Patch "nvme-ioctl: fix leaked requests on mapping error" has been added to the 6.12-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Mar 2025 15:44:34 -0400

This is a note to let you know that I've just added the patch titled

    nvme-ioctl: fix leaked requests on mapping error

to the 6.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nvme-ioctl-fix-leaked-requests-on-mapping-error.patch
and it can be found in the queue-6.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8db9d90cfdcaf2b58c63c8e91026158b0a0cee81
Author: Keith Busch <kbusch@xxxxxxxxxx>
Date:   Mon Feb 24 17:13:30 2025 -0800

    nvme-ioctl: fix leaked requests on mapping error
    
    [ Upstream commit 00817f0f1c45b007965f5676b9a2013bb39c7228 ]
    
    All the callers assume nvme_map_user_request() frees the request on a
    failure. This wasn't happening on invalid metadata or io_uring command
    flags, so we've been leaking those requests.
    
    Fixes: 23fd22e55b767b ("nvme: wire up fixed buffer support for nvme passthrough")
    Fixes: 7c2fd76048e95d ("nvme: fix metadata handling in nvme-passthrough")
    Reviewed-by: Damien Le Moal <dlemoal@xxxxxxxxxx>
    Reviewed-by: Kanchan Joshi <joshi.k@xxxxxxxxxxx>
    Reviewed-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Keith Busch <kbusch@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index d4b80938de09c..e4daac9c24401 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -128,8 +128,10 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer,
 	if (!nvme_ctrl_sgl_supported(ctrl))
 		dev_warn_once(ctrl->device, "using unchecked data buffer\n");
 	if (has_metadata) {
-		if (!supports_metadata)
-			return -EINVAL;
+		if (!supports_metadata) {
+			ret = -EINVAL;
+			goto out;
+		}
 		if (!nvme_ctrl_meta_sgl_supported(ctrl))
 			dev_warn_once(ctrl->device,
 				      "using unchecked metadata buffer\n");
@@ -139,8 +141,10 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer,
 		struct iov_iter iter;
 
 		/* fixedbufs is only for non-vectored io */
-		if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC))
-			return -EINVAL;
+		if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC)) {
+			ret = -EINVAL;
+			goto out;
+		}
 		ret = io_uring_cmd_import_fixed(ubuffer, bufflen,
 				rq_data_dir(req), &iter, ioucmd);
 		if (ret < 0)







