IB/srp: Fix a memory descriptor leak in an error path

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If an error occurs after srp_fr_pool_get() succeeded and before the
descriptor is stored in srp_map_state (*state->fr.next++ = desc)
then srp_unmap_data() won't free the newly allocated memory
descriptor. Hence free the descriptor explicitly.

Fixes: f7f7aab1a5c0 ("IB/srp: Convert to new registration API")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Cc: Sagi Grimberg <sai@grimberg.me>
Cc: Christoph Hellwig <hch@lst.de>
Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: Doug Ledford <dledford@redhat.com>

authored by

Bart Van Assche and committed by

Doug Ledford 10 years ago 9d8e7d0d cf1acab7

+6 -1

1 changed file

expand all

drivers

infiniband

ulp

srp

ib_srp.c

+6 -1

drivers/infiniband/ulp/srp/ib_srp.c

··· 1330 1330 ib_update_fast_reg_key(desc->mr, rkey); 1331 1331 1332 1332 n = ib_map_mr_sg(desc->mr, state->sg, sg_nents, 0, dev->mr_page_size); 1333 - if (unlikely(n < 0)) 1333 + if (unlikely(n < 0)) { 1334 + srp_fr_pool_put(ch->fr_pool, &desc, 1); 1335 + pr_debug("%s: ib_map_mr_sg(%d) returned %d.\n", 1336 + dev_name(&req->scmnd->device->sdev_gendev), sg_nents, 1337 + n); 1334 1338 return n; 1339 + } 1335 1340 1336 1341 req->reg_cqe.done = srp_reg_mr_err_done; 1337 1342