From 958d4e0e056cc3fd67bb461b183761a40d521837 Mon Sep 17 00:00:00 2001
From: Fengnan Chang <changfengnan@bytedance.com>
Date: Thu, 5 Jan 2023 10:36:17 +0800
Subject: [PATCH] nvme: fix memleak when submit request failed

Some memory alloc in nvme_allocate_request_user_copy, and submit
through nvme_qpair_submit_request, if nvme ctrlr is failed or
qpair state not meet the requirements, submit will return -ENXIO,
and call nvme_free_request(), but it will not free
req->payload.contig_or_cb_arg, those memory only gets freed when the
request is actually completed, through nvme_user_copy_cmd_complete().
Let's fix this by add check when submit failed.

Fixes issue #2832
Change-Id: I54f0fc60dbb53ced9f52da7d89017be13db2eee1
Signed-off-by: Fengnan Chang <changfengnan@bytedance.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/15985
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-by: Xiaodong Liu <xiaodong.liu@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
---
 lib/nvme/nvme_ctrlr.c       | 4 +++-
 lib/nvme/nvme_pcie_common.c | 4 +++-
 lib/nvme/nvme_qpair.c       | 4 ++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/nvme/nvme_ctrlr.c b/lib/nvme/nvme_ctrlr.c
index 2fdab705e..9a4837a2d 100644
--- a/lib/nvme/nvme_ctrlr.c
+++ b/lib/nvme/nvme_ctrlr.c
@@ -3362,7 +3362,9 @@ nvme_ctrlr_cleanup_process(struct spdk_nvme_ctrlr_process *proc)
 		STAILQ_REMOVE(&proc->active_reqs, req, nvme_request, stailq);
 
 		assert(req->pid == proc->pid);
-
+		if (req->user_buffer && req->payload_size) {
+			spdk_free(req->payload.contig_or_cb_arg);
+		}
 		nvme_free_request(req);
 	}
 
diff --git a/lib/nvme/nvme_pcie_common.c b/lib/nvme/nvme_pcie_common.c
index c75155c2c..000636d51 100644
--- a/lib/nvme/nvme_pcie_common.c
+++ b/lib/nvme/nvme_pcie_common.c
@@ -291,7 +291,9 @@ nvme_pcie_qpair_insert_pending_admin_request(struct spdk_nvme_qpair *qpair,
 	} else {
 		SPDK_ERRLOG("The owning process (pid %d) is not found. Dropping the request.\n",
 			    active_req->pid);
-
+		if (active_req->user_buffer && active_req->payload_size) {
+			spdk_free(active_req->payload.contig_or_cb_arg);
+		}
 		nvme_free_request(active_req);
 	}
 }
diff --git a/lib/nvme/nvme_qpair.c b/lib/nvme/nvme_qpair.c
index 68de0284f..43e8a40c0 100644
--- a/lib/nvme/nvme_qpair.c
+++ b/lib/nvme/nvme_qpair.c
@@ -1049,6 +1049,10 @@ error:
 		return rc;
 	}
 
+	if (req->user_buffer && req->payload_size) {
+		spdk_free(req->payload.contig_or_cb_arg);
+	}
+
 	nvme_free_request(req);
 
 	return rc;