drivers/target/iscsi/cxgbit/cxgbit_cm.c | 2 ++ 1 file changed, 2 insertions(+)
__cxgbit_free_cdev_np() calls cxgbit_get_cnp() which takes a kref
reference on the cnp structure. This reference is only released on
the immediate error path after cxgbit_get_cnp(). On the timeout path
and the normal completion path that successfully processes the NP,
the reference is never released via cxgbit_put_cnp(), leaking the
kref.
Add cxgbit_put_cnp(cnp) on the timeout and success paths to properly
release the kref reference.
Cc: stable@vger.kernel.org
Fixes: 9730ffcb8957 ("cxgbit: add files for cxgbit.ko")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
drivers/target/iscsi/cxgbit/cxgbit_cm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/target/iscsi/cxgbit/cxgbit_cm.c b/drivers/target/iscsi/cxgbit/cxgbit_cm.c
index 146705845fa3..11149d73c844 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_cm.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_cm.c
@@ -545,6 +545,7 @@ __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)
ret = cxgbit_wait_for_reply(cdev, &cnp->com.wr_wait,
0, 10, __func__);
if (ret == -ETIMEDOUT)
+ cxgbit_put_cnp(cnp);
return ret;
if (ipv6 && cnp->com.cdev) {
@@ -558,6 +559,7 @@ __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)
cxgb4_free_stid(cdev->lldi.tids, stid,
cnp->com.local_addr.ss_family);
+ cxgbit_put_cnp(cnp);
return 0;
}
--
2.34.1Hi Wentao,
kernel test robot noticed the following build warnings:
[auto build test WARNING on mkp-scsi/for-next]
[also build test WARNING on kees/for-next/pstore kees/for-next/kspp linus/master v7.1-rc5 next-20260527]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wentao-Liang/target-iscsi-cxgbit-fix-cnp-kref-leak-in-__cxgbit_free_cdev_np/20260527-184050
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
patch link: https://lore.kernel.org/r/20260527103823.869792-1-vulab%40iscas.ac.cn
patch subject: [PATCH] target: iscsi: cxgbit: fix cnp kref leak in __cxgbit_free_cdev_np()
config: x86_64-rhel-9.4-rust (https://download.01.org/0day-ci/archive/20260528/202605280601.qcftuh6t-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260528/202605280601.qcftuh6t-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605280601.qcftuh6t-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/target/iscsi/cxgbit/cxgbit_cm.c:549:3: warning: misleading indentation; statement is not part of the previous 'if' [-Wmisleading-indentation]
549 | return ret;
| ^
drivers/target/iscsi/cxgbit/cxgbit_cm.c:547:2: note: previous statement is here
547 | if (ret == -ETIMEDOUT)
| ^
1 warning generated.
vim +/if +549 drivers/target/iscsi/cxgbit/cxgbit_cm.c
9730ffcb8957e1c Varun Prakash 2016-04-20 516
9730ffcb8957e1c Varun Prakash 2016-04-20 517 static int
9730ffcb8957e1c Varun Prakash 2016-04-20 518 __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)
9730ffcb8957e1c Varun Prakash 2016-04-20 519 {
9730ffcb8957e1c Varun Prakash 2016-04-20 520 int stid, ret;
9730ffcb8957e1c Varun Prakash 2016-04-20 521 bool ipv6 = false;
9730ffcb8957e1c Varun Prakash 2016-04-20 522
9730ffcb8957e1c Varun Prakash 2016-04-20 523 stid = cxgbit_np_hash_del(cdev, cnp);
9730ffcb8957e1c Varun Prakash 2016-04-20 524 if (stid < 0)
9730ffcb8957e1c Varun Prakash 2016-04-20 525 return -EINVAL;
9730ffcb8957e1c Varun Prakash 2016-04-20 526 if (!test_bit(CDEV_STATE_UP, &cdev->flags))
9730ffcb8957e1c Varun Prakash 2016-04-20 527 return -EINVAL;
9730ffcb8957e1c Varun Prakash 2016-04-20 528
