Re: [PATCH] fix: ntb: ntb_async_rx_submit: fix tx descriptor leak on dmaengine_submit failure

[Dave Jiang]

On 6/26/26 8:38 AM, WenTao Liang wrote:
> When dmaengine_submit fails after dma_set_unmap has been called, the
>   error path err_set_unmap only calls dmaengine_unmap_put once, but the
>   unmap object has two references (one from dmaengine_get_unmap_data and
>   one from dma_set_unmap held by the tx descriptor). The tx descriptor
>   itself is never freed, so its reference to unmap is never released,
>   causing a kref leak and a dangling pointer in the freed descriptor.
> 
> Replace dmaengine_unmap_put with dmaengine_desc_put(txd) in the
>   err_set_unmap path to properly release the tx descriptor, which will also
>   drop the unmap reference it holds.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 282a2feeb9bf ("NTB: Use DMA Engine to Transmit and Receive")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>

Can you please resend this to ntb@xxxxxxxxxxxxxxx? The googlegroups email has not been valid for a long time

DJ

> ---
>  drivers/ntb/ntb_transport.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
> index 7cabc82305d6..28091ec5a74e 100644
> --- a/drivers/ntb/ntb_transport.c
> +++ b/drivers/ntb/ntb_transport.c
> @@ -1572,7 +1572,7 @@ static int ntb_async_rx_submit(struct ntb_queue_entry *entry, void *offset)
>  	return 0;
>  
>  err_set_unmap:
> -	dmaengine_unmap_put(unmap);
> +	dmaengine_desc_put(txd);
>  err_get_unmap:
>  	dmaengine_unmap_put(unmap);
>  err:
> @@ -1896,7 +1896,7 @@ static int ntb_async_tx_submit(struct ntb_transport_qp *qp,
>  
>  	return 0;
>  err_set_unmap:
> -	dmaengine_unmap_put(unmap);
> +	dmaengine_desc_put(txd);
>  err_get_unmap:
>  	dmaengine_unmap_put(unmap);
>  err: