| From 5e7d5e2988ce64c520c9451d3aaf6fa8904528dd Mon Sep 17 00:00:00 2001 |
| From: Sagi Grimberg <sagi@grimberg.me> |
| Date: Tue, 24 Sep 2019 11:27:05 -0700 |
| Subject: [PATCH] nvme-rdma: fix possible use-after-free in connect timeout |
| |
| commit 67b483dd03c4cd9e90e4c3943132dce514ea4e88 upstream. |
| |
| If the connect times out, we may have already destroyed the |
| queue in the timeout handler, so test if the queue is still |
| allocated in the connect error handler. |
| |
| Reported-by: Yi Zhang <yi.zhang@redhat.com> |
| Signed-off-by: Sagi Grimberg <sagi@grimberg.me> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c |
| index 7b074323bcdf..59e1cedfca92 100644 |
| --- a/drivers/nvme/host/rdma.c |
| +++ b/drivers/nvme/host/rdma.c |
| @@ -614,7 +614,8 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx) |
| if (!ret) { |
| set_bit(NVME_RDMA_Q_LIVE, &queue->flags); |
| } else { |
| - __nvme_rdma_stop_queue(queue); |
| + if (test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)) |
| + __nvme_rdma_stop_queue(queue); |
| dev_info(ctrl->ctrl.device, |
| "failed to connect queue: %d ret=%d\n", idx, ret); |
| } |
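Review bot: In the `else` branch, the new `test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)` check and the `__nvme_rdma_stop_queue(queue)` call that follows are separate steps with no lock visible in the hunk, so the guard narrows the use-after-free window rather than provably closing it. If the timeout handler named in the commit message can run concurrently with this error path, the queue could still be torn down between the test and the stop; it is worth confirming what serializes the two, which these lines do not show. A comment above the check would record why it is there, e.g. `/* the timeout handler may already have destroyed the queue */`. The body of nvme_rdma_start_queue begins outside the hunk.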
| -- |
| 2.7.4 |
| |