From: Shusong Tao <taoshusong@huawei.com> mainline inclusion from mainline-v5.10-rc1 commit a87da50f39d467f2ea4c1f98decb72ef6d87a31e category: bugfix bugzilla: NA CVE: NA Link: https://gitee.com/openeuler/kernel/issues/I1WGZE ------------------------------------------------- A crash happened due to injecting error test. The cqe has incorrect command id, host may find a request which already be freed. req->mr->rkey cause a crash in nvme_rdma_process_nvme_rsp. Because the mr is already freed. Add a check for the mr to fix it. Signed-off-by: Shusong Tao <taoshusong@huawei.com> Reviewed-by: Chao Leng <lengchao@huawei.com> Reviewed-by: Jike Cheng <chengjike.cheng@huawei.com> Signed-off-by: Lijie <lijie34@huawei.com> Acked-by: Hanjun Guo <guohanjun@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/nvme/host/rdma.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index b91444c1fd45..db2bed55bd68 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -1425,10 +1425,11 @@ static int nvme_rdma_process_nvme_rsp(struct nvme_rdma_queue *queue, req->result = cqe->result; if (wc->wc_flags & IB_WC_WITH_INVALIDATE) { - if (unlikely(wc->ex.invalidate_rkey != req->mr->rkey)) { + if (unlikely(!req->mr || + wc->ex.invalidate_rkey != req->mr->rkey)) { dev_err(queue->ctrl->ctrl.device, "Bogus remote invalidation for rkey %#x\n", - req->mr->rkey); + req->mr ? req->mr->rkey : 0); nvme_rdma_error_recovery(queue->ctrl); } } else if (req->mr) { -- 2.25.1