Commit ea2db5bb authored Dec 21, 2021 by Shuhei Matsumoto Committed by Tomasz Zawadzki Jan 19, 2022

nvme_pcie: Use dummy stats after removing qpar from poll group



Previously, when connecting qpair, we allocated stats per qpair if poll
group is not used or we set stats per poll group otherwise.
Then when deleting qpair, we freed per qpair stats if allocated.

However, if qpair is still not completely disconnected after removing
qpair from poll group, pqpair->stat is use-after-free and it causes
a segmentation fault.

To fix this issue, we set pqpair->stat to &g_dummy_stats instead.

Signed-off-by: Shuhei Matsumoto <smatsumoto@nvidia.com>
Change-Id: Ibf303e6db5176e93ed75cbe3a414bb923d6e3ab6
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10845


Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@mellanox.com>

parent f1941efe

lib/nvme/nvme_pcie_common.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -3,6 +3,7 @@
		*
		* Copyright (c) Intel Corporation. All rights reserved.
		* Copyright (c) 2021 Mellanox Technologies LTD. All rights reserved.
		* Copyright (c) 2022 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
		*
		* Redistribution and use in source and binary forms, with or without
		* modification, are permitted provided that the following conditions
		@@ -46,6 +47,8 @@

		__thread struct nvme_pcie_ctrlr *g_thread_mmio_ctrlr = NULL;

		static struct spdk_nvme_pcie_stat g_dummy_stat = {};

		static void
		nvme_pcie_fail_request_bad_vtophys(struct spdk_nvme_qpair qpair, struct nvme_tracker tr);

		@@ -1735,6 +1738,9 @@ int
		nvme_pcie_poll_group_remove(struct spdk_nvme_transport_poll_group *tgroup,
		struct spdk_nvme_qpair *qpair)
		{
		struct nvme_pcie_qpair *pqpair = nvme_pcie_qpair(qpair);

		pqpair->stat = &g_dummy_stat;
		return 0;
		}