From 82e3ab61c59d27c511fbc32ae6c530c5b60bf586 Mon Sep 17 00:00:00 2001 From: Alistair Francis Date: Thu, 16 Apr 2026 09:02:50 +1000 Subject: [PATCH] nvmet-tcp: Ensure old keys are freed before replacing new ones Previously after the host sends a REPLACETLSPSK we freed the TLS keys as part of calling nvmet_auth_sq_free() on success. A recent change ensured we don't free the keys, allowing REPLACETLSPSK to work. But that fix results in a kernel memory leak when running ``` nvme_trtype=loop ./check nvme/041 nvme/042 nvme/043 nvme/044 nvme/045 nvme/051 nvme/052 echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak ``` We can't free the keys on a successful DHCHAP operation, otherwise the next REPLACETLSPSK will fail, so instead let's free them before we replace them as part of nvmet_auth_challenge(). This ensures that REPLACETLSPSK works, while also avoiding any memory leaks. Fixes: 2e6eb6b277f59 ("nvmet-tcp: Don't free SQ on authentication success") Signed-off-by: Alistair Francis Reviewed-by: Christoph Hellwig --- drivers/nvme/target/fabrics-cmd-auth.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c index f1e613e7c63e..b5d5e612c33e 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -411,6 +411,13 @@ static int nvmet_auth_challenge(struct nvmet_req *req, void *d, int al) int hash_len = nvme_auth_hmac_hash_len(ctrl->shash_id); int data_size = sizeof(*d) + hash_len; + /* + * If replacing the keys then we have previous successful keys + * that might be leaked, so we need to free them here. + */ + if (req->sq->dhchap_c1) + nvmet_auth_sq_free(req->sq); + if (ctrl->dh_tfm) data_size += ctrl->dh_keysize; if (al < data_size) {