[PATCH 1/1] nvme: correctly account for namespace head reference counter
Daniel Wagner
dwagner at suse.de
Tue Jun 24 06:42:39 PDT 2025
On Tue, Jun 24, 2025 at 07:00:39PM +0530, Nilay Shroff wrote:
> > Could the put be moved in front of 'goto out_unlink_ns'?
>
> I believe you would want to move the second nvme_put_ns_head()
> above as the first statement under out_unlink_ns label as shown
> below:
>
> out_unlink_ns:
> 	nvme_put_ns_head(ns->head);
> 	mutex_lock(&ctrl->subsys->lock);
> 	list_del_rcu(&ns->siblings);
> 	if (list_empty(&ns->head->list)) {
> 		list_del_init(&ns->head->entry);
> 		last_path = true;
> 	}
> 	mutex_unlock(&ctrl->subsys->lock);
> 	if (last_path)
> 		nvme_put_ns_head(ns->head);
>
> If that's the case, and this is indeed the last reference to ns->head,
> then nvme_put_ns_head() could potentially free the ns->head object.
> If that happens, any access to ns->head afterward — such as ns->head->list
> — would result in a use-after-free and potentially trigger a kernel oops,
> correct?
Ah sorry, brain fart, you are right.
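To make the ordering argument concrete, here is an added stand-alone model written for this page (not code from the thread or from the kernel; the names fake_head, head_put, unlink_ns and run_scenario and the refcount bookkeeping are assumptions of the model). It keeps both puts of the quoted snippet and reports when head->list would be read after the head's last reference has been dropped.

```c
#include <stdbool.h>

/* Hypothetical stand-in for nvme_ns_head: a refcount plus the one fact the
 * teardown reads from it, whether ns->head->list still has entries. */
struct fake_head {
    int refcount;   /* references held on the head */
    int members;    /* stand-in for the length of ns->head->list */
    bool freed;     /* set when the last reference is dropped */
};

/* kref_put model: -1 if called on an already released head (the kernel
 * would be touching freed memory), else 0. */
static int head_put(struct fake_head *head)
{
    if (head->freed)
        return -1;
    if (--head->refcount == 0)
        head->freed = true;      /* the kernel would free the object now */
    return 0;
}

/* Unlink one ns from its head.  put_first models nvme_put_ns_head() as the
 * first statement under out_unlink_ns; false keeps it after the last read
 * of head->list.  Returns -1 on any access to a released head (the
 * use-after-free Nilay describes), else the refcount that remains. */
static int unlink_ns(struct fake_head *head, bool put_first)
{
    bool last_path = false;

    if (put_first && head_put(head) < 0)
        return -1;
    /* list_del_rcu(&ns->siblings); if (list_empty(&ns->head->list)) ... */
    if (head->freed)
        return -1;               /* head->list read from released memory */
    if (--head->members == 0)
        last_path = true;
    if (!put_first && head_put(head) < 0)
        return -1;
    if (last_path && head_put(head) < 0)
        return -1;               /* second put kept as in the snippet */
    return head->refcount;
}

/* Build a head in the given state and run the teardown on it. */
static int run_scenario(int refcount, int members, bool put_first)
{
    struct fake_head head = { refcount, members, false };
    return unlink_ns(&head, put_first);
}
```

With a single reference held, the early put releases the head before head->list is read and run_scenario reports -1; with more than one reference the early put is harmless, which is the "if this is indeed the last reference" condition in the reply.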