From: "Ling, WeiX"
To: "Wang, YuanX", "maxime.coquelin@redhat.com", "Xia, Chenbo"
CC: "dev@dpdk.org", "Hu, Jiayu"
Subject: RE: [PATCH] net/vhost: fix access to freed memory
Date: Mon, 14 Mar 2022 08:22:38 +0000
References: <20220311163512.76501-1-yuanx.wang@intel.com>
In-Reply-To: <20220311163512.76501-1-yuanx.wang@intel.com>
List-Id: DPDK patches and discussions

> -----Original Message-----
> From: Wang, YuanX
> Sent: Saturday, March 12, 2022 12:35 AM
> To: maxime.coquelin@redhat.com; Xia, Chenbo
> Cc: dev@dpdk.org; Hu, Jiayu; Ling, WeiX; Wang, YuanX
> Subject: [PATCH] net/vhost: fix access to freed memory
>
> This patch fixes heap-use-after-free reported by ASan.
>
> It is possible for the rte_vhost_dequeue_burst() to access the vq is freed
> when numa_realloc() gets called in the device running state.
> The control plane will set the vq->access_lock to protect the vq from the
> data plane. Unfortunately the lock will fail at the moment the vq is freed,
> allowing the rte_vhost_dequeue_burst() to access the fields of the vq, which
> will trigger a heap-use-after-free error.
>
> In the case of multiple queues, the vhost pmd can access other queues that
> are not ready when the first queue is ready, which makes no sense and also
> allows numa_realloc() and rte_vhost_dequeue_burst() access to vq to
> happen at the same time. By controlling vq->allow_queuing we can make the
> pmd access only the queues that are ready.
>
> Fixes: 1ce3c7fe149 ("net/vhost: emulate device start/stop behavior")
>
> Signed-off-by: Yuan Wang
> ---

Tested-by: Wei Ling
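
The per-queue gating described in the quoted commit message, as an added example that is not part of the original e-mail or of DPDK's source: a lock stored inside the vq cannot protect against the vq itself being freed, so the ready flag lives in a PMD-side structure that outlives it. Only `allow_queuing` and `access_lock` are names from the message; `virtq`, `pmd_queue`, `while_queuing`, `realloc_queue` and `queue_ready` are hypothetical names for this model, and the drain handshake is an assumption of the model.

```c
/* Added example: simplified model of a per-queue gate, not DPDK source. */
#include <stdatomic.h>
#include <stdlib.h>

struct virtq {              /* stands in for the vhost library's vq */
    int access_lock;        /* lives inside the object that gets freed */
    unsigned avail;         /* field the data path reads */
};

struct pmd_queue {          /* PMD-side state; outlives any one virtq */
    atomic_int allow_queuing;   /* 1 only while this queue is ready */
    atomic_int while_queuing;   /* 1 while the data path is inside */
    struct virtq *vq;
};

/* Data path: never dereference q->vq unless the gate is open. */
static unsigned dequeue_burst(struct pmd_queue *q)
{
    unsigned n = 0;
    if (!atomic_load(&q->allow_queuing))
        return 0;
    atomic_store(&q->while_queuing, 1);
    if (atomic_load(&q->allow_queuing))   /* re-check after announcing entry */
        n = q->vq->avail;
    atomic_store(&q->while_queuing, 0);
    return n;
}

/* Control path: close the gate, wait for the data path, then swap memory. */
static int realloc_queue(struct pmd_queue *q, unsigned avail)
{
    struct virtq *fresh = calloc(1, sizeof(*fresh));
    if (fresh == NULL)
        return -1;
    fresh->avail = avail;
    atomic_store(&q->allow_queuing, 0);
    while (atomic_load(&q->while_queuing))
        ;                                 /* drain an in-flight burst */
    free(q->vq);
    q->vq = fresh;
    return 0;                             /* gate stays closed until ready */
}

static void queue_ready(struct pmd_queue *q)
{
    atomic_store(&q->allow_queuing, 1);
}
```

A queue that has never been marked ready returns 0 from `dequeue_burst()` even when its `vq` pointer is NULL, which is the multi-queue case the message describes.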