Commit 52ecd5ce authored Oct 07, 2025 by Vineet Madan Committed by Tomasz Zawadzki Oct 24, 2025

bdev/nvme: fix race between controller destruction and reset



We have the following race condition -
1. A controller reset is in progress (iterating through channels).
2. The controller is being removed/destroyed at the same time.
3. The iterator visits a channel that has a connect_poller active.
4. The channel is destroyed (in 'bdev_nvme_destroy_ctrlr_channel_cb'),
   but the connect_poller is left running.
5. The connect_poller fires after the qpair has been freed, thus hitting
   the assertion failure `qpair != NULL`.

Fix:
Unregister the 'connect_poller' when disconnecting the qpair in
'bdev_nvme_destroy_ctrlr_channel_cb'.

Change-Id: I503cc5e56dae35bd30e68b4867c900d1a0bf5a89
Signed-off-by: Vineet Madan <vineet.madan@nutanix.com>
Reviewed-on: https://review.spdk.io/c/spdk/spdk/+/26821


Reviewed-by: Jacek Kalwas <jacek.kalwas@nutanix.com>
Community-CI: Mellanox Build Bot
Tested-by: SPDK Automated Test System <spdkbot@gmail.com>
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Reviewed-by: Shuhei Matsumoto <smatsumoto@nvidia.com>

parent b6883829

module/bdev/nvme/bdev_nvme.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -3777,6 +3777,12 @@ bdev_nvme_destroy_ctrlr_channel_cb(void io_device, void ctx_buf)
		* The qpair may have been created after the reset process started.
		*/
		spdk_nvme_ctrlr_disconnect_io_qpair(nvme_qpair->qpair);

		/* Since the channel is being destroyed, unregister any connect_poller
		* that might be active for the channel.
		*/
		spdk_poller_unregister(&ctrlr_ch->connect_poller);

		if (ctrlr_ch->reset_iter) {
		/* Skip current ctrlr_channel in a full reset sequence because
		* it is being deleted now.