nvme: remove ns sibling before clearing path

Keith Busch · Christoph Hellwig · commit 48f78be33260 · 2018-10-08T11:53:42.000+02:00
The code had been clearing a namespace being deleted as the current
path while that namespace was still in the path siblings list. It is
possible a new IO could set that namespace back to the current path
since it appeared to be an eligable path to select, which may result in
a use-after-free error.

This patch ensures a namespace being removed is not eligable to be reset
as a current path prior to clearing it as the current path.

Signed-off-by: Keith Busch &lt;keith.busch@intel.com&gt;
Reviewed-by: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
@@ -3143,8 +3143,8 @@ static void nvme_ns_remove(struct nvme_ns *ns)
 	}
 
 	mutex_lock(&ns->ctrl->subsys->lock);
-	nvme_mpath_clear_current_path(ns);
 	list_del_rcu(&ns->siblings);
+	nvme_mpath_clear_current_path(ns);
 	mutex_unlock(&ns->ctrl->subsys->lock);
 
 	down_write(&ns->ctrl->namespaces_rwsem);

Original file line number	Diff line number	Diff line change
`@@ -3143,8 +3143,8 @@ static void nvme_ns_remove(struct nvme_ns *ns)`
`3143`	`3143`	`}`
`3144`	`3144`
`3145`	`3145`	`mutex_lock(&ns->ctrl->subsys->lock);`
`3146`		`- nvme_mpath_clear_current_path(ns);`
`3147`	`3146`	`list_del_rcu(&ns->siblings);`
	`3147`	`+ nvme_mpath_clear_current_path(ns);`
`3148`	`3148`	`mutex_unlock(&ns->ctrl->subsys->lock);`
`3149`	`3149`
`3150`	`3150`	`down_write(&ns->ctrl->namespaces_rwsem);`