:
-	mem_descr->num_elements =3D j;
-	while ((i) || (j)) {
+	while (j) {
+		j--;
+		bus_add =3D mem_arr_orig[j].bus_address.u.a64.address;
+		dma_free_coherent(&phba->pcidev->dev,
+				  mem_arr_orig[j].size,
+				  mem_arr_orig[j].virtual_address,
+				  bus_add);
+	}
+
+	while (i) {
+		i--;
+		mem_descr--;
 		for (j =3D mem_descr->num_elements; j > 0; j--) {
 			dma_free_coherent(&phba->pcidev->dev,
 					    mem_descr->mem_array[j - 1].size,
@@ -2560,11 +2570,7 @@ free_mem:
 					    mem_array[j - 1].
 					    bus_address.u.a64.address);
 		}
-		if (i) {
-			i--;
-			kfree(mem_descr->mem_array);
-			mem_descr--;
-		}
+		kfree(mem_descr->mem_array);
 	}
 	kfree(mem_arr_orig);
 	kfree(phba->init_mem);
--=20
2.51.0