Commit fc43fbba authored by yidong0635, committed by Jim Harris

rdma: fixed heap used after free issue.



When running these cases with ASAN, it reports a heap-use-after-free issue
in spdk_nvmf_rdma_qpair_destroy. Resources have been released before;
change the order in this tailq to release resources.

ERROR: AddressSanitizer: heap-use-after-free on address
0x6080000080e0 at pc 0x0000006e1e3f bp 0x7fd48b6c3df0 sp 0x7fd48b6c3de0
READ of size 8 at 0x6080000080e0 thread T3 (reactor_1)
0x6e1e3e in spdk_nvmf_rdma_qpair_destroy spdk/lib/nvmf/rdma.c:813

Change-Id: Ia1c12bca84955a2de60399e6b265c9b8901bb51e
Signed-off-by: yidong0635 <dongx.yi@intel.com>
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/448534


Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-by: Seth Howell <seth.howell5141@gmail.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
parent ae11723a
+4 −3
@@ -2704,6 +2704,10 @@ spdk_nvmf_rdma_poll_group_destroy(struct spdk_nvmf_transport_poll_group *group)
	TAILQ_FOREACH_SAFE(poller, &rgroup->pollers, link, tmp) {
		TAILQ_REMOVE(&rgroup->pollers, poller, link);

		TAILQ_FOREACH_SAFE(qpair, &poller->qpairs, link, tmp_qpair) {
			spdk_nvmf_rdma_qpair_destroy(qpair);
		}

		if (poller->srq) {
			nvmf_rdma_resources_destroy(poller->resources);
			ibv_destroy_srq(poller->srq);
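Review bot: the relocated qpair loop ahead of `if (poller->srq)` carries no comment saying why it must run before `nvmf_rdma_resources_destroy(poller->resources)` and `ibv_destroy_srq(poller->srq)`. The ordering is the whole fix: the ASAN report in the commit message shows a READ inside spdk_nvmf_rdma_qpair_destroy after the resources were released. Please add a one-line comment above the loop stating that qpairs must be destroyed before the poller's resources and SRQ are released, so a later cleanup of this function does not move the loop back down.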
@@ -2713,9 +2717,6 @@ spdk_nvmf_rdma_poll_group_destroy(struct spdk_nvmf_transport_poll_group *group)
		if (poller->cq) {
			ibv_destroy_cq(poller->cq);
		}
		TAILQ_FOREACH_SAFE(qpair, &poller->qpairs, link, tmp_qpair) {
			spdk_nvmf_rdma_qpair_destroy(qpair);
		}

		free(poller);
	}
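Review bot: the context line `ibv_destroy_cq(poller->cq);` above the removed loop still discards its return value, and `ibv_destroy_srq(poller->srq);` in the previous hunk does the same. Both verbs calls return an error code when the object cannot be destroyed, so logging a non-zero result here would make a wrong teardown order visible without needing an ASAN run. Consider checking both calls and emitting an error log on failure before `free(poller)`.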