Commit e41246d3 authored by Christoph Hellwig's avatar Christoph Hellwig Committed by Yu Kuai
Browse files

nvme-pci: fix freeing of the HMB descriptor table 

stable inclusion
from stable-v5.10.231
commit 452f9ddd12bebc04cef741e8ba3806bf0e1fd015
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEGGM
CVE: CVE-2024-56756

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=452f9ddd12bebc04cef741e8ba3806bf0e1fd015



--------------------------------

[ Upstream commit 3c2fb1ca8086eb139b2a551358137525ae8e0d7a ]

The HMB descriptor table is sized to the maximum number of descriptors
that could be used for a given device, but __nvme_alloc_host_mem could
break out of the loop earlier on memory allocation failure and end up
using less descriptors than planned for, which leads to an incorrect
size passed to dma_free_coherent.

In practice this was not showing up because the number of descriptors
tends to be low and the dma coherent allocator always allocates and
frees at least a page.

Fixes: 87ad72a5 ("nvme-pci: implement host memory buffer support")
Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarYu Kuai <yukuai3@huawei.com>
parent d51fb86c

drivers/nvme/host/pci.c

+9 −7
Original line number Diff line number Diff line
@@ -147,6 +147,7 @@ struct nvme_dev { 
	/* host memory buffer support: */

	u64 host_mem_size;

	u32 nr_host_mem_descs;

	u32 host_mem_descs_size;

	dma_addr_t host_mem_descs_dma;

	struct nvme_host_mem_buf_desc *host_mem_descs;

	void **host_mem_desc_bufs;
@@ -1926,10 +1927,10 @@ static void nvme_free_host_mem(struct nvme_dev *dev) 


	kfree(dev->host_mem_desc_bufs);

	dev->host_mem_desc_bufs = NULL;

	dma_free_coherent(dev->dev,

			dev->nr_host_mem_descs * sizeof(*dev->host_mem_descs),

	dma_free_coherent(dev->dev, dev->host_mem_descs_size,

			dev->host_mem_descs, dev->host_mem_descs_dma);

	dev->host_mem_descs = NULL;

	dev->host_mem_descs_size = 0;

	dev->nr_host_mem_descs = 0;

}
@@ -1937,7 +1938,7 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred, 
		u32 chunk_size)

{

	struct nvme_host_mem_buf_desc *descs;

	u32 max_entries, len;

	u32 max_entries, len, descs_size;

	dma_addr_t descs_dma;

	int i = 0;

	void **bufs;
@@ -1950,8 +1951,9 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred, 
	if (dev->ctrl.hmmaxd && dev->ctrl.hmmaxd < max_entries)

		max_entries = dev->ctrl.hmmaxd;



	descs = dma_alloc_coherent(dev->dev, max_entries * sizeof(*descs),

				   &descs_dma, GFP_KERNEL);

	descs_size = max_entries * sizeof(*descs);

	descs = dma_alloc_coherent(dev->dev, descs_size, &descs_dma,

			GFP_KERNEL);

	if (!descs)

		goto out;
@@ -1980,6 +1982,7 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred, 
	dev->host_mem_size = size;

	dev->host_mem_descs = descs;

	dev->host_mem_descs_dma = descs_dma;

	dev->host_mem_descs_size = descs_size;

	dev->host_mem_desc_bufs = bufs;

	return 0;
@@ -1994,8 +1997,7 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred, 


	kfree(bufs);

out_free_descs:

	dma_free_coherent(dev->dev, max_entries * sizeof(*descs), descs,

			descs_dma);

	dma_free_coherent(dev->dev, descs_size, descs, descs_dma);

out:

	dev->host_mem_descs = NULL;

	return -ENOMEM;