From 155c3babce940f62d73e0c5ad5ace973093b6ca7 Mon Sep 17 00:00:00 2001
From: Jacek Kalwas <jacek.kalwas@intel.com>
Date: Fri, 29 Nov 2019 09:47:41 +0100
Subject: [PATCH] nvmf/tcp: rm qpair destroy from poll_group_add

Destroy in poll_group_add results in heap-use-after-free because
upper layer calls qpair_fini in case poll_group_add returns
error.

Signed-off-by: Jacek Kalwas <jacek.kalwas@intel.com>
Change-Id: I3e921a21b7ab5f7c15c80bc5919cb97cbda0b5d2
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/475858
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
---
 lib/nvmf/tcp.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lib/nvmf/tcp.c b/lib/nvmf/tcp.c
index 5acfe9e0c..02bab727d 100644
--- a/lib/nvmf/tcp.c
+++ b/lib/nvmf/tcp.c
@@ -2701,28 +2701,24 @@ spdk_nvmf_tcp_poll_group_add(struct spdk_nvmf_transport_poll_group *group,
 	if (rc != 0) {
 		SPDK_ERRLOG("Could not add sock to sock_group: %s (%d)\n",
 			    spdk_strerror(errno), errno);
-		spdk_nvmf_tcp_qpair_destroy(tqpair);
 		return -1;
 	}
 
 	rc =  spdk_nvmf_tcp_qpair_sock_init(tqpair);
 	if (rc != 0) {
 		SPDK_ERRLOG("Cannot set sock opt for tqpair=%p\n", tqpair);
-		spdk_nvmf_tcp_qpair_destroy(tqpair);
 		return -1;
 	}
 
 	rc = spdk_nvmf_tcp_qpair_init(&tqpair->qpair);
 	if (rc < 0) {
 		SPDK_ERRLOG("Cannot init tqpair=%p\n", tqpair);
-		spdk_nvmf_tcp_qpair_destroy(tqpair);
 		return -1;
 	}
 
 	rc = spdk_nvmf_tcp_qpair_init_mem_resource(tqpair, 1);
 	if (rc < 0) {
 		SPDK_ERRLOG("Cannot init memory resource info for tqpair=%p\n", tqpair);
-		spdk_nvmf_tcp_qpair_destroy(tqpair);
 		return -1;
 	}