_scsih_pcie_device_remove_by_handle() invokes __mpt3sas_get_pdev_by_handle(), which returns a reference of the specified _pcie_device object to "pcie_device" with increased refcnt. When _scsih_pcie_device_remove_by_handle() returns, local variable "pcie_device" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one normal path of _scsih_pcie_device_remove_by_handle(). When removing a pcie device, the function forgets to decrease the refcnt increased by __mpt3sas_get_pdev_by_handle(), causing a refcnt leak. Fix this issue by calling pcie_device_put() before _scsih_pcie_device_remove_by_handle() returns. Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx> Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx> --- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c index c597d544eb39..a1e69daffc1b 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -1159,7 +1159,6 @@ _scsih_pcie_device_remove_by_handle(struct MPT3SAS_ADAPTER *ioc, u16 handle) spin_unlock_irqrestore(&ioc->pcie_device_lock, flags); if (was_on_pcie_device_list) { _scsih_pcie_device_remove_from_sml(ioc, pcie_device); - pcie_device_put(pcie_device); } /* @@ -1169,6 +1168,8 @@ _scsih_pcie_device_remove_by_handle(struct MPT3SAS_ADAPTER *ioc, u16 handle) */ if (update_latency) _scsih_set_nvme_max_shutdown_latency(ioc); + if (pcie_device) + pcie_device_put(pcie_device); } /** -- 2.7.4
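Review bot: in the first hunk (@@ -1159), removing the put leaves `if (was_on_pcie_device_list) { ... }` with a single statement inside braces. Kernel coding style drops braces around a single-statement body, so the hunk should also remove the `{` and `}` and leave `_scsih_pcie_device_remove_from_sml(ioc, pcie_device);` directly under the `if`.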
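Review bot: in the second hunk (@@ -1169), the new `if (pcie_device) pcie_device_put(pcie_device);` sits directly under the `update_latency` check with no blank line or comment, and the changelog only says "one normal path" without naming it. From the visible lines, the path that previously skipped the put is the one where `pcie_device` is non-NULL but `was_on_pcie_device_list` is 0; please say that in the commit message, and add a blank line plus a one-line comment stating that this put drops the reference taken by __mpt3sas_get_pdev_by_handle(), so a reader does not mistake it for a list reference.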