|SUCCESS| vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Fri Mar 27 09:09:13 CET 2026

Previous message (by thread): |SUCCESS| vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net
Next message (by thread): |Smoke |SUCCESS| pw(162700-162701) sid(37763) job(PER_PATCH_BUILD18425-20260326032130) [v4, 2/2] app/testpmd: revert switch domain mismatch check
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/162724

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-03-27

Commit: (patch from patchwork, no git sha available)
Author: YuanXin <yuanxin123456 at 126.com>
Subject: vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net

This patch attempts to fix a race condition where numa_realloc() frees
and reallocates virtio_net while another thread (poller/reactor) is
accessing it, potentially causing crashes when accessing NULL pointers.

> diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
> index 4bfb13fb98..1312f95cbc 100644
> --- a/lib/vhost/vhost_user.c
> +++ b/lib/vhost/vhost_user.c
> @@ -681,6 +681,9 @@ numa_realloc(struct virtio_net **pdev, struct vhost_virtqueue **pvq)
>  
>  out_dev_realloc:
>  
> +	if (vq->index > 0)
> +		return;
> +
>  	if (dev->flags & VIRTIO_DEV_RUNNING)
>  		return;

Does this code introduce a race condition? The check "if (vq->index > 0)"
uses vq->index without holding any lock, but vq could potentially be
modified concurrently. The commit message acknowledges that "only vq is
protected by lock" but this code accesses vq->index outside of any lock.

Does this fix actually address the root cause? The commit message states
the issue is that dev (virtio_net) has no lock protecting it when
accessed by multiple threads. However, this patch only prevents
dev_realloc for vq->index > 0, which means the race can still occur on
the first queue (index 0). If a poller thread is accessing dev while
numa_realloc is called for vq 0, won't the same crash still occur?

Is the logic correct for multi-queue scenarios? By only allowing
dev_realloc when vq->index is 0, does this prevent necessary NUMA
reallocation when queue 0 is on a different NUMA node than subsequent
queues? What happens if vq 0 is on NUMA node A but vq 1 is on NUMA node
B - won't the device remain on the wrong NUMA node?

Does this code follow the DPDK C coding style? According to the coding
style guide, the comparison "if (vq->index > 0)" should explicitly
compare against 0 for non-boolean values, though this is already done
correctly. However, is the placement and spacing of this check
consistent with the existing code structure?

Previous message (by thread): |SUCCESS| vhost: fix rte_vhost_vring_call coredump caused by numa_realloc free virtio_net
Next message (by thread): |Smoke |SUCCESS| pw(162700-162701) sid(37763) job(PER_PATCH_BUILD18425-20260326032130) [v4, 2/2] app/testpmd: revert switch domain mismatch check
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the test-report mailing list