nvmet-rdma: Fix possible NULL deref when handling rdma cm events (fa14a0ac) · Commits · e / devices / android_kernel_oneplus_sm8150

When we initiate queue teardown sequence we call rdma_destroy_qp which clears cm_id->qp, afterwards we call rdma_destroy_id, but we might see a rdma_cm event in between with a cleared cm_id->qp so watch out for that and silently ignore the event because this means that the queue teardown sequence is in progress. Signed-off-by:

Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by:

Sagi Grimberg <sagi@grimberg.me>

drivers/nvme/target/rdma.c

+7 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1352,6 +1352,12 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id,
	case RDMA_CM_EVENT_ADDR_CHANGE:		case RDMA_CM_EVENT_ADDR_CHANGE:
	case RDMA_CM_EVENT_DISCONNECTED:		case RDMA_CM_EVENT_DISCONNECTED:
	case RDMA_CM_EVENT_TIMEWAIT_EXIT:		case RDMA_CM_EVENT_TIMEWAIT_EXIT:
			/*
			* We might end up here when we already freed the qp
			* which means queue release sequence is in progress,
			* so don't get in the way...
			*/
			if (queue)
	nvmet_rdma_queue_disconnect(queue);		nvmet_rdma_queue_disconnect(queue);
	break;		break;
	case RDMA_CM_EVENT_DEVICE_REMOVAL:		case RDMA_CM_EVENT_DEVICE_REMOVAL: