scsi: fix discard page leak

We leak a page allocated for discard on some error conditions
(e.g. scsi_prep_state_check returns BLKPREP_DEFER in
scsi_setup_blk_pc_cmnd).

We unprep on requests that weren't prepped in the error path of
scsi_init_io. It makes the error path to clean up scsi commands messy.

Let's strictly apply the rule that we can't unprep on a request that
wasn't prepped.

Calling just scsi_put_command() in the error path of scsi_init_io() is
enough. We don't set REQ_DONTPREP yet.

scsi_setup_discard_cmnd can safely free a page on the error case with
the above rule.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index ee836193f53125801f139f5e3117920ba4f2dcb9..b8de389636f834f3b2e4faff7bb636de88e27a7a 100644 (file)
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1011,11 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
 
 err_exit:
        scsi_release_buffers(cmd);
-       if (error == BLKPREP_KILL)
-               scsi_put_command(cmd);
-       else /* BLKPREP_DEFER */
-               scsi_unprep_request(cmd->request);
-
+       scsi_put_command(cmd);
+       cmd->request->special = NULL;
        return error;
 }
 EXPORT_SYMBOL(scsi_init_io);

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 0994ab63b598799614357276ff95b68631f40aaa..1d0c4b7c3b693e481e4da942ab83daca8391252b 100644 (file)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -468,6 +468,10 @@ static int scsi_setup_discard_cmnd(struct scsi_device *sdp, struct request *rq)
        blk_add_request_payload(rq, page, len);
        ret = scsi_setup_blk_pc_cmnd(sdp, rq);
        rq->buffer = page_address(page);
+       if (ret != BLKPREP_OK) {
+               __free_page(page);
+               rq->buffer = NULL;
+       }
        return ret;
 }
 
@@ -485,8 +489,10 @@ static int scsi_setup_flush_cmnd(struct scsi_device *sdp, struct request *rq)
 
 static void sd_unprep_fn(struct request_queue *q, struct request *rq)
 {
-       if (rq->cmd_flags & REQ_DISCARD)
-               __free_page(virt_to_page(rq->buffer));
+       if (rq->cmd_flags & REQ_DISCARD) {
+               free_page((unsigned long)rq->buffer);
+               rq->buffer = NULL;
+       }
 }
 
 /**