From: Leon Romanovsky leonro@nvidia.com

mainline inclusion from mainline-v6.11-rc1 commit c31fad1470389666ac7169fe43aa65bf5b7e2cfd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPOL CVE: CVE-2024-42276

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

nvme_map_data() is called when request has physical segments, hence the nvme_unmap_data() should have same condition to avoid dereference.

Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data") Signed-off-by: Leon Romanovsky leonro@nvidia.com Reviewed-by: Christoph Hellwig hch@lst.de Reviewed-by: Nitesh Shetty nj.shetty@samsung.com Signed-off-by: Keith Busch kbusch@kernel.org

Conflicts: drivers/nvme/host/pci.c [Commit 62451a2b2e7e ("nvme: separate command prep and issue") separate nvme_map_data/nvme_unmap_data from nvme_queue_rq to nvme_prep_rq.] Signed-off-by: Li Lingfeng lilingfeng3@huawei.com --- drivers/nvme/host/pci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index c378649b583b..c4a0c1611629 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -947,7 +947,8 @@ static blk_status_t nvme_queue_rq(struct blk_mq_hw_ctx *hctx, nvme_submit_cmd(nvmeq, cmnd, bd->last); return BLK_STS_OK; out_unmap_data: - nvme_unmap_data(dev, req); + if (blk_rq_nr_phys_segments(req)) + nvme_unmap_data(dev, req); out_free_cmd: nvme_cleanup_cmd(req); return ret;