Commit 92d1e663 authored by Alex Michon, committed by Jim Harris

bdev/nvme: Fix depopulating a namespace twice



If we receive 2 AENs in a row, we may attempt to delete the same
namespace twice, which would result in a use-after-free.

Change-Id: I4d9cb4a1ada5d6c945cad10a963f218c70d5c8f8
Signed-off-by: Alex Michon <amichon@kalrayinc.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/25511
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Reviewed-by: Jim Harris <jim.harris@nvidia.com>
Community-CI: Mellanox Build Bot
Community-CI: Community CI Samsung <spdk.community.ci.samsung@gmail.com>
parent 52a41348
+6 −0
@@ -5013,6 +5013,12 @@ nvme_ctrlr_depopulate_namespace(struct nvme_ctrlr *nvme_ctrlr, struct nvme_ns *n
{
	struct nvme_bdev *nbdev;

	if (nvme_ns->depopulating) {
		/* Maybe we received 2 AENs in a row */
		return;
	}
	nvme_ns->depopulating = true;

	spdk_poller_unregister(&nvme_ns->anatt_timer);

	nbdev = nvme_ns->bdev;
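Review bot: `nvme_ns->depopulating` is set at the top of nvme_ctrlr_depopulate_namespace and is never cleared in the visible lines. If an nvme_ns can be populated again without being freed first, the flag has to be reset on that path, otherwise a later removal of the same namespace hits the early return and is silently skipped. The comment "Maybe we received 2 AENs in a row" would also be more useful if it said why the second call must be ignored (the commit message names a use-after-free), and if it stated that the plain check-then-set on a bool relies on all callers running on the same thread.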
+1 −0
@@ -54,6 +54,7 @@ struct nvme_ns {
	enum spdk_nvme_ana_state	ana_state;
	bool				ana_state_updating;
	bool				ana_transition_timedout;
	bool				depopulating;
	struct spdk_poller		*anatt_timer;
	struct nvme_async_probe_ctx	*probe_ctx;
	TAILQ_ENTRY(nvme_ns)		tailq;
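Review bot: the new `depopulating` member of struct nvme_ns is undocumented, and placed directly after `ana_state_updating` and `ana_transition_timedout` it reads like another ANA state flag. A one-line comment saying it is set once by nvme_ctrlr_depopulate_namespace to reject a second call would make the intent clear. The guard also depends on the field starting out false, so it is worth confirming that struct nvme_ns is zero-initialised where it is allocated, since that allocation is not part of this diff.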