|SUCCESS| vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Thu Mar 26 17:29:41 CET 2026

Previous message (by thread): |Smoke |SUCCESS| pw(162699) sid(37762) job(PER_PATCH_BUILD18424-20260326030651) [v3] net/netvsc: switch data path to synthetic on device stop
Next message (by thread): |SUCCESS| vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/162725

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-03-26

I'll review this patch for correctness, coding style, and compliance with DPDK guidelines.

```
commit [SHA from patch]
Author: YuanXin <yuanxin123456 at 126.com>

vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free
virtio_net

backend may start poller when the first vq kick(like spdk), and access
virtio_net in poller pthread(reactor thread). At the same time, another
vq kick coming, then call numa_realloc to realloc virtio_net in numa node
of this vq, although virtio_net is already consistent with the first vq.
numa_realloc will free old virtio_net and set its member to 0, this
causes the previous poller pthread to access NULL ptr(latest code is
vhost_vring_inject_irq).
Why dev->flags & VIRTIO_DEV_RUNNING doesn't prevent that happening?
Because there is no lock protecting dev(virtio_net), only vq is protected
by lock.
So, it's no necessary to do dev_realloc for each vq kick when call
numa_realloc.

> diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
> index 4bfb13fb98..1312f95cbc 100644
> --- a/lib/vhost/vhost_user.c
> +++ b/lib/vhost/vhost_user.c
> @@ -681,6 +681,9 @@ numa_realloc(struct virtio_net **pdev, struct vhost_virtqueue **pvq)
>  
>  out_dev_realloc:
>  
> +	if (vq->index > 0)
> +		return;
> +

Does this comparison violate the coding style requirement that implicit
comparisons should only be used for booleans? The vq->index is an integer
value, not a boolean, so this should be written as "if (vq->index != 0)".

Does this code introduce a race condition? The patch claims to fix a race
where numa_realloc() can free dev while another thread accesses it.
However, this change only prevents dev reallocation when vq->index > 0.
What prevents the race when vq->index equals 0? Can two threads
simultaneously process queue 0 kicks and both enter numa_realloc()?

Does this logic correctly handle multi-queue scenarios? If virtqueues are
initialized in arbitrary order (not necessarily starting from index 0),
does this code still function correctly?

Is the fix complete? The commit message describes a race condition between
numa_realloc() freeing dev and other threads accessing dev->flags or
calling vhost_vring_inject_irq(). However, this patch only prevents
reallocation for non-zero queue indices. Does this fully address the race,
or does it only reduce the window of vulnerability?

>  	if (dev->flags & VIRTIO_DEV_RUNNING)
>  		return;

Does this check use proper boolean comparison style? According to the
coding style guide, implicit comparisons should only be used for booleans.
However, this appears to be existing code testing a flag value, which may
be acceptable if VIRTIO_DEV_RUNNING is treated as a boolean flag. This
pattern appears elsewhere in the codebase, so it may be acceptable, but
the new code above should follow explicit comparison style.

```

Previous message (by thread): |Smoke |SUCCESS| pw(162699) sid(37762) job(PER_PATCH_BUILD18424-20260326030651) [v3] net/netvsc: switch data path to synthetic on device stop
Next message (by thread): |SUCCESS| vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the test-report mailing list