nvmet-rdma: fix response use after free

Israel Rukshin · Christoph Hellwig · commit d7dcdf9d4e15 · 2018-12-07T07:11:11.000-08:00
nvmet_rdma_release_rsp() may free the response before using it at error flow. Fixes: 8407879 ("nvmet-rdma: fix possible bogus dereference under heavy load") Signed-off-by: Israel Rukshin <israelr@mellanox.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Max Gurtovoy <maxg@mellanox.com> Signed-off-by: Christoph Hellwig <hch@lst.de>
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
@@ -529,14 +529,15 @@ static void nvmet_rdma_send_done(struct ib_cq *cq, struct ib_wc *wc)
 {
 	struct nvmet_rdma_rsp *rsp =
 		container_of(wc->wr_cqe, struct nvmet_rdma_rsp, send_cqe);
+	struct nvmet_rdma_queue *queue = cq->cq_context;
 
 	nvmet_rdma_release_rsp(rsp);
 
 	if (unlikely(wc->status != IB_WC_SUCCESS &&
 		     wc->status != IB_WC_WR_FLUSH_ERR)) {
 		pr_err("SEND for CQE 0x%p failed with status %s (%d).\n",
 			wc->wr_cqe, ib_wc_status_msg(wc->status), wc->status);
-		nvmet_rdma_error_comp(rsp->queue);
+		nvmet_rdma_error_comp(queue);
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -529,14 +529,15 @@ static void nvmet_rdma_send_done(struct ib_cq cq, struct ib_wc wc)`
`529`	`529`	`{`
`530`	`530`	`struct nvmet_rdma_rsp *rsp =`
`531`	`531`	`container_of(wc->wr_cqe, struct nvmet_rdma_rsp, send_cqe);`
	`532`	`+ struct nvmet_rdma_queue *queue = cq->cq_context;`
`532`	`533`
`533`	`534`	`nvmet_rdma_release_rsp(rsp);`
`534`	`535`
`535`	`536`	`if (unlikely(wc->status != IB_WC_SUCCESS &&`
`536`	`537`	`wc->status != IB_WC_WR_FLUSH_ERR)) {`
`537`	`538`	`pr_err("SEND for CQE 0x%p failed with status %s (%d).\n",`
`538`	`539`	`wc->wr_cqe, ib_wc_status_msg(wc->status), wc->status);`
`539`		`- nvmet_rdma_error_comp(rsp->queue);`
	`540`	`+ nvmet_rdma_error_comp(queue);`
`540`	`541`	`}`
`541`	`542`	`}`
`542`	`543`