From bd8a611c7e4558f18e3280ace9e48ecae5673800 Mon Sep 17 00:00:00 2001 
From: Steven Date: Sun, 30 Jul 2017 10:29:26 -0700 Subject: Devices: Set interface rx-mode may cause SIGSEGV with nonexistent queue When I type in set interface rx-mode with a nonexistent queue, I got a crash with the following traceback. It looks like the vm is NULL when vlib_node_get_runtime is called. DBGvpp# sh int rx Thread 0 (vpp_main): node dpdk-input: TenGigabitEthernet5/0/0 queue 0 (polling) TenGigabitEthernet5/0/1 queue 0 (polling) TenGigabitEthernet7/0/0 queue 0 (polling) TenGigabitEthernet7/0/1 queue 0 (polling) node vhost-user-input: VirtualEthernet0/0/2 queue 0 (adaptive) DBGvpp# set interface rx-mode VirtualEthernet0/0/2 queue 1 polling Thread 1 "vpp_main" received signal SIGSEGV, Segmentation fault. 0x00007ffff6d4e0bc in vlib_node_get_runtime (vm=0x0, node_index=125) at /home/sluong/vpp/build-data/../src/vlib/node_funcs.h:92 92 vlib_node_t *n = vec_elt (nm->nodes, node_index); (gdb) where at /home/sluong/vpp/build-data/../src/vlib/node_funcs.h:92 at /home/sluong/vpp/build-data/../src/vlib/node_funcs.h:112 vnm=0x6f0fa0 , hw_if_index=7, queue_id=1, mode=0x7fffb62099e8) at /home/sluong/vpp/build-data/../src/vnet/devices/devices.c:307 hw_if_index=7, queue_id=1, mode=VNET_HW_INTERFACE_RX_MODE_POLLING) at /home/sluong/vpp/build-data/../src/vnet/interface_cli.c:1192 vm=0x7ffff7b9d440 , input=0x7fffb6209ef0, cmd=0x7fffb61d5d14) at /home/sluong/vpp/build-data/../src/vnet/interface_cli.c:1288 vm=0x7ffff7b9d440 , cm=0x7ffff7b9d630 , input=0x7fffb6209ef0, parent_command_index=18) at /home/sluong/vpp/build-data/../src/vlib/cli.c:588 vm=0x7ffff7b9d440 , cm=0x7ffff7b9d630 , input=0x7fffb6209ef0, parent_command_index=12) The fix is to add a check for vec_len(hw->input_node_thread_index_by_queue) and vec_len (hw->rx_mode_by_queue) to reject the command if the queue_id is out of bound. While at it, I notice inputting queue_id=-1 is being interpreted as all queues. An easy fix is to not overload the queue_id variable with -1 to mean something else. 
Change-Id: Id70ec3e7d06ccc67635e6d28ef53420bdac4a988
Signed-off-by: Steven
---
 src/vnet/devices/devices.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/vnet/devices/devices.c')
diff --git a/src/vnet/devices/devices.c b/src/vnet/devices/devices.c
index 2eb8e30e076..a38ecd2d1bb 100644
--- a/src/vnet/devices/devices.c
+++ b/src/vnet/devices/devices.c
@@ -264,6 +264,10 @@ vnet_hw_interface_set_rx_mode (vnet_main_t * vnm, u32 hw_if_index,
 (hw->flags & VNET_HW_INTERFACE_FLAG_SUPPORTS_INT_MODE) == 0)
 return VNET_API_ERROR_UNSUPPORTED;

+ if ((vec_len (hw->input_node_thread_index_by_queue) < queue_id + 1) ||
+ (vec_len (hw->rx_mode_by_queue) < queue_id + 1))
+ return VNET_API_ERROR_INVALID_QUEUE;
+
 hw->rx_mode_by_queue[queue_id] = mode;
 thread_index = hw->input_node_thread_index_by_queue[queue_id];
 vm = vlib_mains[thread_index];
@@ -307,6 +311,10 @@ vnet_hw_interface_get_rx_mode (vnet_main_t * vnm, u32 hw_if_index,
 if (hw->input_node_thread_index_by_queue == 0)
 return VNET_API_ERROR_INVALID_INTERFACE;

+ if ((vec_len (hw->input_node_thread_index_by_queue) < queue_id + 1) ||
+ (vec_len (hw->rx_mode_by_queue) < queue_id + 1))
+ return VNET_API_ERROR_INVALID_QUEUE;
+
 thread_index = hw->input_node_thread_index_by_queue[queue_id];
 vm = vlib_mains[thread_index];

-- cgit 1.2.3-korg
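Review bot: The bounds test added in vnet_hw_interface_set_rx_mode is written as `vec_len (...) < queue_id + 1`, so its correctness depends on `queue_id + 1` never wrapping. The parameter's declaration is outside this hunk; if it is, or later becomes, a 32-bit unsigned value, an all-ones queue_id makes the sum 0, the check passes, and both vectors are then indexed out of bounds. Comparing the index directly removes the arithmetic: `if (queue_id >= vec_len (hw->input_node_thread_index_by_queue) || queue_id >= vec_len (hw->rx_mode_by_queue))`. The identical expression is repeated in the vnet_hw_interface_get_rx_mode hunk and should change with it; a short comment such as `/* reject queue ids the interface does not have */` would also help, since both function bodies start and end outside the hunks. The description mentions no longer overloading queue_id with -1, but that change is not in this file's diff, so it is worth confirming the caller-side part landed together with this check.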