From e2daada1d58368b7e77c2990e680bf58e4d94f2e Mon Sep 17 00:00:00 2001
From: Steven Luong
Date: Fri, 2 Apr 2021 22:42:26 -0700
Subject: vhost: Crash upon disconnect

Patch 24601 introduced description into template. In vhost_user_process, template is reused inside the while loop to call clib_file_add. But description is allocated outside of the loop only once. As a result, the same storage for description is being referenced by all instances of call to clib_file_add. As long as we don't call clib_file_del, we may be good with multiple fds sharing the same storage for the description. When one of the fds disconnects and frees the description, the other fds is holding onto the free memory pointer. Bad news eventually happens when another fd disconnects and frees the description that was already free previously. The fix is to move the allocation of description inside the loop to avoid sharing.

Type: fix
Fixes: gerrit.fd.io/r/c/vpp/+/24601
Signed-off-by: Steven Luong
Change-Id: Ie670931acdc2c7b851982d98fd0d837284a19036
---
 src/vnet/devices/virtio/vhost_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/vnet/devices/virtio/vhost_user.c')

diff --git a/src/vnet/devices/virtio/vhost_user.c b/src/vnet/devices/virtio/vhost_user.c
index 5f04db09395..0ecc2ffb2ee 100644
--- a/src/vnet/devices/virtio/vhost_user.c
+++ b/src/vnet/devices/virtio/vhost_user.c
@@ -1271,7 +1271,6 @@ vhost_user_process (vlib_main_t * vm,
 sun.sun_family = AF_UNIX;
 template.read_function = vhost_user_socket_read;
 template.error_function = vhost_user_socket_error;
- template.description = format (0, "vhost user process");

 while (1)
 {
@@ -1324,6 +1323,7 @@ vhost_user_process (vlib_main_t * vm,
 template.file_descriptor = sockfd;
 template.private_data = vui - vhost_user_main.vhost_user_interfaces;
+ template.description = format (0, "vhost user process");
 vui->clib_file_index = clib_file_add (&file_main, &template);

 vui->num_qid = 2;
-- 
cgit 1.2.3-korg
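Review bot: Ownership of the per-iteration `description` vector is undocumented at the call site in the second hunk: the commit message explains that `clib_file_del` frees it, which is exactly why one shared vector produced the use-after-free and double free, but nothing in the code stops the next reader from hoisting the "loop-invariant" `format` call back out of the loop and re-introducing the bug; a comment above the new line such as `/* clib_file_del frees description: allocate one per fd, never share a vector */` would pin the ownership rule where it matters. Since `template.file_descriptor = sockfd;` is set two lines above, the description could also carry the fd, e.g. `template.description = format (0, "vhost user process fd %d", sockfd);`, which makes the per-entry allocation self-evidently necessary and lets each entry be told apart when file descriptors are listed during triage. The body of vhost_user_process starts and ends outside this hunk, so whether every path after the new allocation reaches `clib_file_add` (otherwise the vector leaks on an early `continue`) cannot be confirmed here; the hunk header also announces 7 new lines while only 5 are visible, so at least one trailing context line appears to be missing from this rendering.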