[PATCH] nvme: fix admin request_queue lifetime

Ewan Milne emilne at redhat.com
Wed Nov 5 13:31:13 PST 2025


On Tue, Nov 4, 2025 at 6:00 PM Keith Busch <kbusch at meta.com> wrote:
>
> From: Keith Busch <kbusch at kernel.org>
>
> The namespaces can access the controller's admin request_queue, and
> stale references on the namespaces may exist. Ensure the request_queue
> is active by moving the controller's 'put' after all references on the
> controller have been released to ensure no one is trying to access the
> request_queue. This fixes a reported use-after-free bug:
>

OK, so I get that this fixes the use-after-free, and don't let my
comments hold up acceptance of the patch. But can you explain why this
actually helps? nvme_alloc_admin_tag_set() allocates the admin_q as part
of the admin tagset initialization, and doesn't this change keep the
lifetime of the admin_q past when the admin tagset is deallocated? So
where do we detect that?

-Ewan
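The ordering point the commit message makes (drop the controller's reference only after every holder of a controller reference is gone, so nothing can still reach the admin request_queue) can be shown with a small refcount model. The following is an added illustration written for this archive page, not code from the kernel or from the patch; `admin_queue`, `ctrl`, `ns`, `ctrl_release()` and the scenario functions are hypothetical stand-ins, and an `alive` flag stands in for freed memory so a stale access is reported instead of being undefined behaviour.

```c
#include <stdio.h>

/* Toy model of the teardown-ordering problem discussed in the thread.
 * All names are illustrative stand-ins, not the kernel's nvme code.
 * An "alive" flag models freed memory so the example can detect a
 * stale access rather than actually dereferencing freed storage. */

struct admin_queue {
    int alive;              /* 1 while usable; 0 once torn down ("freed") */
    unsigned long served;   /* commands accepted */
};

struct ctrl {
    int refs;               /* held by the creator plus each namespace */
    int released;           /* set when the last reference is dropped */
    struct admin_queue *admin_q;
};

struct ns {
    struct ctrl *ctrl;      /* each namespace pins the controller */
};

static void queue_teardown(struct admin_queue *q)
{
    q->alive = 0;
}

static void ctrl_get(struct ctrl *c)
{
    c->refs++;
}

/* Release callback: runs only when the last reference goes away.
 * Tearing the queue down here guarantees no namespace can still
 * reach it, because every live namespace holds a reference. */
static void ctrl_release(struct ctrl *c)
{
    c->released = 1;
    queue_teardown(c->admin_q);
}

static void ctrl_put(struct ctrl *c)
{
    if (--c->refs == 0)
        ctrl_release(c);
}

static void ns_init(struct ns *n, struct ctrl *c)
{
    n->ctrl = c;
    ctrl_get(c);
}

static void ns_release(struct ns *n)
{
    ctrl_put(n->ctrl);
    n->ctrl = NULL;
}

/* A namespace issuing an admin command through its controller.
 * Returns 0 on success, -1 if the queue is already gone (the
 * model's equivalent of a use-after-free). */
static int ns_admin_cmd(struct ns *n)
{
    struct admin_queue *q = n->ctrl->admin_q;

    if (!q->alive)
        return -1;
    q->served++;
    return 0;
}

/* Broken ordering: the queue is torn down directly while a namespace
 * still holds a reference on the controller. Returns -1 (stale access). */
int scenario_early_teardown(void)
{
    struct admin_queue q = { .alive = 1, .served = 0 };
    struct ctrl c = { .refs = 1, .released = 0, .admin_q = &q };
    struct ns n;
    int rc;

    ns_init(&n, &c);        /* refs == 2 */
    queue_teardown(&q);     /* too early: namespace still live */
    rc = ns_admin_cmd(&n);  /* stale access */
    ns_release(&n);         /* refs == 1 */
    ctrl_put(&c);           /* refs == 0; release runs on an already dead queue */
    return rc;
}

/* Fixed ordering: the queue is torn down from ctrl_release(), so it
 * outlives every namespace reference. Returns 0 if the command
 * succeeded and the queue was still torn down once refs hit zero. */
int scenario_release_ordered(void)
{
    struct admin_queue q = { .alive = 1, .served = 0 };
    struct ctrl c = { .refs = 1, .released = 0, .admin_q = &q };
    struct ns n;
    int rc;

    ns_init(&n, &c);        /* refs == 2 */
    ctrl_put(&c);           /* creator's put: refs == 1, queue still alive */
    rc = ns_admin_cmd(&n);  /* succeeds */
    ns_release(&n);         /* refs == 0: ctrl_release tears the queue down */
    if (rc != 0 || q.alive || !c.released || q.served != 1)
        return -1;
    return 0;
}

int main(void)
{
    printf("early teardown: %d\n", scenario_early_teardown());
    printf("release-ordered teardown: %d\n", scenario_release_ordered());
    return 0;
}
```

The model separates the creator's `ctrl_put()` from the actual teardown: whoever drops the last reference triggers `ctrl_release()`, so the queue's lifetime is bounded by the last user rather than by the creator's own exit path, which is the property the commit message is after.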
