diff options
| author | Bart Van Assche <bart.vanassche@sandisk.com> | 2016-11-01 12:36:46 -0400 |
|---|---|---|
| committer | Sagi Grimberg <sagi@grimberg.me> | 2016-11-13 19:08:50 -0500 |
| commit | fa14a0acea1ffe67913ba384a2897130a36dfe03 (patch) | |
| tree | ea33c1c7340d3f77d19820172d2906cf73b38c23 | |
| parent | a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (diff) | |
nvmet-rdma: Fix possible NULL deref when handling rdma cm events
When we initiate queue teardown sequence we call rdma_destroy_qp
which clears cm_id->qp, afterwards we call rdma_destroy_id, but
we might see a rdma_cm event in between with a cleared cm_id->qp
so watch out for that and silently ignore the event because this
means that the queue teardown sequence is in progress.
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
| -rw-r--r-- | drivers/nvme/target/rdma.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c index f8d23999e0f2..cf60759cc169 100644 --- a/drivers/nvme/target/rdma.c +++ b/drivers/nvme/target/rdma.c | |||
| @@ -1352,7 +1352,13 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, | |||
| 1352 | case RDMA_CM_EVENT_ADDR_CHANGE: | 1352 | case RDMA_CM_EVENT_ADDR_CHANGE: |
| 1353 | case RDMA_CM_EVENT_DISCONNECTED: | 1353 | case RDMA_CM_EVENT_DISCONNECTED: |
| 1354 | case RDMA_CM_EVENT_TIMEWAIT_EXIT: | 1354 | case RDMA_CM_EVENT_TIMEWAIT_EXIT: |
| 1355 | nvmet_rdma_queue_disconnect(queue); | 1355 | /* |
| 1356 | * We might end up here when we already freed the qp | ||
| 1357 | * which means queue release sequence is in progress, | ||
| 1358 | * so don't get in the way... | ||
| 1359 | */ | ||
| 1360 | if (queue) | ||
| 1361 | nvmet_rdma_queue_disconnect(queue); | ||
| 1356 | break; | 1362 | break; |
| 1357 | case RDMA_CM_EVENT_DEVICE_REMOVAL: | 1363 | case RDMA_CM_EVENT_DEVICE_REMOVAL: |
| 1358 | ret = nvmet_rdma_device_removal(cm_id, queue); | 1364 | ret = nvmet_rdma_device_removal(cm_id, queue); |