[PATCH v2] ntb: fix tx descriptor leak on dmaengine_submit failure

[WenTao Liang]

When dmaengine_submit fails after dma_set_unmap has been called, the
error path err_set_unmap only calls dmaengine_unmap_put once, but the
unmap object has two references (one from dmaengine_get_unmap_data and
one from dma_set_unmap held by the tx descriptor). The tx descriptor
itself is never freed, so its reference to unmap is never released,
causing a kref leak and a dangling pointer in the freed descriptor.

Replace dmaengine_unmap_put with dmaengine_desc_put(txd) in the
err_set_unmap path to properly release the tx descriptor, which will also
drop the unmap reference it holds.

Suggested-by: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Fixes: 282a2feeb9bf ("NTB: Use DMA Engine to Transmit and Receive")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>

Changes in v2:
- Fix patch format based on reviewer feedback
- Resend to ntb@xxxxxxxxxxxxxxx (remove invalid googlegroups address)
---
 drivers/ntb/ntb_transport.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
index 7cabc82305d6..28091ec5a74e 100644
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -1572,7 +1572,7 @@ static int ntb_async_rx_submit(struct ntb_queue_entry *entry, void *offset)
 	return 0;
 
 err_set_unmap:
-	dmaengine_unmap_put(unmap);
+	dmaengine_desc_put(txd);
 err_get_unmap:
 	dmaengine_unmap_put(unmap);
 err:
@@ -1896,7 +1896,7 @@ static int ntb_async_tx_submit(struct ntb_transport_qp *qp,
 
 	return 0;
 err_set_unmap:
-	dmaengine_unmap_put(unmap);
+	dmaengine_desc_put(txd);
 err_get_unmap:
 	dmaengine_unmap_put(unmap);
 err:
-- 
2.39.5 (Apple Git-154)