[PATCH 4/4] nvmet-loop: do not call nvme_ctrl_put() after nvme_ctrl_uninit()

Sagi Grimberg sagi at grimberg.me
Thu Mar 7 00:58:41 PST 2024


Looks fine,
Reviewed-by: Sagi Grimberg <sagi at grimberg.me>

But I think it would help if loop would behave like other transports
that do have the extra put.

On 01/03/2024 13:28, Hannes Reinecke wrote:
> nvme_ctrl_uninit() already calls nvme_ctrl_put(), doing it twice
> will cause a UAF.
>
> Signed-off-by: Daniel Wagner <dwagner at suse.de>
> Signed-off-by: Hannes Reinecke <hare at suse.de>
> ---
>   drivers/nvme/target/loop.c | 1 -
>   1 file changed, 1 deletion(-)
>
> diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
> index f1d5eee3daec..82db181f0168 100644
> --- a/drivers/nvme/target/loop.c
> +++ b/drivers/nvme/target/loop.c
> @@ -615,7 +615,6 @@ static struct nvme_ctrl *nvme_loop_create_ctrl(struct device *dev,
>   	kfree(ctrl->queues);
>   out_uninit_ctrl:
>   	nvme_uninit_ctrl(&ctrl->ctrl);
> -	nvme_put_ctrl(&ctrl->ctrl);
>   out:
>   	if (ret > 0)
>   		ret = -EIO;
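Review bot: the function names in the commit message (nvme_ctrl_uninit() / nvme_ctrl_put()) do not match the identifiers actually removed and kept in this hunk (`nvme_put_ctrl(&ctrl->ctrl);` dropped right after `nvme_uninit_ctrl(&ctrl->ctrl);` under `out_uninit_ctrl:`); please correct the message so it names the real functions, and since the change fixes a double put that leads to a use-after-free, add a Fixes: tag pointing at the commit that introduced the extra put. Given the review remark that the other transports keep this second put on purpose, the message should also state explicitly which reference nvme_uninit_ctrl() drops and why loop, unlike those transports, holds no additional reference here, so that a later reader does not "fix" the asymmetry by reintroducing the put.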



