From: Sagi Grimberg <sagi@grimberg.me>
Date: Mon, 27 Feb 2017 16:44:45 +0000 (+0200)
Subject: nvme-loop: fix a possible use-after-free when destroying the admin queue
X-Git-Tag: v4.14-rc1~1241^2~1^2~4
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e4c5d3762e2d6d274bd1cc948c47063becfa2103;p=platform%2Fkernel%2Flinux-rpi.git

nvme-loop: fix a possible use-after-free when destroying the admin queue

we need to destroy the nvmet sq and let it finish gracefully
before continue to cleanup the queue.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
---

diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index d1f06e7..74e04a0 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -288,9 +288,9 @@ static struct blk_mq_ops nvme_loop_admin_mq_ops = {
 
 static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl)
 {
+	nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
 	blk_cleanup_queue(ctrl->ctrl.admin_q);
 	blk_mq_free_tag_set(&ctrl->admin_tag_set);
-	nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
 }
 
 static void nvme_loop_free_ctrl(struct nvme_ctrl *nctrl)