[PATCH v2] nvmet: Avoid potential UAF in nvmet_req_complete()
Sagi Grimberg
sagi at grimberg.me
Mon Mar 6 06:00:53 PST 2023
>> Hey Damien,
>>
>>> An nvme target ->queue_response() operation implementation may free the
>>> request passed as argument. Such an implementation could potentially result
>>> in a use after free of the request pointer when percpu_ref_put() is
>>> called in nvmet_req_complete().
>>
>> Can you point me to which transport frees the request?
>
> My prototype PCIe endpoint nvme function driver, not upstream yet.
>
> The endpoint board keeps randomly crashing without this patch and not freeing
> the request (embedded in a struct) in the ->queue_response() operation would
> require *a lot* more code.
Got it,
Reviewed-by: Sagi Grimberg <sagi at grimberg.me>
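The ordering problem the patch subject describes, as an added example written for this page; it is not kernel code and not the patch under review. The percpu_ref is modelled as a plain atomic counter, the transport ops are reduced to the one ->queue_response() callback, and the "saved sq pointer" shape of complete_safe() is an assumption about the fix, not something the thread shows.

```c
/*
 * Constructed model of the nvmet_req_complete() ordering issue; illustrative
 * code for this page, not Linux kernel code. The percpu_ref is modelled as an
 * atomic counter and the transport ops are reduced to ->queue_response().
 */
#include <stdatomic.h>
#include <stdlib.h>
#include <stdio.h>

struct nvmet_sq {
    atomic_int ref;             /* stands in for the real percpu_ref */
};

struct nvmet_req;

struct nvmet_fabrics_ops {
    void (*queue_response)(struct nvmet_req *req);
};

struct nvmet_req {
    struct nvmet_sq *sq;
    const struct nvmet_fabrics_ops *ops;
};

static void percpu_ref_put(atomic_int *ref)
{
    atomic_fetch_sub(ref, 1);
}

/* Transport modelled on the one in the thread: the request lives inside a
 * transport-owned allocation that is released once the response is queued. */
static int freed_requests;

static void freeing_queue_response(struct nvmet_req *req)
{
    freed_requests++;
    free(req);                  /* req is dead after this returns */
}

/* Transport that keeps its requests alive after queueing the response. */
static void retaining_queue_response(struct nvmet_req *req)
{
    (void)req;
}

static const struct nvmet_fabrics_ops freeing_ops = {
    .queue_response = freeing_queue_response,
};
static const struct nvmet_fabrics_ops retaining_ops = {
    .queue_response = retaining_queue_response,
};

/* Ordering the patch warns about: req->sq is read after ->queue_response()
 * has run. With freeing_ops this dereferences freed memory, so this path is
 * only exercised below with a transport that never frees req. */
static void complete_unsafe(struct nvmet_req *req)
{
    req->ops->queue_response(req);
    percpu_ref_put(&req->sq->ref);     /* UAF if req was just freed */
}

/* Assumed shape of the fix: take what is needed from req before the
 * transport callback, then never touch req again. */
static void complete_safe(struct nvmet_req *req)
{
    struct nvmet_sq *sq = req->sq;

    req->ops->queue_response(req);     /* may free req */
    percpu_ref_put(&sq->ref);          /* uses only the saved pointer */
}

/* One completion through complete_safe() with the freeing transport.
 * Returns the sq reference count afterwards (starts at 2, expected 1). */
static int run_freeing_transport(void)
{
    struct nvmet_sq sq;
    struct nvmet_req *req = malloc(sizeof(*req));

    if (!req)
        return -1;
    atomic_init(&sq.ref, 2);
    req->sq = &sq;
    req->ops = &freeing_ops;
    complete_safe(req);
    return atomic_load(&sq.ref);
}

/* Same count with the retaining transport through the old ordering, which
 * is fine only because this transport does not free req. */
static int run_retaining_transport(void)
{
    struct nvmet_sq sq;
    struct nvmet_req req = { .sq = &sq, .ops = &retaining_ops };

    atomic_init(&sq.ref, 2);
    complete_unsafe(&req);
    return atomic_load(&sq.ref);
}

int main(void)
{
    printf("freeing transport, safe path: ref=%d freed=%d\n",
           run_freeing_transport(), freed_requests);
    printf("retaining transport, old path: ref=%d\n",
           run_retaining_transport());
    return 0;
}
```

The point of the two drivers is that the old ordering is not wrong for every transport, only for one that frees the request inside ->queue_response(); the core cannot know which it is talking to, so it must stop touching req after the callback returns.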