vhost: Crash upon disconnect

Patch 24601 introduced description into template. In vhost_user_process,
template is reused inside the while loop to call clib_file_add. But
description is allocated outside of the loop only once. As a result, the
same storage for description is being referenced by all instances of call
to clib_file_add. As long as we don't call clib_file_del, we may be
good with multiple fds sharing the same storage for the description. When
one of the fds disconnects and frees the description, the other fds is
holding onto the free memory pointer. Bad news eventually happens when
another fd disconnects and frees the description that was already free
previously.

The fix is to move the allocation of description inside the loop to avoid
sharing.

Type: fix
Fixes: gerrit.fd.io/r/c/vpp/+/24601

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ie670931acdc2c7b851982d98fd0d837284a19036

diff --git a/src/vnet/devices/virtio/vhost_user.c b/src/vnet/devices/virtio/vhost_user.c
index 5f04db0..0ecc2ff 100644 (file)
--- a/src/vnet/devices/virtio/vhost_user.c
+++ b/src/vnet/devices/virtio/vhost_user.c
@@ -1271,7 +1271,6 @@ vhost_user_process (vlib_main_t * vm,
   sun.sun_family = AF_UNIX;
   template.read_function = vhost_user_socket_read;
   template.error_function = vhost_user_socket_error;
-  template.description = format (0, "vhost user process");
 
   while (1)
     {
@@ -1324,6 +1323,7 @@ vhost_user_process (vlib_main_t * vm,
                      template.file_descriptor = sockfd;
                      template.private_data =
                          vui - vhost_user_main.vhost_user_interfaces;
+                     template.description = format (0, "vhost user process");
                      vui->clib_file_index = clib_file_add (&file_main, &template);
                      vui->num_qid = 2;