From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 937ADA0A0A
	for <public@inbox.dpdk.org>; Thu, 25 Mar 2021 15:42:51 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 8292C140DCD;
	Thu, 25 Mar 2021 15:42:51 +0100 (CET)
Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com
 [209.85.208.177])
 by mails.dpdk.org (Postfix) with ESMTP id CA7DE4067B;
 Thu, 25 Mar 2021 15:42:49 +0100 (CET)
Received: by mail-lj1-f177.google.com with SMTP id f26so3428367ljp.8;
 Thu, 25 Mar 2021 07:42:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=Br90KYVN5VoHoRMbAKPIbUnU2thqGVhKeL1gmUFhXoI=;
 b=j5JqUDuvOV9r8OkP5x8HBYfqvUp/0OBakkjL4oGfLOgg9fue/qE7cUV7SrTqNQZWpi
 EFUm8pmAotk01H+3B/7Aa1muEUgiZyfdd+gZ2FoH9UkvfHGvEzqoXkUCbWu7y2462RNd
 EVPqqiv67UJZBlXi8YNjJRjye+Em9i+HS4BCokH+9fe/8OniOGzGTZ3lbOpCwo+xm7wS
 5g392/IMwSgg1zJgvQqQcD2g2U/K/JnkWdrxKi1vkUc97PvKngl2SNyAGeaL8EyGCcAC
 2lyxp4bS4niwh/WJkmenHYj+ItBmHiR6vbjMrO6xcGNZfcAqVP78vIpCUTt92Iit4ujT
 pkFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=Br90KYVN5VoHoRMbAKPIbUnU2thqGVhKeL1gmUFhXoI=;
 b=FvalV8Gz5kYpCxR6MYJiIdzh/ijPTlLHEjnZlvkP3pI0ZO0hqSZ9KvXDLVCAA16CBX
 xAezWDT5mzfzYnD/6yOkvEoQ0W/6UldjJMW/0uf57bm0hBnhLXvCqMf5mHAXoltVmQd2
 4SCLcfVbTsf9EPyPl2IZK8Wmc/ESkqFm9GPkCqhI98ys1+dMiBwTrrt4YEMKo9pr0tw7
 vWmCHYcMvsQiE4AUmlj7HZoZIOf7yZDCAWg553CrbWLiF0dzbyvkqN6/bPgAMFdwizr6
 bqGwGU7ySKAQ/WHy/GsuUoljAQt66hkdPjfGtMThYrb9C/FagPttw8SH0xR3WcEUGELi
 E3sg==
X-Gm-Message-State: AOAM5327QgRaktz+OFFWRW6qeNdEoy3uhhHTho78clkbpSVsns4ULLxV
 ZJ9XeGXp2/AsBZu7BS0hTlM4CucihQsY52pDtOc=
X-Google-Smtp-Source: ABdhPJz9gcC/2VPsZ6RkkysS0e1fPTVjSvvWk+EbeTdFxK895e8B3pPC34GfmgA0Y/D8bwJVYyAqUnt3seP9eIp6i7w=
X-Received: by 2002:a2e:b4d0:: with SMTP id r16mr5846913ljm.324.1616683369404; 
 Thu, 25 Mar 2021 07:42:49 -0700 (PDT)
MIME-Version: 1.0
References: <20210324130422.92357-1-lucp.at.work@gmail.com>
 <20210325112731.16324-1-olivier.matz@6wind.com>
In-Reply-To: <20210325112731.16324-1-olivier.matz@6wind.com>
From: Luc Pelletier <lucp.at.work@gmail.com>
Date: Thu, 25 Mar 2021 10:42:38 -0400
Message-ID: <CAFeRdtA_5MXnCgxtXZUy6tBm3ZVQKu47Nu+6fWytSuM=9q_3Lg@mail.gmail.com>
To: Olivier Matz <olivier.matz@6wind.com>
Cc: dev@dpdk.org, jianfeng.tan@intel.com, david.marchand@redhat.com, 
 stable@dpdk.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [dpdk-stable] [PATCH v2] eal: fix race in ctrl thread creation
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

Hi Olivier,

> Thank you for reporting this problem and submitting the patch.
> I think the issue can be fixed without any loop, like in this
> patch. What do you think?

I think getting rid of the loop is an excellent idea. Good thinking.
Your version is much cleaner.

> +       __atomic_store_n(&params->barrier_refcnt, 2, __ATOMIC_RELEASE);

I don't mean to nitpick but I don't think you need to use
__atomic_store_n to initialize the refcnt. Either way is fine of
course :)

Thanks.

