The function mvs_task_prep() defined in file drivers/scsi/mvsas/mv_sas.c returns 0 on success, or non-zero values on failures. It calls function pci_pool_alloc() and checks its return value against NULL (at line 794), and if the return value is NULL, the control flow jumps to label "err_out_tag", cleans allocated memory and returns variable rc. Function pci_pool_alloc() is called after the check of variable rc, so the value of rc must be 0. As a result, mvs_task_prep() will return 0 (indicates success) even the call to pci_pool_alloc() fails. I think it is better to assign "-ENOMEM" to rc when pci_pool_alloc() fails. Codes and comments related to this bug are summarised as follows. mvs_task_prep @@ drivers/scsi/mvsas/mv_sas.c 711 static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf, 712 struct mvs_tmf_task *tmf, int *pass) 713 { ... 719 int rc = 0; ... 783 rc = mvs_tag_alloc(mvi, &tag); 784 if (rc) 785 goto err_out; 786 787 slot = &mvi->slot_info[tag]; 788 789 task->lldd_task = NULL; 790 slot->n_elem = n_elem; 791 slot->slot_tag = tag; 792 793 slot->buf = pci_pool_alloc(mvi->dma_pool, GFP_ATOMIC, &slot->buf_dma); 794 if (!slot->buf) // insert "rc = -ENOMEM" here? 795 goto err_out_tag; ... 838 return rc; 839 840 err_out_slot_buf: 841 pci_pool_free(mvi->dma_pool, slot->buf, slot->buf_dma); 842 err_out_tag: 843 mvs_tag_free(mvi, tag); 844 err_out: 845 846 dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc); 847 if (!sas_protocol_ata(task->task_proto)) 848 if (n_elem) 849 dma_unmap_sg(mvi->dev, task->scatter, n_elem, 850 task->data_dir); 851 prep_out: 852 return rc; 853 } Thanks very much!
Fixed in linux-v4.11. So I will close the bug.