From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [DPDK/ethdev Bug 1403] PMD: IDPF segfaults during init on GCP baremetal
Date: Thu, 14 Mar 2024 20:41:52 +0000

https://bugs.dpdk.org/show_bug.cgi?id=1403

Bug ID: 1403
Summary: PMD: IDPF segfaults during init on GCP baremetal
Product: DPDK
Version: unspecified
Hardware: All
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: jordanrhee@google.com
Target Milestone: ---

The DPDK IDPF driver (as of 23.11) segfaults during initialization while
handling response to `VIRTCHNL2_OP_SET_RSS_HASH` message.


Segfault is due to load from invalid address contained in
`ctlq_msg.ctx.indirect.payload`.


```
idpf_handle_virtchnl_msg()
...
rte_memcpy(adapter->mbx_resp, ctlq_msg.ctx.indirect.payload->va,
                           IDPF_DFLT_MBX_BUF_SIZE);
```


`payload` only contains a valid address if the message is an 'indirect'
message. It is not valid if it is a 'direct' message. If `ctlq_msg.data_len` is
0, then it is a direct message and the caller should not access
`ctlq_msg.ctx.indirect`. `VIRTCHNL2_OP_SET_RSS_HASH` has a zero-length
response.


The following patch enables the DPDK IDPF driver to load and run successfully:


```
diff --git a/drivers/net/idpf/idpf_ethdev.c b/drivers/net/idpf/idpf_ethdev.c
index 6ae2ac2681..c273e9ba38 100644
--- a/drivers/net/idpf/idpf_ethdev.c
+++ b/drivers/net/idpf/idpf_ethdev.c
@@ -1087,8 +1087,10 @@ idpf_handle_virtchnl_msg(struct idpf=
_adapter_ext
*adapter_ex)
                        return;
                }

-               rte_memcpy(adapter->mbx_resp,
ctlq_msg.ctx.indirect.payload->va,
+                if (ctlq_msg.data_len) {
+                     rte_memcpy(adapter->mbx_resp,
ctlq_msg.ctx.indirect.payload->va,
                           IDPF_DFLT_MBX_BUF_SIZE);
+                }

                mbx_op =3D rte_le_to_cpu_16(ctlq_msg.opcode);
                vc_op =3D rte_le_to_cpu_32(ctlq_msg.cookie.mbx.chnl_opcode);
```
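
Review bot: when `ctlq_msg.data_len` is zero the new guard skips the copy but leaves `adapter->mbx_resp` holding whatever the previous response wrote, so any later reader of that buffer for a zero-length reply such as `VIRTCHNL2_OP_SET_RSS_HASH` sees stale data; consider clearing the buffer on the direct path. Inside the guard the copy length is still the fixed `IDPF_DFLT_MBX_BUF_SIZE` rather than something bounded by `data_len`, and `ctlq_msg.ctx.indirect.payload` is dereferenced without a NULL check, so the copy still trusts the message beyond the one field that is tested. A short comment above the `if` stating that `data_len == 0` means a direct message with no valid `ctx.indirect` would document why the guard exists.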


Stack:
```
#0  0x000000000108fc61 in idpf_handle_virtchnl_msg (adapter_ex=0x1003d7b40) at
../drivers/net/idpf/idpf_ethdev.c:1090
#1  0x00000000010912e3 in idpf_dev_alarm_handler (param=0x1003d7b40) at
../drivers/net/idpf/idpf_ethdev.c:1145
#2  0x000000000211e8fc in eal_alarm_callback (arg=0x0) at
../lib/eal/linux/eal_alarm.c:105
#3  0x0000000002123c3d in eal_intr_process_interrupts (events=0x7f4a69a052e0,
nfds=1) at ../lib/eal/linux/eal_interrupts.c:1017
#4  0x0000000002123f1c in eal_intr_handle_interrupts (pfd=6, totalfds=3) at
../lib/eal/linux/eal_interrupts.c:1091
#5  0x00000000021240ee in eal_intr_thread_main (arg=0x0) at
../lib/eal/linux/eal_interrupts.c:1163
#6  0x0000000002103bc4 in control_thread_start (arg=0x90c4f00) at
../lib/eal/common/eal_common_thread.c:282
#7  0x000000000211b7a0 in thread_start_wrapper (arg=0x7fff25a9c5a0) at
../lib/eal/unix/rte_thread.c:112
#8  0x00007f4a69fe96ea in start_thread () from /lib64/libpthread.so.0
#9  0x00007f4a69b2150f in clone () from /lib64/libc.so.6

(gdb) print ctlq_msg
$7 = {
  vmvf_type = 2 '\002',
  host_id = 117 'u',
  opcode = 2051,
  data_len = 0,             <--- direct message
  {
    func_id = 26624,
    status = 26624
  },
  cookie = {
    mbx = {
      chnl_opcode = 518,   <--- VIRTCHNL2_OP_SET_RSS_HASH
      chnl_retval = 0
    }
  },
  ctx = {
    direct = "\000\000\000\000\000\000\000\000x\357\336\277\374\026\000",
    indirect = {
      context = "\000\000\000\000\000\000\000",
      payload = 0x16fcbfdeef78                      <---- Invalid address
    },
    sw_cookie = {
      rsvd = 0,
      data = 0,
      flags = 0
    }
  }
}

```
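
The union aliasing behind this crash, as an added example that is not part of the original report or of DPDK: a simplified model of the message showing that the `direct` bytes in the gdb dump are exactly the bogus `payload` value, next to a copy routine that checks `data_len` first, clears stale data and bounds the length. The struct layout and the names `dma_mem`, `copy_mbx_resp`, `aliased_payload_bits` and `sample_direct_msg` are hypothetical, and a 64-bit little-endian target is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical mirror of the control-queue message in the report. */
struct dma_mem { void *va; size_t size; };
struct ctlq_msg {
    uint16_t data_len;              /* 0 => direct message */
    union {
        uint8_t direct[16];
        struct { uint8_t context[8]; struct dma_mem *payload; } indirect;
    } ctx;
};

/* direct[8..15] read as a little-endian pointer: what the crash site loaded. */
static uint64_t aliased_payload_bits(const struct ctlq_msg *m)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | m->ctx.direct[8 + i];
    return v;
}

/* Copy a response into resp; returns bytes copied, or -1 on a malformed message. */
static long copy_mbx_resp(uint8_t *resp, size_t resp_size, const struct ctlq_msg *m)
{
    memset(resp, 0, resp_size);     /* never leave a previous reply behind */
    if (m->data_len == 0)
        return 0;                   /* direct: ctx.indirect must not be read */
    const struct dma_mem *p = m->ctx.indirect.payload;
    if (p == NULL || p->va == NULL || m->data_len > p->size)
        return -1;                  /* indirect but no usable buffer */
    size_t n = m->data_len < resp_size ? m->data_len : resp_size;
    memcpy(resp, p->va, n);
    return (long)n;
}

/* Constructed sample: the non-zero direct[] bytes from the gdb dump above. */
static struct ctlq_msg sample_direct_msg(void)
{
    struct ctlq_msg m = { .data_len = 0,
        .ctx.direct = { [8] = 0x78, 0xef, 0xde, 0xbf, 0xfc, 0x16 } };
    return m;
}

int main(void)
{
    struct ctlq_msg m = sample_direct_msg();
    uint8_t resp[64];
    long n = copy_mbx_resp(resp, sizeof resp, &m);
    printf("aliased=0x%llx copied=%ld\n", (unsigned long long)aliased_payload_bits(&m), n);
    return 0;
}
```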
          

