| From df615a1d939aa3820332e6a8b2ab76f806e104a4 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 12 Oct 2020 16:10:40 +0800 |
| Subject: nvme-rdma: fix crash when connect rejected |
| |
| From: Chao Leng <lengchao@huawei.com> |
| |
| [ Upstream commit 43efdb8e870ee0f58633fd579aa5b5185bf5d39e ] |
| |
| A crash can happen when a connect is rejected. The host establishes |
| the connection after receiving ConnectReply, and then continues to send |
| the fabrics Connect command. If the controller does not receive the |
| ReadyToUse capsule, the host may receive a ConnectReject reply. |
| |
| Call nvme_rdma_destroy_queue_ib after the host received the |
| RDMA_CM_EVENT_REJECTED event. Then when the fabrics Connect command |
| times out, nvme_rdma_timeout calls nvme_rdma_complete_rq to fail the |
| request. A crash happens due to use after free in |
| nvme_rdma_complete_rq. |
| |
| nvme_rdma_destroy_queue_ib is redundant when handling the |
| RDMA_CM_EVENT_REJECTED event as nvme_rdma_destroy_queue_ib is already |
| called in connection failure handler. |
| |
| Signed-off-by: Chao Leng <lengchao@huawei.com> |
| Reviewed-by: Sagi Grimberg <sagi@grimberg.me> |
| Signed-off-by: Christoph Hellwig <hch@lst.de> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/nvme/host/rdma.c | 1 - |
| 1 file changed, 1 deletion(-) |
| |
| diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c |
| index 9e378d0a0c01c..116902b1b2c34 100644 |
| --- a/drivers/nvme/host/rdma.c |
| +++ b/drivers/nvme/host/rdma.c |
| @@ -1926,7 +1926,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, |
| complete(&queue->cm_done); |
| return 0; |
| case RDMA_CM_EVENT_REJECTED: |
| - nvme_rdma_destroy_queue_ib(queue); |
| cm_error = nvme_rdma_conn_rejected(queue, ev); |
| break; |
| case RDMA_CM_EVENT_ROUTE_ERROR: |
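Review bot: In the RDMA_CM_EVENT_REJECTED case, nothing left in the hunk shows where the queue's IB resources are now released. The commit message says the connection failure handler already calls nvme_rdma_destroy_queue_ib, but that caller is outside the visible context, so the safety of this deletion cannot be confirmed from the diff alone. A one-line comment above `cm_error = nvme_rdma_conn_rejected(queue, ev);` stating that teardown is left to the connection failure path, because the pending fabrics Connect request can still be completed by nvme_rdma_timeout, would keep a later cleanup from re-adding the call and reintroducing the use after free. The trailers also carry no Fixes: tag, which would help stable maintainers decide which trees need this backport.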
| -- |
| 2.27.0 |
| |