xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nvmet: fix use-after-free when a port is removed

Browse Source 
[ Upstream commit e3e19dcc4c416d65f99f13d55be2b787f8d0050e ]

When a port is removed through configfs, any connected controllers
are starting teardown flow asynchronously and can still send commands.
This causes a use-after-free bug for any command that dereferences
req->port (like in nvmet_parse_io_cmd).

To fix this, wait for all the teardown scheduled works to complete
(like release_work at rdma/tcp drivers). This ensures there are no
active controllers when the port is eventually removed.

Signed-off-by: Israel Rukshin <israelr@nvidia.com>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Israel Rukshin
2021-10-06 08:09:43 +00:00
committed by Greg Kroah-Hartman
parent 1a10bf4c9d
commit e73574f7bc
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/nvme/target/configfs.c
View File

@@ -1462,6 +1462,8 @@ static void nvmet_port_release(struct config_item *item)
{ {
struct nvmet_port *port = to_nvmet_port(item); struct nvmet_port *port = to_nvmet_port(item);
/* Let inflight controllers teardown complete */
flush_scheduled_work();
list_del(&port->global_entry); list_del(&port->global_entry);
kfree(port->ana_state); kfree(port->ana_state);