patch 'vhost: fix virtqueue use after free on NUMA reallocation' has been queued to stable release 19.11.14

christian.ehrhardt at canonical.com christian.ehrhardt at canonical.com
Fri Nov 11 12:38:18 CET 2022


Hi,

FYI, your patch has been queued to stable release 19.11.14

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/18/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/f656287344ae0d29b322688095c1ee638f28675b

Thanks.

Christian Ehrhardt <christian.ehrhardt at canonical.com>

---
From f656287344ae0d29b322688095c1ee638f28675b Mon Sep 17 00:00:00 2001
From: David Marchand <david.marchand at redhat.com>
Date: Mon, 25 Jul 2022 22:32:03 +0200
Subject: [PATCH] vhost: fix virtqueue use after free on NUMA reallocation

[ upstream commit 0b2a2ca35037d6a5168f0832c11d9858b8ae946a ]

translate_ring_addresses (via numa_realloc) may change a virtio device and
virtio queue.
The virtqueue object must be refreshed before accessing the lock.

Fixes: 04c27cb673b9 ("vhost: fix unsafe vring addresses modifications")

Signed-off-by: David Marchand <david.marchand at redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
 lib/librte_vhost/vhost_user.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index af44d1e69c..76ce6cb11a 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -2389,6 +2389,7 @@ vhost_user_iotlb_msg(struct virtio_net **pdev, struct VhostUserMsg *msg,
 			if (is_vring_iotlb(dev, vq, imsg)) {
 				rte_spinlock_lock(&vq->access_lock);
 				*pdev = dev = translate_ring_addresses(dev, i);
+				vq = dev->virtqueue[i];
 				rte_spinlock_unlock(&vq->access_lock);
 			}
 		}
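
Review bot: the `rte_spinlock_lock(&vq->access_lock)` before `translate_ring_addresses(dev, i)` and the `rte_spinlock_unlock(&vq->access_lock)` after the added `vq = dev->virtqueue[i];` can now act on two different virtqueue objects, since the commit message says the call may replace both the device and the queue. The pair is only balanced if the reallocated virtqueue carries over the held lock state, which these lines do not show. A short comment above the added line, stating that the call may have reallocated `vq` and that the old pointer must not be touched afterwards, would explain why unlocking the refreshed `vq` is correct and keep a later cleanup from caching `vq` across the call again.
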
-- 
2.38.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2022-11-11 12:35:04.846725606 +0100
+++ 0001-vhost-fix-virtqueue-use-after-free-on-NUMA-reallocat.patch	2022-11-11 12:35:04.697191643 +0100
@@ -1 +1 @@
-From 0b2a2ca35037d6a5168f0832c11d9858b8ae946a Mon Sep 17 00:00:00 2001
+From f656287344ae0d29b322688095c1ee638f28675b Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 0b2a2ca35037d6a5168f0832c11d9858b8ae946a ]
+
@@ -11 +12,0 @@
-Cc: stable at dpdk.org
@@ -16 +17 @@
- lib/vhost/vhost_user.c | 1 +
+ lib/librte_vhost/vhost_user.c | 1 +
@@ -19,5 +20,5 @@
-diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
-index 4ad28bac45..91d40e32fc 100644
---- a/lib/vhost/vhost_user.c
-+++ b/lib/vhost/vhost_user.c
-@@ -2596,6 +2596,7 @@ vhost_user_iotlb_msg(struct virtio_net **pdev,
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index af44d1e69c..76ce6cb11a 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -2389,6 +2389,7 @@ vhost_user_iotlb_msg(struct virtio_net **pdev, struct VhostUserMsg *msg,

