From patchwork Fri Sep 13 08:12:07 2024
X-Patchwork-Submitter: Koichiro Den
X-Patchwork-Id: 1985040
From: Koichiro Den
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] nvme: avoid double free special payload
Date: Fri, 13 Sep 2024 17:12:07 +0900
Message-ID: <20240913081209.1659072-2-koichiro.den@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240913081209.1659072-1-koichiro.den@canonical.com>
References: <20240913081209.1659072-1-koichiro.den@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Chunguang Xu

If a discard request needs to be retried, and that retry may fail before
a new special payload is added, a double free will result. Clear the
RQF_SPECIAL_LOAD when the request is cleaned.

Signed-off-by: Chunguang Xu
Reviewed-by: Sagi Grimberg
Reviewed-by: Max Gurtovoy
Signed-off-by: Keith Busch
(backported from commit e5d574ab37f5f2e7937405613d9b1a724811e5ad)
[koichiroden: Adjusted context due to a missing commit 3973e15fa534 ("nvme: use bvec_virt")]
CVE-2024-41073
Signed-off-by: Koichiro Den
---
 drivers/nvme/host/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 9144ed14b074..250e933020f9 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -765,6 +765,7 @@ void nvme_cleanup_cmd(struct request *req)
 			clear_bit_unlock(0, &ns->ctrl->discard_page_busy);
 		else
 			kfree(page_address(page) + req->special_vec.bv_offset);
+		req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;
 	}
 }
 EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);
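Review bot: the placement of `req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;` as the last statement of the RQF_SPECIAL_PAYLOAD block is correct, since it runs after both the `clear_bit_unlock(0, &ns->ctrl->discard_page_busy)` branch and the `kfree(page_address(page) + req->special_vec.bv_offset)` branch, so a second nvme_cleanup_cmd() on a retried request whose retry failed before a new payload was attached skips the block and cannot free the same special_vec page twice. Two things worth tightening in the commit message rather than the code: "RQF_SPECIAL_LOAD" should read RQF_SPECIAL_PAYLOAD to match the flag the hunk actually clears, and since the flag is now the sole guard on this block, it would help to state that every path which attaches a fresh special payload on retry must set the flag again. The backport note's context adjustment (the pre-bvec_virt `page_address(page) + bv_offset` form) matches the visible context lines, so the diff applies as-is to the Focal tree.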