From: Daniel Hodges
Subject: [PATCH] nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
Date: Sat, 31 Jan 2026 19:08:40 -0800
Message-ID: <20260201030840.3173507-1-hodgesd@meta.com>
X-Mailer: git-send-email 2.47.3
X-Mailing-List: linux-kernel@vger.kernel.org

The DHCHAP secrets (dhchap_secret and dhchap_ctrl_secret) contain
authentication key material for NVMe-oF. Use kfree_sensitive() instead
of kfree() in nvmf_free_options() to ensure secrets are zeroed before
the memory is freed, preventing recovery from freed pages.

Signed-off-by: Daniel Hodges
Reviewed-by: Christoph Hellwig
---
 drivers/nvme/host/fabrics.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c index 55a8afd2efd5..d37cb140d832 100644 --- a/drivers/nvme/host/fabrics.c +++ b/drivers/nvme/host/fabrics.c @@ -1283,22 +1283,22 @@ void nvmf_free_options(struct nvmf_ctrl_options *op= ts) { nvmf_host_put(opts->host); key_put(opts->keyring); key_put(opts->tls_key); kfree(opts->transport); kfree(opts->traddr); kfree(opts->trsvcid); kfree(opts->subsysnqn); kfree(opts->host_traddr); kfree(opts->host_iface); - kfree(opts->dhchap_secret); - kfree(opts->dhchap_ctrl_secret); + kfree_sensitive(opts->dhchap_secret); + kfree_sensitive(opts->dhchap_ctrl_secret); kfree(opts); } EXPORT_SYMBOL_GPL(nvmf_free_options); =20 #define NVMF_REQUIRED_OPTS (NVMF_OPT_TRANSPORT | NVMF_OPT_NQN) #define NVMF_ALLOWED_OPTS (NVMF_OPT_QUEUE_SIZE | NVMF_OPT_NR_IO_QUEUES | \ NVMF_OPT_KATO | NVMF_OPT_HOSTNQN | \ NVMF_OPT_HOST_ID | NVMF_OPT_DUP_CONNECT |\ NVMF_OPT_DISABLE_SQFLOW | NVMF_OPT_DISCOVERY |\ NVMF_OPT_FAIL_FAST_TMO | NVMF_OPT_DHCHAP_SECRET |\ --=20 2.47.3
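
Review bot: in nvmf_free_options() only the two kfree() calls on opts->dhchap_secret and opts->dhchap_ctrl_secret are converted, and the commit message does not say whether this is the only place these strings are freed or replaced. If any other site drops one of them with plain kfree() (for example when a previously stored secret is released before a new one is assigned), the old key material stays in freed memory and the zeroing guarantee described in the log does not hold. Please either convert those sites in this patch or state in the log that nvmf_free_options() is the only free site for both fields. No NULL guard is needed around the new calls, since kfree_sensitive() accepts NULL just as kfree() does.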