ivampiresp/Spdk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nvmf/ctrlr: cache opc & fctype info

Browse Source 
Request can be freed by transport_req_complete. In such case req
or req->cmd dereference might result in heap-use-after-free.

Signed-off-by: Jacek Kalwas <jacek.kalwas@intel.com>
Change-Id: I2280d3978f1f183a250828aab7d2ca49ef1800ec
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/476929
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
This commit is contained in:
Jacek Kalwas 2019-12-08 14:22:01 +01:00 committed by Tomasz Zawadzki
parent 7843321065
commit 7448215428
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/nvmf/ctrlr.c
View File

@ -2484,6 +2484,8 @@ spdk_nvmf_request_complete(struct spdk_nvmf_request *req)
struct spdk_nvme_cpl *rsp = &req->rsp->nvme_cpl;
struct spdk_nvmf_qpair *qpair;
struct spdk_nvmf_subsystem_poll_group *sgroup = NULL;
bool is_connect = req->cmd->nvmf_cmd.opcode == SPDK_NVME_OPC_FABRIC &&
req->cmd->nvmf_cmd.fctype == SPDK_NVMF_FABRIC_COMMAND_CONNECT;
rsp->sqid = 0;
rsp->status.p = 0;
@ -2505,9 +2507,7 @@ spdk_nvmf_request_complete(struct spdk_nvmf_request *req)
}
/* AER cmd and fabric connect are exceptions */
if (sgroup != NULL && qpair->ctrlr->aer_req != req &&
!(req->cmd->nvmf_cmd.opcode == SPDK_NVME_OPC_FABRIC &&
req->cmd->nvmf_cmd.fctype == SPDK_NVMF_FABRIC_COMMAND_CONNECT)) {
if (sgroup != NULL && qpair->ctrlr->aer_req != req && !is_connect) {
assert(sgroup->io_outstanding > 0);
sgroup->io_outstanding--;
if (sgroup->state == SPDK_NVMF_SUBSYSTEM_PAUSING &&