From: Xueming Li
To: Gaoxiang Liu
CC: Luca Boccassi, Chenbo Xia, dpdk stable
Date: Wed, 10 Nov 2021 14:28:57 +0800
Message-ID: <20211110063216.2744012-54-xuemingl@nvidia.com>
In-Reply-To: <20211110063216.2744012-1-xuemingl@nvidia.com>
References: <20211110063216.2744012-1-xuemingl@nvidia.com>
Subject: [dpdk-stable] patch 'vhost: fix crash on port deletion' has been queued to stable release 20.11.4

Hi,

FYI, your patch has been queued to stable release 20.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/12/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/e543f89ba585ee382549616f9d88b6eeeee142e4

Thanks.

Xueming Li

---
From e543f89ba585ee382549616f9d88b6eeeee142e4 Mon Sep 17 00:00:00 2001
From: Gaoxiang Liu
Date: Thu, 2 Sep 2021 23:45:53 +0800
Subject: [PATCH] vhost: fix crash on port deletion
Cc: Xueming Li

[ upstream commit 451dc0fad83d07d194e688f52093c7e888d2e317 ]

The rte_vhost_driver_unregister() and vhost_user_read_cb()
can be called at the same time by 2 threads.
When memory of vsocket is freed in rte_vhost_driver_unregister(),
the invalid memory of vsocket is accessed in vhost_user_read_cb().
It's a bug of both mode for vhost as server or client.

E.g., vhostuser port is created as server.
Thread1 calls rte_vhost_driver_unregister().
Before the listen fd is deleted from poll waiting fds,
"vhost-events" thread then calls vhost_user_server_new_connection(),
then a new conn fd is added in fdset when trying to reconnect.
"vhost-events" thread then calls vhost_user_read_cb() and
accesses invalid memory of socket while thread1 frees the memory of
vsocket.

E.g., vhostuser port is created as client.
Thread1 calls rte_vhost_driver_unregister().
Before vsocket of reconn is deleted from reconn list,
"vhost_reconn" thread then calls vhost_user_add_connection()
then a new conn fd is added in fdset when trying to reconnect.
"vhost-events" thread then calls vhost_user_read_cb() and
accesses invalid memory of socket while thread1 frees the memory of
vsocket.

The fix is to move the "fdset_try_del" in front of free memory of conn,
then avoid the race condition.

The core trace is:
Program terminated with signal 11, Segmentation fault.

Fixes: 52d874dc6705 ("vhost: fix crash on closing in client mode")
Signed-off-by: Gaoxiang Liu Reviewed-by: Chenbo Xia --- lib/librte_vhost/socket.c | 107 +++++++++++++++++++------------------- 1 file changed, 53 insertions(+), 54 deletions(-) diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c index 5d0d728d52..d6f9414c4d 100644 --- a/lib/librte_vhost/socket.c +++ b/lib/librte_vhost/socket.c 
@@ -1023,66 +1023,65 @@ again: for (i = 0; i < vhost_user.vsocket_cnt; i++) { struct vhost_user_socket *vsocket = vhost_user.vsockets[i]; + if (strcmp(vsocket->path, path)) + continue; - if (!strcmp(vsocket->path, path)) { - pthread_mutex_lock(&vsocket->conn_mutex); - for (conn = TAILQ_FIRST(&vsocket->conn_list); - conn != NULL; - conn = next) { - next = TAILQ_NEXT(conn, next); - - /* - * If r/wcb is executing, release vsocket's - * conn_mutex and vhost_user's mutex locks, and - * try again since the r/wcb may use the - * conn_mutex and mutex locks. - */ - if (fdset_try_del(&vhost_user.fdset, - conn->connfd) == -1) { - pthread_mutex_unlock( - &vsocket->conn_mutex); - pthread_mutex_unlock(&vhost_user.mutex); - goto again; - } - - VHOST_LOG_CONFIG(INFO, - "free connfd = %d for device '%s'\n", - conn->connfd, path); - close(conn->connfd); - vhost_destroy_device(conn->vid); - TAILQ_REMOVE(&vsocket->conn_list, conn, next); - free(conn); - } - pthread_mutex_unlock(&vsocket->conn_mutex); - - if (vsocket->is_server) { - /* - * If r/wcb is executing, release vhost_user's - * mutex lock, and try again since the r/wcb - * may use the mutex lock. - */ - if (fdset_try_del(&vhost_user.fdset, - vsocket->socket_fd) == -1) { - pthread_mutex_unlock(&vhost_user.mutex); - goto again; - } - - close(vsocket->socket_fd); - unlink(path); - } else if (vsocket->reconnect) { - vhost_user_remove_reconnect(vsocket); + if (vsocket->is_server) { + /* + * If r/wcb is executing, release vhost_user's + * mutex lock, and try again since the r/wcb + * may use the mutex lock. 
+ */ + if (fdset_try_del(&vhost_user.fdset, vsocket->socket_fd) == -1) { + pthread_mutex_unlock(&vhost_user.mutex); + goto again; } + } else if (vsocket->reconnect) { + vhost_user_remove_reconnect(vsocket); + } - pthread_mutex_destroy(&vsocket->conn_mutex); - vhost_user_socket_mem_free(vsocket); + pthread_mutex_lock(&vsocket->conn_mutex); + for (conn = TAILQ_FIRST(&vsocket->conn_list); + conn != NULL; + conn = next) { + next = TAILQ_NEXT(conn, next); - count = --vhost_user.vsocket_cnt; - vhost_user.vsockets[i] = vhost_user.vsockets[count]; - vhost_user.vsockets[count] = NULL; - pthread_mutex_unlock(&vhost_user.mutex); + /* + * If r/wcb is executing, release vsocket's + * conn_mutex and vhost_user's mutex locks, and + * try again since the r/wcb may use the + * conn_mutex and mutex locks. + */ + if (fdset_try_del(&vhost_user.fdset, + conn->connfd) == -1) { + pthread_mutex_unlock(&vsocket->conn_mutex); + pthread_mutex_unlock(&vhost_user.mutex); + goto again; + } - return 0; + VHOST_LOG_CONFIG(INFO, + "free connfd = %d for device '%s'\n", + conn->connfd, path); + close(conn->connfd); + vhost_destroy_device(conn->vid); + TAILQ_REMOVE(&vsocket->conn_list, conn, next); + free(conn); + } + pthread_mutex_unlock(&vsocket->conn_mutex); + + if (vsocket->is_server) { + close(vsocket->socket_fd); + unlink(path); } + + pthread_mutex_destroy(&vsocket->conn_mutex); + vhost_user_socket_mem_free(vsocket); + + count = --vhost_user.vsocket_cnt; + vhost_user.vsockets[i] = vhost_user.vsockets[count]; + vhost_user.vsockets[count] = NULL; + pthread_mutex_unlock(&vhost_user.mutex); + return 0; } pthread_mutex_unlock(&vhost_user.mutex); -- 2.33.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2021-11-10 14:17:04.460854189 +0800 +++ 0053-vhost-fix-crash-on-port-deletion.patch 2021-11-10 14:17:01.807413276 +0800 
@@ -1 +1 @@ -From 451dc0fad83d07d194e688f52093c7e888d2e317 Mon Sep 17 00:00:00 2001 +From e543f89ba585ee382549616f9d88b6eeeee142e4 Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit 451dc0fad83d07d194e688f52093c7e888d2e317 ] @@ -37 +39,0 @@ -Cc: stable@dpdk.org @@ -42 +44 @@ - lib/vhost/socket.c | 107 ++++++++++++++++++++++----------------------- + lib/librte_vhost/socket.c | 107 +++++++++++++++++++------------------- @@ -45 +47 @@ -diff --git a/lib/vhost/socket.c b/lib/vhost/socket.c +diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c @@ -47,2 +49,2 @@ ---- a/lib/vhost/socket.c -+++ b/lib/vhost/socket.c +--- a/lib/librte_vhost/socket.c ++++ b/lib/librte_vhost/socket.c
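
Review bot: the retry path in the connection loop (`goto again` after `fdset_try_del(&vhost_user.fdset, conn->connfd) == -1`) now runs after the listen fd has already been removed from the fdset in server mode, or after `vhost_user_remove_reconnect(vsocket)` in client mode, so every retry repeats that first step for the same vsocket. Please confirm that both calls are safe to repeat on an fd or vsocket that is already removed, and say so in the comment above them. That comment should also state that this block must stay ahead of the connection loop, since the ordering is the whole fix and nothing in the code records it.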
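
The server-mode race from the commit message, as an added example that is not part of the original mail and is not DPDK code. It is a single-threaded toy model: `fdreg`, `event_thread_accept` and `unregister_sim` are hypothetical names, the fd numbers are constructed, and the other thread's accept is placed by hand in the window between connection teardown and listen-fd removal.

```c
/* Constructed single-threaded model of the server-mode race; not DPDK code. */
#include <stdbool.h>
#define MAX_FDS 8
struct owner { bool freed; };                 /* stands in for the vsocket */
struct entry { int fd; struct owner *ctx; };  /* polled fd + callback context */
struct fdreg { struct entry e[MAX_FDS]; int n; };

static int reg_find(const struct fdreg *r, int fd) {
    for (int i = 0; i < r->n; i++)
        if (r->e[i].fd == fd)
            return i;
    return -1;
}
static void reg_add(struct fdreg *r, int fd, struct owner *ctx) {
    if (r->n < MAX_FDS)
        r->e[r->n++] = (struct entry){ fd, ctx };
}
static void reg_del(struct fdreg *r, int fd) {
    int i = reg_find(r, fd);
    if (i >= 0)
        r->e[i] = r->e[--r->n];
}

/* Event thread: a connection can only be accepted while the listen fd is polled. */
static void event_thread_accept(struct fdreg *r, int listen_fd, int new_fd) {
    int i = reg_find(r, listen_fd);
    if (i >= 0)
        reg_add(r, new_fd, r->e[i].ctx);
}

/* Returns how many polled fds still reference the owner after it is freed. */
static int unregister_sim(bool listen_fd_first) {
    struct owner vs = { false };
    struct fdreg r = { .n = 0 };
    int dangling = 0;
    reg_add(&r, 3, &vs);             /* listen fd */
    reg_add(&r, 10, &vs);            /* existing connection */
    if (listen_fd_first)
        reg_del(&r, 3);              /* order after the patch */
    reg_del(&r, 10);                 /* tear down the known connections */
    event_thread_accept(&r, 3, 11);  /* other thread runs in the window */
    if (!listen_fd_first)
        reg_del(&r, 3);              /* order before the patch */
    vs.freed = true;                 /* models freeing the vsocket */
    for (int i = 0; i < r.n; i++)
        dangling += r.e[i].ctx->freed;
    return dangling;
}
```

Each remaining entry counted by `unregister_sim` is a polled fd whose callback would dereference the freed owner; removing the listen fd first leaves none.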