[PATCH rfc] nvme: support io stats on the mpath device
Sagi Grimberg
sagi at grimberg.me
Mon Oct 3 01:38:51 PDT 2022
>> index 9bacfd014e3d..f42e6e40d84b 100644
>>> --- a/drivers/nvme/host/core.c
>>> +++ b/drivers/nvme/host/core.c
>>> @@ -385,6 +385,8 @@ static inline void nvme_end_req(struct request *req)
>>> ????? nvme_end_req_zoned(req);
>>> ????? nvme_trace_bio_complete(req);
>>> ????? blk_mq_end_request(req, status);
>>> +??? if (req->cmd_flags & REQ_NVME_MPATH)
>>> +??????? nvme_mpath_end_request(req);
>>
>> I guess the order should probably be reversed, because after
>> blk_mq_end_request req may become invalid and create UAF?
>
> Yes - blk_mq_end_request() will put the tag, it could be reused by the
> time you call nvme_mpath_end_request(). It won't be a UAF as the
> requests are allocated upfront and never freed, but the state will be
> uncertain at that point.
Will reverse that...
More information about the Linux-nvme
mailing list