if cb_arg alloc failed, we can't release the struct orig_io_req refcount before we take it's refcount. As Saurav said, move the rec_err label down to avoid unnecessary refcount release and nullptr free. Signed-off-by: Lin Yi <teroincn@xxxxxxx> --- Changes in v2: - move the rec_err label down instead of moving kref_get. --- --- drivers/scsi/bnx2fc/bnx2fc_els.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/bnx2fc/bnx2fc_els.c b/drivers/scsi/bnx2fc/bnx2fc_els.c index 76e65a3..e33b94f 100644 --- a/drivers/scsi/bnx2fc/bnx2fc_els.c +++ b/drivers/scsi/bnx2fc/bnx2fc_els.c @@ -610,7 +610,6 @@ int bnx2fc_send_rec(struct bnx2fc_cmd *orig_io_req) rc = bnx2fc_initiate_els(tgt, ELS_REC, &rec, sizeof(rec), bnx2fc_rec_compl, cb_arg, r_a_tov); -rec_err: if (rc) { BNX2FC_IO_DBG(orig_io_req, "REC failed - release\n"); spin_lock_bh(&tgt->tgt_lock); @@ -618,6 +617,7 @@ int bnx2fc_send_rec(struct bnx2fc_cmd *orig_io_req) spin_unlock_bh(&tgt->tgt_lock); kfree(cb_arg); } +rec_err: return rc; } -- 1.9.1