Commit 833a5c9d authored Dec 23, 2021 by Alexey Marchuk Committed by Tomasz Zawadzki Dec 27, 2021

bdev/nvme: Remove ctrlr_ch from group's list in error case



If qpair creation failed, ctrlr_ch remains in group->ctrlr_ch_list
but memory for ctrlr_ch is freed. Next attempt to get ctrlr's io
channel will modify data in already freed memory and may corrupt
another allocation.

Signed-off-by: Alexey Marchuk <alexeymar@mellanox.com>
Change-Id: I85002f2e6ac86a0ffda6dabfa57e79b59074fb5a
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10840


Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Shuhei Matsumoto <shuheimatsumoto@gmail.com>
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>

parent 17e9f58f

module/bdev/nvme/bdev_nvme.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1909,6 +1909,7 @@ bdev_nvme_create_ctrlr_channel_cb(void io_device, void ctx_buf)
		return 0;

		err_qpair:
		TAILQ_REMOVE(&ctrlr_ch->group->ctrlr_ch_list, ctrlr_ch, tailq);
		spdk_put_io_channel(pg_ch);

		return rc;