From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9A23443DE5; Wed, 3 Apr 2024 11:40:13 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 69E77402CE; Wed, 3 Apr 2024 11:40:13 +0200 (CEST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mails.dpdk.org (Postfix) with ESMTP id ACF7B4025C for ; Wed, 3 Apr 2024 11:40:11 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712137211; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=t7tAYg6T6SXEdzcz93Gf9PW4Nawcq922SaEEbolFG60=; b=ZfqgY2RrHaafNnAk2EKMdS07km8lzWpJpmeLeJr5QWtW9ohJw0Ujx1LHAPP/9BhACrZ0DL hkF2rxFC9451RvRq4aTGHUD59MTsEgQgsxggprhx4/Wmx+Wu8z6z30m6xh8mYQF70ku3pZ Thi04Tf/83tn322BiK67mgL2kdRciqk= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-106-A83DS-JPOZ-e9jIkRGwlAg-1; Wed, 03 Apr 2024 05:40:08 -0400 X-MC-Unique: A83DS-JPOZ-e9jIkRGwlAg-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 78A17383CCE2; Wed, 3 Apr 2024 09:40:07 +0000 (UTC) Received: from [10.39.208.23] (unknown [10.39.208.23]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A5EFC492BC9; Wed, 3 Apr 2024 09:40:04 +0000 (UTC) Message-ID: Date: Wed, 3 Apr 2024 11:39:58 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] vhost: fix crash caused by accessing a freed vsocket To: Gongming Chen , chenbox@nvidia.com Cc: dev@dpdk.org, Gongming Chen , stable@dpdk.org References: From: Maxime Coquelin Autocrypt: addr=maxime.coquelin@redhat.com; keydata= xsFNBFOEQQIBEADjNLYZZqghYuWv1nlLisptPJp+TSxE/KuP7x47e1Gr5/oMDJ1OKNG8rlNg kLgBQUki3voWhUbMb69ybqdMUHOl21DGCj0BTU3lXwapYXOAnsh8q6RRM+deUpasyT+Jvf3a gU35dgZcomRh5HPmKMU4KfeA38cVUebsFec1HuJAWzOb/UdtQkYyZR4rbzw8SbsOemtMtwOx YdXodneQD7KuRU9IhJKiEfipwqk2pufm2VSGl570l5ANyWMA/XADNhcEXhpkZ1Iwj3TWO7XR uH4xfvPl8nBsLo/EbEI7fbuUULcAnHfowQslPUm6/yaGv6cT5160SPXT1t8U9QDO6aTSo59N jH519JS8oeKZB1n1eLDslCfBpIpWkW8ZElGkOGWAN0vmpLfdyiqBNNyS3eGAfMkJ6b1A24un /TKc6j2QxM0QK4yZGfAxDxtvDv9LFXec8ENJYsbiR6WHRHq7wXl/n8guyh5AuBNQ3LIK44x0 KjGXP1FJkUhUuruGyZsMrDLBRHYi+hhDAgRjqHgoXi5XGETA1PAiNBNnQwMf5aubt+mE2Q5r qLNTgwSo2dpTU3+mJ3y3KlsIfoaxYI7XNsPRXGnZi4hbxmeb2NSXgdCXhX3nELUNYm4ArKBP LugOIT/zRwk0H0+RVwL2zHdMO1Tht1UOFGfOZpvuBF60jhMzbQARAQABzSxNYXhpbWUgQ29x dWVsaW4gPG1heGltZS5jb3F1ZWxpbkByZWRoYXQuY29tPsLBeAQTAQIAIgUCV3u/5QIbAwYL CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyjiNKEaHD4ma2g/+P+Hg9WkONPaY1J4AR7Uf kBneosS4NO3CRy0x4WYmUSLYMLx1I3VH6SVjqZ6uBoYy6Fs6TbF6SHNc7QbB6Qjo3neqnQR1 71Ua1MFvIob8vUEl3jAR/+oaE1UJKrxjWztpppQTukIk4oJOmXbL0nj3d8dA2QgHdTyttZ1H xzZJWWz6vqxCrUqHU7RSH9iWg9R2iuTzii4/vk1oi4Qz7y/q8ONOq6ffOy/t5xSZOMtZCspu Mll2Szzpc/trFO0pLH4LZZfz/nXh2uuUbk8qRIJBIjZH3ZQfACffgfNefLe2PxMqJZ8mFJXc RQO0ONZvwoOoHL6CcnFZp2i0P5ddduzwPdGsPq1bnIXnZqJSl3dUfh3xG5ArkliZ/++zGF1O wvpGvpIuOgLqjyCNNRoR7cP7y8F24gWE/HqJBXs1qzdj/5Hr68NVPV1Tu/l2D1KMOcL5sOrz 2jLXauqDWn1Okk9hkXAP7+0Cmi6QwAPuBT3i6t2e8UdtMtCE4sLesWS/XohnSFFscZR6Vaf3 gKdWiJ/fW64L6b9gjkWtHd4jAJBAIAx1JM6xcA1xMbAFsD8gA2oDBWogHGYcScY/4riDNKXi lw92d6IEHnSf6y7KJCKq8F+Jrj2BwRJiFKTJ6ChbOpyyR6nGTckzsLgday2KxBIyuh4w+hMq