[PATCH 5.10 230/575] nvmet: fix use-after-free when a port is removed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2021-11-15 19:40:28
Also in:
lkml
Subsystem:
nvm express target driver, the rest · Maintainers:
Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni, Linus Torvalds
From: Israel Rukshin <redacted> [ Upstream commit e3e19dcc4c416d65f99f13d55be2b787f8d0050e ] When a port is removed through configfs, any connected controllers are starting teardown flow asynchronously and can still send commands. This causes a use-after-free bug for any command that dereferences req->port (like in nvmet_parse_io_cmd). To fix this, wait for all the teardown scheduled works to complete (like release_work at rdma/tcp drivers). This ensures there are no active controllers when the port is eventually removed. Signed-off-by: Israel Rukshin <redacted> Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/nvme/target/configfs.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 37e1d7784e175..9aed5cc710960 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c@@ -1462,6 +1462,8 @@ static void nvmet_port_release(struct config_item *item) { struct nvmet_port *port = to_nvmet_port(item); + /* Let inflight controllers teardown complete */ + flush_scheduled_work(); list_del(&port->global_entry); kfree(port->ana_state);
--
2.33.0