lib/vhost: Don't dereference svdev->name in dev_remove.

If the vdev is marked for hotremove, it is possible that the name has already been freed resulting in a heap use after free, so remove the warning about a vdev being marked for hotremove to avoid a segfault when removing a device. This was observed in the vhost fuzz tests. Signed-off-by: Seth Howell <seth.howell@intel.com> Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/2071 (master) (cherry picked from commit 3bd113eae7) Change-Id: I2891ca2bee70d72fb7b0dff96d569e9b92fe84eb Signed-off-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com> Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/2080 Reviewed-by: Ben Walker <benjamin.walker@intel.com> Reviewed-by: Seth Howell <seth.howell@intel.com> Reviewed-by: Aleksey Marchuk <alexeymar@mellanox.com> Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
2020-04-28 14:20:03 -07:00 · 2020-04-28 14:20:03 -07:00 · d831e63353
commit d831e63353
parent fca143dcb0
1 changed files with 5 additions and 6 deletions
--- a/lib/vhost/vhost_scsi.c
+++ b/lib/vhost/vhost_scsi.c
@ -1121,18 +1121,17 @@ spdk_vhost_scsi_dev_remove_tgt(struct spdk_vhost_dev *vdev, unsigned scsi_tgt_nu
 	svdev = to_scsi_dev(vdev);
 	assert(svdev != NULL);
 	scsi_dev_state = &svdev->scsi_dev_state[scsi_tgt_num];
+
+	if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
+		return -EBUSY;
+	}
+
 	if (scsi_dev_state->dev == NULL || scsi_dev_state->status == VHOST_SCSI_DEV_ADDING) {
 		SPDK_ERRLOG("%s: SCSI target %u is not occupied\n", vdev->name, scsi_tgt_num);
 		return -ENODEV;
 	}

 	assert(scsi_dev_state->status != VHOST_SCSI_DEV_EMPTY);
-	if (scsi_dev_state->status != VHOST_SCSI_DEV_PRESENT) {
-		SPDK_WARNLOG("%s: SCSI target %u has been already marked for hotremoval.\n",
-			     vdev->name, scsi_tgt_num);
-		return -EBUSY;
-	}
-
 	ctx = calloc(1, sizeof(*ctx));
 	if (ctx == NULL) {
 		SPDK_ERRLOG("calloc failed\n");