[bug report] nvme-fc: address target disconnect race conditions in fcp io submit
Dan Carpenter
dan.carpenter at linaro.org
Fri Oct 27 05:18:16 PDT 2023
Hello James Smart,
The patch 8b25f351929b: "nvme-fc: address target disconnect race
conditions in fcp io submit" from Jul 18, 2017 (linux-next), leads to
the following Smatch static checker warning:
drivers/nvme/host/fc.c:2788 nvme_fc_start_fcp_op()
error: dereferencing freed memory 'ctrl'
drivers/nvme/host/fc.c
2781 if (!(op->flags & FCOP_FLAGS_AEN)) {
2782 nvme_fc_unmap_data(ctrl, op->rq, op);
2783 nvme_cleanup_cmd(op->rq);
2784 }
2785
2786 nvme_fc_ctrl_put(ctrl);
^^^^
The nvme_fc_ctrl_put() function drops a refcount and potentially frees
ctrl.
2787
--> 2788 if (ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE &&
^^^^^^
Use after free?
2789 ret != -EBUSY)
2790 return BLK_STS_IOERR;
2791
2792 return BLK_STS_RESOURCE;
2793 }
2794
2795 return BLK_STS_OK;
2796 }
regards,
dan carpenter
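The put-then-dereference ordering flagged above, as an added illustration that is not from the report or from the nvme-fc driver. The types, the side-table "freed" marker and the two fail-path variants are constructed here so the hazard stays observable and well-defined in user space; the "fixed" variant reads the port state before dropping the reference, which is one common way to close this kind of window, not necessarily the change that was merged.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects; not the real fc.c types. */
enum port_state { PORT_OFFLINE = 0, PORT_ONLINE = 1 };
enum blk_status { STS_OK = 0, STS_RESOURCE = 1, STS_IOERR = 2 };

struct remoteport { enum port_state port_state; };
struct rport { struct remoteport remoteport; };

struct ctrl {
    int refcount;
    bool freed;             /* side marker: set instead of calling free(), so a
                               read after release is detectable, not undefined */
    struct rport *rport;
};

static int uaf_hits;        /* reads through ctrl after its last ref was dropped */

/* Mimics nvme_fc_ctrl_put(): the last put releases the object. */
static void ctrl_put(struct ctrl *c)
{
    if (--c->refcount == 0) {
        c->freed = true;
        c->rport = NULL;    /* the memory would no longer be valid */
    }
}

/* Instrumented field read: counts accesses to a released ctrl. */
static enum port_state read_port_state(struct ctrl *c)
{
    if (c->freed) {
        uaf_hits++;
        return PORT_OFFLINE;
    }
    return c->rport->remoteport.port_state;
}

/* Ordering from the report: drop the reference, then read through ctrl. */
static enum blk_status fail_path_buggy(struct ctrl *c, int ret)
{
    ctrl_put(c);
    if (read_port_state(c) == PORT_ONLINE && ret != -EBUSY)
        return STS_IOERR;
    return STS_RESOURCE;
}

/* Reordered: take everything needed from ctrl before the put. */
static enum blk_status fail_path_fixed(struct ctrl *c, int ret)
{
    bool online = read_port_state(c) == PORT_ONLINE;

    ctrl_put(c);
    if (online && ret != -EBUSY)
        return STS_IOERR;
    return STS_RESOURCE;
}

/*
 * Run one scenario with the port online and ret = -EIO. Returns
 * (uaf_hits << 8) | status so a single value captures both outcomes.
 */
static int run_scenario(bool use_fixed, int refs)
{
    static struct rport rp;
    static struct ctrl c;
    enum blk_status st;

    rp.remoteport.port_state = PORT_ONLINE;
    c.refcount = refs;
    c.freed = false;
    c.rport = &rp;
    uaf_hits = 0;

    st = use_fixed ? fail_path_fixed(&c, -EIO) : fail_path_buggy(&c, -EIO);
    return (uaf_hits << 8) | (int)st;
}

int main(void)
{
    printf("fixed, last ref:  0x%x\n", run_scenario(true, 1));
    printf("buggy, last ref:  0x%x\n", run_scenario(false, 1));
    printf("buggy, extra ref: 0x%x\n", run_scenario(false, 2));
    return 0;
}
```

The third scenario shows why the bug is easy to miss in testing: while some other holder still pins the ctrl, the put is not the last one and the read after it looks harmless. Only when the submit path's reference is the last one (the target-disconnect race the original patch was addressing) does the read land on released memory, and the status returned is then also wrong.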