Bug 254689

Summary: ocs_fc: fix refcount leak bug in ocs_hw_io_abort()
Product: Base System Reporter: Xiyu Yang <xiyuyang19>
Component: kernAssignee: Ram Kishore Vegesna <ram>
Status: Open ---    
Severity: Affects Some People CC: markj, ram
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch none

Description Xiyu Yang 2021-04-01 06:43:07 UTC
Created attachment 223740 [details]
patch

The reference counting issue happens in one error handling path of ocs_hw_io_abort(). When allocating a request tag fails (i.e., wqcb == NULL), the function forgets to decrease the refcount of "io_to_abort" increased by ocs_ref_get(), causing a refcount leak. 

Fix this issue by calling ocs_ref_put() when `wqcb == NULL`. The attached patch is generated using Git on the latest version of FreeBSD.
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2021-04-01 13:52:27 UTC
Seems reasonable to me, though it is not a security problem from what I can see.
Comment 2 Ram Kishore Vegesna freebsd_committer freebsd_triage 2021-04-01 18:36:17 UTC
Hi Xiyu,

Thanks for pointing out the issue. The patch looks good.

I fixed this issue in our out-of-box ocs_fc driver. I will start merging pending  patches to the FreeBSD tree.

Thanks,
Ram
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2021-04-01 19:59:14 UTC
(In reply to Ram Kishore Vegesna from comment #2)
Thanks Ram!