From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com [209.85.220.53]) by dpdk.org (Postfix) with ESMTP id 6B0B82A5D for ; Tue, 26 Apr 2016 06:48:29 +0200 (CEST) Received: by mail-pa0-f53.google.com with SMTP id r5so1940366pag.1 for ; Mon, 25 Apr 2016 21:48:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=K4nAoSYbP4Y7uxPP0WoTT/ojcAbTvAK4/qeTniFhJxA=; b=x45oifCmbrDoOqKy6jB9txmEwM1zH2YUzD/lPfmmQIh80ZunYKHqZGDaItr8B3HXzZ tRG9kTqR+fvGXkIhMi4EE9FH02i+hG4GWC7buH5JjlJ8vVqYpHYHWg0cuk1bMr7IokCx hVBHJQj1WaShm2Cz31fsUsbHSpgfVwqmgQQCayfN4iVt+XObdbx+oVfpjGBV+dSOu7OT fIyA0qR6XArdiAAKunYBZJ3syVThM4yHR05rhZhDP93Tzw3D/0Z4LGbs8C0IrGa71K5U gq7qcK0MkoBT1oZYis4zBWXW8rd0r7z3M0SFk8QD3DoIRLf1B9n30cDuGUECyjuCUDvE YfhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=K4nAoSYbP4Y7uxPP0WoTT/ojcAbTvAK4/qeTniFhJxA=; b=jpjyq4QcFg4i335FSLSLT6RlSheD9Kf2btbVWMLHZHSjMYLSQKcX5G5ljlRV9bB/Dk UmY9JahfvEkBVqhJbYbBz8AAeEoPHex+RpNpUsUE9IVJPhSGBv5s15yAdi6VsjnLQVCV z7RuvT/FQZ2u28qpZtb3FZtKBq8zZXgTgsADv2NXhvtnMTun0qG21Hkl676l2s+mRHMy u8Mp4mMRj/FFK02GIaC+g7h1w+EY5Zv5ZM1iokfKdURdv9Med3tw2INg9EBX3DsZBDPY g6OBzASaq2pOsHqHartxQIjcoeooZhyBrdOFzrEvhEmnYnTnApvN3mgRBr7hFpON2xN7 EwPg== X-Gm-Message-State: AOPr4FW4Wxt0OnIJ57oSAfv/88bfUhnE0ZLBTp0e1iTSC6YUFLmlm8FZKHevyu+m0rCLBA== X-Received: by 10.66.88.104 with SMTP id bf8mr663699pab.129.1461646108812; Mon, 25 Apr 2016 21:48:28 -0700 (PDT) Received: from xeon-e3 (static-50-53-72-186.bvtn.or.frontiernet.net. [50.53.72.186]) by smtp.gmail.com with ESMTPSA id l88sm32687335pfb.79.2016.04.25.21.48.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Apr 2016 21:48:28 -0700 (PDT) Date: Mon, 25 Apr 2016 21:48:42 -0700 From: Stephen Hemminger To: Jianfeng Tan Cc: dev@dpdk.org, huawei.xie@intel.com, yuanhan.liu@linux.intel.com Message-ID: <20160425214842.25df5915@xeon-e3> In-Reply-To: <1461242170-146337-1-git-send-email-jianfeng.tan@intel.com> References: <1461242170-146337-1-git-send-email-jianfeng.tan@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH] virtio: fix segfault when transmit pkts X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Apr 2016 04:48:29 -0000 On Thu, 21 Apr 2016 12:36:10 +0000 Jianfeng Tan wrote: > Issue: when using virtio nic to transmit pkts, it causes segment fault. > > How to reproduce: > a. start testpmd with vhost. > $testpmd -c 0x3 -n 4 --socket-mem 1024,0 --no-pci \ > --vdev 'eth_vhost0,iface=/tmp/sock0,queues=1' -- -i --nb-cores=1 > b. start a qemu with a virtio nic connected with the vhost-user port. > $qemu -smp cores=2,sockets=1 -cpu host -enable-kvm vm-0.img -vnc :5 -m 4G \ > -object memory-backend-file,id=mem,size=4096M,mem-path=,share=on \ > -numa node,memdev=mem -mem-prealloc \ > -chardev socket,id=char1,path=$sock_vhost \ > -netdev type=vhost-user,id=net1,chardev=char1 \ > -device virtio-net-pci,netdev=net1,mac=00:01:02:03:04:05 > c. enable testpmd on the host. > testpmd> set fwd io > testpmd> start > d. start testpmd in VM. > $testpmd -c 0x3 -n 4 -m 1024 -- -i --disable-hw-vlan-filter --txqflags=0xf01 > testpmd> set fwd txonly > testpmd> start > > How to fix: this bug is because inside virtqueue_enqueue_xmit(), the flag of > desc has been updated inside the do {} while (); and after the loop, all descs > could have run out, so idx is VQ_RING_DESC_CHAIN_END (32768), use this idx to > reference the start_dp array will lead to segment fault. > > Signed-off-by: Jianfeng Tan > --- > drivers/net/virtio/virtio_rxtx.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/drivers/net/virtio/virtio_rxtx.c b/drivers/net/virtio/virtio_rxtx.c > index ef21d8e..432aeab 100644 > --- a/drivers/net/virtio/virtio_rxtx.c > +++ b/drivers/net/virtio/virtio_rxtx.c > @@ -271,8 +271,6 @@ virtqueue_enqueue_xmit(struct virtqueue *txvq, struct rte_mbuf *cookie, > idx = start_dp[idx].next; > } while ((cookie = cookie->next) != NULL); > > - start_dp[idx].flags &= ~VRING_DESC_F_NEXT; > - > if (use_indirect) > idx = txvq->vq_ring.desc[head_idx].next; > At this point in the code idx is the index past the current set of ring descriptors. So yes this is a real bug. I think the description meta-data needs work to explain it better.