From c83cd9375bce67599280235b1f06fb682f27e580 Mon Sep 17 00:00:00 2001
From: Ehud Naim <ehudn@marvell.com>
Date: Tue, 13 Feb 2018 14:33:57 +0200
Subject: [PATCH] nvme: fixing ctrlr mutex free

adding nvme_ctrlr_destruct_finish because nvme_transport_ctrlr_destruct may
use a destroyed mutex.

nvme_ctrlr_destruct() free "ctrlr_lock" and after that call
nvme_transport_ctrlr_destruct()->nvme_pcie_ctrlr_destruct()(with pci)->
nvme_ctrlr_proc_get_devhandle()->nvme_robust_mutex_lock(&ctrlr->ctrlr_lock);

Change-Id: I55714ea9097d2c9d844a00b5a88fa2d51a3f4469
Signed-off-by: Ehud Naim <ehudn@marvell.com>
Reviewed-on: https://review.gerrithub.io/399605
Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com>
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
---
 lib/nvme/nvme_ctrlr.c                         | 8 ++++++--
 lib/nvme/nvme_internal.h                      | 1 +
 lib/nvme/nvme_pcie.c                          | 2 ++
 lib/nvme/nvme_rdma.c                          | 2 ++
 test/unit/lib/nvme/nvme_pcie.c/nvme_pcie_ut.c | 6 ++++++
 5 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/nvme/nvme_ctrlr.c b/lib/nvme/nvme_ctrlr.c
index d780f20bf..7aa4b9deb 100644
--- a/lib/nvme/nvme_ctrlr.c
+++ b/lib/nvme/nvme_ctrlr.c
@@ -1670,6 +1670,12 @@ nvme_ctrlr_init_cap(struct spdk_nvme_ctrlr *ctrlr, const union spdk_nvme_cap_reg
 	ctrlr->opts.io_queue_requests = spdk_max(ctrlr->opts.io_queue_requests, ctrlr->opts.io_queue_size);
 }
 
+void
+nvme_ctrlr_destruct_finish(struct spdk_nvme_ctrlr *ctrlr)
+{
+	pthread_mutex_destroy(&ctrlr->ctrlr_lock);
+}
+
 void
 nvme_ctrlr_destruct(struct spdk_nvme_ctrlr *ctrlr)
 {
@@ -1687,8 +1693,6 @@ nvme_ctrlr_destruct(struct spdk_nvme_ctrlr *ctrlr)
 
 	spdk_bit_array_free(&ctrlr->free_io_qids);
 
-	pthread_mutex_destroy(&ctrlr->ctrlr_lock);
-
 	nvme_transport_ctrlr_destruct(ctrlr);
 }
 
diff --git a/lib/nvme/nvme_internal.h b/lib/nvme/nvme_internal.h
index 4f25ac6b2..613b368b2 100644
--- a/lib/nvme/nvme_internal.h
+++ b/lib/nvme/nvme_internal.h
@@ -568,6 +568,7 @@ int	nvme_ctrlr_probe(const struct spdk_nvme_transport_id *trid, void *devhandle,
 			 spdk_nvme_probe_cb probe_cb, void *cb_ctx);
 
 int	nvme_ctrlr_construct(struct spdk_nvme_ctrlr *ctrlr);
+void	nvme_ctrlr_destruct_finish(struct spdk_nvme_ctrlr *ctrlr);
 void	nvme_ctrlr_destruct(struct spdk_nvme_ctrlr *ctrlr);
 void	nvme_ctrlr_fail(struct spdk_nvme_ctrlr *ctrlr, bool hot_remove);
 int	nvme_ctrlr_process_init(struct spdk_nvme_ctrlr *ctrlr);
diff --git a/lib/nvme/nvme_pcie.c b/lib/nvme/nvme_pcie.c
index 85085913b..88282f276 100644
--- a/lib/nvme/nvme_pcie.c
+++ b/lib/nvme/nvme_pcie.c
@@ -890,6 +890,8 @@ nvme_pcie_ctrlr_destruct(struct spdk_nvme_ctrlr *ctrlr)
 		nvme_pcie_qpair_destroy(ctrlr->adminq);
 	}
 
+	nvme_ctrlr_destruct_finish(ctrlr);
+
 	nvme_ctrlr_free_processes(ctrlr);
 
 	nvme_pcie_ctrlr_free_bars(pctrlr);
diff --git a/lib/nvme/nvme_rdma.c b/lib/nvme/nvme_rdma.c
index 9c4657208..ba91313c5 100644
--- a/lib/nvme/nvme_rdma.c
+++ b/lib/nvme/nvme_rdma.c
@@ -1361,6 +1361,8 @@ nvme_rdma_ctrlr_destruct(struct spdk_nvme_ctrlr *ctrlr)
 		nvme_rdma_qpair_destroy(ctrlr->adminq);
 	}
 
+	nvme_ctrlr_destruct_finish(ctrlr);
+
 	free(rctrlr);
 
 	return 0;
diff --git a/test/unit/lib/nvme/nvme_pcie.c/nvme_pcie_ut.c b/test/unit/lib/nvme/nvme_pcie.c/nvme_pcie_ut.c
index 7e2e68867..4d6917d65 100644
--- a/test/unit/lib/nvme/nvme_pcie.c/nvme_pcie_ut.c
+++ b/test/unit/lib/nvme/nvme_pcie.c/nvme_pcie_ut.c
@@ -161,6 +161,12 @@ nvme_ctrlr_construct(struct spdk_nvme_ctrlr *ctrlr)
 	abort();
 }
 
+void
+nvme_ctrlr_destruct_finish(struct spdk_nvme_ctrlr *ctrlr)
+{
+	abort();
+}
+
 void
 nvme_ctrlr_destruct(struct spdk_nvme_ctrlr *ctrlr)
 {