TGDSp2rmWGJjASrOwU0EVPSbkwEQAMkaNc084Qvql+XW+wcUIY+Dn9A2D1gMr2BVwdSfVDN7 0ZYxo9PvSkzh6eQmnZNQtl8WSHl3VG3IEDQzsMQ2ftZn2sxjcCadexrQQv3Lu60Tgj7YVYRM H+fLYt9W5YuWduJ+FPLbjIKynBf6JCRMWr75QAOhhhaI0tsie3eDsKQBA0w7WCuPiZiheJaL 4MDe9hcH4rM3ybnRW7K2dLszWNhHVoYSFlZGYh+MGpuODeQKDS035+4H2rEWgg+iaOwqD7bg CQXwTZ1kSrm8NxIRVD3MBtzp9SZdUHLfmBl/tLVwDSZvHZhhvJHC6Lj6VL4jPXF5K2+Nn/Su CQmEBisOmwnXZhhu8ulAZ7S2tcl94DCo60ReheDoPBU8PR2TLg8rS5f9w6mLYarvQWL7cDtT d2eX3Z6TggfNINr/RTFrrAd7NHl5h3OnlXj7PQ1f0kfufduOeCQddJN4gsQfxo/qvWVB7PaE 1WTIggPmWS+Xxijk7xG6x9McTdmGhYaPZBpAxewK8ypl5+yubVsE9yOOhKMVo9DoVCjh5To5 aph7CQWfQsV7cd9PfSJjI2lXI0dhEXhQ7lRCFpf3V3mD6CyrhpcJpV6XVGjxJvGUale7+IOp sQIbPKUHpB2F+ZUPWds9yyVxGwDxD8WLqKKy0WLIjkkSsOb9UBNzgRyzrEC9lgQ/ABEBAAHC wV8EGAECAAkFAlT0m5MCGwwACgkQyjiNKEaHD4nU8hAAtt0xFJAy0sOWqSmyxTc7FUcX+pbD KVyPlpl6urKKMk1XtVMUPuae/+UwvIt0urk1mXi6DnrAN50TmQqvdjcPTQ6uoZ8zjgGeASZg jj0/bJGhgUr9U7oG7Hh2F8vzpOqZrdd65MRkxmc7bWj1k81tOU2woR/Gy8xLzi0k0KUa8ueB iYOcZcIGTcs9CssVwQjYaXRoeT65LJnTxYZif2pfNxfINFzCGw42s3EtZFteczClKcVSJ1+L +QUY/J24x0/ocQX/M1PwtZbB4c/2Pg/t5FS+s6UB1Ce08xsJDcwyOPIH6O3tccZuriHgvqKP yKz/Ble76+NFlTK1mpUlfM7PVhD5XzrDUEHWRTeTJSvJ8TIPL4uyfzhjHhlkCU0mw7Pscyxn DE8G0UYMEaNgaZap8dcGMYH/96EfE5s/nTX0M6MXV0yots7U2BDb4soLCxLOJz4tAFDtNFtA wLBhXRSvWhdBJZiig/9CG3dXmKfi2H+wdUCSvEFHRpgo7GK8/Kh3vGhgKmnnxhl8ACBaGy9n fxjSxjSO6rj4/MeenmlJw1yebzkX8ZmaSi8BHe+n6jTGEFNrbiOdWpJgc5yHIZZnwXaW54QT UhhSjDL1rV2B4F28w30jYmlRmm2RdN7iCZfbyP3dvFQTzQ4ySquuPkIGcOOHrvZzxbRjzMx1 Mwqu3GQ= In-Reply-To: X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Hi Gongming, It's the 9th time the patch has been sent. I'm not sure whether there are changes between them or these are just re-sends, but that's something to avoid. If there are differences, you should use versionning to highlight it. If unsure, please check the contributions guidelines first. Regarding the patch itself, I don't know if this is avoidable, but I would prefer we do not introduce yet another lock in there. Thanks, Maxime On 4/3/24 08:31, Gongming Chen wrote: > From: Gongming Chen > > When a vhost user message handling error in the event dispatch thread, > vsocket reconn is added to the reconnection list of the reconnection > thread. > Since the reconnection, event dispatching and app configuration thread > do not have common thread protection restrictions, the app config > thread freed vsocket in the rte_vhost_driver_unregister process, > but vsocket reconn can still exist in the reconn_list through this > mechanism. > Then in the reconnection thread, the vsocket is connected again and > conn is added to the dispatch thread. > Finally, the vsocket is accessed again in the event dispatch thread, > resulting in a use-after-free error. > > This patch adds a vhost threads read-write lock to restrict > reconnection, event dispatching and app configuration threads. > When the vhost driver unregisters, it exclusively holds the lock to > safely