nvmet-tcp: fix page fragment cache leak in error path

In nvmet_tcp_alloc_queue(), when a connection is closed during the
allocation process (e.g., nvmet_tcp_set_queue_sock() returns -ENOTCONN),
the error handling jumps to out_destroy_sq and then to out_ida_remove
without draining the page fragment cache.

Although nvmet_tcp_free_cmd() is called in some error paths to release
individual page fragments, the underlying page cache reference held by
queue->pf_cache is never released. The first allocation using pf_cache
is the call to nvmet_tcp_alloc_cmd() for queue->connect, which happens
after ida_alloc() returns successfully. This results in a page leak each
time a connection fails during allocation, which could lead to memory
exhaustion over time if connections are repeatedly opened and closed.

Fix this by calling page_frag_cache_drain() before freeing the queue
structure in the out_ida_remove label.

Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Signed-off-by: Keith Busch <kbusch@kernel.org>

diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 164a564ba3b4e994ccbf437170e19ddac4fdc9a1..93b3c6134240a445f6ec79d722e706f109591625 100644 (file)
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -1997,6 +1997,12 @@ out_free_connect:
        nvmet_tcp_free_cmd(&queue->connect);
 out_ida_remove:
        ida_free(&nvmet_tcp_queue_ida, queue->idx);
+       /*
+        * Drain the page fragment cache if any allocations were done.
+        * The first allocation using pf_cache is nvmet_tcp_alloc_cmd()
+        * for queue->connect after ida_alloc().
+        */
+       page_frag_cache_drain(&queue->pf_cache);
 out_sock:
        fput(queue->sock->file);
 out_free_queue: