rte_vhost_driver_unregister(), vhost_user_read_cb() and vhost_user_client_reconnect() can be called at the same time by 3 threads. When the memory of vsocket is freed in rte_vhost_driver_unregister(), vhost_user_read_cb() may then add vsocket to reconn_list, and the invalid memory of vsocket is accessed in vhost_user_client_reconnect(). It's a bug for vhost as client.
E.g., a vhostuser port is created as client. Thread 1 calls rte_vhost_driver_unregister() to remove the vsocket of reconn from the reconn list. Then the “vhost-events” thread calls vhost_user_read_cb() to add the vsocket of reconn back to the reconn list. At this time, after thread 1 releases the vsocket memory, the socket of vhostuser reconnects successfully, and the "vhost_reconn" thread will access the released memory.

The core trace is: Program terminated with signal 11, Segmentation fault.

The fix is to perform a delete operation again after releasing the memory.

Fixes: 451dc0f ("vhost: fix crash on port deletion")
Cc: sta...@dpdk.org

Signed-off-by: Xinxin Zhao <15957197...@163.com>

--- lib/vhost/socket.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/vhost/socket.c b/lib/vhost/socket.c index a75728a2e4..01946096c4 100644 --- a/lib/vhost/socket.c +++ b/lib/vhost/socket.c @@ -1121,6 +1121,8 @@ rte_vhost_driver_unregister(const char *path) if (vsocket->is_server) { close(vsocket->socket_fd); unlink(path); + } else if (vsocket->reconnect) { + vhost_user_remove_reconnect(vsocket); } pthread_mutex_destroy(&vsocket->conn_mutex); -- 2.45.2
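Review bot: In the new else-if branch of rte_vhost_driver_unregister(), the second vhost_user_remove_reconnect(vsocket) call narrows the window but nothing visible in this hunk closes it: no lock is held and nothing here synchronizes with the "vhost-events" thread, so vhost_user_read_cb() could still add the vsocket back to the reconnect list between this call and the point where the vsocket is freed. Please either state in the commit message what guarantees that the read callback can no longer run for this vsocket once this line is reached, or perform the removal under the same lock the callback uses when it adds the entry. The commit message also says the delete is done "after releasing the memory", while the call is placed before pthread_mutex_destroy(&vsocket->conn_mutex); the wording should match the code. A one-line comment above the call explaining why a second removal is needed for the client/reconnect case would help future readers, since the function apparently already removes the entry once earlier.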