free the vsocket. > > #0 0x0000000000000025 in ?? () > #1 0x0000000003ed7ca0 in vhost_user_read_cb at lib/vhost/socket.c:330 > #2 0x0000000003ed625f in fdset_event_dispatch at lib/vhost/fd_man.c:283 > > Fixes: e623e0c6d8a5 ("vhost: add vhost-user client mode") > Cc: stable@dpdk.org > > Signed-off-by: Gongming Chen > --- > lib/vhost/fd_man.c | 3 +++ > lib/vhost/meson.build | 1 + > lib/vhost/socket.c | 30 ++++++++++++------------------ > lib/vhost/vhost_thread.c | 37 +++++++++++++++++++++++++++++++++++++ > lib/vhost/vhost_thread.h | 16 ++++++++++++++++ > 5 files changed, 69 insertions(+), 18 deletions(-) > create mode 100644 lib/vhost/vhost_thread.c > create mode 100644 lib/vhost/vhost_thread.h > > diff --git a/lib/vhost/fd_man.c b/lib/vhost/fd_man.c > index 481e6b900a..b0e0aa2640 100644 > --- a/lib/vhost/fd_man.c > +++ b/lib/vhost/fd_man.c > @@ -9,6 +9,7 @@ > #include > > #include "fd_man.h" > +#include "vhost_thread.h" > > RTE_LOG_REGISTER_SUFFIX(vhost_fdset_logtype, fdset, INFO); > #define RTE_LOGTYPE_VHOST_FDMAN vhost_fdset_logtype > @@ -250,6 +251,7 @@ fdset_event_dispatch(void *arg) > if (val < 0) > continue; > > + vhost_thread_read_lock(); > need_shrink = 0; > for (i = 0; i < numfds; i++) { > pthread_mutex_lock(&pfdset->fd_mutex); > @@ -303,6 +305,7 @@ fdset_event_dispatch(void *arg) > > if (need_shrink) > fdset_shrink(pfdset); > + vhost_thread_read_unlock(); > } > > return 0; > diff --git a/lib/vhost/meson.build b/lib/vhost/meson.build > index 41b622a9be..7bc1840ed0 100644 > --- a/lib/vhost/meson.build > +++ b/lib/vhost/meson.build > @@ -25,6 +25,7 @@ sources = files( > 'vdpa.c', > 'vhost.c', > 'vhost_crypto.c', > + 'vhost_thread.c', > 'vhost_user.c', > 'virtio_net.c', > 'virtio_net_ctrl.c', > diff --git a/lib/vhost/socket.c b/lib/vhost/socket.c > index 96b3ab5595..e05d36f549 100644 > --- a/lib/vhost/socket.c > +++ b/lib/vhost/socket.c > @@ -20,6 +20,7 @@ > #include "fd_man.h" > #include "vduse.h" > #include "vhost.h" > +#include "vhost_thread.h" > #include "vhost_user.h" > > > @@ -463,6 +464,7 @@ vhost_user_client_reconnect(void *arg __rte_unused) > struct vhost_user_reconnect *reconn, *next; > > while (1) { > + vhost_thread_read_lock(); > pthread_mutex_lock(&reconn_list.mutex); > > /* > @@ -494,6 +496,7 @@ vhost_user_client_reconnect(void *arg __rte_unused) > } > > pthread_mutex_unlock(&reconn_list.mutex); > + vhost_thread_read_unlock(); > sleep(1); > } > > @@ -1071,7 +1074,7 @@ rte_vhost_driver_unregister(const char *path) > if (path == NULL) > return -1; > > -again: > + vhost_thread_write_lock(); > pthread_mutex_lock(&vhost_user.mutex); > > for (i = 0; i < vhost_user.vsocket_cnt; i++) { > @@ -1083,14 +1086,10 @@ rte_vhost_driver_unregister(const char *path) > vduse_device_destroy(path); > } else if (vsocket->is_server) { > /* > - * If r/wcb is executing, release vhost_user's > - * mutex lock, and try again since the r/wcb > - * may use the mutex lock. > + * The vhost thread