From: Xueming Li
To: Yuan Wang
CC: Wei Ling, Maxime Coquelin, dpdk stable
Subject: patch 'net/vhost: fix access to freed memory' has been queued to stable release 20.11.6
Date: Tue, 21 Jun 2022 11:01:33 +0300
Message-ID: <20220621080301.2315720-28-xuemingl@nvidia.com>
In-Reply-To: <20220621080301.2315720-1-xuemingl@nvidia.com>
References: <20220621080301.2315720-1-xuemingl@nvidia.com>

Hi,

FYI, your patch has been queued to stable release 20.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/23/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/e4729f10d06291d8ab915e316bea1f0330ee656e

Thanks.

Xueming Li

---
>From e4729f10d06291d8ab915e316bea1f0330ee656e Mon Sep 17 00:00:00 2001
From: Yuan Wang
Date: Sat, 12 Mar 2022 00:35:12 +0800
Subject: [PATCH] net/vhost: fix access to freed memory
Cc: Xueming Li

[ upstream commit 9dc6bb06824f3c5887f0436ddba5ab9116cb277e ]

This patch fixes heap-use-after-free reported by ASan.

It is possible for the rte_vhost_dequeue_burst() to access the vq that
is freed when numa_realloc() gets called in the device running state.
The control plane will set the vq->access_lock to protect the vq from
the data plane. Unfortunately the lock will fail at the moment the vq
is freed, allowing the rte_vhost_dequeue_burst() to access the fields of
the vq, which will trigger a heap-use-after-free error.

In the case of multiple queues, the vhost pmd can access other queues
that are not ready when the first queue is ready, which makes no sense
and also allows numa_realloc() and rte_vhost_dequeue_burst() access to
vq to happen at the same time. By controlling vq->allow_queuing we can make
the pmd access only the queues that are ready.

Fixes: 1ce3c7fe149 ("net/vhost: emulate device start/stop behavior")

Signed-off-by: Yuan Wang
Tested-by: Wei Ling
Reviewed-by: Maxime Coquelin
--- drivers/net/vhost/rte_eth_vhost.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/net/vhost/rte_eth_vhost.c b/drivers/net/vhost/rte_eth_vhost.c index 5845bb15f3..0778dfbd13 100644 --- a/drivers/net/vhost/rte_eth_vhost.c +++ b/drivers/net/vhost/rte_eth_vhost.c @@ -719,6 +719,7 @@ update_queuing_status(struct rte_eth_dev *dev) { struct pmd_internal *internal = dev->data->dev_private; struct vhost_queue *vq; + struct rte_vhost_vring_state *state; unsigned int i; int allow_queuing = 1; 
@@ -729,12 +730,17 @@ update_queuing_status(struct rte_eth_dev *dev) rte_atomic32_read(&internal->dev_attached) == 0) allow_queuing = 0; + state = vring_states[dev->data->port_id]; + /* Wait until rx/tx_pkt_burst stops accessing vhost device */ for (i = 0; i < dev->data->nb_rx_queues; i++) { vq = dev->data->rx_queues[i]; if (vq == NULL) continue; - rte_atomic32_set(&vq->allow_queuing, allow_queuing); + if (allow_queuing && state->cur[vq->virtqueue_id]) + rte_atomic32_set(&vq->allow_queuing, 1); + else + rte_atomic32_set(&vq->allow_queuing, 0); while (rte_atomic32_read(&vq->while_queuing)) rte_pause(); } @@ -743,7 +749,10 @@ update_queuing_status(struct rte_eth_dev *dev) vq = dev->data->tx_queues[i]; if (vq == NULL) continue; - rte_atomic32_set(&vq->allow_queuing, allow_queuing); + if (allow_queuing && state->cur[vq->virtqueue_id]) + rte_atomic32_set(&vq->allow_queuing, 1); + else + rte_atomic32_set(&vq->allow_queuing, 0); while (rte_atomic32_read(&vq->while_queuing)) rte_pause(); } @@ -963,6 +972,8 @@ vring_state_changed(int vid, uint16_t vring, int enable) state->max_vring = RTE_MAX(vring, state->max_vring); rte_spinlock_unlock(&state->lock); + update_queuing_status(eth_dev); + VHOST_LOG(INFO, "vring%u is %s\n", vring, enable ? "enabled" : "disabled"); -- 2.35.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-06-21 15:37:50.567724958 +0800 +++ 0027-net-vhost-fix-access-to-freed-memory.patch 2022-06-21 15:37:49.004451134 +0800 @@ -1 +1 @@ -From 9dc6bb06824f3c5887f0436ddba5ab9116cb277e Mon Sep 17 00:00:00 2001 +From e4729f10d06291d8ab915e316bea1f0330ee656e Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit 9dc6bb06824f3c5887f0436ddba5ab9116cb277e ] @@ -31 +34 @@ -index 070f0e6dfd..8a6595504a 100644 +index 5845bb15f3..0778dfbd13 100644 @@ -34 +37 @@ -@@ -720,6 +720,7 @@ update_queuing_status(struct rte_eth_dev *dev) +@@ -719,6 +719,7 @@ update_queuing_status(struct rte_eth_dev *dev) 
@@ -42 +45 @@ -@@ -730,12 +731,17 @@ update_queuing_status(struct rte_eth_dev *dev) +@@ -729,12 +730,17 @@ update_queuing_status(struct rte_eth_dev *dev) @@ -61 +64 @@ -@@ -744,7 +750,10 @@ update_queuing_status(struct rte_eth_dev *dev) +@@ -743,7 +749,10 @@ update_queuing_status(struct rte_eth_dev *dev) @@ -73 +76 @@ -@@ -967,6 +976,8 @@ vring_state_changed(int vid, uint16_t vring, int enable) +@@ -963,6 +972,8 @@ vring_state_changed(int vid, uint16_t vring, int enable)
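
Review bot: In the "@@ -729,12 +730,17 @@" hunk of update_queuing_status(), the pointer from `state = vring_states[dev->data->port_id];` is dereferenced as `state->cur[vq->virtqueue_id]` with no NULL check and without taking state->lock, while the vring_state_changed() hunk shows `rte_spinlock_unlock(&state->lock);` immediately before the new call. If the entry can be unset on any path that reaches update_queuing_status(), or if cur[] can change while the loops run, the read needs a guard; please either check `state` and hold the lock around the read, or add a comment saying why neither is required.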
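
Review bot: The four lines added to the tx loop in the "@@ -743,7 +749,10 @@" hunk repeat the rx loop's if/else verbatim, which invites the two paths drifting apart in a later change. A single store such as `rte_atomic32_set(&vq->allow_queuing, allow_queuing && state->cur[vq->virtqueue_id]);`, or a small helper called from both loops, would express the same thing once. The existing comment "Wait until rx/tx_pkt_burst stops accessing vhost device" could also mention that queues are now gated per vring state.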
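
Review bot: Calling `update_queuing_status(eth_dev);` from vring_state_changed() in the "@@ -963,6 +972,8 @@" hunk makes every single vring enable or disable walk all rx and tx queues of the port and spin in `while (rte_atomic32_read(&vq->while_queuing)) rte_pause();` for each of them, not only for the vring that changed. Consider restricting the update to the queue that corresponds to `vring`, or document in the commit message why a full pass with busy-waiting is acceptable in this callback.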