Commit a87da50f authored Oct 12, 2020 by Chao Leng Committed by Christoph Hellwig Oct 22, 2020

nvme-rdma: fix crash due to incorrect cqe



A crash happened due to injecting error test.
When a CQE has incorrect command id due do an error injection, the host
may find a request which is already freed.  Dereferencing req->mr->rkey
causes a crash in nvme_rdma_process_nvme_rsp because the mr is already
freed.

Add a check for the mr to fix it.

Signed-off-by: Chao Leng <lengchao@huawei.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>

parent 43efdb8e

drivers/nvme/host/rdma.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -1730,10 +1730,11 @@ static void nvme_rdma_process_nvme_rsp(struct nvme_rdma_queue *queue,
		req->result = cqe->result;

		if (wc->wc_flags & IB_WC_WITH_INVALIDATE) {
		if (unlikely(wc->ex.invalidate_rkey != req->mr->rkey)) {
		if (unlikely(!req->mr \|\|
		wc->ex.invalidate_rkey != req->mr->rkey)) {
		dev_err(queue->ctrl->ctrl.device,
		"Bogus remote invalidation for rkey %#x\n",
		req->mr->rkey);
		req->mr ? req->mr->rkey : 0);
		nvme_rdma_error_recovery(queue->ctrl);
		}
		} else if (req->mr) {

Admin message