From fdf2490a32412c2e58e5c47355d014a2152a7d57 Mon Sep 17 00:00:00 2001
From: Alexey Marchuk <alexeymar@mellanox.com>
Date: Mon, 27 Jul 2020 21:35:11 +0300
Subject: [PATCH] nvmf/rdma: Don't destroy qpair if rdma_accept fails

Failed qpair will be destroyed on generic nvmf layer during handling
of error code returned from spdk_nvmf_poll_group_add.
The current approach leads to heap-use-after-free.

Change-Id: I99331150fa36a3c3c18176589afb973dee449b3a
Signed-off-by: Alexey Marchuk <alexeymar@mellanox.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/3538
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
---
 lib/nvmf/rdma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nvmf/rdma.c b/lib/nvmf/rdma.c
index bc68526d1..fc31bab7a 100644
--- a/lib/nvmf/rdma.c
+++ b/lib/nvmf/rdma.c
@@ -3428,7 +3428,6 @@ nvmf_rdma_qpair_reject_connection(struct spdk_nvmf_rdma_qpair *rqpair)
 	if (rqpair->cm_id != NULL) {
 		nvmf_rdma_event_reject(rqpair->cm_id, SPDK_NVMF_RDMA_ERROR_NO_RESOURCES);
 	}
-	nvmf_rdma_qpair_destroy(rqpair);
 }
 
 static int
@@ -3568,6 +3567,7 @@ nvmf_rdma_close_qpair(struct spdk_nvmf_qpair *qpair)
 	 */
 	if (rqpair->qpair.state == SPDK_NVMF_QPAIR_UNINITIALIZED) {
 		nvmf_rdma_qpair_reject_connection(rqpair);
+		nvmf_rdma_qpair_destroy(rqpair);
 		return;
 	}