From 3bd113eae75de13dc668a1a57ea9de137de52820 Mon Sep 17 00:00:00 2001
From: Seth Howell
Date: Tue, 28 Apr 2020 14:20:03 -0700
Subject: [PATCH] lib/vhost: Don't dereference svdev->name in dev_remove.

If the vdev is marked for hotremove, it is possible that the name has already been freed resulting in a heap use after free, so remove the warning about a vdev being marked for hotremove to avoid a segfault when removing a device. This was observed in the vhost fuzz tests.

Signed-off-by: Seth Howell
Change-Id: I2891ca2bee70d72fb7b0dff96d569e9b92fe84eb
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/2071
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins
Reviewed-by: Darek Stojaczyk
Reviewed-by: Changpeng Liu
---
 lib/vhost/vhost_scsi.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/vhost/vhost_scsi.c b/lib/vhost/vhost_scsi.c
index a39efc9db3..724cd099e1 100644
--- a/lib/vhost/vhost_scsi.c
+++ b/lib/vhost/vhost_scsi.c
@@ -1121,18 +1121,17 @@ spdk_vhost_scsi_dev_remove_tgt(struct spdk_vhost_dev *vdev, unsigned scsi_tgt_nu
 svdev = to_scsi_dev(vdev);
 assert(svdev != NULL);
 scsi_dev_state = &svdev->scsi_dev_state[scsi_tgt_num];
+
+ if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
+ return -EBUSY;
+ }
+
 if (scsi_dev_state->dev == NULL || scsi_dev_state->status == VHOST_SCSI_DEV_ADDING) {
 SPDK_ERRLOG("%s: SCSI target %u is not occupied\n", vdev->name, scsi_tgt_num);
 return -ENODEV;
 }
 
 assert(scsi_dev_state->status != VHOST_SCSI_DEV_EMPTY);
- if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
- SPDK_WARNLOG("%s: SCSI target %u has been already marked for hotremoval.\n",
- vdev->name, scsi_tgt_num);
- return -EBUSY;
- }
-
 ctx = calloc(1, sizeof(*ctx));
 if (ctx == NULL) {
 SPDK_ERRLOG("calloc failed\n");
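Review bot: Moving the `status != VHOST_SCSI_DEV_PRESENT` check ahead of the occupancy check changes the error code for a slot that was never populated: an EMPTY target (and an ADDING one) now returns -EBUSY where the old order returned -ENODEV, and the `scsi_dev_state->status == VHOST_SCSI_DEV_ADDING` disjunct together with the `assert(scsi_dev_state->status != VHOST_SCSI_DEV_EMPTY)` below it can no longer trigger. If callers (presumably the RPC layer) distinguish "no such target" from "busy", preserve -ENODEV for empty slots with `if (scsi_dev_state->status == VHOST_SCSI_DEV_EMPTY) { return -ENODEV; }` placed before the new -EBUSY return, and drop the now-dead ADDING disjunct. The diagnostic the commit removes can be kept without the dereference that caused the use-after-free, e.g. `SPDK_WARNLOG("SCSI target %u has been already marked for hotremoval.\n", scsi_tgt_num);` immediately before `return -EBUSY;`, so the fuzzer-visible crash is fixed without losing the log line that tells an operator why the remove was refused. The body of spdk_vhost_scsi_dev_remove_tgt begins before and continues past this hunk.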