From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yi Zhang, Sagi Grimberg, Sasha Levin
Subject: [PATCH 5.3 025/197] nvme-rdma: fix possible use-after-free in connect timeout
Date: Sun, 27 Oct 2019 21:59:03 +0100
Message-Id: <20191027203353.061786254@linuxfoundation.org>
In-Reply-To: <20191027203351.684916567@linuxfoundation.org>
References: <20191027203351.684916567@linuxfoundation.org>

From: Sagi Grimberg

[ Upstream commit 67b483dd03c4cd9e90e4c3943132dce514ea4e88 ]

If the connect times out, we may have already destroyed the queue in the
timeout handler, so test if the queue is still allocated in the connect
error handler.

Reported-by: Yi Zhang
Signed-off-by: Sagi Grimberg
Signed-off-by: Sasha Levin
--- drivers/nvme/host/rdma.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index cc1956349a2af..842ef876724f7 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -620,7 +620,8 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx) if (!ret) { set_bit(NVME_RDMA_Q_LIVE, &queue->flags); } else { - __nvme_rdma_stop_queue(queue); + if (test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)) + __nvme_rdma_stop_queue(queue); dev_info(ctrl->ctrl.device, "failed to connect queue: %d ret=%d\n", idx, ret); } -- 2.20.1
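Review bot: In the else branch of nvme_rdma_start_queue(), the new test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags) and the following __nvme_rdma_stop_queue(queue) are a separate check and act, and nothing in the hunk shows what prevents the timeout handler from destroying the queue between the two. If the handler can run concurrently with this error path, the use-after-free window is narrowed rather than closed. Please state in the commit message or in a comment above the check what serializes this path against the timeout handler, or perform the check and the stop under that same serialization. A one-line comment explaining why a queue that failed to connect may already be unallocated would also help, since the reason for the guard is not obvious from the code alone.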