From ea2db5bb0c5891bc46a97cc8f54b64039fd36fdc Mon Sep 17 00:00:00 2001
From: Shuhei Matsumoto
Date: Tue, 21 Dec 2021 12:00:45 +0900
Subject: [PATCH] nvme_pcie: Use dummy stats after removing qpar from poll group

Previously, when connecting qpair, we allocated stats per qpair if poll group is not used or we set stats per poll group otherwise. Then when deleting qpair, we freed per qpair stats if allocated. However, if qpair is still not completely disconnected after removing qpair from poll group, pqpair->stat is use-after-free and it causes a segmentation fault. To fix this issue, we set pqpair->stat to &g_dummy_stats instead.

Signed-off-by: Shuhei Matsumoto
Change-Id: Ibf303e6db5176e93ed75cbe3a414bb923d6e3ab6
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10845
Community-CI: Broadcom CI
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins
Reviewed-by: Jim Harris
Reviewed-by: Aleksey Marchuk
---
 lib/nvme/nvme_pcie_common.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/nvme/nvme_pcie_common.c b/lib/nvme/nvme_pcie_common.c
index 8bca0503e..e934bc789 100644
--- a/lib/nvme/nvme_pcie_common.c
+++ b/lib/nvme/nvme_pcie_common.c
@@ -3,6 +3,7 @@
  *
  * Copyright (c) Intel Corporation. All rights reserved.
  * Copyright (c) 2021 Mellanox Technologies LTD. All rights reserved.
+ * Copyright (c) 2022 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -46,6 +47,8 @@ __thread struct nvme_pcie_ctrlr *g_thread_mmio_ctrlr = NULL;
+static struct spdk_nvme_pcie_stat g_dummy_stat = {};
+
 static void nvme_pcie_fail_request_bad_vtophys(struct spdk_nvme_qpair *qpair, struct nvme_tracker *tr);
@@ -1735,6 +1738,9 @@ int nvme_pcie_poll_group_remove(struct spdk_nvme_transport_poll_group *tgroup, struct spdk_nvme_qpair *qpair) {
+	struct nvme_pcie_qpair *pqpair = nvme_pcie_qpair(qpair);
+
+	pqpair->stat = &g_dummy_stat;
 	return 0;
 }
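Review bot: `g_dummy_stat` is one process-wide object, so if two qpairs on different threads have each been removed from their poll group while completions are still outstanding (the situation the commit message describes), their completion paths update the same counters with no synchronisation; the values are throwaway, but the concurrent writes are still a data race. The file already keeps `g_thread_mmio_ctrlr` per thread in the context of the earlier hunk, so the same qualifier fits the sink, `static __thread struct spdk_nvme_pcie_stat g_dummy_stat = {};`. The declaration in that hunk also deserves a comment such as `/* Stats sink for qpairs detached from a poll group whose I/O may still complete; never read. */`, and the empty `= {}` initializer is a GNU extension before C23, where `= { 0 }` is the portable spelling. Redirecting `pqpair->stat` here presumes the qpair is not polled through a poll group afterwards; if a qpair can be re-added, the add path has to reset `pqpair->stat`, which is outside this hunk and cannot be confirmed from it.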