* [PATCH v2] ntb: fix tx descriptor leak on dmaengine_submit failure
@ 2026-06-28 8:33 WenTao Liang
2026-06-29 4:37 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: WenTao Liang @ 2026-06-28 8:33 UTC (permalink / raw)
To: ntb
Cc: jdmason, dave.jiang, allenbh, linux-kernel, stable, WenTao Liang,
Greg KH
When dmaengine_submit fails after dma_set_unmap has been called, the
error path err_set_unmap only calls dmaengine_unmap_put once, but the
unmap object has two references (one from dmaengine_get_unmap_data and
one from dma_set_unmap held by the tx descriptor). The tx descriptor
itself is never freed, so its reference to unmap is never released,
causing a kref leak and a dangling pointer in the freed descriptor.
Replace dmaengine_unmap_put with dmaengine_desc_put(txd) in the
err_set_unmap path to properly release the tx descriptor, which will also
drop the unmap reference it holds.
Suggested-by: Greg KH <gregkh@linuxfoundation.org>
Fixes: 282a2feeb9bf ("NTB: Use DMA Engine to Transmit and Receive")
Cc: stable@vger.kernel.org
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Changes in v2:
- Fix patch format based on reviewer feedback
- Resend to ntb@lists.linux.dev (remove invalid googlegroups address)
---
drivers/ntb/ntb_transport.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
index 7cabc82305d6..28091ec5a74e 100644
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -1572,7 +1572,7 @@ static int ntb_async_rx_submit(struct ntb_queue_entry *entry, void *offset)
return 0;
err_set_unmap:
- dmaengine_unmap_put(unmap);
+ dmaengine_desc_put(txd);
err_get_unmap:
dmaengine_unmap_put(unmap);
err:
@@ -1896,7 +1896,7 @@ static int ntb_async_tx_submit(struct ntb_transport_qp *qp,
return 0;
err_set_unmap:
- dmaengine_unmap_put(unmap);
+ dmaengine_desc_put(txd);
err_get_unmap:
dmaengine_unmap_put(unmap);
err:
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] ntb: fix tx descriptor leak on dmaengine_submit failure
2026-06-28 8:33 [PATCH v2] ntb: fix tx descriptor leak on dmaengine_submit failure WenTao Liang
@ 2026-06-29 4:37 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-06-29 4:37 UTC (permalink / raw)
To: WenTao Liang; +Cc: ntb, jdmason, dave.jiang, allenbh, linux-kernel, stable
On Sun, Jun 28, 2026 at 04:33:01PM +0800, WenTao Liang wrote:
> When dmaengine_submit fails after dma_set_unmap has been called, the
> error path err_set_unmap only calls dmaengine_unmap_put once, but the
> unmap object has two references (one from dmaengine_get_unmap_data and
> one from dma_set_unmap held by the tx descriptor). The tx descriptor
> itself is never freed, so its reference to unmap is never released,
> causing a kref leak and a dangling pointer in the freed descriptor.
>
> Replace dmaengine_unmap_put with dmaengine_desc_put(txd) in the
> err_set_unmap path to properly release the tx descriptor, which will also
> drop the unmap reference it holds.
>
> Suggested-by: Greg KH <gregkh@linuxfoundation.org>
No, I didn't suggest ANY of these patches.
Also you did not use Assisted-by:, why?
Please start small with just 1 patch that you can do properly, before
flooding us with lots.
Please go and reply to all of these where you incorrectly added my
suggested-by and ask for them to be dropped.
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-29 4:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-28 8:33 [PATCH v2] ntb: fix tx descriptor leak on dmaengine_submit failure WenTao Liang
2026-06-29 4:37 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox