authorBart Van Assche <bart.vanassche@sandisk.com>2016-11-01 19:36:46 +0300
committerSagi Grimberg <sagi@grimberg.me>2016-11-14 03:08:50 +0300
commitfa14a0acea1ffe67913ba384a2897130a36dfe03 (patch)
treeea33c1c7340d3f77d19820172d2906cf73b38c23 /drivers
parenta25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (diff)
nvmet-rdma: Fix possible NULL deref when handling rdma cm events
When we initiate the queue teardown sequence we call rdma_destroy_qp, which clears cm_id->qp, and afterwards we call rdma_destroy_id. We might see an rdma_cm event in between with a cleared cm_id->qp, so watch out for that and silently ignore the event, because this means that the queue teardown sequence is in progress. Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/nvme/target/rdma.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
index f8d23999e0f2..cf60759cc169 100644
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -1352,7 +1352,13 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id,
case RDMA_CM_EVENT_ADDR_CHANGE:
case RDMA_CM_EVENT_DISCONNECTED:
case RDMA_CM_EVENT_TIMEWAIT_EXIT:
- nvmet_rdma_queue_disconnect(queue);
+ /*
+ * We might end up here when we already freed the qp
+ * which means queue release sequence is in progress,
+ * so don't get in the way...
+ */
+ if (queue)
+ nvmet_rdma_queue_disconnect(queue);
break;
case RDMA_CM_EVENT_DEVICE_REMOVAL:
ret = nvmet_rdma_device_removal(cm_id, queue);
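Review bot: The new `if (queue)` guard only helps when `cm_id->qp` was already cleared at the point where the handler derived `queue`, and that lookup is above the hunk and not visible here. If teardown can run between that lookup and the call to `nvmet_rdma_queue_disconnect(queue)`, the pointer would be non-NULL but stale, so it is worth confirming that something keeps the queue alive while a handler is running. The comment could state that invariant, for example `* queue is NULL here because rdma_destroy_qp() already cleared cm_id->qp; the queue cannot be freed while this handler runs because <reason>.` The `RDMA_CM_EVENT_DEVICE_REMOVAL` case just below still passes `queue` unguarded to `nvmet_rdma_device_removal()`, so that callee should be checked for NULL tolerance on the same teardown path. The body of `nvmet_rdma_cm_handler` starts and ends outside this hunk.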