From ec47f92b9bc37efea2c8b182a66914b202827b10 Mon Sep 17 00:00:00 2001
From: Seth Howell
Date: Thu, 25 Apr 2019 10:46:20 -0700
Subject: [PATCH] rdma: fix potential heap-use-after-free in srq shutdown

If there are outstanding recvs for a qpair when it is destroyed, we need to clear the qpair from it before reposting it. Otehrwise, we have a potential heap-use-after-free of double free (depending on whether the recv completion is in error state or not). See github issues #730

Change-Id: Ic2009c761cbcc5e89174f62fbd0872d0489c67ca
Signed-off-by: Seth Howell
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/452122
Tested-by: SPDK CI Jenkins
Reviewed-by: Jim Harris
Reviewed-by: Changpeng Liu
---
 lib/nvmf/rdma.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/nvmf/rdma.c b/lib/nvmf/rdma.c
index bf9709595..0a07f9e89 100644
--- a/lib/nvmf/rdma.c
+++ b/lib/nvmf/rdma.c
@@ -868,6 +868,7 @@ spdk_nvmf_rdma_qpair_destroy(struct spdk_nvmf_rdma_qpair *rqpair)
 STAILQ_FOREACH_SAFE(rdma_recv, &rqpair->resources->incoming_queue, link, recv_tmp) {
 if (rqpair == rdma_recv->qpair) {
 STAILQ_REMOVE_HEAD(&rqpair->resources->incoming_queue, link);
+ rdma_recv->qpair = NULL;
 rc = ibv_post_srq_recv(rqpair->srq, &rdma_recv->wr, &bad_recv_wr);
 if (rc) {
 SPDK_ERRLOG("Unable to re-post rx descriptor\n");
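Review bot: The `STAILQ_REMOVE_HEAD` on the line just before the added assignment unlinks whichever element is currently at the head of `incoming_queue`, not the `rdma_recv` that matched `rqpair`; since the `rqpair == rdma_recv->qpair` test implies the shared queue can hold recvs of other qpairs, a preceding foreign recv would be unlinked while the matching one is re-posted to the SRQ with its `link` still in the queue, which is the same use-after-free class this commit is fixing. Remove the current element instead, e.g. `STAILQ_REMOVE(&rqpair->resources->incoming_queue, rdma_recv, spdk_nvmf_rdma_recv, link);` (assuming `spdk_nvmf_rdma_recv` is the struct tag of `rdma_recv`; adjust if not). The new `rdma_recv->qpair = NULL;` also means the recv completion path must tolerate a NULL `qpair` on that descriptor; that code is outside the hunk, so confirm it checks before dereferencing. Likewise, when `ibv_post_srq_recv` fails the descriptor is already unlinked and has no owner, so the error branch (continuing outside the hunk) should account for that recv rather than only logging. The body of `spdk_nvmf_rdma_qpair_destroy` starts and continues outside the hunk.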