Spdk/module/bdev
Richael Zhuang 953b74b9b0 bdev_nvme: fix heap-use-after-free when detaching controller
There is a heap-use-after-free error when detaching a controller
when the "io_path_stat" option is set to true.
(If SPDK is built without asan/ubsan, the error is free(): corrupted
unsorted chunks)

It's because io_path is accessed in bdev_nvme_io_complete_nvme_status
after the io_path is freed.

io_path is freed when we detach the controller in function
_bdev_nvme_delete_io_path; this function will execute 1 and 2.
And before 4 is executed, 3 may be executed, which accesses io_path.

1. spdk_put_io_channel() is called. bdev_nvme_destroy_ctrlr_channel_cb
   has not been called.
2. free(io_path->stat); free(io_path);
3. bdev_nvme_poll; nbdev_io1 succeeds; bdev_nvme_io_complete_nvme_status()
   accesses nbdev_io1->io_path.
4. bdev_nvme_destroy_ctrlr_channel_cb disconnects the qpair and aborts nbdev_io1.

This patch fixes this by moving 2 down under 4. We don't free io_path in
_bdev_nvme_delete_io_path but just remove it from the nbdev_ch->io_path_list.

Steps to reproduce the error:
target: run nvmf_tgt
initiator: (build SPDK with asan and ubsan enabled)
sudo ./build/examples/bdevperf --json bdevperf-multipath-rdma-active-active.json  -r tmp.sock -q 128 -o 4096  -w randrw -M 50 -t 120
sudo ./scripts/rpc.py -s tmp.sock  bdev_nvme_detach_controller -t rdma -a 10.10.10.10 -f IPv4 -s 4420 -n nqn.2016-06.io.spdk:cnode1 NVMe0

========
bdevperf-multipath-rdma-active-active.json

{
  "subsystems": [
    {
      "subsystem": "bdev",
      "config": [
        {
          "method": "bdev_nvme_attach_controller",
          "params": {
            "name": "NVMe0",
            "trtype": "tcp",
            "traddr": "10.169.204.201",
            "trsvcid": "4420",
            "subnqn": "nqn.2016-06.io.spdk:cnode1",
            "hostnqn": "nqn.2016-06.io.spdk:init",
            "adrfam": "IPv4"
          }
        },
        {
          "method": "bdev_nvme_attach_controller",
          "params": {
            "name": "NVMe0",
            "trtype": "rdma",
            "traddr": "10.10.10.10",
            "trsvcid": "4420",
            "subnqn": "nqn.2016-06.io.spdk:cnode1",
            "hostnqn": "nqn.2016-06.io.spdk:init",
            "adrfam": "IPv4",
            "multipath": "multipath"
          }
        },
        {
          "method": "bdev_nvme_set_multipath_policy",
          "params": {
            "name": "NVMe0n1",
            "policy": "active_active"
          }
        },
        {
          "method": "bdev_nvme_set_options",
          "params": {
            "io_path_stat": true
          }
        }
      ]
    }
  ]
}
======

Change-Id: I8f4f9dc7195f49992a5ba9798613b64d44266e5e
Signed-off-by: Richael Zhuang <richael.zhuang@arm.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/17581
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Mellanox Build Bot
Reviewed-by: Shuhei Matsumoto <smatsumoto@nvidia.com>
2023-04-24 09:20:33 +00:00
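
Added example (not part of the commit and not SPDK code): a simplified C model of steps 1 to 4 from the commit message above, run in the order 1, 2, 3, 4 with the pre-fix and the fixed placement of the free. All struct and function names are hypothetical, and "free" is modelled as a flag so the late access can be counted rather than triggering undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
/* Model only, not SPDK code: "free" sets a tombstone flag so a late access
 * is counted instead of being undefined behaviour. */
struct io_path { bool freed; unsigned long completed; };
struct io { struct io_path *path; bool outstanding; };
struct channel { struct io_path *path; struct io *inflight; bool free_in_cb; };
static int stale_accesses;

/* Steps 1 and 2: channel reference dropped (destroy callback deferred);
 * the pre-fix order releases io_path right here. */
static void delete_io_path(struct channel *ch, bool fixed)
{
    ch->free_in_cb = fixed;
    if (!fixed) ch->path->freed = true;
}

/* Step 3: the poller completes an I/O and touches its io_path. */
static void poll_complete(struct io *io)
{
    if (!io->outstanding) return;
    if (io->path->freed) stale_accesses++;  /* ASan: heap-use-after-free */
    else io->path->completed++;             /* per-path statistics update */
    io->outstanding = false;
}

/* Step 4: deferred destroy callback aborts I/O, then (fixed order) frees. */
static void destroy_cb(struct channel *ch)
{
    ch->inflight->outstanding = false;
    if (ch->free_in_cb) ch->path->freed = true;
}

/* Runs the interleaving 1, 2, 3, 4; returns the stale-access count,
 * or -1 if io_path was never released. */
int detach_stale_accesses(bool fixed)
{
    struct io_path path = { false, 0 };
    struct io io = { &path, true };
    struct channel ch = { &path, &io, false };
    stale_accesses = 0;
    delete_io_path(&ch, fixed);
    poll_complete(&io);
    destroy_cb(&ch);
    return path.freed ? stale_accesses : -1;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", detach_stale_accesses(false), detach_stale_accesses(true));
    return 0;
}
```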
..
aio so_ver: increase all major versions 2023-01-24 08:37:21 +00:00
compress accel: move accel_module.h to include/spdk 2023-04-19 06:36:20 +00:00
crypto accel: move accel_module.h to include/spdk 2023-04-19 06:36:20 +00:00
daos bdev: delete UUID generation from ephemeral bdevs 2023-04-13 12:12:58 +00:00
delay bdev/delay: add uuid option 2023-03-08 08:46:16 +00:00
error bdev/error: add option to provide UUID for error bdev 2023-04-13 12:12:58 +00:00
ftl module/bdev: Use error_response() rather than bool_response(false) for JSON RPCs 2023-01-31 21:40:09 +00:00
gpt bdev_gpt: add new SPDK partition type for off-by-one fix 2023-01-24 17:19:35 +00:00
iscsi bdev/iscsi: fix use-after-free in bdev_iscsi_command_cb() 2023-03-16 07:24:56 +00:00
lvol bdev/lvol: add param size_in_mib to replace size in bytes 2023-03-01 08:55:43 +00:00
malloc bdev/malloc: report accel sequence support 2023-04-19 06:36:20 +00:00
null bdev: delete UUID generation from ephemeral bdevs 2023-04-13 12:12:58 +00:00
nvme bdev_nvme: fix heap-use-after-free when detaching controller 2023-04-24 09:20:33 +00:00
ocf bdev/ocf: Update OCF to 22.6.1 2023-04-06 14:40:39 +00:00
passthru bdev: remove spdk_bdev_ext_io_opts from spdk_bdev_io 2023-02-16 10:09:35 +00:00
raid module/raid: specify memory domain support per raid module 2023-04-17 09:36:34 +00:00
rbd bdev: delete UUID generation from ephemeral bdevs 2023-04-13 12:12:58 +00:00
split so_ver: increase all major versions 2023-01-24 08:37:21 +00:00
uring bdev/uring: Unset write_cache 2023-04-06 20:50:48 +00:00
virtio so_ver: increase all major versions 2023-01-24 08:37:21 +00:00
xnvme bdev/xnvme: Use bdev_unregister_by_name() to delete a xnvme bdev 2023-01-31 21:40:09 +00:00
zone_block module/bdev: Use error_response() rather than bool_response(false) for JSON RPCs 2023-01-31 21:40:09 +00:00
Makefile bdev/pmem: Removed bdev pmem implementation 2023-03-09 09:21:23 +00:00