| From 0592de467cd89398784794e7183a318d10e382b9 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 6 Oct 2021 08:09:43 +0000 |
| Subject: nvmet: fix use-after-free when a port is removed |
| |
| From: Israel Rukshin <israelr@nvidia.com> |
| |
| [ Upstream commit e3e19dcc4c416d65f99f13d55be2b787f8d0050e ] |
| |
| When a port is removed through configfs, any connected controllers |
| are starting teardown flow asynchronously and can still send commands. |
| This causes a use-after-free bug for any command that dereferences |
| req->port (like in nvmet_parse_io_cmd). |
| |
| To fix this, wait for all the teardown scheduled works to complete |
| (like release_work at rdma/tcp drivers). This ensures there are no |
| active controllers when the port is eventually removed. |
| |
| Signed-off-by: Israel Rukshin <israelr@nvidia.com> |
| Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com> |
| Signed-off-by: Christoph Hellwig <hch@lst.de> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/nvme/target/configfs.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c |
| index 98613a45bd3b4..baf8a3e4ed12a 100644 |
| --- a/drivers/nvme/target/configfs.c |
| +++ b/drivers/nvme/target/configfs.c |
| @@ -1148,6 +1148,8 @@ static void nvmet_port_release(struct config_item *item) |
| { |
| struct nvmet_port *port = to_nvmet_port(item); |
| |
| + /* Let inflight controllers teardown complete */ |
| + flush_scheduled_work(); |
| list_del(&port->global_entry); |
| |
| kfree(port->ana_state); |
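Review bot: `flush_scheduled_work()` in nvmet_port_release() drains the shared system workqueue rather than only nvmet teardown work, so port removal now waits on every unrelated item queued there and can deadlock if any of those items depends on a lock the caller holds. It also closes the use-after-free only for teardown work that is already queued on that workqueue when the flush starts; per the commit message this is release_work in the rdma/tcp transports, which the hunk does not show, so that coverage is worth confirming for each transport. A narrower fix would run controller teardown on a dedicated nvmet workqueue and flush only that, e.g. `flush_workqueue(nvmet_wq);`, where `nvmet_wq` is a queue the driver would have to add. The comment should also state what is being protected, e.g. `/* Wait for queued controller teardown so no command can still dereference req->port */`. The body of nvmet_port_release() continues past the end of the hunk.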
| -- |
| 2.33.0 |
| |