summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMaurizio Lombardi <mlombard@redhat.com>2023-01-27 18:42:37 +0300
committerChristoph Hellwig <hch@lst.de>2023-02-01 16:18:46 +0300
commitfd62678ab55cb01e11a404d302cdade222bf4022 (patch)
treec20351bc08526ced74526ad304c4b54546e70bad
parent0cab4404874f2de52617de8400c844891c6ea1ce (diff)
downloadlinux-fd62678ab55cb01e11a404d302cdade222bf4022.tar.xz
nvme: clear the request_queue pointers on failure in nvme_alloc_admin_tag_set
If nvme_alloc_admin_tag_set() fails, the admin_q and fabrics_q pointers are left with an invalid, non-NULL value. Other functions may then check the pointers and dereference them, e.g. in nvme_probe() -> out_disable: -> nvme_dev_remove_admin(). Fix the bug by setting admin_q and fabrics_q to NULL in case of error. Also use the set variable to free the tag_set as ctrl->admin_tagset isn't initialized yet. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Signed-off-by: Christoph Hellwig <hch@lst.de>
-rw-r--r--drivers/nvme/host/core.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 2990ed331a1a..1c333ce64bd4 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4892,7 +4892,9 @@ out_cleanup_admin_q:
blk_mq_destroy_queue(ctrl->admin_q);
blk_put_queue(ctrl->admin_q);
out_free_tagset:
- blk_mq_free_tag_set(ctrl->admin_tagset);
+ blk_mq_free_tag_set(set);
+ ctrl->admin_q = NULL;
+ ctrl->fabrics_q = NULL;
return ret;
}
EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);