lib/vhost: Don't dereference svdev->name in dev_remove.

If the vdev is marked for hotremove, it is possible that the
name has already been freed resulting in a heap use after free,
so remove the warning about a vdev being marked for hotremove
to avoid a segfault when removing a device.

This was observed in the vhost fuzz tests.

Signed-off-by: Seth Howell <seth.howell@intel.com>
Change-Id: I2891ca2bee70d72fb7b0dff96d569e9b92fe84eb
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/2071
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Darek Stojaczyk <dariusz.stojaczyk@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
This commit is contained in:
Seth Howell 2020-04-28 14:20:03 -07:00 committed by Tomasz Zawadzki
parent 6607e124c1
commit 3bd113eae7

View File

@ -1121,18 +1121,17 @@ spdk_vhost_scsi_dev_remove_tgt(struct spdk_vhost_dev *vdev, unsigned scsi_tgt_nu
svdev = to_scsi_dev(vdev);
assert(svdev != NULL);
scsi_dev_state = &svdev->scsi_dev_state[scsi_tgt_num];
if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
return -EBUSY;
}
if (scsi_dev_state->dev == NULL || scsi_dev_state->status == VHOST_SCSI_DEV_ADDING) {
SPDK_ERRLOG("%s: SCSI target %u is not occupied\n", vdev->name, scsi_tgt_num);
return -ENODEV;
}
assert(scsi_dev_state->status != VHOST_SCSI_DEV_EMPTY);
if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
SPDK_WARNLOG("%s: SCSI target %u has been already marked for hotremoval.\n",
vdev->name, scsi_tgt_num);
return -EBUSY;
}
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
SPDK_ERRLOG("calloc failed\n");