[PATCH 1/4] nvme-tcp: fix a possible use-after-free in controller reset during load
Sagi Grimberg
sagi at grimberg.me
Tue Feb 1 07:25:02 PST 2022
> On Tue, Feb 01, 2022 at 02:36:03PM +0200, Sagi Grimberg wrote:
>> The driver will make sure to flush ctrl->async_event_work _after_
>> changing the controller state (it is flushed in nvme_stop_ctrl).
>> Only after that it will continue to free the admin queue. So if
>> this check passed, it is safe to submit the aer command.
>>
>> I think that the ctrl->state check should be sufficient. In fact, I
>> think we can move it to the core instead of doing it in the drivers:
>
> Maybe throw in a comment explaining this? Otherwise having fewer
> checks and having them in the core is always a good thing, so I'm
> in favour.
I sent a v2 already. You want me to send a v3 with something like:
--
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index c11cd3a814fd..4beeb53e33e8 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4253,6 +4253,12 @@ static void nvme_async_event_work(struct
work_struct *work)
nvme_aen_uevent(ctrl);
if (ctrl->state != NVME_CTRL_LIVE)
return;
+ /*
+ * drivers must guarantee aer submission here is safe
+ * by flushing the ctrl async_event_work after changing
+ * the controller state from LIVE and before freeing the
+ * admin queue.
+ */
ctrl->ops->submit_async_event(ctrl);
}
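Review bot: the comment above ctrl->ops->submit_async_event() states the ordering contract the drivers must uphold but not where the core actually enforces it; since the reply above says ctrl->async_event_work is flushed in nvme_stop_ctrl(), naming that function makes the invariant checkable by the next reader, e.g. "Drivers must make AER submission here safe by flushing ctrl->async_event_work (done in nvme_stop_ctrl()) after the controller state leaves LIVE and before the admin queue is freed." Also, because the unlocked `ctrl->state != NVME_CTRL_LIVE` read is exactly what that flush ordering makes safe, the comment reads more naturally placed above the `if` rather than between the check and the submission, and kernel style would capitalize the sentence and write "AER".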
--
More information about the Linux-nvme mailing list