Commit c0aa9f19 authored Oct 11, 2023 by Haoqian He Committed by Tomasz Zawadzki Oct 24, 2023

vhost: make vhost_dev_unregister thread safe



In function vhost_dev_unregister, before removing vdev from the
global linked list g_vhost_devices, other threads may access vdev
member but some of them have been free at this time, causing uaf.
E.g. When live migration, destroy_connection may access vdev->ctxt
by vhost_session_find_by_vid at the same time.

So we use spdk_vhost_lock to prevent other threads from accessing
vdev members(e.g. user_dev(ctxt), name, path) which have been free.

Change-Id: I81cc91633770c6b08f36b43545ed57cbb309aa01
Signed-off-by: Haoqian He <haoqian.he@smartx.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/20273


Community-CI: Mellanox Build Bot
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-by: Jim Harris <jim.harris@samsung.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>

parent 181143cc

lib/vhost/vhost.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -166,12 +166,14 @@ vhost_dev_unregister(struct spdk_vhost_dev *vdev)
		{
		int rc;

		spdk_vhost_lock();
		if (vdev->backend->type == VHOST_BACKEND_SCSI) {
		rc = vhost_user_dev_unregister(vdev);
		} else {
		rc = virtio_blk_destroy_ctrlr(vdev);
		}
		if (rc != 0) {
		spdk_vhost_unlock();
		return rc;
		}

		@@ -179,7 +181,6 @@ vhost_dev_unregister(struct spdk_vhost_dev *vdev)

		free(vdev->name);

		spdk_vhost_lock();
		TAILQ_REMOVE(&g_vhost_devices, vdev, tailq);
		if (TAILQ_EMPTY(&g_vhost_devices) && g_fini_cb != NULL) {
		g_fini_cb();