From: Kevin Traynor <ktraynor@redhat.com>
To: Yuan Wang <yuanx.wang@intel.com>
Cc: Wei Ling <weix.ling@intel.com>,
Maxime Coquelin <maxime.coquelin@redhat.com>,
dpdk stable <stable@dpdk.org>
Subject: patch 'net/vhost: fix access to freed memory' has been queued to stable release 21.11.2
Date: Wed, 25 May 2022 17:27:59 +0100 [thread overview]
Message-ID: <20220525162847.711753-7-ktraynor@redhat.com> (raw)
In-Reply-To: <20220525162847.711753-1-ktraynor@redhat.com>
Hi,
FYI, your patch has been queued to stable release 21.11.2
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/30/22. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/58d1b856be11421a5d7688a89f0058ff10688e3a
Thanks.
Kevin
---
From 58d1b856be11421a5d7688a89f0058ff10688e3a Mon Sep 17 00:00:00 2001
From: Yuan Wang <yuanx.wang@intel.com>
Date: Sat, 12 Mar 2022 00:35:12 +0800
Subject: [PATCH] net/vhost: fix access to freed memory
[ upstream commit 9dc6bb06824f3c5887f0436ddba5ab9116cb277e ]
This patch fixes heap-use-after-free reported by ASan.
It is possible for the rte_vhost_dequeue_burst() to access the vq
is freed when numa_realloc() gets called in the device running state.
The control plane will set the vq->access_lock to protected the vq
from the data plane. Unfortunately the lock will fail at the moment
the vq is freed, allowing the rte_vhost_dequeue_burst() to access
the fields of the vq, which will trigger a heap-use-after-free error.
In the case of multiple queues, the vhost pmd can access other queues
that are not ready when the first queue is ready, which makes no sense
and also allows numa_realloc() and rte_vhost_dequeue_burst() access to
vq to happen at the same time. By controlling vq->allow_queuing we can make
the pmd access only the queues that are ready.
Fixes: 1ce3c7fe149 ("net/vhost: emulate device start/stop behavior")
Signed-off-by: Yuan Wang <yuanx.wang@intel.com>
Tested-by: Wei Ling <weix.ling@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
drivers/net/vhost/rte_eth_vhost.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/net/vhost/rte_eth_vhost.c b/drivers/net/vhost/rte_eth_vhost.c
index 070f0e6dfd..8a6595504a 100644
--- a/drivers/net/vhost/rte_eth_vhost.c
+++ b/drivers/net/vhost/rte_eth_vhost.c
@@ -721,4 +721,5 @@ update_queuing_status(struct rte_eth_dev *dev)
struct pmd_internal *internal = dev->data->dev_private;
struct vhost_queue *vq;
+ struct rte_vhost_vring_state *state;
unsigned int i;
int allow_queuing = 1;
@@ -731,4 +732,6 @@ update_queuing_status(struct rte_eth_dev *dev)
allow_queuing = 0;
+ state = vring_states[dev->data->port_id];
+
/* Wait until rx/tx_pkt_burst stops accessing vhost device */
for (i = 0; i < dev->data->nb_rx_queues; i++) {
@@ -736,5 +739,8 @@ update_queuing_status(struct rte_eth_dev *dev)
if (vq == NULL)
continue;
- rte_atomic32_set(&vq->allow_queuing, allow_queuing);
+ if (allow_queuing && state->cur[vq->virtqueue_id])
+ rte_atomic32_set(&vq->allow_queuing, 1);
+ else
+ rte_atomic32_set(&vq->allow_queuing, 0);
while (rte_atomic32_read(&vq->while_queuing))
rte_pause();
@@ -745,5 +751,8 @@ update_queuing_status(struct rte_eth_dev *dev)
if (vq == NULL)
continue;
- rte_atomic32_set(&vq->allow_queuing, allow_queuing);
+ if (allow_queuing && state->cur[vq->virtqueue_id])
+ rte_atomic32_set(&vq->allow_queuing, 1);
+ else
+ rte_atomic32_set(&vq->allow_queuing, 0);
while (rte_atomic32_read(&vq->while_queuing))
rte_pause();
@@ -968,4 +977,6 @@ vring_state_changed(int vid, uint16_t vring, int enable)
rte_spinlock_unlock(&state->lock);
+ update_queuing_status(eth_dev);
+
VHOST_LOG(INFO, "vring%u is %s\n",
vring, enable ? "enabled" : "disabled");
--
2.34.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2022-05-25 17:26:58.808074511 +0100
+++ 0007-net-vhost-fix-access-to-freed-memory.patch 2022-05-25 17:26:58.541828293 +0100
@@ -1 +1 @@
-From 9dc6bb06824f3c5887f0436ddba5ab9116cb277e Mon Sep 17 00:00:00 2001
+From 58d1b856be11421a5d7688a89f0058ff10688e3a Mon Sep 17 00:00:00 2001
@@ -4,0 +5,2 @@
+
+[ upstream commit 9dc6bb06824f3c5887f0436ddba5ab9116cb277e ]
next prev parent reply other threads:[~2022-05-25 16:29 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-25 16:27 patch 'test/mem: disable ASan when accessing unallocated " Kevin Traynor
2022-05-25 16:27 ` patch 'net/netvsc: fix hot adding multiple VF PCI devices' " Kevin Traynor
2022-05-25 16:27 ` patch 'net/nfp: remove unneeded header inclusion' " Kevin Traynor
2022-05-25 16:27 ` patch 'net/bonding: fix RSS key config with extended key length' " Kevin Traynor
2022-05-25 16:27 ` patch 'net/cxgbe: fix port ID in Rx mbuf' " Kevin Traynor
