nvme: Fix ctrl use-after-free during sysfs deletion (b780d741) · Commits · 戴 / test

drivers/nvme/host/core.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -4130,6 +4130,7 @@ int nvme_init_ctrl(struct nvme_ctrl ctrl, struct device dev,
		if (ret)
		goto out_release_instance;

		nvme_get_ctrl(ctrl);
		cdev_init(&ctrl->cdev, &nvme_dev_fops);
		ctrl->cdev.owner = ops->module;
		ret = cdev_device_add(&ctrl->cdev, ctrl->device);
		@@ -4148,6 +4149,7 @@ int nvme_init_ctrl(struct nvme_ctrl ctrl, struct device dev,

		return 0;
		out_free_name:
		nvme_put_ctrl(ctrl);
		kfree_const(ctrl->device->kobj.name);
		out_release_instance:
		ida_simple_remove(&nvme_instance_ida, ctrl->instance);

+1 −3

Original line number	Diff line number	Diff line
		@@ -3181,10 +3181,7 @@ nvme_fc_init_ctrl(struct device dev, struct nvmf_ctrl_options opts,
		goto fail_ctrl;
		}

		nvme_get_ctrl(&ctrl->ctrl);

		if (!queue_delayed_work(nvme_wq, &ctrl->connect_work, 0)) {
		nvme_put_ctrl(&ctrl->ctrl);
		dev_err(ctrl->ctrl.device,
		"NVME-FC{%d}: failed to schedule initial connect\n",
		ctrl->cnum);
		@@ -3209,6 +3206,7 @@ fail_ctrl:

		/* initiate nvme ctrl ref counting teardown */
		nvme_uninit_ctrl(&ctrl->ctrl);
		nvme_put_ctrl(&ctrl->ctrl);

		/* Remove core ctrl ref. */
		nvme_put_ctrl(&ctrl->ctrl);

+0 −1

Original line number	Diff line number	Diff line
		@@ -2802,7 +2802,6 @@ static int nvme_probe(struct pci_dev pdev, const struct pci_device_id id)
		dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev));

		nvme_reset_ctrl(&dev->ctrl);
		nvme_get_ctrl(&dev->ctrl);
		async_schedule(nvme_async_probe, dev);

		return 0;

+1 −2

Original line number	Diff line number	Diff line
		@@ -2043,8 +2043,6 @@ static struct nvme_ctrl nvme_rdma_create_ctrl(struct device dev,
		dev_info(ctrl->ctrl.device, "new ctrl: NQN \"%s\", addr %pISpcs\n",
		ctrl->ctrl.opts->subsysnqn, &ctrl->addr);

		nvme_get_ctrl(&ctrl->ctrl);

		mutex_lock(&nvme_rdma_ctrl_mutex);
		list_add_tail(&ctrl->list, &nvme_rdma_ctrl_list);
		mutex_unlock(&nvme_rdma_ctrl_mutex);
		@@ -2054,6 +2052,7 @@ static struct nvme_ctrl nvme_rdma_create_ctrl(struct device dev,
		out_uninit_ctrl:
		nvme_uninit_ctrl(&ctrl->ctrl);
		nvme_put_ctrl(&ctrl->ctrl);
		nvme_put_ctrl(&ctrl->ctrl);
		if (ret > 0)
		ret = -EIO;
		return ERR_PTR(ret);

+1 −2

Original line number	Diff line number	Diff line
		@@ -2428,8 +2428,6 @@ static struct nvme_ctrl nvme_tcp_create_ctrl(struct device dev,
		dev_info(ctrl->ctrl.device, "new ctrl: NQN \"%s\", addr %pISp\n",
		ctrl->ctrl.opts->subsysnqn, &ctrl->addr);

		nvme_get_ctrl(&ctrl->ctrl);

		mutex_lock(&nvme_tcp_ctrl_mutex);
		list_add_tail(&ctrl->list, &nvme_tcp_ctrl_list);
		mutex_unlock(&nvme_tcp_ctrl_mutex);
		@@ -2439,6 +2437,7 @@ static struct nvme_ctrl nvme_tcp_create_ctrl(struct device dev,
		out_uninit_ctrl:
		nvme_uninit_ctrl(&ctrl->ctrl);
		nvme_put_ctrl(&ctrl->ctrl);
		nvme_put_ctrl(&ctrl->ctrl);
		if (ret > 0)
		ret = -EIO;
		return ERR_PTR(ret);