From 9d8e7d0dacf09ddac7e617d17dbeec6af56e81e8 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Thu, 12 May 2016 10:48:13 -0700 Subject: [PATCH] IB/srp: Fix a memory descriptor leak in an error path If an error occurs after srp_fr_pool_get() succeeded and before the descriptor is stored in srp_map_state (*state->fr.next++ = desc) then srp_unmap_data() won't free the newly allocated memory descriptor. Hence free the descriptor explicitly. Fixes: f7f7aab1a5c0 ("IB/srp: Convert to new registration API") Signed-off-by: Bart Van Assche Tested-by: Laurence Oberman Cc: Sagi Grimberg Cc: Christoph Hellwig Cc: # v4.4+ Signed-off-by: Doug Ledford --- drivers/infiniband/ulp/srp/ib_srp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c index 4497035..527503d 100644 --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -1330,8 +1330,13 @@ static int srp_map_finish_fr(struct srp_map_state *state, ib_update_fast_reg_key(desc->mr, rkey); n = ib_map_mr_sg(desc->mr, state->sg, sg_nents, 0, dev->mr_page_size); - if (unlikely(n < 0)) + if (unlikely(n < 0)) { + srp_fr_pool_put(ch->fr_pool, &desc, 1); + pr_debug("%s: ib_map_mr_sg(%d) returned %d.\n", + dev_name(&req->scmnd->device->sdev_gendev), sg_nents, + n); return n; + } req->reg_cqe.done = srp_reg_mr_err_done; -- 2.7.4