nvme-tcp uaf when tls setup fails
Daniel Wagner
dwagner at suse.de
Mon Oct 14 08:50:06 PDT 2024
nvme_tcp_setup_ctrl is called from different contexts. If the function is
called as part of the initial controller creation, the argument 'new' is set to
true. That means nvme_tcp_teardown_admin_queue should also get informed
that it should release all resources, but currently it doesn't.
Pass forward the correct context to the error handling path as well.
diff --git a/drivers/nvmehost/tcp.c b/drivers/nvme/host/tcp.c
index 89c44413c593..c31434b4da73 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -2278,7 +2278,7 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new)
}
destroy_admin:
nvme_stop_keep_alive(ctrl);
- nvme_tcp_teardown_admin_queue(ctrl, false);
+ nvme_tcp_teardown_admin_queue(ctrl, new);
return ret;
}
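Review bot: The commit message does not name the resource that stays allocated when the destroy_admin label calls nvme_tcp_teardown_admin_queue(ctrl, false) on the initial-creation path, nor how that leads to the use-after-free in the subject line. Since the second argument is now the caller's 'new', please state in the message what the teardown frees when it is true and which later access hit the stale object, so the fix can be checked against the report. A Fixes: tag pointing at the commit that introduced the hard-coded false would help stable backports. Only the destroy_admin label is visible in this hunk; if the other error labels in nvme_tcp_setup_ctrl also call teardown helpers with a hard-coded false, it is worth confirming whether they need the same treatment.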