2022-05-25 16:27 ` patch 'net/cxgbe: fix Tx queue stuck with mbuf chain coalescing' " Kevin Traynor
2022-05-25 16:27 ` Kevin Traynor [this message]
2022-05-25 16:28 ` patch 'net/virtio: restore some optimisations with AVX512' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/vhost: fix TSO feature default disablement' " Kevin Traynor
2022-05-25 16:28 ` patch 'vhost: fix missing virtqueue lock protection' " Kevin Traynor
2022-05-25 16:28 ` patch 'vdpa/mlx5: fix interrupt trash that leads to crash' " Kevin Traynor
2022-05-25 16:28 ` patch 'vdpa/mlx5: fix dead loop when process interrupted' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/dpaa: fix event queue detach' " Kevin Traynor
2022-05-25 16:28 ` patch 'doc: update matching versions in ice guide' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bonding: fix stopping non-active slaves' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bonding: fix slave stop and remove on port close' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/tap: fix interrupt handler freeing' " Kevin Traynor
2022-05-25 16:28 ` patch 'ethdev: fix build with vtune option' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: fix order of clearing imissed register in PF' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: fix MAC and queues HW statistics overflow' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: fix pseudo-sharing between threads' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: fix mbuf free on Tx done cleanup' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: fix RSS disable' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: fix rollback on RSS hash update' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: remove redundant RSS tuple field' " Kevin Traynor
2022-05-25 16:28 ` patch 'ethdev: fix RSS update when RSS is disabled' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/hns3: remove unnecessary RSS switch' " Kevin Traynor
2022-05-25 16:28 ` patch 'app/testpmd: check statistics query before printing' " Kevin Traynor
2022-05-25 16:28 ` patch 'app/testpmd: fix MTU verification' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/cnxk: add message on flow parsing failure' " Kevin Traynor
2022-05-25 16:28 ` patch 'common/cnxk: fix unaligned access to device memory' " Kevin Traynor
2022-05-25 16:28 ` patch 'common/cnxk: fix null pointer dereference' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/cnxk: fix uninitialized variables' " Kevin Traynor
2022-05-25 16:28 ` patch 'common/cnxk: fix SQ flush sequence' " Kevin Traynor
2022-05-25 16:35 ` Kevin Traynor
2022-05-25 16:28 ` patch 'net/cnxk: add barrier after meta batch free in scalar' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix reordering in NEON Rx' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix device capability reporting' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: remove unused macro' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix Rx configuration' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix RSS action' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix ring group on Rx restart' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: check duplicate queue IDs' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: handle queue stop during RSS flow create' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: avoid unnecessary endianness conversion' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix speed autonegotiation' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: force PHY update on certain configurations' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix link status when port is stopped' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: recheck FW readiness if in reset process' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/bnxt: fix freeing VNIC filters' " Kevin Traynor
2022-05-25 16:28 ` patch 'net/mlx5: fix no-green metering with RSS' " Kevin Traynor
2022-05-25 16:28 ` patch 'doc: fix build with sphinx 4.5' " Kevin Traynor
2022-05-25 16:28 ` patch 'eventdev/eth_rx: fix telemetry Rx stats reset' " Kevin Traynor
2022-05-25 16:28 ` patch 'event/cnxk: fix out of bounds access in test' " Kevin Traynor
2022-05-25 16:28 ` patch 'eal/x86: fix unaligned access for small memcpy' " Kevin Traynor
2022-05-25 16:28 ` patch 'devargs: fix leak on hotplug failure' " Kevin Traynor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220525162847.711753-7-ktraynor@redhat.com \
--to=ktraynor@redhat.com \
--cc=maxime.coquelin@redhat.com \
--cc=stable@dpdk.org \
--cc=weix.ling@intel.com \
--cc=yuanx.wang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).