Created attachment 223740 [details]
The reference counting issue happens in one error handling path of ocs_hw_io_abort(). When allocating a request tag fails (i.e., wqcb == NULL), the function forgets to decrease the refcount of "io_to_abort" increased by ocs_ref_get(), causing a refcount leak.
Fix this issue by calling ocs_ref_put() when `wqcb == NULL`. The attached patch is generated using Git on the latest version of FreeBSD.
Seems reasonable to me, though it is not a security problem from what I can see.
Thanks for pointing out the issue. The patch looks good.
I fixed this issue in our out-of-box ocs_fc driver. I will start merging pending patches to the FreeBSD tree.
(In reply to Ram Kishore Vegesna from comment #2)