gerrit.fd Code Review - vpp.git/commit

author	Steven Luong <sluong@cisco.com>
	Sat, 3 Apr 2021 05:42:26 +0000 (22:42 -0700)
committer	Matthew Smith <mgsmith@netgate.com>
	Mon, 5 Apr 2021 20:26:28 +0000 (20:26 +0000)
commit	e2daada1d58368b7e77c2990e680bf58e4d94f2e
tree	f911bc22d79490a930743f7f30358049231590b9	tree \| snapshot
parent	42c5c207e7e62f82c34103f4207f3da3915732c4	commit \| diff

vhost: Crash upon disconnect

Patch 24601 introduced description into template. In vhost_user_process,
template is reused inside the while loop to call clib_file_add. But
description is allocated outside of the loop only once. As a result, the
same storage for description is being referenced by all instances of call
to clib_file_add. As long as we don't call clib_file_del, we may be
good with multiple fds sharing the same storage for the description. When
one of the fds disconnects and frees the description, the other fds is
holding onto the free memory pointer. Bad news eventually happens when
another fd disconnects and frees the description that was already free
previously.

The fix is to move the allocation of description inside the loop to avoid
sharing.

Type: fix
Fixes: gerrit.fd.io/r/c/vpp/+/24601

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ie670931acdc2c7b851982d98fd0d837284a19036