nvme: clear the request_queue pointers on failure in nvme_alloc_io_tag_set

maurizio-lombardi · Christoph Hellwig · commit 6fbf13c0e24f · 2023-02-01T14:18:46.000+01:00
In nvme_alloc_io_tag_set(), the connect_q pointer should be set to NULL
in case of error to avoid potential invalid pointer dereferences.

Signed-off-by: Maurizio Lombardi &lt;mlombard@redhat.com&gt;
Reviewed-by: Chaitanya Kulkarni &lt;kch@nvidia.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
@@ -4956,6 +4956,7 @@ int nvme_alloc_io_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
 
 out_free_tag_set:
 	blk_mq_free_tag_set(set);
+	ctrl->connect_q = NULL;
 	return ret;
 }
 EXPORT_SYMBOL_GPL(nvme_alloc_io_tag_set);

Original file line number	Diff line number	Diff line change
`@@ -4956,6 +4956,7 @@ int nvme_alloc_io_tag_set(struct nvme_ctrl ctrl, struct blk_mq_tag_set set,`
`4956`	`4956`
`4957`	`4957`	`out_free_tag_set:`
`4958`	`4958`	`blk_mq_free_tag_set(set);`
	`4959`	`+ ctrl->connect_q = NULL;`
`4959`	`4960`	`return ret;`
`4960`	`4961`	`}`
`4961`	`4962`	`EXPORT_SYMBOL_GPL(nvme_alloc_io_tag_set);`