diff options
| author | Israel Rukshin <israelr@mellanox.com> | 2020-03-24 16:29:41 +0100 |
|---|---|---|
| committer | Keith Busch <kbusch@kernel.org> | 2020-03-25 20:51:56 +0100 |
| commit | b780d7415aacec855e2f2370cbf98f918b224903 (patch) | |
| tree | c1ba48f4e31b554716d16cf8c4db24f831957fab /drivers/nvme/host/pci.c | |
| parent | nvme-pci: Re-order nvme_pci_free_ctrl (diff) | |
| download | linux-b780d7415aacec855e2f2370cbf98f918b224903.tar.xz linux-b780d7415aacec855e2f2370cbf98f918b224903.zip | |
nvme: Fix ctrl use-after-free during sysfs deletion
In case nvme_sysfs_delete() is called by the user before taking the ctrl
reference count, the ctrl may be freed during the creation and cause the
bug. Take the reference as soon as the controller is externally visible,
which is done by cdev_device_add() in nvme_init_ctrl(). Also take the
reference count at the core layer instead of taking it on each transport
separately.
Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Diffstat (limited to 'drivers/nvme/host/pci.c')
| -rw-r--r-- | drivers/nvme/host/pci.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index ff0bd2d84f3e..4e062c3a84bc 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -2802,7 +2802,6 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id) dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev)); nvme_reset_ctrl(&dev->ctrl); - nvme_get_ctrl(&dev->ctrl); async_schedule(nvme_async_probe, dev); return 0; |