From d2c4392c25f803fee59ee7065d4512172e1b135c Mon Sep 17 00:00:00 2001 From: Zhiqiang Liu Date: Sat, 24 Jul 2021 11:28:17 +0800 Subject: [PATCH] spdk: backport 13 patches from upstream backport 13 patches from upstream to solve potential problems. 
Signed-off-by: Zhiqiang Liu (cherry picked from commit e33c22897713a19a9c3b4a420ce7962d3f7ac086) --- ...urn-value-of-strdup-in-blobfs_fuse_s.patch | 52 ++++++++++++ ...urn-value-of-strdup-in-spdk_fs_creat.patch | 51 ++++++++++++ ...fix-memleak-problem-in-blob_load_cpl.patch | 50 +++++++++++ ...tential-memleak-problem-in-blob_seri.patch | 69 ++++++++++++++++ ...-problem-in-spdk_idxd_configure_chan.patch | 72 ++++++++++++++++ ...leak-problem-in-spdk_idxd_get_channe.patch | 35 ++++++++ ...al-double-free-problem-in-ioat_chann.patch | 41 ++++++++++ ...n-value-of-strdup-in-spdk_nvmf_subsy.patch | 43 ++++++++++ ...n-value-of-strdup-in-spdk_nvmf_subsy.patch | 82 +++++++++++++++++++ ...age-problem-in-nvmf_vfio_user_listen.patch | 45 ++++++++++ ...1-after-close-fd-in-posix_sock_creat.patch | 62 ++++++++++++++ ...eturn-value-of-strdup-in-store_last_.patch | 39 +++++++++ ...1-after-close-fd-in-uring_sock_creat.patch | 62 ++++++++++++++ spdk.spec | 18 +++- 14 files changed, 720 insertions(+), 1 deletion(-) create mode 100644 0016-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch create mode 100644 0017-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch create mode 100644 0018-blobstore-fix-memleak-problem-in-blob_load_cpl.patch create mode 100644 0019-blobstore-fix-potential-memleak-problem-in-blob_seri.patch create mode 100644 0020-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch create mode 100644 0021-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch create mode 100644 0022-ioat-fix-potential-double-free-problem-in-ioat_chann.patch create mode 100644 0023-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch create mode 100644 0024-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch create mode 100644 0025-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch create mode 100644 0026-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch create mode 100644 0027-spdk_top-check-return-value-of-strdup-in-store_last_.patch 
create mode 100644 0028-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch
diff --git a/0016-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch b/0016-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch
new file mode 100644
index 0000000..fac492b
--- /dev/null
+++ b/0016-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch
@@ -0,0 +1,52 @@
+From 65f41dc6b49cb2d8b7bb9e3951f6f4fcf5c93eee Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 18:25:14 +0800
+Subject: [PATCH 16/28] blobfs: check return value of strdup in
+ blobfs_fuse_start()
+
+In blobfs_fuse_start(), bfuse->bdev_name and bfuse->mountpoint
+are allocated by calling strdup(), which may return NULL.
+Here, we will go to err if strdup() returns NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I0599254b3436a310ddd26732312281f07a4972ec
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8303
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Jim Harris
+Reviewed-by: Changpeng Liu
+---
+ module/blobfs/bdev/blobfs_fuse.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/module/blobfs/bdev/blobfs_fuse.c b/module/blobfs/bdev/blobfs_fuse.c
+index 1666549..176f81e 100644
+--- a/module/blobfs/bdev/blobfs_fuse.c
++++ b/module/blobfs/bdev/blobfs_fuse.c
+@@ -301,15 +301,19 @@ blobfs_fuse_start(const char *bdev_name, const char *mountpoint, struct spdk_fil
+ return -ENOMEM;
+ }
+
+- rc = fuse_parse_cmdline(&args, &opts);
+- assert(rc == 0);
+-
+ bfuse->bdev_name = strdup(bdev_name);
+ bfuse->mountpoint = strdup(mountpoint);
++ if (!bfuse->bdev_name || !bfuse->mountpoint) {
++ rc = -ENOMEM;
++ goto err;
++ }
+ bfuse->fs = fs;
+ bfuse->cb_fn = cb_fn;
+ bfuse->cb_arg = cb_arg;
+
++ rc = fuse_parse_cmdline(&args, &opts);
++ assert(rc == 0);
++
+ fuse_handle = fuse_new(&args, &spdk_fuse_oper, sizeof(spdk_fuse_oper), NULL);
+ fuse_opt_free_args(&args);
+ if (fuse_handle == NULL) {
+--
+1.8.3.1
+
diff --git a/0017-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch b/0017-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch
new file mode 100644
index 0000000..712e9ef
--- /dev/null
+++ b/0017-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch
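Review bot: In patch 0016 the relocated `assert(rc == 0);` is still the only check on `fuse_parse_cmdline()` in blobfs_fuse_start(), and an assert is compiled out under NDEBUG, so a parse failure in a release build would fall through to `fuse_new()`. Now that the function uses its `err` path for the strdup() failure, the same path could serve here: `if (rc != 0) { goto err; }`. The `err` label and the setup of `args` are outside the hunk, so it should be confirmed that `err` releases `args` and copes with only one of `bdev_name`/`mountpoint` having been allocated.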
@@ -0,0 +1,51 @@
+From 199309e555028889c4cf5bb02d3d5b1278bb3ce5 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 16:17:32 +0800
+Subject: [PATCH 17/28] blobfs: check return value of strdup in
+ spdk_fs_create_file_async()
+
+In spdk_fs_create_file_async(), file->name is set to strdup(name).
+We should check whether file->name is equal to NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I2219cc353eb4711290aee2599505f57af9088bb2
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8302
+Community-CI: Mellanox Build Bot
+Reviewed-by: Ziye Yang
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ lib/blobfs/blobfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/blobfs/blobfs.c b/lib/blobfs/blobfs.c
+index c9bcde8..65c92a9 100644
+--- a/lib/blobfs/blobfs.c
++++ b/lib/blobfs/blobfs.c
+@@ -1100,6 +1100,8 @@ spdk_fs_create_file_async(struct spdk_filesystem *fs, const char *name,
+ req = alloc_fs_request(fs->md_target.md_fs_channel);
+ if (req == NULL) {
+ SPDK_ERRLOG("Cannot allocate create async req for file=%s\n", name);
++ TAILQ_REMOVE(&fs->files, file, tailq);
++ file_free(file);
+ cb_fn(cb_arg, -ENOMEM);
+ return;
+ }
+@@ -1110,6 +1112,14 @@ spdk_fs_create_file_async(struct spdk_filesystem *fs, const char *name,
+ args->arg = cb_arg;
+
+ file->name = strdup(name);
++ if (!file->name) {
++ SPDK_ERRLOG("Cannot allocate file->name for file=%s\n", name);
++ free_fs_request(req);
++ TAILQ_REMOVE(&fs->files, file, tailq);
++ file_free(file);
++ cb_fn(cb_arg, -ENOMEM);
++ return;
++ }
+ _file_build_trace_arg_name(file);
+ spdk_bs_create_blob(fs->bs, fs_create_blob_create_cb, args);
+ }
+--
+1.8.3.1
+
diff --git a/0018-blobstore-fix-memleak-problem-in-blob_load_cpl.patch b/0018-blobstore-fix-memleak-problem-in-blob_load_cpl.patch
new file mode 100644
index 0000000..3d0afbe
--- /dev/null
+++ b/0018-blobstore-fix-memleak-problem-in-blob_load_cpl.patch
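Review bot: In patch 0017 the two failure branches of spdk_fs_create_file_async() now repeat the same sequence (`TAILQ_REMOVE(&fs->files, file, tailq); file_free(file); cb_fn(cb_arg, -ENOMEM);`), which is easy to let drift when another failure point is added later. Performing `strdup(name)` before `alloc_fs_request()` would leave one allocation failure to unwind at a time, or the shared steps could move behind a single cleanup label. If the order stays as it is, a comment on the first branch such as `/* file is already linked on fs->files; unlink it before freeing */` would explain why the removal is required; the code that links the file is outside the hunk.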
@@ -0,0 +1,50 @@
+From 7c4665e485e764f4fee069e60bdeffa387b15a4b Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 19:53:08 +0800
+Subject: [PATCH 18/28] blobstore:fix memleak problem in blob_load_cpl()
+
+In blob_load_cpl(), spdk_realloc() is called to realloc
+memory of ctx->pages. If spdk_realloc() return NULL,
+the ctx->pages is set to NULL without being freed,
+and then a memleak problem occurs.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Idf21b690e89beab0245ba57a5de66a4f506d54fb
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8308
+Tested-by: SPDK CI Jenkins
+Community-CI: Mellanox Build Bot
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Tomasz Zawadzki
+---
+ lib/blob/blobstore.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/blob/blobstore.c b/lib/blob/blobstore.c
+index 08483fc..1f7d224 100644
+--- a/lib/blob/blobstore.c
++++ b/lib/blob/blobstore.c
+@@ -1490,16 +1490,18 @@ blob_load_cpl(spdk_bs_sequence_t *seq, void *cb_arg, int bserrno)
+ }
+
+ if (page->next != SPDK_INVALID_MD_PAGE) {
++ struct spdk_blob_md_page *tmp_pages;
+ uint32_t next_page = page->next;
+ uint64_t next_lba = bs_md_page_to_lba(blob->bs, next_page);
+
+ /* Read the next page */
+- ctx->num_pages++;
+- ctx->pages = spdk_realloc(ctx->pages, (sizeof(*page) * ctx->num_pages), 0);
+- if (ctx->pages == NULL) {
++ tmp_pages = spdk_realloc(ctx->pages, (sizeof(*page) * (ctx->num_pages + 1)), 0);
++ if (tmp_pages == NULL) {
+ blob_load_final(ctx, -ENOMEM);
+ return;
+ }
++ ctx->num_pages++;
++ ctx->pages = tmp_pages;
+
+ bs_sequence_read_dev(seq, &ctx->pages[ctx->num_pages - 1],
+ next_lba,
+--
+1.8.3.1
+
diff --git a/0019-blobstore-fix-potential-memleak-problem-in-blob_seri.patch b/0019-blobstore-fix-potential-memleak-problem-in-blob_seri.patch
new file mode 100644
index 0000000..d237bd1
--- /dev/null
+++ b/0019-blobstore-fix-potential-memleak-problem-in-blob_seri.patch
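Review bot: In patch 0018 nothing visible in blob_load_cpl() bounds how far `ctx->num_pages` can grow: every page whose `next` field is not `SPDK_INVALID_MD_PAGE` triggers another `spdk_realloc()`, and the pages are filled by `bs_sequence_read_dev()`, i.e. from on-disk metadata. If no check outside the hunk rejects a repeated or out-of-range `next_page`, a corrupted chain that points back at an earlier page would keep growing the buffer until allocation fails. A guard before the realloc that compares `ctx->num_pages` against the blobstore's metadata page count would turn that into a clean load error; the field holding that limit is not shown here, so the exact expression has to come from the surrounding file.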
@@ -0,0 +1,69 @@
+From 94f83ca86169a3b5971c8edf99e3a4ff8e6d2d51 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 19:42:14 +0800
+Subject: [PATCH 19/28] blobstore: fix potential memleak problem in
+ blob_serialize_add_page()
+
+In blob_serialize_add_page(), *pages is set to spdk_realloc(*pages).
+If spdk_realloc() returns NULL, the *pages pointer will be
+overridden, whose memory will leak.
+
+Here, we introduce a new var (tmp_pages) for checking the return
+value of spdk_realloc(*pages).
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Ib2ead3f3b5d5e44688d1f0568816f483aa9e101f
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8307
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Tomasz Zawadzki
+---
+ lib/blob/blobstore.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/lib/blob/blobstore.c b/lib/blob/blobstore.c
+index 1f7d224..551e615 100644
+--- a/lib/blob/blobstore.c
++++ b/lib/blob/blobstore.c
+@@ -874,26 +874,28 @@ blob_serialize_add_page(const struct spdk_blob *blob,
+ uint32_t *page_count,
+ struct spdk_blob_md_page **last_page)
+ {
+- struct spdk_blob_md_page *page;
++ struct spdk_blob_md_page *page, *tmp_pages;
+
+ assert(pages != NULL);
+ assert(page_count != NULL);
+
++ *last_page = NULL;
+ if (*page_count == 0) {
+ assert(*pages == NULL);
+- *page_count = 1;
+ *pages = spdk_malloc(SPDK_BS_PAGE_SIZE, 0,
+ NULL, SPDK_ENV_SOCKET_ID_ANY, SPDK_MALLOC_DMA);
++ if (*pages == NULL) {
++ return -ENOMEM;
++ }
++ *page_count = 1;
+ } else {
+ assert(*pages != NULL);
++ tmp_pages = spdk_realloc(*pages, SPDK_BS_PAGE_SIZE * (*page_count + 1), 0);
++ if (tmp_pages == NULL) {
++ return -ENOMEM;
++ }
+ (*page_count)++;
+- *pages = spdk_realloc(*pages, SPDK_BS_PAGE_SIZE * (*page_count), 0);
+- }
+-
+- if (*pages == NULL) {
+- *page_count = 0;
+- *last_page = NULL;
+- return -ENOMEM;
++ *pages = tmp_pages;
+ }
+
+ page = &(*pages)[*page_count - 1];
+--
+1.8.3.1
+
diff --git a/0020-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch b/0020-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch
new file mode 100644
index 0000000..9ddb435
--- /dev/null
+++ b/0020-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch
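Review bot: Patch 0019 changes what blob_serialize_add_page() leaves behind on failure and that contract is not written down anywhere in the hunk: the old code reset `*page_count` to 0 after a failed realloc, while the new code returns -ENOMEM with `*pages` and `*page_count` untouched, so the caller still owns the existing buffer. That fixes the leak only if every caller frees `*pages` on error; the callers are outside the hunk and should be checked. A comment above the function would make the rule explicit, e.g. `/* On -ENOMEM, *pages and *page_count are unchanged and still owned by the caller; *last_page is NULL. */`. Also, `*last_page = NULL;` now runs unconditionally, yet only `pages` and `page_count` are asserted non-NULL, so `assert(last_page != NULL);` belongs next to the other two.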
@@ -0,0 +1,72 @@
+From 7e571efc4d6b726b645cd7dc32bab7231bdf543c Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Fri, 18 Jun 2021 17:11:16 +0800
+Subject: [PATCH 20/28] idxd: fix memleak problem in spdk_idxd_configure_chan()
+
+In spdk_idxd_configure_chan(), if memory allocation fails in
+TAILQ_FOREACH() {} code range, we will goto err_user_comp and
+err_user_desc tag, in which we donot free chan->completions
+and confused batch->user_completions with chan->completions.
+Memleak problem and double free problem may occurs.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I0e588a35184d97cab0ea6b6c013ca8b3342f940a
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8432
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Ziye Yang
+Reviewed-by: Changpeng Liu
+Reviewed-by: Jim Harris
+Community-CI: Mellanox Build Bot
+---
+ lib/idxd/idxd.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/idxd/idxd.c b/lib/idxd/idxd.c
+index f240225..4f76f09 100644
+--- a/lib/idxd/idxd.c
++++ b/lib/idxd/idxd.c
+@@ -194,7 +194,7 @@ spdk_idxd_configure_chan(struct spdk_idxd_io_channel *chan)
+ if (batch->user_desc == NULL) {
+ SPDK_ERRLOG("Failed to allocate batch descriptor memory\n");
+ rc = -ENOMEM;
+- goto err_user_desc;
++ goto err_user_desc_or_comp;
+ }
+
+ batch->user_completions = spdk_zmalloc(DESC_PER_BATCH * sizeof(struct idxd_comp),
+@@ -203,7 +203,7 @@ spdk_idxd_configure_chan(struct spdk_idxd_io_channel *chan)
+ if (batch->user_completions == NULL) {
+ SPDK_ERRLOG("Failed to allocate user completion memory\n");
+ rc = -ENOMEM;
+- goto err_user_comp;
++ goto err_user_desc_or_comp;
+ }
+ }
+
+@@ -212,16 +212,18 @@ spdk_idxd_configure_chan(struct spdk_idxd_io_channel *chan)
+
+ return 0;
+
+-err_user_comp:
++err_user_desc_or_comp:
+ TAILQ_FOREACH(batch, &chan->batch_pool, link) {
+ spdk_free(batch->user_desc);
++ batch->user_desc = NULL;
++ spdk_free(batch->user_completions);
++ batch->user_completions = NULL;
+ }
+-err_user_desc:
+- TAILQ_FOREACH(batch, &chan->batch_pool, link) {
+- spdk_free(chan->completions);
+- }
++ spdk_free(chan->completions);
++ chan->completions = NULL;
+ err_comp:
+ spdk_free(chan->desc);
++ chan->desc = NULL;
+ err_desc:
+ spdk_bit_array_free(&chan->ring_slots);
+
+--
+1.8.3.1
+
diff --git a/0021-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch b/0021-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch
new file mode 100644
index 0000000..8ae9d81
--- /dev/null
+++ b/0021-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch
@@ -0,0 +1,35 @@
+From b4c40bfdf47efc027330a805947db521df8b8959 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 14:53:27 +0800
+Subject: [PATCH 21/28] idxd: fix one memleak problem in
+ spdk_idxd_get_channel()
+
+In spdk_idxd_get_channel(), if chan->batch_base is allocated
+faild, we should free chan before returning NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Ia652c334aead592429c1171da73d67160879686d
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8301
+Community-CI: Mellanox Build Bot
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Changpeng Liu
+Tested-by: SPDK CI Jenkins
+---
+ lib/idxd/idxd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/idxd/idxd.c b/lib/idxd/idxd.c
+index 4f76f09..d2fad12 100644
+--- a/lib/idxd/idxd.c
++++ b/lib/idxd/idxd.c
+@@ -121,6 +121,7 @@ spdk_idxd_get_channel(struct spdk_idxd_device *idxd)
+ chan->batch_base = calloc(NUM_BATCHES_PER_CHANNEL, sizeof(struct idxd_batch));
+ if (chan->batch_base == NULL) {
+ SPDK_ERRLOG("Failed to allocate batch pool\n");
++ free(chan);
+ return NULL;
+ }
+
+--
+1.8.3.1
+
diff --git a/0022-ioat-fix-potential-double-free-problem-in-ioat_chann.patch b/0022-ioat-fix-potential-double-free-problem-in-ioat_chann.patch
new file mode 100644
index 0000000..11c8505
--- /dev/null
+++ b/0022-ioat-fix-potential-double-free-problem-in-ioat_chann.patch
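Review bot: The merged `err_user_desc_or_comp` path in patch 0020 walks the whole `chan->batch_pool`, including batches the allocation loop never reached, so it is only safe if their `user_desc` and `user_completions` are NULL at that point, and the hunk does not say so. That appears to hold because `chan->batch_base` comes from `calloc()` (visible in patch 0021), but the code tying `batch_base` entries to `batch_pool` is outside the hunk and should be confirmed. A comment at the label would record the assumption for the next change: `/* batches are zero-initialised, so entries not yet allocated are freed as NULL */`.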
@@ -0,0 +1,41 @@
+From 46dd4eea588780d082ff0ce002a1dc0ad6e3e7eb Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 12:23:58 +0800
+Subject: [PATCH 22/28] ioat: fix potential double free problem in
+ ioat_channel_start()
+
+In ioat_channel_start(), if spdk_vtophys(ioat->comp_update) returns
+SPDK_VTOPHYS_ERROR, spdk_free is called to free ioat->comp_update,
+and ioat->comp_update is not set to NULL. However, the caller
+ioat_attach() will also call ioat_channel_destruct() to free
+ioat->comp_update, then double-free problem occurs.
+
+Here, we will not free ioat->comp_update in ioat_channel_start(),
+ioat_channel_destruct() will do that.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I3be19a3feec5c2188051ee67820bfd1e61de9b48
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8300
+Community-CI: Mellanox Build Bot
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ lib/ioat/ioat.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/ioat/ioat.c b/lib/ioat/ioat.c
+index 27ac0a0..af83c42 100644
+--- a/lib/ioat/ioat.c
++++ b/lib/ioat/ioat.c
+@@ -429,7 +429,6 @@ ioat_channel_start(struct spdk_ioat_chan *ioat)
+
+ comp_update_bus_addr = spdk_vtophys((void *)ioat->comp_update, NULL);
+ if (comp_update_bus_addr == SPDK_VTOPHYS_ERROR) {
+- spdk_free((void *)ioat->comp_update);
+ return -1;
+ }
+
+--
+1.8.3.1
+
diff --git a/0023-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch b/0023-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
new file mode 100644
index 0000000..5b054f5
--- /dev/null
+++ b/0023-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
@@ -0,0 +1,43 @@
+From 7441bfb0394c6cc54ddcd270a86685b9dad16474 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 18:37:02 +0800
+Subject: [PATCH 23/28] nvmf: check return value of strdup in
+ spdk_nvmf_subsystem_disconnect_host()
+
+In spdk_nvmf_subsystem_disconnect_host(), we should check
+whether strdup() return NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I29cb6b2499ecd2a2367001c0d21ac95da4e10e20
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8304
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Jim Harris
+---
+ lib/nvmf/subsystem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index 8a3dd3b..5fc1813 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -831,8 +831,13 @@ spdk_nvmf_subsystem_disconnect_host(struct spdk_nvmf_subsystem *subsystem,
+ return -ENOMEM;
+ }
+
+- ctx->subsystem = subsystem;
+ ctx->hostnqn = strdup(hostnqn);
++ if (ctx->hostnqn == NULL) {
++ free(ctx);
++ return -ENOMEM;
++ }
++
++ ctx->subsystem = subsystem;
+ ctx->cb_fn = cb_fn;
+ ctx->cb_arg = cb_arg;
+
+--
+1.8.3.1
+
diff --git a/0024-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch b/0024-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
new file mode 100644
index 0000000..0f67773
--- /dev/null
+++ b/0024-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
@@ -0,0 +1,82 @@
+From b367f485f83e65b76d3ae67b5ab4bc344e1a7c49 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 18:59:13 +0800
+Subject: [PATCH 24/28] nvmf:check return value of strdup in
+ spdk_nvmf_subsystem_add_ns_ext()
+
+In spdk_nvmf_subsystem_add_ns_ext(), ns->ptpl_file is set to strdup(),
+which may return NULL. We should deal with it.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: If95102fe9d6d789b8ba9e846c4d7f4e22e48a93c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8305
+Community-CI: Mellanox Build Bot
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Jim Harris
+Tested-by: SPDK CI Jenkins
+---
+ lib/nvmf/subsystem.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index 5fc1813..5729524 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -1451,14 +1451,14 @@ spdk_nvmf_subsystem_add_ns_ext(struct spdk_nvmf_subsystem *subsystem, const char
+ rc = nvmf_ns_reservation_restore(ns, &info);
+ if (rc) {
+ SPDK_ERRLOG("Subsystem restore reservation failed\n");
+- subsystem->ns[opts.nsid - 1] = NULL;
+- spdk_bdev_module_release_bdev(ns->bdev);
+- spdk_bdev_close(ns->desc);
+- free(ns);
+- return 0;
++ goto err_ns_reservation_restore;
+ }
+ }
+ ns->ptpl_file = strdup(ptpl_file);
++ if (!ns->ptpl_file) {
++ SPDK_ERRLOG("Namespace ns->ptpl_file allocation failed\n");
++ goto err_strdup;
++ }
+ }
+
+ for (transport = spdk_nvmf_transport_get_first(subsystem->tgt); transport;
+@@ -1467,13 +1467,7 @@ spdk_nvmf_subsystem_add_ns_ext(struct spdk_nvmf_subsystem *subsystem, const char
+ rc = transport->ops->subsystem_add_ns(transport, subsystem, ns);
+ if (rc) {
+ SPDK_ERRLOG("Namespace attachment is not allowed by %s transport\n", transport->ops->name);
+- free(ns->ptpl_file);
+- nvmf_ns_reservation_clear_all_registrants(ns);
+- subsystem->ns[opts.nsid - 1] = NULL;
+- spdk_bdev_module_release_bdev(ns->bdev);
+- spdk_bdev_close(ns->desc);
+- free(ns);
+- return 0;
++ goto err_subsystem_add_ns;
+ }
+ }
+ }
+@@ -1486,6 +1480,18 @@ spdk_nvmf_subsystem_add_ns_ext(struct spdk_nvmf_subsystem *subsystem, const char
+ nvmf_subsystem_ns_changed(subsystem, opts.nsid);
+
+ return opts.nsid;
++
++err_subsystem_add_ns:
++ free(ns->ptpl_file);
++err_strdup:
++ nvmf_ns_reservation_clear_all_registrants(ns);
++err_ns_reservation_restore:
++ subsystem->ns[opts.nsid - 1] = NULL;
++ spdk_bdev_module_release_bdev(ns->bdev);
++ spdk_bdev_close(ns->desc);
++ free(ns);
++ return 0;
++
+ }
+
+ uint32_t
+--
+1.8.3.1
+
diff --git a/0025-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch b/0025-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch
new file mode 100644
index 0000000..dd1ab3b
--- /dev/null
+++ b/0025-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch
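Review bot: In patch 0024 the `err_ns_reservation_restore` label skips `nvmf_ns_reservation_clear_all_registrants(ns)`, which matches the old inline cleanup but would leave registrants allocated if `nvmf_ns_reservation_restore()` can fail after adding some of them; its body is not shown, so this needs checking. If a partial restore is possible, sending that failure to the earlier label (`goto err_strdup;`) clears them before `free(ns)`, assuming the clear call is harmless on an empty list. Separately, the added block leaves a blank line between `return 0;` and the closing brace of spdk_nvmf_subsystem_add_ns_ext() that can be dropped.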
@@ -0,0 +1,45 @@
+From 09b368248b3337e5d7fd0ff9c4b1ce4fb0827ea1 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 20:12:17 +0800
+Subject: [PATCH 25/28] nvmf: fix fd leakage problem in nvmf_vfio_user_listen()
+
+In nvmf_vfio_user_listen(), fd should be closed before
+set it to endpoint->fd, otherwise, the fd leakage probem
+occurs.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I3fabc65d2764926e5873475962e4362e46eb37e4
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8309
+Community-CI: Mellanox Build Bot
+Reviewed-by: Changpeng Liu
+Reviewed-by: sunshihao
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ lib/nvmf/vfio_user.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/nvmf/vfio_user.c b/lib/nvmf/vfio_user.c
+index f5daa8d..7ec980a 100644
+--- a/lib/nvmf/vfio_user.c
++++ b/lib/nvmf/vfio_user.c
+@@ -1662,6 +1662,7 @@ nvmf_vfio_user_listen(struct spdk_nvmf_transport *transport,
+ }
+ free(path);
+
++ endpoint->fd = fd;
+ err = ftruncate(fd, NVMF_VFIO_USER_DOORBELLS_OFFSET + NVMF_VFIO_USER_DOORBELLS_SIZE);
+ if (err != 0) {
+ goto out;
+@@ -1675,8 +1676,6 @@ nvmf_vfio_user_listen(struct spdk_nvmf_transport *transport,
+ goto out;
+ }
+
+- endpoint->fd = fd;
+-
+ snprintf(uuid, PATH_MAX, "%s/cntrl", endpoint_id(endpoint));
+ SPDK_DEBUGLOG(nvmf_vfio, "%s: doorbells %p\n", uuid, endpoint->doorbells);
+
+--
+1.8.3.1
+
diff --git a/0026-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch b/0026-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch
new file mode 100644
index 0000000..bd35c09
--- /dev/null
+++ b/0026-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch
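Review bot: Patch 0025 hands the descriptor to the `out` path by assigning `endpoint->fd = fd;` before `ftruncate()`, so the fix depends entirely on cleanup code in nvmf_vfio_user_listen() that is outside the hunk. Two things are worth confirming there: that `out` really closes `endpoint->fd`, and that `endpoint->fd` is set to -1 when the endpoint is created, so a failure before the file is opened cannot end up closing descriptor 0 on a zero-initialised structure. A comment on the moved line, such as `/* endpoint owns fd from here; it is released on the out path */`, would keep the ordering from being undone later.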
@@ -0,0 +1,62 @@
+From ab69fc61073df903970dbf00582617970f97a9ea Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 21:10:19 +0800
+Subject: [PATCH 26/28] posix: set fd to -1 after close(fd) in
+ posix_sock_create()
+
+In posix_sock_create(), we loops through all the addresses available.
+If something is wrong, we should close(fd) and set fd to -1, and
+try the next address. Only, when one fd satisfies all conditions,
+we will break the loop with the useful fd.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Icbfc10246c92b95cacd6eb058e6e46cf8924fc4c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8310
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Shuhei Matsumoto
+Reviewed-by: Ziye Yang
+Tested-by: SPDK CI Jenkins
+Community-CI: Mellanox Build Bot
+---
+ module/sock/posix/posix.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/module/sock/posix/posix.c b/module/sock/posix/posix.c
+index c180a16..ebafc1e 100644
+--- a/module/sock/posix/posix.c
++++ b/module/sock/posix/posix.c
+@@ -468,12 +468,14 @@ retry:
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+ rc = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+@@ -483,6 +485,7 @@ retry:
+ rc = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &opts->priority, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+@@ -493,6 +496,7 @@ retry:
+ rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+--
+1.8.3.1
+
diff --git a/0027-spdk_top-check-return-value-of-strdup-in-store_last_.patch b/0027-spdk_top-check-return-value-of-strdup-in-store_last_.patch
new file mode 100644
index 0000000..e8ee6d8
--- /dev/null
+++ b/0027-spdk_top-check-return-value-of-strdup-in-store_last_.patch
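Review bot: Patches 0026 and 0028 reset `fd` only in the four `setsockopt()` failure branches that are in view; any other `close(fd); continue;` in the same address loop of posix_sock_create() and uring_sock_create() (outside these hunks) needs the same `fd = -1;`, otherwise code after the loop can still act on a descriptor number that has been closed and may already belong to something else in the process. Because the same two statements are now repeated four times per file, a small helper or macro that closes the descriptor and resets the variable would keep later branches from missing the reset. In the `SO_PRIORITY` call the value passed is `&opts->priority` while the length is `sizeof val`; `sizeof opts->priority` would stay correct if the two types ever differ.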
@@ -0,0 +1,39 @@
+From 9dace0d9cae727747f333f032537e873c73d9d8c Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 19:04:05 +0800
+Subject: [PATCH 27/28] spdk_top:check return value of strdup in
+ store_last_run_counter()
+
+In store_last_run_counter(), history->poller_name is set to
+strdup(), which may return NULL. We should deal with it.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Ice5f27c4a7d2f9abd528b97a48ff5f92b48c8d7c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8306
+Community-CI: Mellanox Build Bot
+Reviewed-by: Jim Harris
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ app/spdk_top/spdk_top.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/app/spdk_top/spdk_top.c b/app/spdk_top/spdk_top.c
+index 402c2a5..3c0a889 100644
+--- a/app/spdk_top/spdk_top.c
++++ b/app/spdk_top/spdk_top.c
+@@ -1017,6 +1017,11 @@ store_last_run_counter(const char *poller_name, uint64_t thread_id, uint64_t las
+ return;
+ }
+ history->poller_name = strdup(poller_name);
++ if (!history->poller_name) {
++ fprintf(stderr, "Unable to allocate poller_name of a history object in store_last_run_counter.\n");
++ free(history);
++ return;
++ }
+ history->thread_id = thread_id;
+ history->last_run_counter = last_run_counter;
+
+--
+1.8.3.1
+
diff --git a/0028-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch b/0028-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch
new file mode 100644
index 0000000..3862ce4
--- /dev/null
+++ b/0028-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch
@@ -0,0 +1,62 @@ +From b97c91b7d2480ee1cc038e70f6e2de2e2bb5d19d Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Sun, 13 Jun 2021 21:29:33 +0800 +Subject: [PATCH 28/28] uring: set fd to -1 after close(fd) in + uring_sock_create() + +In uring_sock_create(), we loops through all the addresses available. +If something is wrong, we should close(fd) and set fd to -1, and +try the next address. Only, when one fd satisfies all conditions, +we will break the loop with the useful fd. + +Signed-off-by: Zhiqiang Liu +Change-Id: I22eada5437776fe90a6b57ab42cbad6dc4b0585c +Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8311 +Community-CI: Mellanox Build Bot +Tested-by: SPDK CI Jenkins +Reviewed-by: Aleksey Marchuk +Reviewed-by: Changpeng Liu +Reviewed-by: Jim Harris +Reviewed-by: Ziye Yang +--- + module/sock/uring/uring.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/module/sock/uring/uring.c b/module/sock/uring/uring.c +index be76973..8f22758 100644 +--- a/module/sock/uring/uring.c ++++ b/module/sock/uring/uring.c +@@ -424,12 +424,14 @@ retry: + rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof val); + if (rc != 0) { + close(fd); ++ fd = -1; + /* error */ + continue; + } + rc = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof val); + if (rc != 0) { + close(fd); ++ fd = -1; + /* error */ + continue; + } +@@ -439,6 +441,7 @@ retry: + rc = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &opts->priority, sizeof val); + if (rc != 0) { + close(fd); ++ fd = -1; + /* error */ + continue; + } +@@ -448,6 +451,7 @@ retry: + rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof val); + if (rc != 0) { + close(fd); ++ fd = -1; + /* error */ + continue; + } +-- +1.8.3.1 + diff --git a/spdk.spec b/spdk.spec index 3cf4a73..4256da3 100644 --- a/spdk.spec +++ b/spdk.spec @@ -4,7 +4,7 @@ Name: spdk Version: 21.01 -Release: 4 +Release: 5 Summary: Set of libraries and utilities for high performance user-mode storage License: BSD and MIT URL: http://spdk.io 
@@ -24,6 +24,19 @@ Patch12: 0012-lib-util-Fix-valgrind-error-reported-on-ARM-platform.patch Patch13: 0013-lib-vhost-force-cpumask-to-be-subset-of-application-.patch Patch14: 0014-autorun-allow-pass-configuration-file-path.patch Patch15: 0015-spdk_top-fix-app-crashing-on-tab-selection-with-TAB-.patch +Patch16: 0016-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch +Patch17: 0017-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch +Patch18: 0018-blobstore-fix-memleak-problem-in-blob_load_cpl.patch +Patch19: 0019-blobstore-fix-potential-memleak-problem-in-blob_seri.patch +Patch20: 0020-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch +Patch21: 0021-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch +Patch22: 0022-ioat-fix-potential-double-free-problem-in-ioat_chann.patch +Patch23: 0023-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch +Patch24: 0024-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch +Patch25: 0025-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch +Patch26: 0026-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch +Patch27: 0027-spdk_top-check-return-value-of-strdup-in-store_last_.patch +Patch28: 0028-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch %define package_version %{version}-%{release} @@ -184,6 +197,9 @@ mv doc/output/html/ %{install_docdir} %changelog +* Sat Jul 24 2021 Zhiqiang Liu - 21.01-5 +- backport 13 bugfix from upstream + * Thu Jul 13 2021 Xiaokeng Li - 21.01-4 - backport bugfix from upstream -- Gitee