nvmet: fix use-after-free when a port is removed
When a port is removed through configfs, any connected controllers
are starting teardown flow asynchronously and can still send commands.
This causes a use-after-free bug for any command that dereferences
req->port (like in nvmet_parse_io_cmd).

To fix this, wait for all the teardown scheduled works to complete
(like release_work at rdma/tcp drivers). This ensures there are no
active controllers when the port is eventually removed.

Signed-off-by: Israel Rukshin <israelr@nvidia.com>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Israel Rukshin authored and Christoph Hellwig committed Oct 20, 2021
1 parent 2b2af50 commit e3e19dc
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions drivers/nvme/target/configfs.c
Expand Up @@ -1553,6 +1553,8 @@ static void nvmet_port_release(struct config_item *item)
{
struct nvmet_port *port = to_nvmet_port(item);

/* Let inflight controllers teardown complete */
flush_scheduled_work();
list_del(&port->global_entry);

kfree(port->ana_state);
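
Review bot: flush_scheduled_work() at the top of nvmet_port_release() flushes the whole system workqueue, so port removal waits on every pending work item in the system rather than only the teardown of controllers attached to this port, and it only covers transports whose release work is queued on that workqueue. The comment "Let inflight controllers teardown complete" should name the works it depends on (the commit message points at release_work in the rdma/tcp drivers). A dedicated workqueue for controller teardown, flushed here instead, would make that dependency explicit and keep the req->port lifetime guarantee from silently breaking if a transport queues its teardown elsewhere.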