From f99d46d5f7037bcc1f3de07e9d2c0588b2012247 Mon Sep 17 00:00:00 2001 From: Ziye Yang Date: Wed, 28 Apr 2021 23:10:13 +0800 Subject: [PATCH] bdev/aio: move disk free operation in spdk_io_device_unregister's call back Recently, checked the spdk_io_device_unregister function, it will have deferred free behaviour, and the io_device will possibly be freed in put_io_channel function. And this means that it is not safe to directly call: spdk_io_device_unregister (io_device, NULL); Then free io_device relately resource. Because there will be channel to use the resources associated with io_device. Then we will possibly cause a NULL pointer access. I found this issue in bdev rbd module, and I think that the same issue could happen in other modules. So it is better to put the resource free function as the call back function. Change-Id: Icc1f86d72b672faefb3b7f416030b818a8cf45ce Signed-off-by: Ziye Yang Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/7646 Reviewed-by: Shuhei Matsumoto Reviewed-by: Jim Harris Community-CI: Broadcom CI Tested-by: SPDK CI Jenkins --- module/bdev/aio/bdev_aio.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/module/bdev/aio/bdev_aio.c b/module/bdev/aio/bdev_aio.c index b9925ede6b..f7c26d8854 100644 --- a/module/bdev/aio/bdev_aio.c +++ b/module/bdev/aio/bdev_aio.c @@ -246,10 +246,10 @@ bdev_aio_flush(struct file_disk *fdisk, struct bdev_aio_task *aio_task) } } -static int -bdev_aio_destruct(void *ctx) +static void +bdev_aio_destruct_cb(void *io_device) { - struct file_disk *fdisk = ctx; + struct file_disk *fdisk = io_device; int rc = 0; TAILQ_REMOVE(&g_aio_disk_head, fdisk, link); 
@@ -257,9 +257,18 @@ bdev_aio_destruct(void *ctx) if (rc < 0) { SPDK_ERRLOG("bdev_aio_close() failed\n"); } - spdk_io_device_unregister(fdisk, NULL); + aio_free_disk(fdisk); - return rc; +} + +static int +bdev_aio_destruct(void *ctx) +{ + struct file_disk *fdisk = ctx; + + spdk_io_device_unregister(fdisk, bdev_aio_destruct_cb); + + return 0; } static int
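Review bot: in the first hunk (@@ -246,10), TAILQ_REMOVE(&g_aio_disk_head, fdisk, link) stays in the body that becomes bdev_aio_destruct_cb, so the disk now remains on g_aio_disk_head after bdev_aio_destruct() has returned, until the unregister callback fires. If any code looks disks up through that list, it can still find one that is being torn down during that window. Consider doing the TAILQ_REMOVE in bdev_aio_destruct() before calling spdk_io_device_unregister(), and leaving only the close and aio_free_disk(fdisk) in the callback. A one-line comment on bdev_aio_destruct_cb stating that it runs only after the io_device's channels are released would record why the free was moved.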
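Review bot: in the second hunk (@@ -257,9), the failure path of bdev_aio_close() loses its only reporting channel to the caller: the old function ended with "return rc;", while the new bdev_aio_destruct() ends with "return 0;" and the callback is void, so a close error is now visible only through SPDK_ERRLOG. If that is intended, say so in the commit message or in a comment above the "return 0;" so the behaviour change is not mistaken for an oversight. It would also be worth extending the error message with the rc value, since the log line is now the only place the failure surfaces.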