diff options
| author | Israel Rukshin <israelr@nvidia.com> | 2021-10-06 10:09:43 +0200 |
|---|---|---|
| committer | Christoph Hellwig <hch@lst.de> | 2021-10-20 19:16:00 +0200 |
| commit | e3e19dcc4c416d65f99f13d55be2b787f8d0050e (patch) | |
| tree | 0abf4cdc025d15b2a16a81042c73e34e84a29f8b /drivers/nvme/target | |
| parent | qla2xxx: add ->map_queues support for nvme (diff) | |
| download | linux-e3e19dcc4c416d65f99f13d55be2b787f8d0050e.tar.xz linux-e3e19dcc4c416d65f99f13d55be2b787f8d0050e.zip | |
nvmet: fix use-after-free when a port is removed
When a port is removed through configfs, any connected controllers
are starting teardown flow asynchronously and can still send commands.
This causes a use-after-free bug for any command that dereferences
req->port (like in nvmet_parse_io_cmd).
To fix this, wait for all the teardown scheduled works to complete
(like release_work at rdma/tcp drivers). This ensures there are no
active controllers when the port is eventually removed.
Signed-off-by: Israel Rukshin <israelr@nvidia.com>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to 'drivers/nvme/target')
| -rw-r--r-- | drivers/nvme/target/configfs.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c index be5d82421e3a..496d775c6770 100644 --- a/drivers/nvme/target/configfs.c +++ b/drivers/nvme/target/configfs.c @@ -1553,6 +1553,8 @@ static void nvmet_port_release(struct config_item *item) { struct nvmet_port *port = to_nvmet_port(item); + /* Let inflight controllers teardown complete */ + flush_scheduled_work(); list_del(&port->global_entry); kfree(port->ana_state); |