Commit 46e531bd authored by Sebastian Brzezinka, committed by Tomasz Zawadzki

lib/nvme: fix heap-use-after-free on pqpair's shadow_doorbell



pqpair shadow_doorbell points to a memory space allocated by ctrlr; when
ctrlr is disconnected before qpair is deleted, `pqpair->shadow_doorbell`
tries to change the value of already released memory.

```
==64530==ERROR: AddressSanitizer: heap-use-after-free on address 0x20003041a008 at pc 0x7f66758f8e4d bp 0x7f666f6f84e0 sp 0x7f666f6f84d8
WRITE of size 4 at 0x20003041a008 thread T3 (reactor_2)
```
Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Change-Id: I9c8b079dab1a34d34f41fc43a0db6ec35f40cc17
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/19703


Reviewed-by: Jim Harris <jim.harris@gmail.com>
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Reviewed-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
Community-CI: Mellanox Build Bot
Reviewed-by: Ben Walker <ben@nvidia.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Michael Haeuptle <michaelhaeuptle@gmail.com>
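The ownership problem the commit message describes, reduced to a small model, as an added illustration that is not SPDK's own code: a controller object owns the shadow doorbell buffer, a queue pair caches raw pointers into it, and teardown order decides whether the qpair's final writes land in live or freed memory. The `model_*` structs and functions are hypothetical stand-ins for the real `spdk_nvme_ctrlr` / `nvme_pcie_qpair` types; `model_qpair_delete` carries the same guard the patch introduces, and the comment marks what the unguarded version did.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical models (not SPDK's real definitions); only the ownership
 * relation matters: the controller owns the buffer, the qpair caches
 * pointers into it. */
#define DOORBELLS_PER_QPAIR 3
#define MAX_QPAIRS 4

struct model_ctrlr {
	uint32_t *shadow_doorbell;	/* owned here; NULL once released */
};

struct model_pqpair {
	struct model_ctrlr *ctrlr;
	bool has_shadow_doorbell;
	struct {
		uint32_t *sq_tdbl;
		uint32_t *cq_hdbl;
		uint32_t *sq_eventidx;
	} shadow_doorbell;		/* cached pointers into ctrlr->shadow_doorbell */
};

int model_ctrlr_connect(struct model_ctrlr *ctrlr)
{
	ctrlr->shadow_doorbell = calloc(MAX_QPAIRS * DOORBELLS_PER_QPAIR,
					sizeof(uint32_t));
	return ctrlr->shadow_doorbell ? 0 : -1;
}

/* Disconnect releases the buffer and, crucially, nulls the owning pointer;
 * the guard in model_qpair_delete depends on this. */
void model_ctrlr_disconnect(struct model_ctrlr *ctrlr)
{
	free(ctrlr->shadow_doorbell);
	ctrlr->shadow_doorbell = NULL;
}

void model_qpair_create(struct model_pqpair *pqpair, struct model_ctrlr *ctrlr,
			unsigned id)
{
	pqpair->ctrlr = ctrlr;
	pqpair->has_shadow_doorbell = (ctrlr->shadow_doorbell != NULL);
	if (!pqpair->has_shadow_doorbell) {
		pqpair->shadow_doorbell.sq_tdbl = NULL;
		pqpair->shadow_doorbell.cq_hdbl = NULL;
		pqpair->shadow_doorbell.sq_eventidx = NULL;
		return;
	}
	uint32_t *base = ctrlr->shadow_doorbell + id * DOORBELLS_PER_QPAIR;
	pqpair->shadow_doorbell.sq_tdbl = base;
	pqpair->shadow_doorbell.cq_hdbl = base + 1;
	pqpair->shadow_doorbell.sq_eventidx = base + 2;
}

/* Teardown with the fixed condition: the cached pointers are only
 * dereferenced while the controller still owns the buffer. The pre-fix
 * code tested has_shadow_doorbell alone, so disconnect-then-delete wrote
 * into freed memory (the ASan report above).
 * Returns the number of doorbell words cleared, 0 if the writes were skipped. */
int model_qpair_delete(struct model_pqpair *pqpair)
{
	if (pqpair->has_shadow_doorbell && pqpair->ctrlr->shadow_doorbell) {
		*pqpair->shadow_doorbell.sq_tdbl = 0;
		*pqpair->shadow_doorbell.cq_hdbl = 0;
		*pqpair->shadow_doorbell.sq_eventidx = 0;
		return DOORBELLS_PER_QPAIR;
	}
	return 0;
}

/* Ordering from the bug report: disconnect first, then delete the qpair. */
int scenario_disconnect_then_delete(void)
{
	struct model_ctrlr ctrlr;
	struct model_pqpair pqpair;

	if (model_ctrlr_connect(&ctrlr) != 0)
		return -1;
	model_qpair_create(&pqpair, &ctrlr, 1);
	*pqpair.shadow_doorbell.sq_tdbl = 7;	/* constructed I/O activity */
	model_ctrlr_disconnect(&ctrlr);
	return model_qpair_delete(&pqpair);	/* 0: guard skipped the writes */
}

/* Normal ordering: delete the qpair while the controller is still connected. */
int scenario_delete_then_disconnect(void)
{
	struct model_ctrlr ctrlr;
	struct model_pqpair pqpair;
	int cleared;

	if (model_ctrlr_connect(&ctrlr) != 0)
		return -1;
	model_qpair_create(&pqpair, &ctrlr, 1);
	*pqpair.shadow_doorbell.sq_tdbl = 7;
	*pqpair.shadow_doorbell.cq_hdbl = 9;
	cleared = model_qpair_delete(&pqpair);
	/* Both words must read back as zero before the buffer is released. */
	if (ctrlr.shadow_doorbell[DOORBELLS_PER_QPAIR] != 0 ||
	    ctrlr.shadow_doorbell[DOORBELLS_PER_QPAIR + 1] != 0)
		cleared = -2;
	model_ctrlr_disconnect(&ctrlr);
	return cleared;				/* 3 */
}

int main(void)
{
	printf("disconnect then delete: %d cleared\n", scenario_disconnect_then_delete());
	printf("delete then disconnect: %d cleared\n", scenario_delete_then_disconnect());
	return 0;
}
```

Built with `-fsanitize=address`, the model stays clean in both orderings; removing `pqpair->ctrlr->shadow_doorbell` from the condition in `model_qpair_delete` reproduces the heap-use-after-free class of report shown in the commit message for the first scenario. The guard is only as good as the owner nulling its pointer on release, which is why `model_ctrlr_disconnect` does so explicitly.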
parent cc2a4920
+1 −1
@@ -1150,7 +1150,7 @@ nvme_pcie_ctrlr_delete_io_qpair(struct spdk_nvme_ctrlr *ctrlr, struct spdk_nvme_
	free(status);

clear_shadow_doorbells:
	if (pqpair->flags.has_shadow_doorbell) {
	if (pqpair->flags.has_shadow_doorbell && ctrlr->shadow_doorbell) {
		*pqpair->shadow_doorbell.sq_tdbl = 0;
		*pqpair->shadow_doorbell.cq_hdbl = 0;
		*pqpair->shadow_doorbell.sq_eventidx = 0;
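Review bot: the added `ctrlr->shadow_doorbell` test in the `if` at the top of this hunk only prevents the three writes below (`*pqpair->shadow_doorbell.sq_tdbl`, `cq_hdbl`, `sq_eventidx`) from touching freed memory if the controller's disconnect path sets `ctrlr->shadow_doorbell` to NULL when it releases that buffer; that path is not in this hunk, so please confirm the free site nulls the pointer rather than leaving it dangling, otherwise the condition still passes and the use-after-free remains. A short comment above the condition, noting that the qpair may outlive the controller's shadow doorbell memory, would also help readers, since the ordering dependency between `nvme_pcie_ctrlr_delete_io_qpair` and controller disconnect is not visible from the writes themselves.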