nvme-rdma: fix possible free of a non-allocated async event buffer

If nvme_rdma_configure_admin_queue fails before we allocated the async event buffer, we will falsly free it because nvme_rdma_free_queue is freeing it. Fix it by allocating the buffer right after nvme_rdma_alloc_queue and free it right before nvme_rdma_queue_free to maintain orderly reverse cleanup sequence. Reported-by: Israel Rukshin <israelr@mellanox.com> Signed-off-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Max Gurtovoy <maxg@mellanox.com> Signed-off-by: Christoph Hellwig <hch@lst.de>
author: Sagi Grimberg <sagi@grimberg.me> 2018-06-19 08:34:10 -0400
committer: Christoph Hellwig <hch@lst.de> 2018-06-20 08:20:28 -0400
commit: 94e42213cc1ae41c57819539c0130f8dfc69d718 (patch)
tree: 9e9f01f9576663e64878e24ee25373ee7f712dac
parent: 3d0641015bf73aaa1cb54c936674959e7805070f (diff)
1 files changed, 11 insertions, 13 deletions
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
index bcb0e5d6343d..f9affb71ac85 100644
--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -560,12 +560,6 @@ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue)
        if (!test_and_clear_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags))
                return;
-        if (nvme_rdma_queue_idx(queue) == 0) {
-                nvme_rdma_free_qe(queue->device->dev,
-                        &queue->ctrl->async_event_sqe,
-                        sizeof(struct nvme_command), DMA_TO_DEVICE);
-        }
        nvme_rdma_destroy_queue_ib(queue);
        rdma_destroy_id(queue->cm_id);
 }
@@ -739,6 +733,8 @@ static void nvme_rdma_destroy_admin_queue(struct nvme_rdma_ctrl *ctrl,
                blk_cleanup_queue(ctrl->ctrl.admin_q);
                nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset);
        }
+        nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,
+                sizeof(struct nvme_command), DMA_TO_DEVICE);
        nvme_rdma_free_queue(&ctrl->queues[0]);
 }
@@ -755,11 +751,16 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl,
        ctrl->max_fr_pages = nvme_rdma_get_max_fr_pages(ctrl->device->dev);
+        error = nvme_rdma_alloc_qe(ctrl->device->dev, &ctrl->async_event_sqe,
+                        sizeof(struct nvme_command), DMA_TO_DEVICE);
+        if (error)
+                goto out_free_queue;
        if (new) {
                ctrl->ctrl.admin_tagset = nvme_rdma_alloc_tagset(&ctrl->ctrl, true);
                if (IS_ERR(ctrl->ctrl.admin_tagset)) {
                        error = PTR_ERR(ctrl->ctrl.admin_tagset);
-                        goto out_free_queue;
+                        goto out_free_async_qe;
                }
                ctrl->ctrl.admin_q = blk_mq_init_queue(&ctrl->admin_tag_set);
@@ -795,12 +796,6 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl,
        if (error)
                goto out_stop_queue;
-        error = nvme_rdma_alloc_qe(ctrl->queues[0].device->dev,
-                        &ctrl->async_event_sqe, sizeof(struct nvme_command),
-                        DMA_TO_DEVICE);
-        if (error)
-                goto out_stop_queue;
        return 0;
 out_stop_queue:
@@ -811,6 +806,9 @@ out_cleanup_queue:
 out_free_tagset:
        if (new)
                nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset);
+out_free_async_qe:
+        nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,
+                sizeof(struct nvme_command), DMA_TO_DEVICE);
 out_free_queue:
        nvme_rdma_free_queue(&ctrl->queues[0]);
        return error;
author	Sagi Grimberg <sagi@grimberg.me>	2018-06-19 08:34:10 -0400
committer	Christoph Hellwig <hch@lst.de>	2018-06-20 08:20:28 -0400
commit	94e42213cc1ae41c57819539c0130f8dfc69d718 (patch)
tree	9e9f01f9576663e64878e24ee25373ee7f712dac
parent	3d0641015bf73aaa1cb54c936674959e7805070f (diff)