__cxgbit_free_cdev_np() calls cxgbit_get_cnp() which takes a kref
reference on the cnp structure. This reference is only released on
the immediate error path after cxgbit_get_cnp(). On the timeout path
and the normal completion path that successfully processes the NP,
the reference is never released via cxgbit_put_cnp(), leaking the
kref.

Add cxgbit_put_cnp(cnp) on the timeout and success paths to properly
release the kref reference.

Cc: stable@vger.kernel.org
Fixes: 9730ffcb8957 ("cxgbit: add files for cxgbit.ko")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>

---
Change in v2:
-Fix code error.
---
 drivers/target/iscsi/cxgbit/cxgbit_cm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/cxgbit/cxgbit_cm.c b/drivers/target/iscsi/cxgbit/cxgbit_cm.c
index 146705845fa3..f8cd6457666b 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_cm.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_cm.c
@@ -544,8 +544,10 @@ __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)
 
 	ret = cxgbit_wait_for_reply(cdev, &cnp->com.wr_wait,
 				    0, 10, __func__);
-	if (ret == -ETIMEDOUT)
+	if (ret == -ETIMEDOUT) {
+		cxgbit_put_cnp(cnp);
 		return ret;
+	}
 
 	if (ipv6 && cnp->com.cdev) {
 		struct sockaddr_in6 *sin6;
@@ -558,6 +560,7 @@ __cxgbit_free_cdev_np(struct cxgbit_device *cdev, struct cxgbit_np *cnp)
 
 	cxgb4_free_stid(cdev->lldi.tids, stid,
 			cnp->com.local_addr.ss_family);
+	cxgbit_put_cnp(cnp);
 	return 0;
 }
 
-- 
2.34.1