diff options
| author | Logan Gunthorpe <logang@deltatee.com> | 2019-08-01 01:35:31 +0200 |
|---|---|---|
| committer | Sagi Grimberg <sagi@grimberg.me> | 2019-08-01 02:57:06 +0200 |
| commit | 3aed86731ee2b23e4dc4d2c6d943d33992cd551b (patch) | |
| tree | ec1c8fdaaae875427d39e0734626161419167293 /drivers/nvme/target/configfs.c | |
| parent | nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns (diff) | |
| download | linux-3aed86731ee2b23e4dc4d2c6d943d33992cd551b.tar.xz linux-3aed86731ee2b23e4dc4d2c6d943d33992cd551b.zip | |
nvmet: Fix use-after-free bug when a port is removed
When a port is removed through configfs, any connected controllers
are still active and can still send commands. This causes a
use-after-free bug which is detected by KASAN for any admin command
that dereferences req->port (like in nvmet_execute_identify_ctrl).
To fix this, disconnect all active controllers when a subsystem is
removed from a port. This ensures there are no active controllers
when the port is eventually removed.
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by : Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Diffstat (limited to 'drivers/nvme/target/configfs.c')
| -rw-r--r-- | drivers/nvme/target/configfs.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c index cd52b9f15376..98613a45bd3b 100644 --- a/drivers/nvme/target/configfs.c +++ b/drivers/nvme/target/configfs.c @@ -675,6 +675,7 @@ static void nvmet_port_subsys_drop_link(struct config_item *parent, found: list_del(&p->entry); + nvmet_port_del_ctrls(port, subsys); nvmet_port_disc_changed(port, subsys); if (list_empty(&port->subsystems)) |