On 9/2/21 5:45 PM, Gaoxiang Liu wrote:
> The rte_vhost_driver_unregister() and vhost_user_read_cb()
> can be called at the same time by 2 threads.
> When memory of vsocket is freed in rte_vhost_driver_unregister(),
> the invalid memory of vsocket is accessed in vhost_user_read_cb().
> It's a bug in both modes, vhost as server or client.
>
> E.g., vhostuser port is created as server.
> Thread1 calls rte_vhost_driver_unregister().
> Before the listen fd is deleted from poll waiting fds,
> "vhost-events" thread then calls vhost_user_server_new_connection(),
> then a new conn fd is added in fdset when trying to reconnect.
> "vhost-events" thread then calls vhost_user_read_cb() and
> accesses invalid memory of socket while thread1 frees the memory of
> vsocket.
>
> E.g., vhostuser port is created as client.
> Thread1 calls rte_vhost_driver_unregister().
> Before vsocket of reconn is deleted from reconn list,
> "vhost_reconn" thread then calls vhost_user_add_connection()
> then a new conn fd is added in fdset when trying to reconnect.
> "vhost-events" thread then calls vhost_user_read_cb() and
> accesses invalid memory of socket while thread1 frees the memory of
> vsocket.
>
> The fix is to move "fdset_try_del" in front of freeing the memory of conn,
> which avoids the race condition.
>
> The core trace is:
> Program terminated with signal 11, Segmentation fault.
>
> Fixes: 52d874dc6705 ("vhost: fix crash on closing in client mode")
>
> Signed-off-by: Gaoxiang Liu <liugaoxi...@huawei.com>
> ---
>
> v2:
> * Fix coding style issues.
>
> v3:
> * Add detailed log.
>
> v4:
> * Add the reason, when vhostuser port is created as server.
>
> v5:
> * Add detailed log when vhostuser port is created as client.
>
> v6:
> * Add 'path' check before deleting listen fd
> * Fix spelling issues
>
> v7:
> * Fix coding style issues.
> ---
> lib/vhost/socket.c | 107 ++++++++++++++++++++++-----------------------
> 1 file changed, 53 insertions(+), 54 deletions(-)
>
Applied to dpdk-next-virtio/main.
Thanks,
Maxime
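A single-threaded model of the interleaving the quoted commit message describes, added here as an illustration and not DPDK's own code: it loosely mirrors the busy flag and fdset_try_del() semantics of DPDK's fdset (an entry marked busy while its callback runs cannot be deleted, so the caller retries), and replaces free() with a `freed` flag so the use-after-free becomes observable rather than a crash. The helper names `race` and `unregister` and the fd numbers are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
/* Added illustration of the ordering fixed in the commit above; not DPDK
 * code. Loosely mirrors DPDK's fdset: an entry is busy while its read
 * callback runs, and fdset_try_del() returns -1 for a busy entry so the
 * caller retries. conn->freed stands in for free() to expose the UAF. */
struct vhost_conn { int fd; bool freed; };
struct fdentry { struct vhost_conn *ctx; bool busy; }; /* ctx NULL: empty */
struct fdset { struct fdentry e[4]; };
static struct fdentry *fdset_find(struct fdset *s, int fd)
{
	for (int i = 0; i < 4; i++)
		if (s->e[i].ctx && s->e[i].ctx->fd == fd)
			return &s->e[i];
	return NULL;
}
static int fdset_try_del(struct fdset *s, int fd)
{
	struct fdentry *e = fdset_find(s, fd);
	if (!e || e->busy)
		return -1;
	e->ctx = NULL;
	return 0;
}
/* del_first selects the fixed order. Returns -1 while the entry is busy
 * (caller retries later), 0 once the conn has been released. */
static int unregister(struct fdset *s, struct vhost_conn *c, bool del_first)
{
	if (del_first && fdset_try_del(s, c->fd) == -1)
		return -1;
	c->freed = true;                    /* stand-in for free(conn) */
	if (!del_first)
		fdset_try_del(s, c->fd);        /* buggy order: removal too late */
	return 0;
}
/* Interleaving from the commit message: the event thread has dispatched
 * vhost_user_read_cb (entry busy, ctx snapshotted) when unregister runs.
 * Returns 1 if the callback body then touches released memory. */
static int race(bool del_first)
{
	struct vhost_conn c = { .fd = 7 };
	struct fdset s = { .e[0] = { .ctx = &c } };
	struct fdentry *e = fdset_find(&s, 7);
	struct vhost_conn *ctx = e->ctx;    /* event loop snapshots ctx... */
	e->busy = true;                     /* ...and marks the entry busy */
	int rc = unregister(&s, &c, del_first);
	int uaf = ctx->freed;               /* callback body runs now */
	e->busy = false;
	if (rc == -1)                       /* fixed order: retry now succeeds */
		unregister(&s, &c, del_first);
	return uaf;
}
```

With the old order `race(false)` reports the callback touching released memory; with fdset_try_del() first, `race(true)` defers the release until the callback has finished and reports no such access.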