From 377139cb7654d7a404912fffe4dd5e69c3bd6128 Mon Sep 17 00:00:00 2001
From: Sylvain Didelot
Date: Mon, 15 Nov 2021 09:48:54 +0100
Subject: [PATCH] nvme_cuse: Fix NULL pointer dereference triggered by unit test

The unit test test_nvme_cuse_stop() manually creates 2 cuse devices and
executes nvme_cuse_stop(). The problem is that the Fuse session is never
initialized for those 2 cuse devices, causing cuse_nvme_ns_stop() to
access 'ns_device->session', which is a NULL pointer.

This bug is detected by ASAN as follows:

==77298==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000180 (pc 0x7fdac6d7d40e bp 0x000000000000 sp 0x7fff74768320 T0)
==77298==The signal is caused by a READ memory access.
==77298==Hint: address points to the zero page.
    #0 0x7fdac6d7d40e in fuse_session_destroy (/usr/lib64/libfuse3.so.3+0x1640e)
    #1 0x40dc7a in cuse_nvme_ns_stop /home/vagrant/spdk_repo/spdk/lib/nvme/nvme_cuse.c:851
    #2 0x40df59 in cuse_nvme_ctrlr_stop /home/vagrant/spdk_repo/spdk/lib/nvme/nvme_cuse.c:923
    #3 0x40f103 in nvme_cuse_stop /home/vagrant/spdk_repo/spdk/lib/nvme/nvme_cuse.c:1094
    #4 0x415803 in test_nvme_cuse_stop /home/vagrant/spdk_repo/spdk/test/unit/lib/nvme/nvme_cuse.c/nvme_cuse_ut.c:393
    #5 0x7fdac724c1a6 (/usr/lib64/libcunit.so.1+0x41a6)
    #6 0x7fdac724c528 (/usr/lib64/libcunit.so.1+0x4528)
    #7 0x7fdac724d456 in CU_run_all_tests (/usr/lib64/libcunit.so.1+0x5456)
    #8 0x415a4e in main /home/vagrant/spdk_repo/spdk/test/unit/lib/nvme/nvme_cuse.c/nvme_cuse_ut.c:415
    #9 0x7fdac62351e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)
    #10 0x403ddd in _start (/home/vagrant/spdk_repo/spdk/test/unit/lib/nvme/nvme_cuse.c/nvme_cuse_ut+0x403ddd)

The fix is to call fuse_session_destroy() only if the fuse session is
!= NULL.
Signed-off-by: Sylvain Didelot
Change-Id: I41881243227d83e8d1e6b90e72c1b6d62ccd98d3
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10225
Community-CI: Mellanox Build Bot
Community-CI: Broadcom CI
Tested-by: SPDK CI Jenkins
Reviewed-by: Aleksey Marchuk
Reviewed-by: Ben Walker
---
 lib/nvme/nvme_cuse.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/nvme/nvme_cuse.c b/lib/nvme/nvme_cuse.c
index 0cd845e1d..6ca5d2c11 100644
--- a/lib/nvme/nvme_cuse.c
+++ b/lib/nvme/nvme_cuse.c
@@ -846,7 +846,9 @@ cuse_nvme_ns_start(struct cuse_device *ctrlr_device, uint32_t nsid)
 static void
 cuse_nvme_ns_stop(struct cuse_device *ctrlr_device, struct cuse_device *ns_device)
 {
-	fuse_session_exit(ns_device->session);
+	if (ns_device->session != NULL) {
+		fuse_session_exit(ns_device->session);
+	}
 	pthread_join(ns_device->tid, NULL);
 	TAILQ_REMOVE(&ctrlr_device->ns_devices, ns_device, tailq);
 	free(ns_device);
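Review bot: In the cuse_nvme_ns_stop() hunk, pthread_join(ns_device->tid, NULL) is still called unconditionally right after the new NULL guard; for a device whose session was never initialized (the case the commit message describes), the worker thread was presumably never started either, so please confirm tid holds a valid, joinable thread in that path or move the pthread_join inside the same `if (ns_device->session != NULL)` block, otherwise the SEGV is traded for a pthread_join on an uninitialized handle. Two smaller points: the commit message says the fix guards fuse_session_destroy(), but the hunk guards fuse_session_exit(), so one of the two should be corrected before merge; and since the ASAN trace shows frame #0 in fuse_session_destroy called from nvme_cuse.c:851, it would help reviewers to note in the message why guarding the fuse_session_exit() call at that line is sufficient.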