[PATCH 2/2] nvme-pci: Fix UAF introduced by nvme_dev_remove_admin()

Keith Busch kbusch at kernel.org
Tue Jun 22 12:16:02 PDT 2021


On Mon, Jun 21, 2021 at 05:27:10PM -0700, Casey Chen wrote:
> nvme_dev_remove_admin() could free admin_q and admin_tagset while
> they are being accessed by nvme_dev_disable(), which could come from
> nvme_remove_dead_ctrl() by nvme_reset_work() during cleanup.
> 
> Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling") was
> to avoid requests being stuck on a removed controller by killing the admin queue.
> But the later fix c8e9e9b7646e ("nvme-pci: unquiesce admin queue on shutdown"),
> together with nvme_dev_disable(dev, true) right before nvme_dev_remove_admin()
> could help dispatch requests and fail them early, so we don't need
> nvme_dev_remove_admin() any more.
> 
> Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling")

Thanks, this change looks good.

Reviewed-by: Keith Busch <kbusch at kernel.org>

> upstream_status: upstream
> ---
>  drivers/nvme/host/pci.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
> index 5abc4c3be454..49ef2027bcb0 100644
> --- a/drivers/nvme/host/pci.c
> +++ b/drivers/nvme/host/pci.c
> @@ -3023,7 +3023,6 @@ static void nvme_remove(struct pci_dev *pdev)
>  	if (!pci_device_is_present(pdev)) {
>  		nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
>  		nvme_dev_disable(dev, true);
> -		nvme_dev_remove_admin(dev);
>  	}
>  
>  	flush_work(&dev->ctrl.reset_work);
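Review bot: dropping nvme_dev_remove_admin() from the !pci_device_is_present() branch means this path no longer frees admin_q and admin_tagset ahead of the flush_work(&dev->ctrl.reset_work) on the following line, which is the ordering that closes the race with nvme_reset_work()/nvme_remove_dead_ctrl() described in the changelog; the changelog should also state where the admin queue is released now, so a reader of this hunk can confirm the use-after-free is traded for a still-complete teardown rather than a leak. Since the argument relies on c8e9e9b7646e ("nvme-pci: unquiesce admin queue on shutdown") being present, stable backports should carry that commit as a prerequisite.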
> -- 
> 2.17.1
