From 9c070c1d256a4676897b93506f205154f1bad1e9 Mon Sep 17 00:00:00 2001
From: Jan Musial <jan.musial@intel.com>
Date: Thu, 25 Mar 2021 14:00:17 +0100
Subject: [PATCH] Fix freeing oversized discard requests

When issuing discard request over 512KiB OCF would trim this request and
overwrite req->core_line_count which would then cause this request to be
freed from wrong mpool.

This is fixed now by saving core_line_count that was set when allocating
this request that is never overwritten. This alloc_core_line_count is
then used to free the request from correct mpool.

Signed-off-by: Jan Musial <jan.musial@intel.com>
---
 src/ocf_request.c | 18 ++++++++++--------
 src/ocf_request.h |  3 +++
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/ocf_request.c b/src/ocf_request.c
index 6b0d849..bd2e6fc 100644
--- a/src/ocf_request.c
+++ b/src/ocf_request.c
@@ -85,12 +85,16 @@ struct ocf_request *ocf_req_new(ocf_queue_t queue, ocf_core_t core,
 		req = env_mpool_new(cache->owner->resources.req, 1);
 	}
 
-
 	if (unlikely(!req))
 		return NULL;
 
-	if (map_allocated)
+	if (map_allocated) {
 		req->map = req->__map;
+		req->alloc_core_line_count = core_line_count;
+	} else {
+		req->alloc_core_line_count = 1;
+	}
+
 
 	OCF_DEBUG_TRACE(cache);
 
@@ -204,13 +208,11 @@ void ocf_req_put(struct ocf_request *req)
 	if (!req->d2c && req->io_queue != req->cache->mngt_queue)
 		ocf_refcnt_dec(&req->cache->refcnt.metadata);
 
-	if (req->map == req->__map) {
-		env_mpool_del(req->cache->owner->resources.req, req,
-				req->core_line_count);
-	} else {
+	if (req->map != req->__map)
 		env_free(req->map);
-		env_mpool_del(req->cache->owner->resources.req, req, 1);
-	}
+
+	env_mpool_del(req->cache->owner->resources.req, req,
+			req->alloc_core_line_count);
 
 	ocf_queue_put(queue);
 }
diff --git a/src/ocf_request.h b/src/ocf_request.h
index 007746a..945ec42 100644
--- a/src/ocf_request.h
+++ b/src/ocf_request.h
@@ -166,6 +166,9 @@ struct ocf_request {
 	uint32_t core_line_count;
 	/*! Core line count */
 
+	uint32_t alloc_core_line_count;
+	/*! Number of core lines at time of request allocation */
+
 	int error;
 	/*!< This filed indicates an error for OCF request */