diff options
| author | Steve Wise <[email protected]> | 2016-11-08 17:16:02 +0000 |
|---|---|---|
| committer | Sagi Grimberg <[email protected]> | 2016-11-14 00:08:53 +0000 |
| commit | c8dbc37cd81d4705fce51123f5d81ea3267a5b88 (patch) | |
| tree | 930d2f3e3778b18d28f8cde75bf256111de120cb /lib/debugobjects.c | |
| parent | nvmet-rdma: don't forget to delete a queue from the list of connection failed (diff) | |
| download | kernel-c8dbc37cd81d4705fce51123f5d81ea3267a5b88.tar.gz kernel-c8dbc37cd81d4705fce51123f5d81ea3267a5b88.zip | |
nvme-rdma: stop and free io queues on connect failure
While testing nvme-rdma with the spdk nvmf target over iw_cxgb4, I
configured the target (mistakenly) to generate an error creating the
NVMF IO queues. This resulted a "Invalid SQE Parameter" error sent back
to the host on the first IO queue connect:
[ 9610.928182] nvme nvme1: queue_size 128 > ctrl maxcmd 120, clamping down
[ 9610.938745] nvme nvme1: creating 32 I/O queues.
So nvmf_connect_io_queue() returns an error to
nvmf_connect_io_queue() / nvmf_connect_io_queues(), and that
is returned to nvme_rdma_create_io_queues(). In the error path,
nvmf_rdma_create_io_queues() frees the queue tagset memory _before_
stopping and freeing the IB queues, which causes yet another
touch-after-free crash due to SQ CQEs being flushed after the ib_cqe
structs pointed-to by the flushed WRs have been freed (since they are
part of the nvme_rdma_request struct).
The fix is to stop and free the queues in nvmf_connect_io_queues()
if there is an error connecting any of the queues.
Signed-off-by: Steve Wise <[email protected]>
Signed-off-by: Sagi Grimberg <[email protected]>
Diffstat (limited to 'lib/debugobjects.c')
0 files changed, 0 insertions, 0 deletions