Commit 74669b90 authored by Naresh Gottumukkala's avatar Naresh Gottumukkala Committed by Tomasz Zawadzki
Browse files

nvmf/fc: Fix use after free issue. 



As fc_req is freed in the previous step, using fc_req->hwqp
results in segfault. Fix this.

Signed-off-by: default avatarNaresh Gottumukkala <raju.gottumukkala@broadcom.com>
Change-Id: I9d82f62a24e8c139b1971466948fc5aa3513f4ea
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/5826


Community-CI: Broadcom CI
Community-CI: Mellanox Build Bot
Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: default avatarJim Harris <james.r.harris@intel.com>
Reviewed-by: default avatarShuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
parent cf07c1f7

lib/nvmf/fc.c

+2 −1
Original line number Diff line number Diff line
@@ -1264,6 +1264,7 @@ nvmf_fc_request_abort_complete(void *arg1) 
{

	struct spdk_nvmf_fc_request *fc_req =

		(struct spdk_nvmf_fc_request *)arg1;

	struct spdk_nvmf_fc_hwqp *hwqp = fc_req->hwqp;

	struct spdk_nvmf_fc_caller_ctx *ctx = NULL, *tmp = NULL;

	TAILQ_HEAD(, spdk_nvmf_fc_caller_ctx) abort_cbs;
@@ -1279,7 +1280,7 @@ nvmf_fc_request_abort_complete(void *arg1) 
	/* Request abort completed. Notify all the callbacks */

	TAILQ_FOREACH_SAFE(ctx, &abort_cbs, link, tmp) {

		/* Notify */

		ctx->cb(fc_req->hwqp, 0, ctx->cb_args);

		ctx->cb(hwqp, 0, ctx->cb_args);

		/* Remove */

		TAILQ_REMOVE(&abort_cbs, ctx, link);

		/* free */