write lock has been acquired, > + * and fd must be deleted from fdset. > */ > - if (fdset_try_del(&vhost_user.fdset, vsocket->socket_fd) == -1) { > - pthread_mutex_unlock(&vhost_user.mutex); > - goto again; > - } > + fdset_del(&vhost_user.fdset, vsocket->socket_fd); > } else if (vsocket->reconnect) { > vhost_user_remove_reconnect(vsocket); > } > @@ -1102,17 +1101,10 @@ rte_vhost_driver_unregister(const char *path) > next = TAILQ_NEXT(conn, next); > > /* > - * If r/wcb is executing, release vsocket's > - * conn_mutex and vhost_user's mutex locks, and > - * try again since the r/wcb may use the > - * conn_mutex and mutex locks. > + * The vhost thread write lock has been acquired, > + * and fd must be deleted from fdset. > */ > - if (fdset_try_del(&vhost_user.fdset, > - conn->connfd) == -1) { > - pthread_mutex_unlock(&vsocket->conn_mutex); > - pthread_mutex_unlock(&vhost_user.mutex); > - goto again; > - } > + fdset_del(&vhost_user.fdset, conn->connfd); > > VHOST_CONFIG_LOG(path, INFO, "free connfd %d", conn->connfd); > close(conn->connfd); > @@ -1134,9 +1126,11 @@ rte_vhost_driver_unregister(const char *path) > vhost_user.vsockets[i] = vhost_user.vsockets[count]; > vhost_user.vsockets[count] = NULL; > pthread_mutex_unlock(&vhost_user.mutex); > + vhost_thread_write_unlock(); > return 0; > } > pthread_mutex_unlock(&vhost_user.mutex); > + vhost_thread_write_unlock(); > > return -1; > } > diff --git a/lib/vhost/vhost_thread.c b/lib/vhost/vhost_thread.c > new file mode 100644 > index 0000000000..6b5dc22042 > --- /dev/null > +++ b/lib/vhost/vhost_thread.c > @@ -0,0 +1,37 @@ > +/* SPDX-License-Identifier: BSD-3-Clause > + * Copyright (c) 2024 China Telecom Cloud Technology Co., Ltd > + */ > + > +#include > + > +#include "vhost_thread.h" > + > +static rte_rwlock_t vhost_thread_lock = RTE_RWLOCK_INITIALIZER; > + > +void > +vhost_thread_read_lock(void) > + __rte_no_thread_safety_analysis > +{ > + rte_rwlock_read_lock(&vhost_thread_lock); > +} > + > +void > +vhost_thread_read_unlock(void) > + __rte_no_thread_safety_analysis > +{ > + rte_rwlock_read_unlock(&vhost_thread_lock); > +} > + > +void > +vhost_thread_write_lock(void) > + __rte_no_thread_safety_analysis > +{ > + rte_rwlock_write_lock(&vhost_thread_lock); > +} > + > +void > +vhost_thread_write_unlock(void) > + __rte_no_thread_safety_analysis > +{ > + rte_rwlock_write_unlock(&vhost_thread_lock); > +} > diff --git a/lib/vhost/vhost_thread.h b/lib/vhost/vhost_thread.h > new file mode 100644 > index 0000000000..61679172af > --- /dev/null > +++ b/lib/vhost/vhost_thread.h > @@ -0,0 +1,16 @@ > +/* SPDX-License-Identifier: BSD-3-Clause > + * Copyright (c) 2024 China Telecom Cloud Technology Co., Ltd > + */ > + > +#ifndef _VHOST_THREAD_H_ > +#define _VHOST_THREAD_H_ > + > +void vhost_thread_read_lock(void); > + > +void vhost_thread_read_unlock(void); > + > +void vhost_thread_write_lock(void); > + > +void vhost_thread_write_unlock(void); > + > +#endif