> -----Original Message-----
> From: Wang, YuanX <yuanx.w...@intel.com>
> Sent: Saturday, March 12, 2022 12:35 AM
> To: maxime.coque...@redhat.com; Xia, Chenbo <chenbo....@intel.com>
> Cc: dev@dpdk.org; Hu, Jiayu <jiayu...@intel.com>; Ling, WeiX
> <weix.l...@intel.com>; Wang, YuanX <yuanx.w...@intel.com>
> Subject: [PATCH] net/vhost: fix access to freed memory
> 
> This patch fixes heap-use-after-free reported by ASan.
> 
> It is possible for rte_vhost_dequeue_burst() to access the vq that is freed
> when numa_realloc() gets called in the device running state.
> The control plane will set the vq->access_lock to protect the vq from the
> data plane. Unfortunately the lock will fail at the moment the vq is freed,
> allowing rte_vhost_dequeue_burst() to access the fields of the vq, which
> will trigger a heap-use-after-free error.
> 
> In the case of multiple queues, the vhost pmd can access other queues that
> are not ready when the first queue is ready, which makes no sense and also
> allows numa_realloc() and rte_vhost_dequeue_burst() access to the vq to
> happen at the same time. By controlling vq->allow_queuing we can make the
> pmd access only the queues that are ready.
> 
> Fixes: 1ce3c7fe149 ("net/vhost: emulate device start/stop behavior")
> 
> Signed-off-by: Yuan Wang <yuanx.w...@intel.com>
> ---
Tested-by: Wei Ling <weix.l...@intel.com>
