net/9p: fix memory handling/allocation in rdma_request() (1d6400c7) · Commits · e / devices / android_kernel_fairphone_FP4

net/9p/trans_rdma.c

+18 −11

Original line number	Diff line number	Diff line
		@@ -426,8 +426,10 @@ static int rdma_request(struct p9_client client, struct p9_req_t req)

		/* Allocate an fcall for the reply */
		rpl_context = kmalloc(sizeof *rpl_context, GFP_KERNEL);
		if (!rpl_context)
		if (!rpl_context) {
		err = -ENOMEM;
		goto err_close;
		}

		/*
		* If the request has a buffer, steal it, otherwise
		@@ -445,8 +447,8 @@ static int rdma_request(struct p9_client client, struct p9_req_t req)
		}
		rpl_context->rc = req->rc;
		if (!rpl_context->rc) {
		kfree(rpl_context);
		goto err_close;
		err = -ENOMEM;
		goto err_free2;
		}

		/*
		@@ -458,11 +460,8 @@ static int rdma_request(struct p9_client client, struct p9_req_t req)
		*/
		if (atomic_inc_return(&rdma->rq_count) <= rdma->rq_depth) {
		err = post_recv(client, rpl_context);
		if (err) {
		kfree(rpl_context->rc);
		kfree(rpl_context);
		goto err_close;
		}
		if (err)
		goto err_free1;
		} else
		atomic_dec(&rdma->rq_count);

		@@ -471,8 +470,10 @@ static int rdma_request(struct p9_client client, struct p9_req_t req)

		/* Post the request */
		c = kmalloc(sizeof *c, GFP_KERNEL);
		if (!c)
		goto err_close;
		if (!c) {
		err = -ENOMEM;
		goto err_free1;
		}
		c->req = req;

		c->busa = ib_dma_map_single(rdma->cm_id->device,
		@@ -499,9 +500,15 @@ static int rdma_request(struct p9_client client, struct p9_req_t req)
		return ib_post_send(rdma->qp, &wr, &bad_wr);

		error:
		kfree(c);
		kfree(rpl_context->rc);
		kfree(rpl_context);
		P9_DPRINTK(P9_DEBUG_ERROR, "EIO\n");
		return -EIO;

		err_free1:
		kfree(rpl_context->rc);
		err_free2:
		kfree(rpl_context);
		err_close:
		spin_lock_irqsave(&rdma->req_lock, flags);
		if (rdma->state < P9_RDMA_CLOSING) {