nvme-rdma: fix possible use-after-free in connect timeout

[ Upstream commit 67b483dd03 ] If the connect times out, we may have already destroyed the queue in the timeout handler, so test if the queue is still allocated in the connect error handler. Reported-by: Yi Zhang <yi.zhang@redhat.com> Signed-off-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-12-06 01:49:46 +00:00 · 2019-09-24 11:27:05 -07:00
parent b1fad53d75
commit 8bdf437e0b
1 changed files with 2 additions and 1 deletions
--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -620,6 +620,7 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx)
 	if (!ret) {
 		set_bit(NVME_RDMA_Q_LIVE, &queue->flags);
 	} else {
+		if (test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags))
 			__nvme_rdma_stop_queue(queue);
 		dev_info(ctrl->ctrl.device,
 			"failed to connect queue: %d ret=%d\n", idx, ret);