firewire: sbp2: fix DMA mapping leak on the failure path

Commit 5e2125677fd72d36396cc537466e07ffcbbd4b2b upstream.

Reported-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
who also provided a first version of the fix.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c
index 64142c1..1338426 100644 (file)
--- a/drivers/firewire/fw-sbp2.c
+++ b/drivers/firewire/fw-sbp2.c
@@ -1293,6 +1293,19 @@ static struct fw_driver sbp2_driver = {
        .id_table = sbp2_id_table,
 };
 
+static void sbp2_unmap_scatterlist(struct device *card_device,
+                                  struct sbp2_command_orb *orb)
+{
+       if (scsi_sg_count(orb->cmd))
+               dma_unmap_sg(card_device, scsi_sglist(orb->cmd),
+                            scsi_sg_count(orb->cmd),
+                            orb->cmd->sc_data_direction);
+
+       if (orb->request.misc & cpu_to_be32(COMMAND_ORB_PAGE_TABLE_PRESENT))
+               dma_unmap_single(card_device, orb->page_table_bus,
+                                sizeof(orb->page_table), DMA_TO_DEVICE);
+}
+
 static unsigned int
 sbp2_status_to_sense_data(u8 *sbp2_status, u8 *sense_data)
 {
@@ -1372,15 +1385,7 @@ complete_command_orb(struct sbp2_orb *base_orb, struct sbp2_status *status)
 
        dma_unmap_single(device->card->device, orb->base.request_bus,
                         sizeof(orb->request), DMA_TO_DEVICE);
-
-       if (scsi_sg_count(orb->cmd) > 0)
-               dma_unmap_sg(device->card->device, scsi_sglist(orb->cmd),
-                            scsi_sg_count(orb->cmd),
-                            orb->cmd->sc_data_direction);
-
-       if (orb->page_table_bus != 0)
-               dma_unmap_single(device->card->device, orb->page_table_bus,
-                                sizeof(orb->page_table), DMA_TO_DEVICE);
+       sbp2_unmap_scatterlist(device->card->device, orb);
 
        orb->cmd->result = result;
        orb->done(orb->cmd);
@@ -1530,8 +1535,10 @@ static int sbp2_scsi_queuecommand(struct scsi_cmnd *cmd, scsi_done_fn_t done)
        orb->base.request_bus =
                dma_map_single(device->card->device, &orb->request,
                               sizeof(orb->request), DMA_TO_DEVICE);
-       if (dma_mapping_error(device->card->device, orb->base.request_bus))
+       if (dma_mapping_error(device->card->device, orb->base.request_bus)) {
+               sbp2_unmap_scatterlist(device->card->device, orb);
                goto out;
+       }
 
        sbp2_send_orb(&orb->base, lu, lu->tgt->node_id, lu->generation,
                      lu->command_block_agent_address + SBP2_ORB_POINTER);