On 3/11/22 17:35, Yuan Wang wrote:
This patch fixes heap-use-after-free reported by ASan.
It is possible for the rte_vhost_dequeue_burst() to access the vq
is freed when numa_realloc() gets called in the device running state.
The control plane will set the vq->access_lock to protected the vq
from the data plane. Unfortunately the lock will fail at the moment
the vq is freed, allowing the rte_vhost_dequeue_burst() to access
the fields of the vq, which will trigger a heap-use-after-free error.
In the case of multiple queues, the vhost pmd can access other queues
that are not ready when the first queue is ready, which makes no sense
and also allows numa_realloc() and rte_vhost_dequeue_burst() access to
vq to happen at the same time. By controlling vq->allow_queuing we can make
the pmd access only the queues that are ready.
Fixes: 1ce3c7fe149 ("net/vhost: emulate device start/stop behavior")
Signed-off-by: Yuan Wang <yuanx.w...@intel.com>
---
drivers/net/vhost/rte_eth_vhost.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
Applied to dpdk-next-virtio/main.
Thanks,
Maxime
