net/9p: fix memory handling/allocation in rdma_request()

Return -ENOMEM when erroring on kmalloc and fix memory leaks when returning on error. Signed-off-by: Davidlohr Bueso <dave@gnu.org> Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>

net/9p: fix memory handling/allocation in rdma_request()
Return -ENOMEM when erroring on kmalloc and fix memory leaks when returning on error. Signed-off-by: Davidlohr Bueso <dave@gnu.org> Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Davidlohr Bueso · Eric Van Hensbergen
1 parent 32163f4b2c
Showing 1 changed file with 18 additions and 11 deletions Side-by-side Diff
net/9p/trans_rdma.c
@@ -426,8 +426,10 @@
  
 	/* Allocate an fcall for the reply */
 	rpl_context = kmalloc(sizeof *rpl_context, GFP_KERNEL);
-	if (!rpl_context)
+	if (!rpl_context) {
+		err = -ENOMEM;
 		goto err_close;
+	}
  
 	/*
 	 * If the request has a buffer, steal it, otherwise
@@ -445,8 +447,8 @@
 	}
 	rpl_context->rc = req->rc;
 	if (!rpl_context->rc) {
-		kfree(rpl_context);
-		goto err_close;
+		err = -ENOMEM;
+		goto err_free2;
 	}
  
 	/*
@@ -458,11 +460,8 @@
 	 */
 	if (atomic_inc_return(&rdma->rq_count) <= rdma->rq_depth) {
 		err = post_recv(client, rpl_context);
-		if (err) {
-			kfree(rpl_context->rc);
-			kfree(rpl_context);
-			goto err_close;
-		}
+		if (err)
+			goto err_free1;
 	} else
 		atomic_dec(&rdma->rq_count);
  
@@ -471,8 +470,10 @@
  
 	/* Post the request */
 	c = kmalloc(sizeof *c, GFP_KERNEL);
-	if (!c)
-		goto err_close;
+	if (!c) {
+		err = -ENOMEM;
+		goto err_free1;
+	}
 	c->req = req;
  
 	c->busa = ib_dma_map_single(rdma->cm_id->device,
  
@@ -499,9 +500,15 @@
 	return ib_post_send(rdma->qp, &wr, &bad_wr);
  
  error:
+	kfree(c);
+	kfree(rpl_context->rc);
+	kfree(rpl_context);
 	P9_DPRINTK(P9_DEBUG_ERROR, "EIO\n");
 	return -EIO;
-
+ err_free1:
+	kfree(rpl_context->rc);
+ err_free2:
+	kfree(rpl_context);
  err_close:
 	spin_lock_irqsave(&rdma->req_lock, flags);
 	if (rdma->state < P9_RDMA_CLOSING) {
...	...	@@ -426,8 +426,10 @@
426	426
427	427	/* Allocate an fcall for the reply */
428	428	rpl_context = kmalloc(sizeof *rpl_context, GFP_KERNEL);
429		- if (!rpl_context)
	429	+ if (!rpl_context) {
	430	+ err = -ENOMEM;
430	431	goto err_close;
	432	+ }
431	433
432	434	/*
433	435	* If the request has a buffer, steal it, otherwise
...	...	@@ -445,8 +447,8 @@
445	447	}
446	448	rpl_context->rc = req->rc;
447	449	if (!rpl_context->rc) {
448		- kfree(rpl_context);
449		- goto err_close;
	450	+ err = -ENOMEM;
	451	+ goto err_free2;
450	452	}
451	453
452	454	/*
...	...	@@ -458,11 +460,8 @@
458	460	*/
459	461	if (atomic_inc_return(&rdma->rq_count) <= rdma->rq_depth) {
460	462	err = post_recv(client, rpl_context);
461		- if (err) {
462		- kfree(rpl_context->rc);
463		- kfree(rpl_context);
464		- goto err_close;
465		- }
	463	+ if (err)
	464	+ goto err_free1;
466	465	} else
467	466	atomic_dec(&rdma->rq_count);
468	467
...	...	@@ -471,8 +470,10 @@
471	470
472	471	/* Post the request */
473	472	c = kmalloc(sizeof *c, GFP_KERNEL);
474		- if (!c)
475		- goto err_close;
	473	+ if (!c) {
	474	+ err = -ENOMEM;
	475	+ goto err_free1;
	476	+ }
476	477	c->req = req;
477	478
478	479	c->busa = ib_dma_map_single(rdma->cm_id->device,
479	480
...	...	@@ -499,9 +500,15 @@
499	500	return ib_post_send(rdma->qp, &wr, &bad_wr);
500	501
501	502	error:
	503	+ kfree(c);
	504	+ kfree(rpl_context->rc);
	505	+ kfree(rpl_context);
502	506	P9_DPRINTK(P9_DEBUG_ERROR, "EIO\n");
503	507	return -EIO;
504		-
	508	+ err_free1:
	509	+ kfree(rpl_context->rc);
	510	+ err_free2:
	511	+ kfree(rpl_context);
505	512	err_close:
506	513	spin_lock_irqsave(&rdma->req_lock, flags);
507	514	if (rdma->state < P9_RDMA_CLOSING) {