From: Israel Rukshin Date: Wed, 6 Oct 2021 08:09:43 +0000 (+0000) Subject: nvmet: fix use-after-free when a port is removed X-Git-Tag: v6.6.17~8867^2~48^2~19 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e3e19dcc4c416d65f99f13d55be2b787f8d0050e;p=platform%2Fkernel%2Flinux-rpi.git nvmet: fix use-after-free when a port is removed When a port is removed through configfs, any connected controllers are starting teardown flow asynchronously and can still send commands. This causes a use-after-free bug for any command that dereferences req->port (like in nvmet_parse_io_cmd). To fix this, wait for all the teardown scheduled works to complete (like release_work at rdma/tcp drivers). This ensures there are no active controllers when the port is eventually removed. Signed-off-by: Israel Rukshin Reviewed-by: Max Gurtovoy Signed-off-by: Christoph Hellwig --- diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c index be5d8242..496d775 100644 --- a/drivers/nvme/target/configfs.c +++ b/drivers/nvme/target/configfs.c @@ -1553,6 +1553,8 @@ static void nvmet_port_release(struct config_item *item) { struct nvmet_port *port = to_nvmet_port(item); + /* Let inflight controllers teardown complete */ + flush_scheduled_work(); list_del(&port->global_entry); kfree(port->ana_state);
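Review bot: the hunk in nvmet_port_release() relies on every transport queuing its controller-teardown work on the system workqueue, because flush_scheduled_work() only flushes system_wq (work submitted via schedule_work()); a transport that queues release_work on its own workqueue, or a teardown path that re-queues further work from inside the flushed item, is not covered and the req->port dereference described in the commit message would still be reachable. It would help to state this dependency in the comment, e.g. `/* Let inflight controllers teardown complete (queued via schedule_work()) */`, or to flush the specific workqueue the transports use instead of the global one. Two related caveats worth a sentence in the message: flush_scheduled_work() also waits for every unrelated item on system_wq, so it must not be called while holding a lock that any of that work could take, and it only waits for work queued before the call, so it closes the race only if the port has already been disabled in the transport (no new teardown can be scheduled) by the time nvmet_port_release() runs.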