[dpdk-dev] [PATCH v2] virtio: fix segfault when transmit pkts

Yuanhan Liu yuanhan.liu at linux.intel.com
Tue Apr 26 05:43:09 CEST 2016


On Mon, Apr 25, 2016 at 02:37:45AM +0000, Jianfeng Tan wrote:
> Issue: when using virtio nic to transmit pkts, it causes segment fault.
> 
> How to reproduce:
> Basically, we need to construct a case with vm send packets to vhost-user,
> and this issue does not happen when transmitting packets using indirect
> desc. Besides, make sure all descriptors are exhausted before vhost
> dequeues any packets.
> 
> a. start testpmd with vhost.
>   $ testpmd -c 0x3 -n 4 --socket-mem 1024,0 --no-pci \
>     --vdev 'eth_vhost0,iface=/tmp/sock0,queues=1' -- -i --nb-cores=1
> 
> b. start a qemu with a virtio nic connected with the vhost-user port, just
> make sure mrg_rxbuf is enabled.
> 
> c. enable testpmd on the host.
>   testpmd> set fwd io
>   testpmd> start (better without start vhost-user)
> 
> d. start testpmd in VM.
>   $testpmd -c 0x3 -n 4 -m 1024 -- -i --disable-hw-vlan-filter --txqflags=0xf01
>   testpmd> set fwd txonly
>   testpmd> start
> 
> How to fix: this bug is because inside virtqueue_enqueue_xmit(), the flag of
                          ^^^^^^^
> desc has been updated inside the do {} while (), not necessary to update after
> the loop.

That's not a right "because": you were stating a fact of the right way
to do setup desc flags, but not the cause of this bug.

> (And if we do that after the loop, if all descs could have run out,
> idx is VQ_RING_DESC_CHAIN_END (32768), use this idx to reference the start_dp
> array will lead to segment fault.)

And that's the cause. So, you should state the cause first, then the fix
(which we already have), but not in the verse order you just did.

So, I'd like to reword the commit log a bit, to something like following.
What do you think of it? If no objection, I could merge it soon. Thanks
for the fix, BTW!

	--yliu

    ---
    Subject: virtio: fix segfault on Tx desc flags setup
    
    
    After the do-while loop, idx could be VQ_RING_DESC_CHAIN_END (32768)
    when it's the last vring desc buf we can get. Therefore, following
    expresssion could lead to a segfault error, as it tries to access
    beyond the desc memory boundary.
    
        start_dp[idx].flags &= ~VRING_DESC_F_NEXT;
    
    This bug could be reproduced easily with "set fwd txonly" in the
    guest PMD, where the dequeue on host is slower than the guest Tx,
    that running out of free desc buf is pretty easy.
    
    The fix is straightforward and easy, just remove it, as we have
    already set desc flags properly inside the do-while loop.
    
    Fixes: dd856dfcb9e ("virtio: use any layout on Tx")


More information about the dev mailing list