vhost_scsi: fix a heap-use-after-free case
`struct spdk_vhost_dev vdev` in `struct spdk_vhost_scsi_dev` can be
unregistered in `vhost_scsi_dev_remove`, so we can't use it
anymore in other places after `vhost_dev_unregister`.
Ideally `state->remove_cb` should not take the `vdev` as
the input parameter either, but I don't find it's used
anywhere, so leave it unchanged.
==29555==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000006df0
READ of size 2 at 0x602000006df0 thread T0 (reactor_0)
#0 0x7f3c246c0f0a (/lib64/libasan.so.5+0x9cf0a)
#1 0x7f3c246c3c15 in vsnprintf (/lib64/libasan.so.5+0x9fc15)
#2 0xa55cfa in spdk_vlog /spdk/lib/log/log.c:158
#3 0xa5596f in spdk_log /spdk/lib/log/log.c:110
#4 0x842e43 in remove_scsi_tgt /spdk/lib/vhost/vhost_scsi.c:208
#5 0x851508 in vhost_scsi_dev_remove_tgt_cpl_cb /spdk/lib/vhost/vhost_scsi.c:1149
#6 0x8383f1 in foreach_session_finish_cb /spdk/lib/vhost/vhost.c:1144
#7 0x9d3223 in msg_queue_run_batch /spdk/lib/thread/thread.c:703
#8 0x9d73fe in thread_poll /spdk/lib/thread/thread.c:919
#9 0x9d7c3b in spdk_thread_poll /spdk/lib/thread/thread.c:979
#10 0x8812fe in _reactor_run /spdk/lib/event/reactor.c:920
#11 0x881bf1 in reactor_run /spdk/lib/event/reactor.c:958
#12 0x88292b in spdk_reactors_start /spdk/lib/event/reactor.c:1060
#13 0x873ff9 in spdk_app_start /spdk/lib/event/app.c:585
#14 0x408044 in main /spdk/app/vhost/vhost.c:105
#15 0x7f3c23691f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
#16 0x407add in _start (/spdk/build/bin/vhost+0x407add)
0x602000006df0 is located 0 bytes inside of 8-byte region [0x602000006df0,0x602000006df8)
freed by thread T0 (reactor_0) here:
#0 0x7f3c2473191f in __interceptor_free (/lib64/libasan.so.5+0x10d91f)
#1 0x8369f2 in vhost_dev_unregister /spdk/lib/vhost/vhost.c:1024
#2 0x84f32d in vhost_scsi_dev_remove /spdk/lib/vhost/vhost_scsi.c:913
#3 0x83cdb7 in spdk_vhost_dev_remove /spdk/lib/vhost/vhost.c:1494
#4 0x83ed66 in vhost_fini /spdk/lib/vhost/vhost.c:1644
#5 0x9d3223 in msg_queue_run_batch /spdk/lib/thread/thread.c:703
#6 0x9d73fe in thread_poll /spdk/lib/thread/thread.c:919
#7 0x9d7c3b in spdk_thread_poll /spdk/lib/thread/thread.c:979
#8 0x8812fe in _reactor_run /spdk/lib/event/reactor.c:920
#9 0x881bf1 in reactor_run /spdk/lib/event/reactor.c:958
#10 0x88292b in spdk_reactors_start /spdk/lib/event/reactor.c:1060
#11 0x873ff9 in spdk_app_start /spdk/lib/event/app.c:585
#12 0x408044 in main /spdk/app/vhost/vhost.c:105
#13 0x7f3c23691f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
Change-Id: I511c4316a838cd92961d57c9193d384acd49d760
Signed-off-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10141
Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-by: Dong Yi <dongx.yi@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
This commit is contained in:
Changpeng Liu
Jim Harris
parent
5ea834b540
commit
245394ca0e
@ -205,8 +205,7 @@ remove_scsi_tgt(struct spdk_vhost_scsi_dev *svdev,
|
|||||||
state->remove_cb(&svdev->vdev, state->remove_ctx);
|
state->remove_cb(&svdev->vdev, state->remove_ctx);
|
||||||
state->remove_cb = NULL;
|
state->remove_cb = NULL;
|
||||||
}
|
}
|
||||||
SPDK_INFOLOG(vhost, "%s: removed target 'Target %u'\n",
|
SPDK_INFOLOG(vhost, "removed target 'Target %u'\n", scsi_tgt_num);
|
||||||
svdev->vdev.name, scsi_tgt_num);
|
|
||||||
|
|
||||||
if (--svdev->ref == 0 && svdev->registered == false) {
|
if (--svdev->ref == 0 && svdev->registered == false) {
|
||||||
free(svdev);
|
free(svdev);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user