Linux kernel -stable discussions
 help / color / mirror / Atom feed
* [PATCH] nvme: target: rdma: fix ndev refcount leak on queue connect
@ 2026-05-27  8:45 Wentao Liang
  2026-05-27 13:24 ` Christoph Hellwig
  2026-05-27 15:41 ` Keith Busch
  0 siblings, 2 replies; 3+ messages in thread
From: Wentao Liang @ 2026-05-27  8:45 UTC (permalink / raw)
  To: Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni
  Cc: linux-nvme, linux-kernel, Wentao Liang, stable

nvmet_rdma_queue_connect() calls nvmet_rdma_find_get_device() which
acquires a reference on the returned ndev via kref_get(). On the path
where the host queue backlog is exceeded and the function returns
NVME_SC_CONNECT_CTRL_BUSY, reference of ndev is not released, leaking
the kref.

Fix this by adding a goto to the existing put_device label before the
early return.

Fixes: 31deaeb11ba7 ("nvmet-rdma: avoid circular locking dependency on install_queue()")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/nvme/target/rdma.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
index e6e2c3f9afdf..ac26f4f774c4 100644
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -1598,8 +1598,10 @@ static int nvmet_rdma_queue_connect(struct rdma_cm_id *cm_id,
 				pending++;
 		}
 		mutex_unlock(&nvmet_rdma_queue_mutex);
-		if (pending > NVMET_RDMA_BACKLOG)
-			return NVME_SC_CONNECT_CTRL_BUSY;
+		if (pending > NVMET_RDMA_BACKLOG) {
+			ret = NVME_SC_CONNECT_CTRL_BUSY;
+			goto put_device;
+		}
 	}
 
 	ret = nvmet_rdma_cm_accept(cm_id, queue, &event->param.conn);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] nvme: target: rdma: fix ndev refcount leak on queue connect
  2026-05-27  8:45 [PATCH] nvme: target: rdma: fix ndev refcount leak on queue connect Wentao Liang
@ 2026-05-27 13:24 ` Christoph Hellwig
  2026-05-27 15:41 ` Keith Busch
  1 sibling, 0 replies; 3+ messages in thread
From: Christoph Hellwig @ 2026-05-27 13:24 UTC (permalink / raw)
  To: Wentao Liang
  Cc: Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni, linux-nvme,
	linux-kernel, stable

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] nvme: target: rdma: fix ndev refcount leak on queue connect
  2026-05-27  8:45 [PATCH] nvme: target: rdma: fix ndev refcount leak on queue connect Wentao Liang
  2026-05-27 13:24 ` Christoph Hellwig
@ 2026-05-27 15:41 ` Keith Busch
  1 sibling, 0 replies; 3+ messages in thread
From: Keith Busch @ 2026-05-27 15:41 UTC (permalink / raw)
  To: Wentao Liang
  Cc: Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni, linux-nvme,
	linux-kernel, stable

On Wed, May 27, 2026 at 08:45:44AM +0000, Wentao Liang wrote:
> nvmet_rdma_queue_connect() calls nvmet_rdma_find_get_device() which
> acquires a reference on the returned ndev via kref_get(). On the path
> where the host queue backlog is exceeded and the function returns
> NVME_SC_CONNECT_CTRL_BUSY, reference of ndev is not released, leaking
> the kref.
> 
> Fix this by adding a goto to the existing put_device label before the
> early return.

Thanks, applied to nvme-7.2.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-27 15:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-27  8:45 [PATCH] nvme: target: rdma: fix ndev refcount leak on queue connect Wentao Liang
2026-05-27 13:24 ` Christoph Hellwig
2026-05-27 15:41 ` Keith Busch

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox