Commit ec47f92b authored Apr 25, 2019 by Seth Howell Committed by Darek Stojaczyk Apr 26, 2019

rdma: fix potential heap-use-after-free in srq shutdown



If there are outstanding recvs for a qpair when it is destroyed, we need
to clear the qpair from it before reposting it. Otehrwise, we have a
potential heap-use-after-free of double free (depending on whether the
recv completion is in error state or not).

See github issues #730

Change-Id: Ic2009c761cbcc5e89174f62fbd0872d0489c67ca
Signed-off-by: Seth Howell <seth.howell@intel.com>
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/452122


Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>

parent 9e1116ea

lib/nvmf/rdma.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -868,6 +868,7 @@ spdk_nvmf_rdma_qpair_destroy(struct spdk_nvmf_rdma_qpair *rqpair)
		STAILQ_FOREACH_SAFE(rdma_recv, &rqpair->resources->incoming_queue, link, recv_tmp) {
		if (rqpair == rdma_recv->qpair) {
		STAILQ_REMOVE_HEAD(&rqpair->resources->incoming_queue, link);
		rdma_recv->qpair = NULL;
		rc = ibv_post_srq_recv(rqpair->srq, &rdma_recv->wr, &bad_recv_wr);
		if (rc) {
		SPDK_ERRLOG("Unable to re-post rx descriptor\n");

Admin message