Re: [PATCH 00/11] nvmet-fcloop: track resources via reference counting

From: Daniel Wagner
Date: Thu Feb 27 2025 - 11:34:41 EST

Next message: Rafael J. Wysocki: "Re: [PATCH v1 0/5] PM: sleep: Improvements of async suspend and resume of devices"
Previous message: David Jander: "[RFC PATCH 3/7] motion: Add simple-pwm.c PWM based DC motor controller driver"
In reply to: Hannes Reinecke: "Re: [PATCH 11/11] nvmet-fc: inline nvmet_fc_free_hostport"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 26, 2025 at 07:45:52PM +0100, Daniel Wagner wrote:
> static void nvmet_port_subsys_drop_link(struct config_item *parent,
> struct config_item *target)
> {
> [...]
> found:
> list_del(&p->entry);
> nvmet_port_del_ctrls(port, subsys);
> nvmet_port_disc_changed(port, subsys); /* XXX triggers the above UAF */
>
> if (list_empty(&port->subsystems))
> nvmet_disable_port(port);
> up_write(&nvmet_config_sem);
> kfree(p);
> }
>
> The nvmet_port_disc_changed is a bit useless, because these event will
> never be seen by the host. Anyway, more debugging is necessary.

The problem is there is no ref counting for pe->tgtport. And in
nvmet_port_disc_changed needs to take a ref on hostport. I am doing some
more testing and it looks promising. Hopefully this is one of those
famous lost words.

Next message: Rafael J. Wysocki: "Re: [PATCH v1 0/5] PM: sleep: Improvements of async suspend and resume of devices"
Previous message: David Jander: "[RFC PATCH 3/7] motion: Add simple-pwm.c PWM based DC motor controller driver"
In reply to: Hannes Reinecke: "Re: [PATCH 11/11] nvmet-fc: inline nvmet_fc_free_hostport"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]