[PATCH] scsi: lpfc: Fix improper handling of refcount in lpfc_bsg_hba_get_event()

Qiu-ji Chen <chenqiuji666@xxxxxxxxx> · Tue, 5 Nov 2024 21:09:02 +0800

This patch addresses a reference count handling issue in the 
lpfc_bsg_hba_get_event() function. In the branch 
if (evt->reg_id == event_req->ev_reg_id), the function calls 
lpfc_bsg_event_ref(), which increments the reference count of the relevant 
resources. However, in the branch if (evt_dat == NULL), a goto statement 
directly jumps to the function’s final goto block, skipping the release 
operations at the end of the function. This means that, if the condition 
if (evt_dat == NULL) is met, the function fails to correctly release the 
resources acquired by lpfc_bsg_event_ref(), leading to a reference count 
leak.

To fix this issue, we added a new block job_error_unref before the 
job_error block. When the condition if (evt_dat == NULL) is met, the 
function will enter the job_error_unref block, ensuring that the previously
allocated resources are properly released, thereby preventing the reference
count leak.

This bug was identified by an experimental static analysis tool developed
by our team. The tool specializes in analyzing reference count operations
and detecting potential issues where resources are not properly managed.
In this case, the tool flagged the missing release operation as a
potential problem, which led to the development of this patch.

Fixes: 4cc0e56e977f ("[SCSI] lpfc 8.3.8: (BSG3) Modify BSG commands to operate asynchronously")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Qiu-ji Chen <chenqiuji666@xxxxxxxxx>
---
 drivers/scsi/lpfc/lpfc_bsg.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
index 85059b83ea6b..832a5a6dd85f 100644
--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -1294,7 +1294,7 @@ lpfc_bsg_hba_get_event(struct bsg_job *job)
 	if (evt_dat == NULL) {
 		bsg_reply->reply_payload_rcv_len = 0;
 		rc = -ENOENT;
-		goto job_error;
+		goto job_error_unref;
 	}
 
 	if (evt_dat->len > job->request_payload.payload_len) {
@@ -1329,6 +1329,10 @@ lpfc_bsg_hba_get_event(struct bsg_job *job)
 		       bsg_reply->reply_payload_rcv_len);
 	return 0;
 
+job_err_unref:
+	spin_lock_irqsave(&phba->ct_ev_lock, flags);
+	lpfc_bsg_event_unref(evt);
+	spin_unlock_irqrestore(&phba->ct_ev_lock, flags);
 job_error:
 	job->dd_data = NULL;
 	bsg_reply->result = rc;
-- 
2.34.1








