<html>
    <head>
      <base href="https://bugs.dpdk.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8" class="bz_new_table">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_UNCONFIRMED "
   title="UNCONFIRMED - PMD: IDPF segfaults during init on GCP baremetal"
   href="https://bugs.dpdk.org/show_bug.cgi?id=1403">1403</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>PMD: IDPF segfaults during init on GCP baremetal
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DPDK
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>UNCONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>ethdev
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dev@dpdk.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jordanrhee@google.com
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr></table>
      <p>
        <div class="bz_comment_block">
          <pre class="bz_comment_text">The DPDK IDPF driver (as of 23.11) segfaults during initialization while
handling response to `VIRTCHNL2_OP_SET_RSS_HASH` message.


Segfault is due to load from invalid address contained in
`ctlq_msg.ctx.indirect.payload`. 


```
idpf_handle_virtchnl_msg()
...
rte_memcpy(adapter->mbx_resp, ctlq_msg.ctx.indirect.payload->va,
                           IDPF_DFLT_MBX_BUF_SIZE);
```


`payload` only contains a valid address if the message is an 'indirect'
message. It is not valid if it is a 'direct' message. If `ctlq_msg.data_len` is
0, then it is a direct message and the caller should not access
`ctlq_msg.ctx.indirect`. `VIRTCHNL2_OP_SET_RSS_HASH` has a zero-length
response.


The following patch enables the DPDK IDPF driver to load and run successfully:


```
diff --git a/drivers/net/idpf/idpf_ethdev.c b/drivers/net/idpf/idpf_ethdev.c
index 6ae2ac2681..c273e9ba38 100644
--- a/drivers/net/idpf/idpf_ethdev.c
+++ b/drivers/net/idpf/idpf_ethdev.c
@@ -1087,8 +1087,10 @@ idpf_handle_virtchnl_msg(struct idpf_adapter_ext
*adapter_ex)
                        return;
                }

-               rte_memcpy(adapter->mbx_resp,
ctlq_msg.ctx.indirect.payload->va,
+                if (ctlq_msg.data_len) {
+                     rte_memcpy(adapter->mbx_resp,
ctlq_msg.ctx.indirect.payload->va,
                           IDPF_DFLT_MBX_BUF_SIZE);
+                }

                mbx_op = rte_le_to_cpu_16(ctlq_msg.opcode);
                vc_op = rte_le_to_cpu_32(ctlq_msg.cookie.mbx.chnl_opcode);
```


Stack:
```
#0  0x000000000108fc61 in idpf_handle_virtchnl_msg (adapter_ex=0x1003d7b40) at
../drivers/net/idpf/idpf_ethdev.c:1090
#1  0x00000000010912e3 in idpf_dev_alarm_handler (param=0x1003d7b40) at
../drivers/net/idpf/idpf_ethdev.c:1145
#2  0x000000000211e8fc in eal_alarm_callback (arg=0x0) at
../lib/eal/linux/eal_alarm.c:105
#3  0x0000000002123c3d in eal_intr_process_interrupts (events=0x7f4a69a052e0,
nfds=1) at ../lib/eal/linux/eal_interrupts.c:1017
#4  0x0000000002123f1c in eal_intr_handle_interrupts (pfd=6, totalfds=3) at
../lib/eal/linux/eal_interrupts.c:1091
#5  0x00000000021240ee in eal_intr_thread_main (arg=0x0) at
../lib/eal/linux/eal_interrupts.c:1163
#6  0x0000000002103bc4 in control_thread_start (arg=0x90c4f00) at
../lib/eal/common/eal_common_thread.c:282
#7  0x000000000211b7a0 in thread_start_wrapper (arg=0x7fff25a9c5a0) at
../lib/eal/unix/rte_thread.c:112
#8  0x00007f4a69fe96ea in start_thread () from /lib64/libpthread.so.0
#9  0x00007f4a69b2150f in clone () from /lib64/libc.so.6

(gdb) print ctlq_msg
$7 = {
  vmvf_type = 2 '\002',
  host_id = 117 'u',
  opcode = 2051,
  data_len = 0,             <--- direct message
  {
    func_id = 26624,
    status = 26624
  },
  cookie = {
    mbx = {
      chnl_opcode = 518,   <--- VIRTCHNL2_OP_SET_RSS_HASH
      chnl_retval = 0
    }
  },
  ctx = {
    direct = "\000\000\000\000\000\000\000\000x\357\336\277\374\026\000",
    indirect = {
      context = "\000\000\000\000\000\000\000",
      payload = 0x16fcbfdeef78                      <---- Invalid address
    },
    sw_cookie = {
      rsvd = 0,
      data = 0,
      flags = 0
    }
  }
}

```
          </pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
      <div itemscope itemtype="http://schema.org/EmailMessage">
        <div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
          
          <link itemprop="url" href="https://bugs.dpdk.org/show_bug.cgi?id=1403">
          <meta itemprop="name" content="View bug">
        </div>
        <meta itemprop="description" content="Bugzilla bug update notification">
      </div>
    </body>
</html>