From: zhaoxinxin <15957197901@163.com>
To: dev@dpdk.org
Cc: zhaoxinxin <15957197901@163.com>, stable@dpdk.org
Subject: [PATCH] vhost: Fix the crash caused by accessing the released memory
Date: Tue, 25 Jun 2024 10:13:47 +0800
Message-ID: <20240625021347.63978-1-15957197901@163.com>

rte_vhost_driver_unregister(), vhost_user_read_cb() and vhost_user_client_reconnect() can be called at the same time by 3 threads. When memory of vsocket is freed in rte_vhost_driver_unregister(), vhost_user_read_cb() may then add vsocket to reconn_list, and the invalid memory of vsocket is accessed in vhost_user_client_reconnect(). It's a bug for vhost as client.

E.g., a vhostuser port is created as client. Thread 1 calls rte_vhost_driver_unregister() to remove the vsocket of reconn from the reconn list. Then the “vhost-events” thread calls vhost_user_read_cb() to add the vsocket of reconn back to the reconn list. At this time, after thread 1 releases the vsocket memory, the socket of vhostuser reconnects successfully, and the "vhost_reconn" thread will access the released memory.

The core trace is:
Program terminated with signal 11, Segmentation fault.
The fix is to perform a delete operation again after releasing the memory.

Fixes: 451dc0f ("vhost: fix crash on port deletion")
Cc: stable@dpdk.org

Signed-off-by: Xinxin Zhao <15957197901@163.com>
---
 lib/vhost/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/vhost/socket.c b/lib/vhost/socket.c index a75728a2e4..01946096c4 100644 --- a/lib/vhost/socket.c +++ b/lib/vhost/socket.c @@ -1121,6 +1121,8 @@ rte_vhost_driver_unregister(const char *path) if (vsocket->is_server) { close(vsocket->socket_fd); unlink(path); + } else if (vsocket->reconnect) { + vhost_user_remove_reconnect(vsocket); } pthread_mutex_destroy(&vsocket->conn_mutex); -- 2.45.2
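
Review bot: The new "else if (vsocket->reconnect)" branch in rte_vhost_driver_unregister() calls vhost_user_remove_reconnect(vsocket) without anything in the hunk that stops vhost_user_read_cb() from putting the vsocket back on the reconnect list after this call returns and before the vsocket is freed, so the window described in the commit message looks narrowed rather than closed. Please state which lock or state check serializes this second removal against the "vhost-events" thread, or do the removal while holding it, so that no re-add can happen once the branch has run. The commit message also says the delete is performed "after releasing the memory", while the added call sits before pthread_mutex_destroy(&vsocket->conn_mutex), where the vsocket is still in use; the wording should match the code, since calling vhost_user_remove_reconnect(vsocket) on freed memory would itself be a use-after-free. The core trace in the message stops at the signal line; including the faulting frames would let stable maintainers match the crash to this path.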