From patchwork Fri Feb 9 17:14:55 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tomasz Kulasek X-Patchwork-Id: 35095 X-Patchwork-Delegate: maxime.coquelin@redhat.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id EB4801B852; Fri, 9 Feb 2018 18:16:12 +0100 (CET) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 26D071B851; Fri, 9 Feb 2018 18:16:11 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Feb 2018 09:16:10 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,483,1511856000"; d="scan'208";a="29526669" Received: from unknown (HELO Sent) ([10.103.103.74]) by fmsmga001.fm.intel.com with SMTP; 09 Feb 2018 09:16:07 -0800 Received: by Sent (sSMTP sendmail emulation); Fri, 09 Feb 2018 18:15:03 +0100 From: Tomasz Kulasek To: yliu@fridaylinux.org Cc: dev@dpdk.org, yuanhan.liu@linux.intel.com, stable@dpdk.org, Dariusz Stojaczyk Date: Fri, 9 Feb 2018 18:14:55 +0100 Message-Id: <20180209171455.2904-1-tomaszx.kulasek@intel.com> X-Mailer: git-send-email 2.12.3 Subject: [dpdk-dev] [PATCH] vhost: fix double free on shutdown X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The vhost connection can be closed concurrently from 2 places: * the connection thread itself * rte_vhost_driver_unregister The connection thread will terminate the connection if any recv error occurred. The unregister function will terminate the connection together with the thread. However, there is no sychronization between those two. The connection thread runs in the background without any mutex. The rte_vhost_driver_unregister now signals the connection thread to terminate itself and waits until it's killed. Fixes: 65388b43f592 ("vhost: fix fd leaks for vhost-user server mode") Cc: yuanhan.liu@linux.intel.com Cc: stable@dpdk.org Signed-off-by: Dariusz Stojaczyk Signed-off-by: Tomasz Kulasek --- lib/librte_vhost/socket.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c index 83befdced..46ac88efd 100644 --- a/lib/librte_vhost/socket.c +++ b/lib/librte_vhost/socket.c @@ -735,7 +735,7 @@ rte_vhost_driver_unregister(const char *path) { int i; int count; - struct vhost_user_connection *conn, *next; + struct vhost_user_connection *conn; pthread_mutex_lock(&vhost_user.mutex); @@ -752,22 +752,17 @@ rte_vhost_driver_unregister(const char *path) } pthread_mutex_lock(&vsocket->conn_mutex); - for (conn = TAILQ_FIRST(&vsocket->conn_list); - conn != NULL; - conn = next) { - next = TAILQ_NEXT(conn, next); - - fdset_del(&vhost_user.fdset, conn->connfd); - RTE_LOG(INFO, VHOST_CONFIG, - "free connfd = %d for device '%s'\n", - conn->connfd, path); + TAILQ_FOREACH(conn, &vsocket->conn_list, next) { close(conn->connfd); - vhost_destroy_device(conn->vid); - TAILQ_REMOVE(&vsocket->conn_list, conn, next); - free(conn); } pthread_mutex_unlock(&vsocket->conn_mutex); + do { + pthread_mutex_lock(&vsocket->conn_mutex); + conn = TAILQ_FIRST(&vsocket->conn_list); + pthread_mutex_unlock(&vsocket->conn_mutex); + } while (conn != NULL); + pthread_mutex_destroy(&vsocket->conn_mutex); free(vsocket->path); free(vsocket);