Commit 00817f0f authored by Keith Busch's avatar Keith Busch
Browse files

nvme-ioctl: fix leaked requests on mapping error 



All the callers assume nvme_map_user_request() frees the request on a
failure. This wasn't happening on invalid metadata or io_uring command
flags, so we've been leaking those requests.

Fixes: 23fd22e5 ("nvme: wire up fixed buffer support for nvme passthrough")
Fixes: 7c2fd760 ("nvme: fix metadata handling in nvme-passthrough")
Reviewed-by: default avatarDamien Le Moal <dlemoal@kernel.org>
Reviewed-by: default avatarKanchan Joshi <joshi.k@samsung.com>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
parent 56cf7ef0

drivers/nvme/host/ioctl.c

+8 −4
Original line number Diff line number Diff line
@@ -128,8 +128,10 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer, 
	if (!nvme_ctrl_sgl_supported(ctrl))

		dev_warn_once(ctrl->device, "using unchecked data buffer\n");

	if (has_metadata) {

		if (!supports_metadata)

			return -EINVAL;

		if (!supports_metadata) {

			ret = -EINVAL;

			goto out;

		}

		if (!nvme_ctrl_meta_sgl_supported(ctrl))

			dev_warn_once(ctrl->device,

				      "using unchecked metadata buffer\n");
@@ -139,8 +141,10 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer, 
		struct iov_iter iter;



		/* fixedbufs is only for non-vectored io */

		if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC))

			return -EINVAL;

		if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC)) {

			ret = -EINVAL;

			goto out;

		}

		ret = io_uring_cmd_import_fixed(ubuffer, bufflen,

				rq_data_dir(req), &iter, ioucmd);

		if (ret < 0)