9730ffcb8957e1c Varun Prakash 2016-04-20 529 if (cnp->np->np_sockaddr.ss_family == AF_INET6)
9730ffcb8957e1c Varun Prakash 2016-04-20 530 ipv6 = true;
9730ffcb8957e1c Varun Prakash 2016-04-20 531
9730ffcb8957e1c Varun Prakash 2016-04-20 532 cxgbit_get_cnp(cnp);
9730ffcb8957e1c Varun Prakash 2016-04-20 533 cxgbit_init_wr_wait(&cnp->com.wr_wait);
9730ffcb8957e1c Varun Prakash 2016-04-20 534 ret = cxgb4_remove_server(cdev->lldi.ports[0], stid,
9730ffcb8957e1c Varun Prakash 2016-04-20 535 cdev->lldi.rxq_ids[0], ipv6);
9730ffcb8957e1c Varun Prakash 2016-04-20 536
9730ffcb8957e1c Varun Prakash 2016-04-20 537 if (ret > 0)
9730ffcb8957e1c Varun Prakash 2016-04-20 538 ret = net_xmit_errno(ret);
9730ffcb8957e1c Varun Prakash 2016-04-20 539
9730ffcb8957e1c Varun Prakash 2016-04-20 540 if (ret) {
9730ffcb8957e1c Varun Prakash 2016-04-20 541 cxgbit_put_cnp(cnp);
9730ffcb8957e1c Varun Prakash 2016-04-20 542 return ret;
9730ffcb8957e1c Varun Prakash 2016-04-20 543 }
9730ffcb8957e1c Varun Prakash 2016-04-20 544
9730ffcb8957e1c Varun Prakash 2016-04-20 545 ret = cxgbit_wait_for_reply(cdev, &cnp->com.wr_wait,
9730ffcb8957e1c Varun Prakash 2016-04-20 546 0, 10, __func__);
9730ffcb8957e1c Varun Prakash 2016-04-20 547 if (ret == -ETIMEDOUT)
956027c993d5b20 Wentao Liang 2026-05-27 548 cxgbit_put_cnp(cnp);
9730ffcb8957e1c Varun Prakash 2016-04-20 @549 return ret;
9730ffcb8957e1c Varun Prakash 2016-04-20 550
9730ffcb8957e1c Varun Prakash 2016-04-20 551 if (ipv6 && cnp->com.cdev) {
9730ffcb8957e1c Varun Prakash 2016-04-20 552 struct sockaddr_in6 *sin6;
9730ffcb8957e1c Varun Prakash 2016-04-20 553
9730ffcb8957e1c Varun Prakash 2016-04-20 554 sin6 = (struct sockaddr_in6 *)&cnp->com.local_addr;
9730ffcb8957e1c Varun Prakash 2016-04-20 555 cxgb4_clip_release(cdev->lldi.ports[0],
9730ffcb8957e1c Varun Prakash 2016-04-20 556 (const u32 *)&sin6->sin6_addr.s6_addr,
9730ffcb8957e1c Varun Prakash 2016-04-20 557 1);
9730ffcb8957e1c Varun Prakash 2016-04-20 558 }
9730ffcb8957e1c Varun Prakash 2016-04-20 559
9730ffcb8957e1c Varun Prakash 2016-04-20 560 cxgb4_free_stid(cdev->lldi.tids, stid,
9730ffcb8957e1c Varun Prakash 2016-04-20 561 cnp->com.local_addr.ss_family);
956027c993d5b20 Wentao Liang 2026-05-27 562 cxgbit_put_cnp(cnp);
9730ffcb8957e1c Varun Prakash 2016-04-20 563 return 0;
9730ffcb8957e1c Varun Prakash 2016-04-20 564 }
9730ffcb8957e1c Varun Prakash 2016-04-20 565
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Wentao,
kernel test robot noticed the following build warnings:
[auto build test WARNING on mkp-scsi/for-next]
[also build test WARNING on kees/for-next/pstore kees/for-next/kspp linus/master v7.1-rc5 next-20260527]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wentao-Liang/target-iscsi-cxgbit-fix-cnp-kref-leak-in-__cxgbit_free_cdev_np/20260527-184050
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
patch link: https://lore.kernel.org/r/20260527103823.869792-1-vulab%40iscas.ac.cn
patch subject: [PATCH] target: iscsi: cxgbit: fix cnp kref leak in __cxgbit_free_cdev_np()
config: x86_64-rhel-9.4 (https://download.01.org/0day-ci/archive/20260528/202605280336.gXG4Wlij-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260528/202605280336.gXG4Wlij-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605280336.gXG4Wlij-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/target/iscsi/cxgbit/cxgbit_cm.c: In function '__cxgbit_free_cdev_np':
>> drivers/target/iscsi/cxgbit/cxgbit_cm.c:547:9: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
