From: Chunguang Xu <chunguang.xu@shopee.com>
Date: Tue, 11 Jun 2024 10:02:08 +0000 (+0800)
Subject: nvme: avoid double free special payload
X-Git-Tag: v5.10.237~132
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=882574942a9be8b9d70d13462ddacc80c4b385ba;p=thirdparty%2Fkernel%2Fstable.git

nvme: avoid double free special payload

commit e5d574ab37f5f2e7937405613d9b1a724811e5ad upstream.

If a discard request needs to be retried, and that retry may fail before
a new special payload is added, a double free will result. Clear the
RQF_SPECIAL_LOAD when the request is cleaned.

Signed-off-by: Chunguang Xu <chunguang.xu@shopee.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[Minor context change fixed]
Signed-off-by: Cliff Liu <donghua.liu@windriver.com>
Signed-off-by: He Zhe <Zhe.He@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 5f16fc9111a9f..e63d3ca11cc9a 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -850,6 +850,7 @@ void nvme_cleanup_cmd(struct request *req)
 			clear_bit_unlock(0, &ns->ctrl->discard_page_busy);
 		else
 			kfree(page_address(page) + req->special_vec.bv_offset);
+		req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;
 	}
 }
 EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);