Description
In the Linux kernel, the following vulnerability has been resolved: nvmet: avoid potential UAF in nvmet_req_complete() An nvme target ->queue_response() operation implementation may free the request passed as argument. Such implementation potentially could result in a use after free of the request pointer when percpu_ref_put() is called in nvmet_req_complete(). Avoid such problem by using a local variable to save the sq pointer before calling __nvmet_req_complete(), thus avoiding dereferencing the req pointer after that function call.
Product status
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before e5d99b29012bbf0e86929403209723b2806500c1
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before fafcb4b26393870c45462f9af6a48e581dbbcf7e
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before 04c394208831d5e0d5cfee46722eb0f033cd4083
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before a6317235da8aa7cb97529ebc8121cc2a4c4c437a
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before f1d5888a5efe345b63c430b256e95acb0a475642
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before bcd535f07c58342302a2cd2bdd8894fe0872c8a9
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before 8ed9813871038b25a934b21ab76b5b7dbf44fc3a
a07b4970f464f13640e28e16dad6cfa33647cc99 (git) before 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286
4.8
Any version before 4.8
4.14.311 (semver)
4.19.279 (semver)
5.4.238 (semver)
5.10.176 (semver)
5.15.104 (semver)
6.1.21 (semver)
6.2.8 (semver)
6.3 (original_commit_for_fix)
References
git.kernel.org/...c/e5d99b29012bbf0e86929403209723b2806500c1
git.kernel.org/...c/fafcb4b26393870c45462f9af6a48e581dbbcf7e
git.kernel.org/...c/04c394208831d5e0d5cfee46722eb0f033cd4083
git.kernel.org/...c/a6317235da8aa7cb97529ebc8121cc2a4c4c437a
git.kernel.org/...c/f1d5888a5efe345b63c430b256e95acb0a475642
git.kernel.org/...c/bcd535f07c58342302a2cd2bdd8894fe0872c8a9
git.kernel.org/...c/8ed9813871038b25a934b21ab76b5b7dbf44fc3a
git.kernel.org/...c/6173a77b7e9d3e202bdb9897b23f2a8afe7bf286