254689 – ocs_fc: fix refcount leak bug in ocs_hw_io_abort()

Bug 254689 - ocs_fc: fix refcount leak bug in ocs_hw_io_abort()

Summary: ocs_fc: fix refcount leak bug in ocs_hw_io_abort()

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Ram Kishore Vegesna

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-04-01 06:43 UTC by Xiyu Yang
Modified:	2021-04-01 19:59 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
patch (542 bytes, patch) 2021-04-01 06:43 UTC, Xiyu Yang	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Xiyu Yang 2021-04-01 06:43:07 UTC

Created attachment 223740 [details]
patch

The reference counting issue happens in one error handling path of ocs_hw_io_abort(). When allocating a request tag fails (i.e., wqcb == NULL), the function forgets to decrease the refcount of "io_to_abort" increased by ocs_ref_get(), causing a refcount leak. 

Fix this issue by calling ocs_ref_put() when `wqcb == NULL`. The attached patch is generated using Git on the latest version of FreeBSD.

Comment 1 Mark Johnston freebsd_committer

2021-04-01 13:52:27 UTC

Seems reasonable to me, though it is not a security problem from what I can see.

Comment 2 Ram Kishore Vegesna freebsd_committer

2021-04-01 18:36:17 UTC

Hi Xiyu,

Thanks for pointing out the issue. The patch looks good.

I fixed this issue in our out-of-box ocs_fc driver. I will start merging pending  patches to the FreeBSD tree.

Thanks,
Ram

Comment 3 Mark Johnston freebsd_committer

2021-04-01 19:59:14 UTC

(In reply to Ram Kishore Vegesna from comment #2)
Thanks Ram!