nvme-rdma: fix possible use-after-free in connect timeout

If the connect times out, we may have already destroyed the queue in the timeout handler, so test if the queue is still allocated in the connect error handler. Reported-by: N Yi Zhang <yi.zhang@redhat.com> Signed-off-by: N Sagi Grimberg <sagi@grimberg.me>

nvme-rdma: fix possible use-after-free in connect timeout
If the connect times out, we may have already destroyed the queue in the timeout handler, so test if the queue is still allocated in the connect error handler. Reported-by: N Yi Zhang <yi.zhang@redhat.com> Signed-off-by: N Sagi Grimberg <sagi@grimberg.me>
67b483dd · Sagi Grimberg · f968688f · 67b483dd
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/nvme/host/rdma.c drivers/nvme/host/rdma.c +2 -1

未找到文件。
--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -620,7 +620,8 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx)
 	if (!ret) {
 		set_bit(NVME_RDMA_Q_LIVE, &queue->flags);
 	} else {
-		__nvme_rdma_stop_queue(queue);
+		if (test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags))
+			__nvme_rdma_stop_queue(queue);
 		dev_info(ctrl->ctrl.device,
 			"failed to connect queue: %d ret=%d\n", idx, ret);
 	}