From 833a5c9d2beb40c1b44d41fcb03c51def6d7d6df Mon Sep 17 00:00:00 2001
From: Alexey Marchuk <alexeymar@mellanox.com>
Date: Thu, 23 Dec 2021 15:59:05 +0300
Subject: [PATCH] bdev/nvme: Remove ctrlr_ch from group's list in error case

If qpair creation failed, ctrlr_ch remains in group->ctrlr_ch_list
but memory for ctrlr_ch is freed. Next attempt to get ctrlr's io
channel will modify data in already freed memory and may corrupt
another allocation.

Signed-off-by: Alexey Marchuk <alexeymar@mellanox.com>
Change-Id: I85002f2e6ac86a0ffda6dabfa57e79b59074fb5a
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10840
Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Community-CI: Mellanox Build Bot
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Shuhei Matsumoto <shuheimatsumoto@gmail.com>
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
---
 module/bdev/nvme/bdev_nvme.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/module/bdev/nvme/bdev_nvme.c b/module/bdev/nvme/bdev_nvme.c
index 435b331d6c..a61d25ca41 100644
--- a/module/bdev/nvme/bdev_nvme.c
+++ b/module/bdev/nvme/bdev_nvme.c
@@ -1909,6 +1909,7 @@ bdev_nvme_create_ctrlr_channel_cb(void *io_device, void *ctx_buf)
 	return 0;
 
 err_qpair:
+	TAILQ_REMOVE(&ctrlr_ch->group->ctrlr_ch_list, ctrlr_ch, tailq);
 	spdk_put_io_channel(pg_ch);
 
 	return rc;