In receive_SyncParam(), when the fifo_alloc() call for the resync plan buffer fails, the error path executes put_ldev(device) at line 3790 and then jumps to the disconnect label. The disconnect label also calls put_ldev(device) when new_disk_conf is non-NULL, which is always the case by this point (get_ldev succeeded and new_disk_conf was allocated). This results in a double put_ldev, causing the ldev reference count to underflow. All other goto disconnect sites in the same function correctly rely solely on the disconnect label to perform the single put_ldev — the fifo_alloc failure path was the only one to prematurely release the reference. Remove the spurious put_ldev(device) call before goto disconnect to fix the double put. Cc: stable@vger.kernel.org Fixes: b30ab7913b0a ("drbd: Rename "mdev" to "device"") Signed-off-by: Wentao Liang --- drivers/block/drbd/drbd_receiver.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c index 58b95bf4bdca..f618d03fd2a6 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c @@ -3787,7 +3787,6 @@ static int receive_SyncParam(struct drbd_connection *connection, struct packet_i new_plan = fifo_alloc(fifo_size); if (!new_plan) { drbd_err(device, "kmalloc of fifo_buffer failed"); - put_ldev(device); goto disconnect; } } -- 2.39.5 (Apple Git-154)
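Review bot: dropping put_ldev(device) from the !new_plan branch is only safe if the disconnect label releases the reference on this path, and neither the label nor the condition guarding this nested block appears in the hunk context. The commit message should quote the check at disconnect and state which enclosing condition guarantees that get_ldev() succeeded and new_disk_conf is non-NULL before fifo_alloc() is reached, so the balance can be verified without reading the whole function. The reference to "line 3790" will go stale once the file changes; naming the branch (the fifo_alloc failure path) is enough. The Fixes: tag points at a commit whose subject is a rename of "mdev" to "device", which by its subject would only have touched this line rather than introduced the extra put; please check whether an earlier commit added the put before goto disconnect and reference that one, since the stable backport range depends on it.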