From fc43fbba043ee608885102ee2d9e4e1d2a799f85 Mon Sep 17 00:00:00 2001 From: yidong0635 Date: Wed, 20 Mar 2019 15:29:47 -0400 Subject: [PATCH] rdma: fixed heap used after free issue. With ASAN to run this cases, it will report issue about heap used after free in spdk_nvmf_rdma_qpair_destroy. Resources have been released before, change the order to in this tailq to release resources. ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000080e0 at pc 0x0000006e1e3f bp 0x7fd48b6c3df0 sp 0x7fd48b6c3de0 READ of size 8 at 0x6080000080e0 thread T3 (reactor_1) 0x6e1e3e in spdk_nvmf_rdma_qpair_destroy spdk/lib/nvmf/rdma.c:813 Change-Id: Ia1c12bca84955a2de60399e6b265c9b8901bb51e Signed-off-by: yidong0635 Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/448534 Tested-by: SPDK CI Jenkins Reviewed-by: Changpeng Liu Reviewed-by: Seth Howell Reviewed-by: Jim Harris --- lib/nvmf/rdma.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/nvmf/rdma.c b/lib/nvmf/rdma.c index 960203d89..024f7c8b1 100644 --- a/lib/nvmf/rdma.c +++ b/lib/nvmf/rdma.c @@ -2704,6 +2704,10 @@ spdk_nvmf_rdma_poll_group_destroy(struct spdk_nvmf_transport_poll_group *group) TAILQ_FOREACH_SAFE(poller, &rgroup->pollers, link, tmp) { TAILQ_REMOVE(&rgroup->pollers, poller, link); + TAILQ_FOREACH_SAFE(qpair, &poller->qpairs, link, tmp_qpair) { + spdk_nvmf_rdma_qpair_destroy(qpair); + } + if (poller->srq) { nvmf_rdma_resources_destroy(poller->resources); ibv_destroy_srq(poller->srq); @@ -2713,9 +2717,6 @@ spdk_nvmf_rdma_poll_group_destroy(struct spdk_nvmf_transport_poll_group *group) if (poller->cq) { ibv_destroy_cq(poller->cq); } - TAILQ_FOREACH_SAFE(qpair, &poller->qpairs, link, tmp_qpair) { - spdk_nvmf_rdma_qpair_destroy(qpair); - } free(poller); }