Summary: | ocs_fc: fix refcount leak bug in ocs_hw_io_abort() | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | Xiyu Yang <xiyuyang19> | ||||
Component: | kern | Assignee: | Ram Kishore Vegesna <ram> | ||||
Status: | Open --- | ||||||
Severity: | Affects Some People | CC: | markj, ram | ||||
Priority: | --- | ||||||
Version: | CURRENT | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
Seems reasonable to me, though it is not a security problem from what I can see. Hi Xiyu, Thanks for pointing out the issue. The patch looks good. I fixed this issue in our out-of-box ocs_fc driver. I will start merging pending patches to the FreeBSD tree. Thanks, Ram (In reply to Ram Kishore Vegesna from comment #2) Thanks Ram! |
Created attachment 223740 [details] patch The reference counting issue happens in one error handling path of ocs_hw_io_abort(). When allocating a request tag fails (i.e., wqcb == NULL), the function forgets to decrease the refcount of "io_to_abort" increased by ocs_ref_get(), causing a refcount leak. Fix this issue by calling ocs_ref_put() when `wqcb == NULL`. The attached patch is generated using Git on the latest version of FreeBSD.