nvme_fc: fix double calls to nvme_cleanup_cmd()

Current fc transport code, on io termination, is calling
nvme_cleanup_cmd() followed by the transport dma unmap routine
which also calls nvme_cleanup_cmd(). Which means two kfrees occur
on the same address, raising havoc. This resulted in odd data errors,
effectively corruption..

Fix by removing the extraneous double calls. Call now occurs only in
teardown paths and as part of dma unmap routine.

Signed-off-by: James Smart <[email protected]>
Reviewed-by: Ewan D. Milne <[email protected]>
Reviewed-by: Hannes Reinecke <[email protected]>
Signed-off-by: Keith Busch <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>

diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index 158d313be84767f836142c25f2d1cf7ceb01b19e..fe6f5b71979cc5e012692a61ea91b6547105038a 100644 (file)
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -1957,10 +1957,8 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl *ctrl, struct nvme_fc_queue *queue,
                                        queue->lldd_handle, &op->fcp_req);
 
        if (ret) {
-               if (op->rq) {                   /* normal request */
+               if (op->rq)                     /* normal request */
                        nvme_fc_unmap_data(ctrl, op->rq, op);
-                       nvme_cleanup_cmd(op->rq);
-               }
                /* else - aen. no cleanup needed */
 
                nvme_fc_ctrl_put(ctrl);
@@ -2078,7 +2076,6 @@ __nvme_fc_final_op_cleanup(struct request *rq)
        op->flags &= ~(FCOP_FLAGS_TERMIO | FCOP_FLAGS_RELEASED |
                        FCOP_FLAGS_COMPLETE);
 
-       nvme_cleanup_cmd(rq);
        nvme_fc_unmap_data(ctrl, rq, op);
        nvme_complete_rq(rq);
        nvme_fc_ctrl_put(ctrl);