Commit 62baf409 authored by Israel Rukshin, committed by Yang Yingliang

nvme: Fix ctrl use-after-free during sysfs deletion

mainline inclusion
from mainline-v5.7-rc1
commit b780d741
category: bugfix
bugzilla: NA
CVE: NA
Link: https://gitee.com/openeuler/kernel/issues/I1WGZE



--------------------------------

In case nvme_sysfs_delete() is called by the user before taking the ctrl
reference count, the ctrl may be freed during the creation and cause the
bug. Take the reference as soon as the controller is externally visible,
which is done by cdev_device_add() in nvme_init_ctrl(). Also take the
reference count at the core layer instead of taking it on each transport
separately.

Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Conflicts:
    drivers/nvme/host/tcp.c
[No code about TCP in current version.]
Reviewed-by: Chao Leng <lengchao@huawei.com>
Reviewed-by: Jike Cheng <chengjike.cheng@huawei.com>
Signed-off-by: Lijie <lijie34@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Acked-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
parent 21d889f5
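
The ordering problem the commit message describes, as an added userspace model in C (not the kernel patch and not the nvme driver's code). The struct, the function names and the simplification that deletion drops the initial reference are assumptions made for illustration; `freed` is a flag so the model never touches released memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: hypothetical names, no kernel APIs are called. */
struct model_ctrl {
    int refs;        /* models the controller's reference count */
    bool visible;    /* set once the device node is published */
    bool freed;      /* set by the release path instead of calling free() */
};

static void ctrl_get(struct model_ctrl *c) { c->refs++; }
static void ctrl_put(struct model_ctrl *c)
{
    if (--c->refs == 0)
        c->freed = true;   /* the release callback would free the object */
}

/* Models a user writing the sysfs delete attribute: teardown drops the
 * initial reference. Only reachable once the controller is visible. */
static void user_delete(struct model_ctrl *c)
{
    if (c->visible && !c->freed)
        ctrl_put(c);
}

/* Returns true if the creation path would touch a freed controller.
 * ref_at_publish=false: reference taken later, per transport (old order).
 * ref_at_publish=true:  reference taken when the device becomes visible. */
static bool create_ctrl(bool ref_at_publish, bool delete_races)
{
    struct model_ctrl c = { .refs = 1 };   /* initial reference from init */
    c.visible = true;                      /* device node added */
    if (ref_at_publish)
        ctrl_get(&c);                      /* creator's reference, taken early */
    if (delete_races)
        user_delete(&c);                   /* deletion lands in the window */
    if (c.freed)
        return true;                       /* creator continues on freed ctrl */
    if (!ref_at_publish)
        ctrl_get(&c);                      /* late reference in the transport */
    return false;
}

int main(void)
{
    printf("late ref, racing delete:  uaf=%d\n", create_ctrl(false, true));
    printf("early ref, racing delete: uaf=%d\n", create_ctrl(true, true));
    return 0;
}
```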