Le jeu. 25 mars 2021 =C3=A0 07:27, Olivier Matz <olivier.matz@6wind.com> a =
=C3=A9crit :
>
> As reported by Luc, there is a race where the barrier is destroyed by
> one thread, while the other thread did not yet leave
> pthread_barrier_wait.
>
> This patch fixes the race condition by adding an atomic counter to
> ensure that the barrier is destroyed only it is not used by any thread.
>
> Fixes: 3a0d465d4c53 ("eal: fix use-after-free on control thread creation"=
)
> Cc: jianfeng.tan@intel.com
> Cc: stable@dpdk.org
>
> Reported-by: Luc Pelletier <lucp.at.work@gmail.com>
> Signed-off-by: David Marchand <david.marchand@redhat.com>
> Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
> ---
>
> Hi Luc,
>
> Thank you for reporting this problem and submitting the patch.
> I think the issue can be fixed without any loop, like in this
> patch. What do you think?
>
> Regards,
> Olivier
>
>
>  lib/librte_eal/common/eal_common_thread.c | 38 +++++++++++++----------
>  1 file changed, 21 insertions(+), 17 deletions(-)
>
> diff --git a/lib/librte_eal/common/eal_common_thread.c b/lib/librte_eal/c=
ommon/eal_common_thread.c
> index 73a055902a..891f825e87 100644
> --- a/lib/librte_eal/common/eal_common_thread.c
> +++ b/lib/librte_eal/common/eal_common_thread.c
> @@ -170,11 +170,11 @@ struct rte_thread_ctrl_params {
>         void *(*start_routine)(void *);
>         void *arg;
>         pthread_barrier_t configured;
> +       unsigned int barrier_refcnt;
>  };
>
>  static void *ctrl_thread_init(void *arg)
>  {
> -       int ret;
>         struct internal_config *internal_conf =3D
>                 eal_get_internal_configuration();
>         rte_cpuset_t *cpuset =3D &internal_conf->ctrl_cpuset;
> @@ -184,8 +184,9 @@ static void *ctrl_thread_init(void *arg)
>
>         __rte_thread_init(rte_lcore_id(), cpuset);
>
> -       ret =3D pthread_barrier_wait(&params->configured);
> -       if (ret =3D=3D PTHREAD_BARRIER_SERIAL_THREAD) {
> +       pthread_barrier_wait(&params->configured);
> +       if (__atomic_sub_fetch(&params->barrier_refcnt, 1,
> +                               __ATOMIC_ACQ_REL) =3D=3D 0) {
>                 pthread_barrier_destroy(&params->configured);
>                 free(params);
>         }
> @@ -210,15 +211,17 @@ rte_ctrl_thread_create(pthread_t *thread, const cha=
r *name,
>
>         params->start_routine =3D start_routine;
>         params->arg =3D arg;
> -
> -       pthread_barrier_init(&params->configured, NULL, 2);
> -
> -       ret =3D pthread_create(thread, attr, ctrl_thread_init, (void *)pa=
rams);
> +       __atomic_store_n(&params->barrier_refcnt, 2, __ATOMIC_RELEASE);
> +       ret =3D pthread_barrier_init(&params->configured, NULL, 2);
>         if (ret !=3D 0) {
>                 free(params);
>                 return -ret;
>         }
>
> +       ret =3D pthread_create(thread, attr, ctrl_thread_init, (void *)pa=
rams);
> +       if (ret !=3D 0)
> +               goto fail;
> +
>         if (name !=3D NULL) {
>                 ret =3D rte_thread_setname(*thread, name);
>                 if (ret < 0)
> @@ -227,25 +230,26 @@ rte_ctrl_thread_create(pthread_t *thread, const cha=
r *name,
>         }
>
>         ret =3D pthread_setaffinity_np(*thread, sizeof(*cpuset), cpuset);
> -       if (ret)
> -               goto fail;
> +       if (ret !=3D 0)
> +               goto fail_cancel;
>
> -       ret =3D pthread_barrier_wait(&params->configured);
> -       if (ret =3D=3D PTHREAD_BARRIER_SERIAL_THREAD) {
> +       pthread_barrier_wait(&params->configured);
> +       if (__atomic_sub_fetch(&params->barrier_refcnt, 1,
> +                               __ATOMIC_ACQ_REL) =3D=3D 0) {
>                 pthread_barrier_destroy(&params->configured);
>                 free(params);
>         }
>
>         return 0;
>
> -fail:
> -       if (PTHREAD_BARRIER_SERIAL_THREAD =3D=3D
> -           pthread_barrier_wait(&params->configured)) {
> -               pthread_barrier_destroy(&params->configured);
> -               free(params);
> -       }
> +fail_cancel:
>         pthread_cancel(*thread);
>         pthread_join(*thread, NULL);
> +
> +fail:
> +       pthread_barrier_destroy(&params->configured);
> +       free(params);
> +
>         return -ret;
>  }
>
> --
> 2.29.2
>