[PATCH 1/1] nvme: fix use-after-free of admin queue via stale pointer
Keith Busch
kbusch at kernel.org
Wed Oct 29 17:39:34 PDT 2025
On Wed, Oct 29, 2025 at 03:08:53PM -0600, Casey Chen wrote:
>
> Fix this by taking an additional reference on the admin queue during
> namespace allocation and releasing it during namespace cleanup.
Since the namespaces already hold references on the controller, would it
be simpler to move the controller's final blk_put_queue to the final
ctrl free? This should have the same lifetime as your patch, but with
simpler ref counting:
---
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index fa4181d7de736..0b83d82f67e75 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4901,7 +4901,6 @@ void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
*/
nvme_stop_keep_alive(ctrl);
blk_mq_destroy_queue(ctrl->admin_q);
- blk_put_queue(ctrl->admin_q);
if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
blk_put_queue(ctrl->fabrics_q);
@@ -5045,6 +5044,7 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
+ blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
nvme_free_cels(ctrl);
--
More information about the Linux-nvme
mailing list