diff options
| author | Israel Rukshin <israelr@nvidia.com> | 2021-10-06 08:09:43 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-11-17 09:48:31 +0100 |
| commit | 81d11e40fdbbb4d1e382d048bf3d6b9a5ec402ee (patch) | |
| tree | 444b00c9493df07123b5d15fb84d3eeb5180df83 /drivers/nvme/target/configfs.c | |
| parent | 1ec1ca2be9c62ba2af7b61694e9d06c1fc84e9c8 (diff) | |
nvmet: fix use-after-free when a port is removed
[ Upstream commit e3e19dcc4c416d65f99f13d55be2b787f8d0050e ]
When a port is removed through configfs, any connected controllers
are starting teardown flow asynchronously and can still send commands.
This causes a use-after-free bug for any command that dereferences
req->port (like in nvmet_parse_io_cmd).
To fix this, wait for all the teardown scheduled works to complete
(like release_work at rdma/tcp drivers). This ensures there are no
active controllers when the port is eventually removed.
Signed-off-by: Israel Rukshin <israelr@nvidia.com>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/nvme/target/configfs.c')
| -rw-r--r-- | drivers/nvme/target/configfs.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c index 98613a45bd3b..baf8a3e4ed12 100644 --- a/drivers/nvme/target/configfs.c +++ b/drivers/nvme/target/configfs.c @@ -1148,6 +1148,8 @@ static void nvmet_port_release(struct config_item *item) { struct nvmet_port *port = to_nvmet_port(item); + /* Let inflight controllers teardown complete */ + flush_scheduled_work(); list_del(&port->global_entry); kfree(port->ana_state); |