vhost_scsi: fix a heap-use-after-free case
`struct spdk_vhost_dev vdev` in `struct spdk_vhost_scsi_dev` can be unregistered in `vhost_scsi_dev_remove`, so we can't use it anymore in other places after `vhost_dev_unregister`. Ideally `state->remove_cb` should not take the `vdev` as the input parameter either, but I don't find it's used anywhere, so leave it unchanged. ==29555==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000006df0 READ of size 2 at 0x602000006df0 thread T0 (reactor_0) #0 0x7f3c246c0f0a (/lib64/libasan.so.5+0x9cf0a) #1 0x7f3c246c3c15 in vsnprintf (/lib64/libasan.so.5+0x9fc15) #2 0xa55cfa in spdk_vlog /spdk/lib/log/log.c:158 #3 0xa5596f in spdk_log /spdk/lib/log/log.c:110 #4 0x842e43 in remove_scsi_tgt /spdk/lib/vhost/vhost_scsi.c:208 #5 0x851508 in vhost_scsi_dev_remove_tgt_cpl_cb /spdk/lib/vhost/vhost_scsi.c:1149 #6 0x8383f1 in foreach_session_finish_cb /spdk/lib/vhost/vhost.c:1144 #7 0x9d3223 in msg_queue_run_batch /spdk/lib/thread/thread.c:703 #8 0x9d73fe in thread_poll /spdk/lib/thread/thread.c:919 #9 0x9d7c3b in spdk_thread_poll /spdk/lib/thread/thread.c:979 #10 0x8812fe in _reactor_run /spdk/lib/event/reactor.c:920 #11 0x881bf1 in reactor_run /spdk/lib/event/reactor.c:958 #12 0x88292b in spdk_reactors_start /spdk/lib/event/reactor.c:1060 #13 0x873ff9 in spdk_app_start /spdk/lib/event/app.c:585 #14 0x408044 in main /spdk/app/vhost/vhost.c:105 #15 0x7f3c23691f42 in __libc_start_main (/lib64/libc.so.6+0x23f42) #16 0x407add in _start (/spdk/build/bin/vhost+0x407add) 0x602000006df0 is located 0 bytes inside of 8-byte region [0x602000006df0,0x602000006df8) freed by thread T0 (reactor_0) here: #0 0x7f3c2473191f in __interceptor_free (/lib64/libasan.so.5+0x10d91f) #1 0x8369f2 in vhost_dev_unregister /spdk/lib/vhost/vhost.c:1024 #2 0x84f32d in vhost_scsi_dev_remove /spdk/lib/vhost/vhost_scsi.c:913 #3 0x83cdb7 in spdk_vhost_dev_remove /spdk/lib/vhost/vhost.c:1494 #4 0x83ed66 in vhost_fini /spdk/lib/vhost/vhost.c:1644 #5 0x9d3223 in msg_queue_run_batch /spdk/lib/thread/thread.c:703 
#6 0x9d73fe in thread_poll /spdk/lib/thread/thread.c:919 #7 0x9d7c3b in spdk_thread_poll /spdk/lib/thread/thread.c:979 #8 0x8812fe in _reactor_run /spdk/lib/event/reactor.c:920 #9 0x881bf1 in reactor_run /spdk/lib/event/reactor.c:958 #10 0x88292b in spdk_reactors_start /spdk/lib/event/reactor.c:1060 #11 0x873ff9 in spdk_app_start /spdk/lib/event/app.c:585 #12 0x408044 in main /spdk/app/vhost/vhost.c:105 #13 0x7f3c23691f42 in __libc_start_main (/lib64/libc.so.6+0x23f42) Change-Id: I511c4316a838cd92961d57c9193d384acd49d760 Signed-off-by: Changpeng Liu <changpeng.liu@intel.com> Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10141 Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com> Community-CI: Mellanox Build Bot Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com> Reviewed-by: Dong Yi <dongx.yi@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> Reviewed-by: Ben Walker <benjamin.walker@intel.com>
This commit is contained in:
parent
5ea834b540
commit
245394ca0e
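--- a/lib/vhost/vhost_scsi.c
+++ b/lib/vhost/vhost_scsi.c
@@ -205,8 +205,7 @@ remove_scsi_tgt(struct spdk_vhost_scsi_dev *svdev,
 state->remove_cb(&svdev->vdev, state->remove_ctx);
 state->remove_cb = NULL;
 }
-SPDK_INFOLOG(vhost, "%s: removed target 'Target %u'\n",
-svdev->vdev.name, scsi_tgt_num);
+SPDK_INFOLOG(vhost, "removed target 'Target %u'\n", scsi_tgt_num);
 
 if (--svdev->ref == 0 && svdev->registered == false) {
 free(svdev);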
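Review bot: The `state->remove_cb(&svdev->vdev, state->remove_ctx);` call at the top of the hunk still hands a pointer to the embedded `vdev` to the callback after `vhost_dev_unregister` may already have run, so the same use-after-free is one dereference away inside any future `remove_cb` even though the commit message notes the parameter is currently unused. The 8-byte freed region in the ASan report looks like the `vdev.name` string released in `vhost_dev_unregister`, which would explain why only the `SPDK_INFOLOG` line needed to change here; that is inferred from the trace, not visible in the hunk. I would pin the contract with a comment on that call: `/* vdev may already be unregistered by vhost_scsi_dev_remove(); remove_cb must not dereference it */`. remove_scsi_tgt begins and ends outside the hunk.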
|