nvme-rdma: fix possible double free of controller async event buffer (682630f0) · Commits · e / devices / android_kernel_fairphone_FP5

If reconnect/reset failed where the controller async event buffer was freed, we might end up freeing it again as we call nvme_rdma_destroy_admin_queue again in the remove path. Given that the sequence is guaranteed to serialize by .ctrl_stop, we simply set ctrl->async_event_sqe.data to NULL and don't free it in future visits. Reported-by:

Max Gurtovoy <maxg@mellanox.com> Tested-by:

Max Gurtovoy <maxg@mellanox.com> Signed-off-by:

Sagi Grimberg <sagi@grimberg.me> Signed-off-by:

Christoph Hellwig <hch@lst.de>

drivers/nvme/host/rdma.c

+5 −2

Original line number	Original line	Diff line number	Diff line
	@@ -732,8 +732,11 @@ static void nvme_rdma_destroy_admin_queue(struct nvme_rdma_ctrl *ctrl,
	blk_cleanup_queue(ctrl->ctrl.admin_q);		blk_cleanup_queue(ctrl->ctrl.admin_q);
	nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset);		nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset);
	}		}
			if (ctrl->async_event_sqe.data) {
	nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,		nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,
	sizeof(struct nvme_command), DMA_TO_DEVICE);		sizeof(struct nvme_command), DMA_TO_DEVICE);
			ctrl->async_event_sqe.data = NULL;
			}
	nvme_rdma_free_queue(&ctrl->queues[0]);		nvme_rdma_free_queue(&ctrl->queues[0]);
	}		}