nvme: avoid double free special payload

CKI Backport Bot · CKI Backport Bot · commit 3cfd9c956581 · 2024-07-31T18:44:01.000Z
JIRA: https://issues.redhat.com/browse/RHEL-51309 CVE: CVE-2024-41073 commit e5d574a Author: Chunguang Xu <chunguang.xu@shopee.com> Date: Tue Jun 11 18:02:08 2024 +0800 nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. Clear the RQF_SPECIAL_LOAD when the request is cleaned. Signed-off-by: Chunguang Xu <chunguang.xu@shopee.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
@@ -1009,6 +1009,7 @@ void nvme_cleanup_cmd(struct request *req)
 			clear_bit_unlock(0, &ctrl->discard_page_busy);
 		else
 			kfree(bvec_virt(&req->special_vec));
+		req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;
 	}
 }
 EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);

Original file line number	Diff line number	Diff line change
`@@ -1009,6 +1009,7 @@ void nvme_cleanup_cmd(struct request *req)`
`1009`	`1009`	`clear_bit_unlock(0, &ctrl->discard_page_busy);`
`1010`	`1010`	`else`
`1011`	`1011`	`kfree(bvec_virt(&req->special_vec));`
	`1012`	`+ req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;`
`1012`	`1013`	`}`
`1013`	`1014`	`}`
`1014`	`1015`	`EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);`