From: Juan Vazquez <juvazq@linux.microsoft.com>
Date: Sat, 8 Jan 2022 16:17:58 -0800
Patch-mainline: v5.17-rc1
Subject: scsi: storvsc: Fix storvsc_queuecommand() memory leak
Git-commit: 4eea5332d67d8ae6ba5717ec0f4e671fdbd222e7
References: git-fixes

Fix possible memory leak in error path of storvsc_queuecommand() when
DMA mapping fails.

Signed-off-by: Juan Vazquez <juvazq@linux.microsoft.com>
Reviewed-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Link: https://lore.kernel.org/r/20220109001758.6401-1-juvazq@linux.microsoft.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Acked-by: Olaf Hering <ohering@suse.de>
---
 drivers/scsi/storvsc_drv.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1850,8 +1850,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 		payload->range.offset = offset_in_hvpg;
 
 		sg_count = scsi_dma_map(scmnd);
-		if (sg_count < 0)
-			return SCSI_MLQUEUE_DEVICE_BUSY;
+		if (sg_count < 0) {
+			ret = SCSI_MLQUEUE_DEVICE_BUSY;
+			goto err_free_payload;
+		}
 
 		for_each_sg(sgl, sg, sg_count, j) {
 			/*
@@ -1886,13 +1888,18 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 	put_cpu();
 
 	if (ret == -EAGAIN) {
-		if (payload_sz > sizeof(cmd_request->mpb))
-			kfree(payload);
 		/* no more space */
-		return SCSI_MLQUEUE_DEVICE_BUSY;
+		ret = SCSI_MLQUEUE_DEVICE_BUSY;
+		goto err_free_payload;
 	}
 
 	return 0;
+
+err_free_payload:
+	if (payload_sz > sizeof(cmd_request->mpb))
+		kfree(payload);
+
+	return ret;
 }
 
 static struct scsi_host_template scsi_driver = {
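Review bot: The `-EAGAIN` branch now jumps to `err_free_payload`, which frees `payload` but does not undo the `scsi_dma_map(scmnd)` that succeeded in the first hunk, so a command rejected for lack of ring space appears to keep its DMA mapping (and any bounce buffers behind it) when it is requeued. Unless the unmap is done elsewhere for requeued commands, which is not visible here, I would add `scsi_dma_unmap(scmnd);` before the `goto` in this branch rather than under the label, because the label is also reached from the first hunk when the mapping itself failed. Separately, only `-EAGAIN` is handled: any other nonzero `ret` falls through to `return 0` with `payload` still allocated and the command reported as queued. The assignment of `ret` is above the hunk, so it is worth confirming which error values can reach this point and documenting the ownership of `payload` on that path with a short comment above `return 0;`.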