Commit 849c6e77 authored by Jens Axboe's avatar Jens Axboe

NVMe: fix race condition in nvme_submit_sync_cmd()

If we have a race between the schedule timing out and the command
completing, we could have the task issuing the command exit
nvme_submit_sync_cmd() while the irq is running sync_completion().
If that happens, we could be corrupting memory, since the stack
that held 'cmdinfo' is no longer valid.

Fix this by always calling nvme_abort_cmd_info(). Once that call
completes, we know that we have either run sync_completion() if
the completion came in, or that we will never run it since we now
have special_completion() as the command callback handler.
Acked-by: default avatarKeith Busch <keith.busch@intel.com>
Signed-off-by: default avatarJens Axboe <axboe@fb.com>
parent fe54303e
...@@ -804,12 +804,19 @@ static int nvme_submit_sync_cmd(struct request *req, struct nvme_command *cmd, ...@@ -804,12 +804,19 @@ static int nvme_submit_sync_cmd(struct request *req, struct nvme_command *cmd,
nvme_finish_cmd(nvmeq, req->tag, NULL); nvme_finish_cmd(nvmeq, req->tag, NULL);
set_current_state(TASK_RUNNING); set_current_state(TASK_RUNNING);
} }
schedule_timeout(timeout); ret = schedule_timeout(timeout);
if (cmdinfo.status == -EINTR) { /*
nvme_abort_cmd_info(nvmeq, blk_mq_rq_to_pdu(req)); * Ensure that sync_completion has either run, or that it will
* never run.
*/
nvme_abort_cmd_info(nvmeq, blk_mq_rq_to_pdu(req));
/*
* We never got the completion
*/
if (cmdinfo.status == -EINTR)
return -EINTR; return -EINTR;
}
if (result) if (result)
*result = cmdinfo.result; *result = cmdinfo.result;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment