[PATCH 00/11] nvmet-fcloop: track resources via reference counting
Daniel Wagner
dwagner at suse.de
Thu Feb 27 08:30:10 PST 2025
On Wed, Feb 26, 2025 at 07:45:52PM +0100, Daniel Wagner wrote:
> static void nvmet_port_subsys_drop_link(struct config_item *parent,
> 		struct config_item *target)
> {
> [...]
> found:
> 	list_del(&p->entry);
> 	nvmet_port_del_ctrls(port, subsys);
> 	nvmet_port_disc_changed(port, subsys); /* XXX triggers the above UAF */
>
> 	if (list_empty(&port->subsystems))
> 		nvmet_disable_port(port);
> 	up_write(&nvmet_config_sem);
> 	kfree(p);
> }
>
> The nvmet_port_disc_changed is a bit useless, because these events will
> never be seen by the host. Anyway, more debugging is necessary.
The problem is there is no ref counting for pe->tgtport. And
nvmet_port_disc_changed needs to take a ref on hostport. I am doing some
more testing and it looks promising. Hopefully this is one of those
famous lost words.