Call c4iw_put_wr_wait() if c4iw_wait_for_reply() fails. This code uses kobject so the worst impact from this bug is a DoS. Fixes: 2015f26cfade ("iw_cxgb4: add referencing to wait objects") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- >From static analysis. Not tested. drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h index 12f33467c672..1dc0e00aba5f 100644 --- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h @@ -297,11 +297,18 @@ static inline int c4iw_ref_send_wait(struct c4iw_rdev *rdev, qpid); c4iw_get_wr_wait(wr_waitp); ret = c4iw_ofld_send(rdev, skb); - if (ret) { - c4iw_put_wr_wait(wr_waitp); - return ret; - } - return c4iw_wait_for_reply(rdev, wr_waitp, hwtid, qpid, func); + if (ret) + goto put_wait; + + ret = c4iw_wait_for_reply(rdev, wr_waitp, hwtid, qpid, func); + if (ret) + goto put_wait; + + return 0; + +put_wait: + c4iw_put_wr_wait(wr_waitp); + return ret; } enum db_state { -- 2.20.1
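Review bot: In the new `ret = c4iw_wait_for_reply(rdev, wr_waitp, hwtid, qpid, func);` path, the success case does `return 0;` without calling c4iw_put_wr_wait(), so the reference taken by c4iw_get_wr_wait() has to be dropped somewhere outside this function, presumably by whatever completes the wait. If so, the added `goto put_wait` after a failed c4iw_wait_for_reply() is only safe when that completion side can no longer run. Otherwise the change replaces a leak with a double put on the wait object. Given the "From static analysis. Not tested." remark, the commit message should say which path owns this reference on success and why it cannot fire after a failed wait. If that cannot be shown, keep the put limited to the c4iw_ofld_send() failure as in the removed lines.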