The rte_vhost_driver_unregister() and vhost_user_read_cb() can be called at the same time by 2 threads. reconn may be added back to reconn_list by vhost_user_read_cb() after rte_vhost_driver_unregister() removed it from reconn_list. Then rte_vhost_driver_unregister frees vsocket, causing vhost_user_client_reconnect to access invalid vsocket memory.
Timeline is as below:

rte_vhost_driver_unregister thread executes vhost_user_remove_reconnect
vhost_user_read_cb thread executes vhost_user_start_client, adds reconn to reconn_list
vhost_user_read_cb thread frees conn
rte_vhost_driver_unregister thread cannot find conn, then executes vhost_user_socket_mem_free
vhost_user_client_reconnect accesses invalid mem, crash

Signed-off-by: suntianyuan <suntiany...@baidu.com>
---
 lib/vhost/socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/vhost/socket.c b/lib/vhost/socket.c index 669c322e12..72c776d15c 100644 --- a/lib/vhost/socket.c +++ b/lib/vhost/socket.c @@ -1046,8 +1046,6 @@ rte_vhost_driver_unregister(const char *path) pthread_mutex_unlock(&vhost_user.mutex); goto again; } - } else if (vsocket->reconnect) { - vhost_user_remove_reconnect(vsocket); } pthread_mutex_lock(&vsocket->conn_mutex); @@ -1080,6 +1078,8 @@ rte_vhost_driver_unregister(const char *path) if (vsocket->is_server) { close(vsocket->socket_fd); unlink(path); + } else if (vsocket->reconnect) { + vhost_user_remove_reconnect(vsocket); } pthread_mutex_destroy(&vsocket->conn_mutex); -- 2.32.0 (Apple Git-132)
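Review bot: in the first hunk (@@ -1046), dropping vhost_user_remove_reconnect() from this `else if` branch leaves the vsocket on reconn_list for the whole connection teardown that follows; that is the intent, but it is only safe if every path from here to vhost_user_socket_mem_free() passes through the relocated call. The `goto again` path just above is fine because it loops back, so please confirm there is no other early return or error exit between this point and the new call site, otherwise a dangling reconn entry pointing at freed memory is reintroduced by the move rather than fixed.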
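Review bot: in the second hunk (@@ -1080), the relocated `} else if (vsocket->reconnect) { vhost_user_remove_reconnect(vsocket); }` closes the re-add window only if vhost_user_client_reconnect() keeps the reconn_list lock for as long as it uses an entry; if it pops the entry and then connects with the lock dropped, the vsocket freed right after this call can still be dereferenced, so that locking should be checked as part of this fix. The ordering is the whole point of the change and nothing in the code says so; add a short comment above the call stating that it must come after the connection cleanup because vhost_user_start_client() can re-add the entry while connections are being torn down.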