Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp929752ybt;
        Wed, 17 Jun 2020 18:11:22 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwAed/YSOCDty/OqDsJATkvwWtMXzfbV+ufdcIcujD5IAN5wDlGHjOROaJ/n+MPIt8QS7Y4
X-Received: by 2002:a50:a68f:: with SMTP id e15mr1781612edc.285.1592442682020;
        Wed, 17 Jun 2020 18:11:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592442682; cv=none;
        d=google.com; s=arc-20160816;
        b=GOd+m8JYi0Y+mb3w1+2xUBN42Yq+2hiVihIiveIaoEJkinCQjBZOFnFqx9tuKfWNbP
         vrG8PbFC4lHhNTJke/yP8qJXVhVCTB9xBeQI5FgXi9AIL+P/vVKSM4PJV13aYSphUSxO
         If8gXWM9kfZBCCki+pnibZ2jOBPmItp0uAH059kQM3YwiDpdkMi9ItHoD4/Lz+N8QvRx
         yq2hRl9FaqSqctQI4k+ARLX0iKkT0lc2O430yRpoq6tdk3cj0sTjEgGzrLTCYj63OLgr
         48Dmo8zgX0uVhcQtyLfB6SpBQuPTR8Tdhryn8aQyOXxBJZoAkzi2QtejP0rnLkc7BljO
         NeWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=8gmmvD6AfLSClytR6QMk5xW54K0FWf9zojSyLluZarc=;
        b=yd1JotiT8QJCR2HPF0ZfEZBsbVKcfK3/KP0W1nmOVcjFhR2jXNNnA+Up5EE7qSxhfM
         IXsaKJTLm9eRstA0efer/8GHO6+DrxXT7iSgGN7bqE5ABzrmFR0redMxMolpdguEFND7
         sO42y1qgl9OzBOvQNP4UK+1SN5+ZdnWy42BB3B1JcSPIj0Ngm3ozr7MX4p4jHDTCikUt
         sO1ZiYsFBQb8b/imWsfTppVdZJ/+CWcxIX7/UuvbWG+Ov7LVdoFBzznkqDRztoJP5XDh
         xisz9VomG9BdNjhdGpzoJoMC/yUmykqKEd05XN24TxcP/gB8bT5UuLIfFInTK9a2e5Mc
         bxmw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=xrcW5FKL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v13si963365eju.21.2020.06.17.18.11.00;
        Wed, 17 Jun 2020 18:11:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=xrcW5FKL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727909AbgFRBIs (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 17 Jun 2020 21:08:48 -0400
Received: from mail.kernel.org ([198.145.29.99]:34456 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727843AbgFRBIh (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Jun 2020 21:08:37 -0400
Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 9077D21BE5;
        Thu, 18 Jun 2020 01:08:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1592442516;
        bh=URqU8zLKGIUTvKeRvr6CXtgyoVs4U2bOE2L+VODufmY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=xrcW5FKLzI00tmKTU9c93je3rnfIvK9kV/G5MOc/n/fNpmXODD2PAayrg8PRf/RuD
         jOZzkzZkRaPiKQTiDtJsFRPrLacFkOfb98VaiylzqI7/mezd6w33GrVVpzb6nVhskn
         9tdJV6iTgCZTubZHjRhnrcpsTTsaKJ35dTqUvGMw=
From:   Sasha Levin <sashal@kernel.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Johannes Thumshirn <johannes.thumshirn@wdc.com>,
        Christoph Hellwig <hch@lst.de>,
        Daniel Wagner <dwagner@suse.de>,
        Hannes Reinecke <hare@suse.de>,
        "Martin K . Petersen" <martin.petersen@oracle.com>,
        Sasha Levin <sashal@kernel.org>, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.7 022/388] scsi: core: free sgtables in case command setup fails
Date:   Wed, 17 Jun 2020 21:01:59 -0400
Message-Id: <20200618010805.600873-22-sashal@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200618010805.600873-1-sashal@kernel.org>
References: <20200618010805.600873-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Thumshirn <johannes.thumshirn@wdc.com>

[ Upstream commit 20a66f2bf280277ab5bb22e27445153b4eb0ac88 ]

In case scsi_setup_fs_cmnd() fails we're not freeing the sgtables allocated
by scsi_init_io(), thus we leak the allocated memory.

Free the sgtables allocated by scsi_init_io() in case scsi_setup_fs_cmnd()
fails.

Technically scsi_setup_scsi_cmnd() does not suffer from this problem as it
can only fail if scsi_init_io() fails, so it does not have sgtables
allocated. But to maintain symmetry and as a measure of defensive
programming, free the sgtables on scsi_setup_scsi_cmnd() failure as well.
scsi_mq_free_sgtables() has safeguards against double-freeing of memory so
this is safe to do.

While we're at it, rename scsi_mq_free_sgtables() to scsi_free_sgtables().

Link: https://bugzilla.kernel.org/show_bug.cgi?id=205595
Link: https://lore.kernel.org/r/20200428104605.8143-2-johannes.thumshirn@wdc.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Daniel Wagner <dwagner@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/scsi_lib.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 06c260f6cdae..3ecdae18597d 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -548,7 +548,7 @@ static void scsi_uninit_cmd(struct scsi_cmnd *cmd)
 	}
 }
 
-static void scsi_mq_free_sgtables(struct scsi_cmnd *cmd)
+static void scsi_free_sgtables(struct scsi_cmnd *cmd)
 {
 	if (cmd->sdb.table.nents)
 		sg_free_table_chained(&cmd->sdb.table,
@@ -560,7 +560,7 @@ static void scsi_mq_free_sgtables(struct scsi_cmnd *cmd)
 
 static void scsi_mq_uninit_cmd(struct scsi_cmnd *cmd)
 {
-	scsi_mq_free_sgtables(cmd);
+	scsi_free_sgtables(cmd);
 	scsi_uninit_cmd(cmd);
 }
 
@@ -1059,7 +1059,7 @@ blk_status_t scsi_init_io(struct scsi_cmnd *cmd)
 
 	return BLK_STS_OK;
 out_free_sgtables:
-	scsi_mq_free_sgtables(cmd);
+	scsi_free_sgtables(cmd);
 	return ret;
 }
 EXPORT_SYMBOL(scsi_init_io);
@@ -1190,6 +1190,7 @@ static blk_status_t scsi_setup_cmnd(struct scsi_device *sdev,
 		struct request *req)
 {
 	struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
+	blk_status_t ret;
 
 	if (!blk_rq_bytes(req))
 		cmd->sc_data_direction = DMA_NONE;
@@ -1199,9 +1200,14 @@ static blk_status_t scsi_setup_cmnd(struct scsi_device *sdev,
 		cmd->sc_data_direction = DMA_FROM_DEVICE;
 
 	if (blk_rq_is_scsi(req))
-		return scsi_setup_scsi_cmnd(sdev, req);
+		ret = scsi_setup_scsi_cmnd(sdev, req);
 	else
-		return scsi_setup_fs_cmnd(sdev, req);
+		ret = scsi_setup_fs_cmnd(sdev, req);
+
+	if (ret != BLK_STS_OK)
+		scsi_free_sgtables(cmd);
+
+	return ret;
 }
 
 static blk_status_t
-- 
2.25.1