From 0c4699855f66e8bf89a41cf83b41adc753c30cce Mon Sep 17 00:00:00 2001 From: Steven Date: Sun, 4 Nov 2018 08:20:01 -0800 Subject: vhost: crash in vhost_user_tx_avx2 (gdb) bt bt Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) frame 5 frame 5 293 if (PREDICT_FALSE (rxvq->last_avail_idx == rxvq->avail->idx)) (gdb) p *rxvq p *rxvq $3 = {cacheline0 = 0x7f290bcadd80 "\377\003", qsz_mask = 1023, last_avail_idx = 0, last_used_idx = 0, n_since_last_int = 0, desc = 0x0, avail = 0x0, used = 0x0, int_deadline = 0, started = 1 '\001', enabled = 1 '\001', log_used = 0 '\000', cacheline1 = 0x7f290bcaddc0 "\377\377\377\377\016", errfd = -1, callfd_idx = 14, kickfd_idx = 19, log_guest_addr = 5151049792, mode = 0} The crash is because we access the null pointer rxvq->avail, which is supposed to be derived from the mmap informed by the driver. We fixed a similar issue before in https://gerrit.fd.io/r/#/c/14545/ The reason was the driver ummaps the memory without doing the disconnect in SR-IOV environment. The fixed was applied to the RX path. Now it happens in the TX path. We just need to apply the same check in the TX path. Change-Id: I7b1dfc96797cb5b52845bc6cec09a8c5d4325280 Signed-off-by: Steven
---
src/vnet/devices/virtio/vhost_user_output.c | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'src/vnet/devices/virtio/vhost_user_output.c')
diff --git a/src/vnet/devices/virtio/vhost_user_output.c b/src/vnet/devices/virtio/vhost_user_output.c
index 820594999c8..9b6c01704bf 100644
--- a/src/vnet/devices/virtio/vhost_user_output.c
+++ b/src/vnet/devices/virtio/vhost_user_output.c
@@ -261,6 +261,12 @@ VNET_DEVICE_CLASS_TX_FN (vhost_user_device_class) (vlib_main_t * vm,
 VHOST_VRING_IDX_RX (*vec_elt_at_index (vui->per_cpu_tx_qid, thread_index));
 rxvq = &vui->vrings[qid];
+ if (PREDICT_FALSE (rxvq->avail == 0))
+ {
+ error = VHOST_USER_TX_FUNC_ERROR_MMAP_FAIL;
+ goto done3;
+ }
+
 if (PREDICT_FALSE (vui->use_tx_spinlock))
 vhost_user_vring_lock (vui, qid);
-- cgit 1.2.3-korg
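Review bot: The new `rxvq->avail == 0` test runs before `vhost_user_vring_lock` is taken on the two context lines that follow it, so if the driver's unmap can happen concurrently with this thread (the commit message describes it arriving without a disconnect), a pointer that was non-NULL at the test may be NULL or dangling by the time the ring is first dereferenced further down the function. Consider performing the test under the spinlock, or having the unmap handler clear the `started`/`enabled` flags shown in the gdb dump under that same lock so the TX path rejects the queue on state rather than on one pointer — the dump shows `desc` and `used` zeroed as well, and only `avail` is checked here. The guard also deserves a why-comment, e.g. `/* The driver may unmap the vring memory without a disconnect (seen with SR-IOV); bail out before touching the ring, as the RX path already does. */`. Because the jump happens before the lock is acquired, `done3` must not unlock the vring — worth confirming, since that label, like the start and end of the enclosing TX function, lies outside this hunk.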