Commit 3bd113ea authored by Seth Howell, committed by Tomasz Zawadzki

lib/vhost: Don't dereference svdev->name in dev_remove.



If the vdev is marked for hotremove, it is possible that the
name has already been freed resulting in a heap use after free,
so remove the warning about a vdev being marked for hotremove
to avoid a segfault when removing a device.

This was observed in the vhost fuzz tests.

Signed-off-by: Seth Howell <seth.howell@intel.com>
Change-Id: I2891ca2bee70d72fb7b0dff96d569e9b92fe84eb
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/2071


Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Darek Stojaczyk <dariusz.stojaczyk@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
parent 6607e124
+5 −6
@@ -1121,18 +1121,17 @@ spdk_vhost_scsi_dev_remove_tgt(struct spdk_vhost_dev *vdev, unsigned scsi_tgt_nu
	svdev = to_scsi_dev(vdev);
	assert(svdev != NULL);
	scsi_dev_state = &svdev->scsi_dev_state[scsi_tgt_num];

	if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
		return -EBUSY;
	}

	if (scsi_dev_state->dev == NULL || scsi_dev_state->status == VHOST_SCSI_DEV_ADDING) {
		SPDK_ERRLOG("%s: SCSI target %u is not occupied\n", vdev->name, scsi_tgt_num);
		return -ENODEV;
	}

	assert(scsi_dev_state->status != VHOST_SCSI_DEV_EMPTY);
	if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
		SPDK_WARNLOG("%s: SCSI target %u has been already marked for hotremoval.\n",
			     vdev->name, scsi_tgt_num);
		return -EBUSY;
	}

	ctx = calloc(1, sizeof(*ctx));
	if (ctx == NULL) {
		SPDK_ERRLOG("calloc failed\n");
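
Review bot: The "scsi_dev_state->status == VHOST_SCSI_DEV_ADDING" half of the -ENODEV test can never be true once the "status != VHOST_SCSI_DEV_PRESENT" early return sits above it, so a target that is still being added now gets a silent -EBUSY instead of -ENODEV with the "is not occupied" message. Either drop the dead clause or say in the commit message that the return code for that state changes, so callers that distinguish -ENODEV from -EBUSY are not surprised. The early return also has no comment explaining why it must come first and must not log; a one-line comment that vdev->name may already be freed in the hotremove states would stop a later cleanup from reintroducing the dereference, and a warning that prints only scsi_tgt_num would keep the diagnostic without touching the name.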