[PATCH] nvme-rdma: fix crash when connect rejected
Chao Leng
lengchao at huawei.com
Mon Oct 12 04:10:40 EDT 2020
A crash happened when connect rejected. host establish the connect after
received ConnectReply, and then continue to send FabricsConnect.
If target do not receive ReadyToUse, host may receive ConnectReject.
Call nvme_rdma_destroy_queue_ib after host received the event of
RDMA_CM_EVENT_REJECTED. Then the command of FabricsConnect timeout,
nvme_rdma_timeout call nvme_rdma_complete_rq to fail the request.
The crash happened due to use after free in nvme_rdma_complete_rq.
nvme_rdma_destroy_queue_ib is redundant when handle the event of
RDMA_CM_EVENT_REJECTED. nvme_rdma_destroy_queue_ib is already
called in the error handling process of connection failure.
Signed-off-by: Chao Leng <lengchao at huawei.com>
---
drivers/nvme/host/rdma.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
index 9e378d0a0c01..116902b1b2c3 100644
--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -1926,7 +1926,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id,
complete(&queue->cm_done);
return 0;
case RDMA_CM_EVENT_REJECTED:
- nvme_rdma_destroy_queue_ib(queue);
cm_error = nvme_rdma_conn_rejected(queue, ev);
break;
case RDMA_CM_EVENT_ROUTE_ERROR:
--
2.16.4
More information about the Linux-nvme
mailing list