[PATCH] scsi: esas2r: fix refcount leak in esas2r

Linux SCSI subsystem development
 help / color / mirror / Atom feed

* [PATCH] scsi: esas2r: fix refcount leak in esas2r_resume()
@ 2026-06-11  6:41 WenTao Liang
  2026-06-11  6:53 ` sashiko-bot
  0 siblings, 1 reply; 2+ messages in thread
From: WenTao Liang @ 2026-06-11  6:41 UTC (permalink / raw)
  To: linuxdrivers, James.Bottomley, martin.petersen
  Cc: linux-scsi, linux-kernel, WenTao Liang, stable

In esas2r_resume(), the function unconditionally calls
esas2r_disable_chip_interrupts() which increments the adapter's
dis_ints_cnt atomic counter. The counter is supposed to be
decremented by esas2r_enable_chip_interrupts(), but this only
happens on the success path when AF2_IRQ_CLAIMED is set. If
esas2r_power_up() fails or AF2_IRQ_CLAIMED is not set, the
function returns via error_exit without calling
esas2r_enable_chip_interrupts(), leaving the counter permanently
incremented. This refcount leak means the next disable/enable
cycle will not properly unmask interrupts (counter goes 1->2 on
disable, 2->1 on enable, never reaching 0), breaking interrupt
operation.

Fix it by calling esas2r_enable_chip_interrupts() before jumping
to error_exit on both error paths.

Cc: stable@vger.kernel.org
Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
 drivers/scsi/esas2r/esas2r_init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/esas2r/esas2r_init.c b/drivers/scsi/esas2r/esas2r_init.c
index 0a35f1953768..727ddcebec9f 100644
--- a/drivers/scsi/esas2r/esas2r_init.c
+++ b/drivers/scsi/esas2r/esas2r_init.c
@@ -683,6 +683,7 @@ static int __maybe_unused esas2r_resume(struct device *dev)
 	if (!esas2r_power_up(a, true)) {
 		esas2r_debug("yikes, esas2r_power_up failed");
 		rez = -ENOMEM;
+		esas2r_enable_chip_interrupts(a);
 		goto error_exit;
 	}

@@ -699,6 +700,7 @@ static int __maybe_unused esas2r_resume(struct device *dev)
 		esas2r_debug("yikes, unable to claim IRQ");
 		esas2r_log(ESAS2R_LOG_CRIT, "could not re-claim IRQ!");
 		rez = -ENOMEM;
+		esas2r_enable_chip_interrupts(a);
 		goto error_exit;
 	}

-- 
2.50.1 (Apple Git-155)

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] scsi: esas2r: fix refcount leak in esas2r_resume()
  2026-06-11  6:41 [PATCH] scsi: esas2r: fix refcount leak in esas2r_resume() WenTao Liang
@ 2026-06-11  6:53 ` sashiko-bot
  0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-11  6:53 UTC (permalink / raw)
  To: WenTao Liang; +Cc: linux-scsi

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The patch introduces a critical vulnerability in the IRQ claim failure path by blindly calling `esas2r_enable_chip_interrupts()`. Since `esas2r_power_up()` already decremented the `dis_ints_cnt` refcount on its success path, this additional call drops the refcount to 0, which physically unmasks hardware interrupts without a registered OS-level handler.
--

commit bcbf85bebac19683b875da8be0ef4e9cf5ebfcdd
Author: WenTao Liang <vulab@iscas.ac.cn>

scsi: esas2r: fix refcount leak in esas2r_resume()

This commit attempts to fix a refcount leak in esas2r_resume() by calling
esas2r_enable_chip_interrupts() on the error paths.

> diff --git a/drivers/scsi/esas2r/esas2r_init.c b/drivers/scsi/esas2r/esas2r_init.c
> index 0a35f19537680..727ddcebec9f9 100644
> --- a/drivers/scsi/esas2r/esas2r_init.c
> +++ b/drivers/scsi/esas2r/esas2r_init.c

[ ... ]

> @@ -699,6 +700,7 @@ static int __maybe_unused esas2r_resume(struct device *dev)
>  		esas2r_debug("yikes, unable to claim IRQ");
>  		esas2r_log(ESAS2R_LOG_CRIT, "could not re-claim IRQ!");
>  		rez = -ENOMEM;
> +		esas2r_enable_chip_interrupts(a);

[Severity: High]
Does this call to esas2r_enable_chip_interrupts() prematurely drop the
dis_ints_cnt refcount to 0 and physically unmask hardware interrupts?

If esas2r_power_up() succeeded earlier in this function, its internal success
path already decremented the dis_ints_cnt refcount back to 1.

If esas2r_claim_interrupts() subsequently fails to register an IRQ handler and
execution branches to this error path, calling esas2r_enable_chip_interrupts()
again drops the refcount from 1 to 0.

When the counter reaches 0, it writes ESAS2R_INT_ENB_MASK to the hardware
register to unmask interrupts. Since the OS explicitly refused to grant the
IRQ, will any generated hardware interrupt be left unhandled, leading to a
screaming interrupt on shared lines and forcing the kernel to disable the
shared IRQ line?

>  		goto error_exit;
>  	}
>

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611064100.65731-1-vulab@iscas.ac.cn?part=1

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-11  6:53 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11  6:41 [PATCH] scsi: esas2r: fix refcount leak in esas2r_resume() WenTao Liang
2026-06-11  6:53 ` sashiko-bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox