diff options
author | Sagi Grimberg <sagi@grimberg.me> | 2019-09-24 11:27:05 -0700 |
---|---|---|
committer | Sagi Grimberg <sagi@grimberg.me> | 2019-09-27 10:24:53 -0700 |
commit | 67b483dd03c4cd9e90e4c3943132dce514ea4e88 (patch) | |
tree | 71f11ac206a3f3047eeb3b06ddb79dae8189dd47 /drivers | |
parent | f968688f44f529f96a64c9853fb2fb5d0a329aff (diff) | |
download | lwn-67b483dd03c4cd9e90e4c3943132dce514ea4e88.tar.gz lwn-67b483dd03c4cd9e90e4c3943132dce514ea4e88.zip |
nvme-rdma: fix possible use-after-free in connect timeout
If the connect times out, we may have already destroyed the
queue in the timeout handler, so test if the queue is still
allocated in the connect error handler.
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/nvme/host/rdma.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index 9d16dfc29368..4d280160dd3f 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -620,7 +620,8 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx) if (!ret) { set_bit(NVME_RDMA_Q_LIVE, &queue->flags); } else { - __nvme_rdma_stop_queue(queue); + if (test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)) + __nvme_rdma_stop_queue(queue); dev_info(ctrl->ctrl.device, "failed to connect queue: %d ret=%d\n", idx, ret); } |