547 | if (ret == -ETIMEDOUT)
| ^~
drivers/target/iscsi/cxgbit/cxgbit_cm.c:549:17: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
549 | return ret;
| ^~~~~~
vim +/if +547 drivers/target/iscsi/cxgbit/cxgbit_cm.c
9730ffcb8957e1 Varun Prakash 2016-04-20 516
9730ffcb8957e1 Varun Prakash 2016-04-20 517 static int
9730ffcb8957e1 Varun Prakash 2016-04-20 518 __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)
9730ffcb8957e1 Varun Prakash 2016-04-20 519 {
9730ffcb8957e1 Varun Prakash 2016-04-20 520 int stid, ret;
9730ffcb8957e1 Varun Prakash 2016-04-20 521 bool ipv6 = false;
9730ffcb8957e1 Varun Prakash 2016-04-20 522
9730ffcb8957e1 Varun Prakash 2016-04-20 523 stid = cxgbit_np_hash_del(cdev, cnp);
9730ffcb8957e1 Varun Prakash 2016-04-20 524 if (stid < 0)
9730ffcb8957e1 Varun Prakash 2016-04-20 525 return -EINVAL;
9730ffcb8957e1 Varun Prakash 2016-04-20 526 if (!test_bit(CDEV_STATE_UP, &cdev->flags))
9730ffcb8957e1 Varun Prakash 2016-04-20 527 return -EINVAL;
9730ffcb8957e1 Varun Prakash 2016-04-20 528
9730ffcb8957e1 Varun Prakash 2016-04-20 529 if (cnp->np->np_sockaddr.ss_family == AF_INET6)
9730ffcb8957e1 Varun Prakash 2016-04-20 530 ipv6 = true;
9730ffcb8957e1 Varun Prakash 2016-04-20 531
9730ffcb8957e1 Varun Prakash 2016-04-20 532 cxgbit_get_cnp(cnp);
9730ffcb8957e1 Varun Prakash 2016-04-20 533 cxgbit_init_wr_wait(&cnp->com.wr_wait);
9730ffcb8957e1 Varun Prakash 2016-04-20 534 ret = cxgb4_remove_server(cdev->lldi.ports[0], stid,
9730ffcb8957e1 Varun Prakash 2016-04-20 535 cdev->lldi.rxq_ids[0], ipv6);
9730ffcb8957e1 Varun Prakash 2016-04-20 536
9730ffcb8957e1 Varun Prakash 2016-04-20 537 if (ret > 0)
9730ffcb8957e1 Varun Prakash 2016-04-20 538 ret = net_xmit_errno(ret);
9730ffcb8957e1 Varun Prakash 2016-04-20 539
9730ffcb8957e1 Varun Prakash 2016-04-20 540 if (ret) {
9730ffcb8957e1 Varun Prakash 2016-04-20 541 cxgbit_put_cnp(cnp);
9730ffcb8957e1 Varun Prakash 2016-04-20 542 return ret;
9730ffcb8957e1 Varun Prakash 2016-04-20 543 }
9730ffcb8957e1 Varun Prakash 2016-04-20 544
9730ffcb8957e1 Varun Prakash 2016-04-20 545 ret = cxgbit_wait_for_reply(cdev, &cnp->com.wr_wait,
9730ffcb8957e1 Varun Prakash 2016-04-20 546 0, 10, __func__);
9730ffcb8957e1 Varun Prakash 2016-04-20 @547 if (ret == -ETIMEDOUT)
956027c993d5b2 Wentao Liang 2026-05-27 548 cxgbit_put_cnp(cnp);
9730ffcb8957e1 Varun Prakash 2016-04-20 549 return ret;
9730ffcb8957e1 Varun Prakash 2016-04-20 550
9730ffcb8957e1 Varun Prakash 2016-04-20 551 if (ipv6 && cnp->com.cdev) {
9730ffcb8957e1 Varun Prakash 2016-04-20 552 struct sockaddr_in6 *sin6;
9730ffcb8957e1 Varun Prakash 2016-04-20 553
9730ffcb8957e1 Varun Prakash 2016-04-20 554 sin6 = (struct sockaddr_in6 *)&cnp->com.local_addr;
9730ffcb8957e1 Varun Prakash 2016-04-20 555 cxgb4_clip_release(cdev->lldi.ports[0],
9730ffcb8957e1 Varun Prakash 2016-04-20 556 (const u32 *)&sin6->sin6_addr.s6_addr,
9730ffcb8957e1 Varun Prakash 2016-04-20 557 1);
9730ffcb8957e1 Varun Prakash 2016-04-20 558 }
9730ffcb8957e1 Varun Prakash 2016-04-20 559
9730ffcb8957e1 Varun Prakash 2016-04-20 560 cxgb4_free_stid(cdev->lldi.tids, stid,
9730ffcb8957e1 Varun Prakash 2016-04-20 561 cnp->com.local_addr.ss_family);
956027c993d5b2 Wentao Liang 2026-05-27 562 cxgbit_put_cnp(cnp);
9730ffcb8957e1 Varun Prakash 2016-04-20 563 return 0;
9730ffcb8957e1 Varun Prakash 2016-04-20 564 }
9730ffcb8957e1 Varun Prakash 2016-04-20 565
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
© 2016 - 2026 Red Hat, Inc.