On 9/29/22 4:04 AM, Sagi Grimberg wrote:
> index 9bacfd014e3d..f42e6e40d84b 100644
>> --- a/drivers/nvme/host/core.c
>> +++ b/drivers/nvme/host/core.c
>> @@ -385,6 +385,8 @@ static inline void nvme_end_req(struct request *req)
>>  	nvme_end_req_zoned(req);
>>  	nvme_trace_bio_complete(req);
>>  	blk_mq_end_request(req, status);
>> +	if (req->cmd_flags & REQ_NVME_MPATH)
>> +		nvme_mpath_end_request(req);
>
> I guess the order should probably be reversed, because after
> blk_mq_end_request req may become invalid and create UAF?

Yes - blk_mq_end_request() will put the tag, it could be reused by the
time you call nvme_mpath_end_request(). It won't be a UAF as the
requests are allocated upfront and never freed, but the state will be
uncertain at that point.

-- 
Jens Axboe
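Review bot: the ordering in the nvme_end_req hunk is the problem: the two added lines `if (req->cmd_flags & REQ_NVME_MPATH)` / `nvme_mpath_end_request(req);` run after `blk_mq_end_request(req, status);`, and as the thread notes blk_mq_end_request() puts the request's tag, so by the time nvme_mpath_end_request(req) executes the tag may already have been reused and req's state is no longer guaranteed (the thread agrees it is not a UAF, since requests are allocated upfront and never freed, but the state is uncertain). Move the REQ_NVME_MPATH check and the nvme_mpath_end_request(req) call above blk_mq_end_request(req, status) so the multipath end-of-request work runs while req is still owned by this completion path.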