Merge tag 'nvme-5.17-2022-02-03' of git://git.infradead.org/nvme into block-5.17

axboe · axboe · commit e8db8c9cadac · 2022-02-03T12:37:02.000-07:00
Pull NVMe fixes from Christoph:

"nvme fixes for Linux 5.17

 - fix a use-after-free in rdm and tcp controller reset (Sagi Grimberg)
 - fix the state check in nvmf_ctlr_matches_baseopts (Uday Shankar)"

* tag 'nvme-5.17-2022-02-03' of git://git.infradead.org/nvme:
  nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts()
  nvme-rdma: fix possible use-after-free in transport error_recovery work
  nvme-tcp: fix possible use-after-free in transport error_recovery work
  nvme: fix a possible use-after-free in controller reset during load
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
@@ -4253,7 +4253,14 @@ static void nvme_async_event_work(struct work_struct *work)
 		container_of(work, struct nvme_ctrl, async_event_work);
 
 	nvme_aen_uevent(ctrl);
-	ctrl->ops->submit_async_event(ctrl);
+
+	/*
+	 * The transport drivers must guarantee AER submission here is safe by
+	 * flushing ctrl async_event_work after changing the controller state
+	 * from LIVE and before freeing the admin queue.
+	*/
+	if (ctrl->state == NVME_CTRL_LIVE)
+		ctrl->ops->submit_async_event(ctrl);
 }
 
 static bool nvme_ctrl_pp_status(struct nvme_ctrl *ctrl)
diff --git a/drivers/nvme/host/fabrics.h b/drivers/nvme/host/fabrics.h
@@ -170,6 +170,7 @@ nvmf_ctlr_matches_baseopts(struct nvme_ctrl *ctrl,
 			struct nvmf_ctrl_options *opts)
 {
 	if (ctrl->state == NVME_CTRL_DELETING ||
+	    ctrl->state == NVME_CTRL_DELETING_NOIO ||
 	    ctrl->state == NVME_CTRL_DEAD ||
 	    strcmp(opts->subsysnqn, ctrl->opts->subsysnqn) ||
 	    strcmp(opts->host->nqn, ctrl->opts->host->nqn) ||
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
@@ -1200,6 +1200,7 @@ static void nvme_rdma_error_recovery_work(struct work_struct *work)
 			struct nvme_rdma_ctrl, err_work);
 
 	nvme_stop_keep_alive(&ctrl->ctrl);
+	flush_work(&ctrl->ctrl.async_event_work);
 	nvme_rdma_teardown_io_queues(ctrl, false);
 	nvme_start_queues(&ctrl->ctrl);
 	nvme_rdma_teardown_admin_queue(ctrl, false);
diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
@@ -2096,6 +2096,7 @@ static void nvme_tcp_error_recovery_work(struct work_struct *work)
 	struct nvme_ctrl *ctrl = &tcp_ctrl->ctrl;
 
 	nvme_stop_keep_alive(ctrl);
+	flush_work(&ctrl->async_event_work);
 	nvme_tcp_teardown_io_queues(ctrl, false);
 	/* unquiesce to fail fast pending requests */
 	nvme_start_queues(ctrl);

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,7 @@ nvmf_ctlr_matches_baseopts(struct nvme_ctrl *ctrl,`
`170`	`170`	`struct nvmf_ctrl_options *opts)`
`171`	`171`	`{`
`172`	`172`	`if (ctrl->state == NVME_CTRL_DELETING \|\|`
	`173`	`+ ctrl->state == NVME_CTRL_DELETING_NOIO \|\|`
`173`	`174`	`ctrl->state == NVME_CTRL_DEAD \|\|`
`174`	`175`	`strcmp(opts->subsysnqn, ctrl->opts->subsysnqn) \|\|`
`175`	`176`	`strcmp(opts->host->nqn, ctrl->opts->host->nqn) \|\|`