[PATCH] scsi: target: cxgbit: fix refcount leak in __cxgbit_free_cdev_np

From: WenTao Liang

Date: Thu Jun 11 2026 - 08:24:34 EST


__cxgbit_free_cdev_np() calls cxgbit_get_cnp() to take a reference
on cnp for the duration of the firmware remove-server operation.
If cxgb4_remove_server() fails, the reference is correctly released
in the error path with cxgbit_put_cnp(). However, once past that
check, the reference is never released on any other path:
- when cxgbit_wait_for_reply() times out,
- when cxgbit_wait_for_reply() succeeds,
- or when cxgbit_wait_for_reply() returns another error.

All three paths return without dropping the reference, and no
called function consumes or releases the kref. The caller,
cxgbit_free_cdev_np(), does not balance the reference either.

Add the missing cxgbit_put_cnp() on the timeout and success paths,
and use a unified cleanup to handle all non-early-error returns.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 9730ffcb8957 ("cxgbit: add files for cxgbit.ko")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/target/iscsi/cxgbit/cxgbit_cm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/cxgbit/cxgbit_cm.c b/drivers/target/iscsi/cxgbit/cxgbit_cm.c
index 146705845fa3..f8cd6457666b 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_cm.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_cm.c
@@ -544,8 +544,10 @@ __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)

ret = cxgbit_wait_for_reply(cdev, &cnp->com.wr_wait,
0, 10, __func__);
- if (ret == -ETIMEDOUT)
+ if (ret == -ETIMEDOUT) {
+ cxgbit_put_cnp(cnp);
return ret;
+ }

if (ipv6 && cnp->com.cdev) {
struct sockaddr_in6 *sin6;
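Review bot: The new cxgbit_put_cnp() in the -ETIMEDOUT branch needs a lifetime argument, because a timeout only means the waiter gave up, not that the firmware reply can no longer arrive. Whatever code completes cnp->com.wr_wait when the remove-server reply comes in will still dereference cnp, so if this put drops the last reference a late reply touches freed memory. Please show in the changelog that the reply path holds its own reference or cannot run after the timeout; if it cannot be shown, holding the reference on timeout is the safer behaviour, since a leak is preferable to a use-after-free.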
@@ -558,6 +560,7 @@ __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)

cxgb4_free_stid(cdev->lldi.tids, stid,
cnp->com.local_addr.ss_family);
+ cxgbit_put_cnp(cnp);
return 0;
}
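Review bot: The put added before `return 0;` does not match the changelog, which promises "a unified cleanup to handle all non-early-error returns"; the diff instead adds two separate cxgbit_put_cnp() calls. A single exit label (for example `out: cxgbit_put_cnp(cnp); return ret;`) reached from both the timeout branch and the end of the function would match the description and keep the get/put pairing in one place. As far as the visible lines show, only -ETIMEDOUT is tested after cxgbit_wait_for_reply(), so any other error falls through to this `return 0;` and is discarded; say whether that is intended. The changelog's claim that no called function consumes the kref also needs evidence, because the code that wakes cnp->com.wr_wait is outside this diff, and if it already drops the reference this put becomes a double put.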

--
2.50.1 (Apple Git-155)