Bug 254689 - ocs_fc: fix refcount leak bug in ocs_hw_io_abort()
Summary: ocs_fc: fix refcount leak bug in ocs_hw_io_abort()
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Ram Kishore Vegesna
Depends on:
Reported: 2021-04-01 06:43 UTC by Xiyu Yang
Modified: 2021-04-01 19:59 UTC (History)
2 users (show)

See Also:

patch (542 bytes, patch)
2021-04-01 06:43 UTC, Xiyu Yang
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Xiyu Yang 2021-04-01 06:43:07 UTC
Created attachment 223740 [details]

The reference counting issue happens in one error handling path of ocs_hw_io_abort(). When allocating a request tag fails (i.e., wqcb == NULL), the function forgets to decrease the refcount of "io_to_abort" increased by ocs_ref_get(), causing a refcount leak. 

Fix this issue by calling ocs_ref_put() when `wqcb == NULL`. The attached patch is generated using Git on the latest version of FreeBSD.
Comment 1 Mark Johnston freebsd_committer 2021-04-01 13:52:27 UTC
Seems reasonable to me, though it is not a security problem from what I can see.
Comment 2 Ram Kishore Vegesna freebsd_committer 2021-04-01 18:36:17 UTC
Hi Xiyu,

Thanks for pointing out the issue. The patch looks good.

I fixed this issue in our out-of-box ocs_fc driver. I will start merging pending  patches to the FreeBSD tree.

Comment 3 Mark Johnston freebsd_committer 2021-04-01 19:59:14 UTC
(In reply to Ram Kishore Vegesna from comment #2)
Thanks Ram!