| Message ID | CAGSMBPOLNsc-+_Zj7FgBhmD0kpUAoy3fu5urxN74YTfmE20Qzw@mail.gmail.com (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers |
Return-Path: <dev-bounces@dpdk.org> X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [IPv6:::1]) by dpdk.org (Postfix) with ESMTP id 968C29248; Thu, 12 Nov 2015 22:46:05 +0100 (CET) Received: from mail-yk0-f170.google.com (mail-yk0-f170.google.com [209.85.160.170]) by dpdk.org (Postfix) with ESMTP id 4396A9247 for <dev@dpdk.org>; Thu, 12 Nov 2015 22:46:04 +0100 (CET) Received: by ykfs79 with SMTP id s79so116304797ykf.1 for <dev@dpdk.org>; Thu, 12 Nov 2015 13:46:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bigswitch_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ZFekBDuzjWLHUIO2irXmwvsPju9NA+cypoRfjksWI04=; b=L0f+MfpmwjbnG/CI22m28IfVSu2D2S9oi5cfYQCooozM5U8zky7DOrfimoPyPoSL+O 8cxGt/erVmtwZtE7gO33k9dqKKV0nqgFElInGuMz4/qnR/gS1+/scuwDy10hOxucuNOf j5VI9l++OEe5fuH76mh88JmkXVvICo8Fn4mvEp7wTjbh2OHsQYDZGWnAJQZ1QoiSQvkJ xmLMy05gJ+U3fFgApkuy39vL1tB2HmCwCk5G1s3vqwXe8XkiGW8HoHamsrurKgL1XtVA luALG9Ur7vpnHDyS9Uuvjfqu5YdG6v4x4uA2zpf/Qo1uB6gXWm3rsvKUqGHdO+SJRPDY Y2oQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ZFekBDuzjWLHUIO2irXmwvsPju9NA+cypoRfjksWI04=; b=JhoqDD6DDqArKrI90WJMG1uE6O3YgNCGN97Tg9fv0sz6oi+s6NnNVF0h+4MdCjVsqD VPwyz62tZ4WIWW0/iVSoVT1VcXUe8M6l3s+duIoXZkME9Ye303TLyc8xi/+auDKuPXA1 FkO5PIgV4gOlkvnAFDJdcx9oe4GQJieYTJhY7ro8Qkh5WqfCkFcbAZUJaHS1v4P1rUZu 0+BmJ+Ab8ligJdWwSXiusdz+YVZ9fNcoogaRNwBDXzbmbiYOuWwIQUbxx5GIBM/eBmxC ZZLYgWm4Yb7CvqP2FHIR7UEaugdQZdvVVzua3D3CqpcGfYRJyRjQDjfYZxP2iMSkiO0d 3Eqw== X-Gm-Message-State: ALoCoQknX+CU7OfMIdYcdUGlvWgcz4+XkODJfBWGz9pL0rjHz+NsUEUxdrZaKkKOw+wA0oXHEXNl MIME-Version: 1.0 X-Received: by 10.13.251.66 with SMTP id l63mr16906631ywf.279.1447364763648; Thu, 12 Nov 2015 13:46:03 -0800 (PST) Received: by 10.31.92.72 with HTTP; Thu, 12 Nov 2015 13:46:03 -0800 (PST) In-Reply-To: <20151112092305.GI2326@yliu-dev.sh.intel.com> References: <1447315353-42152-1-git-send-email-rlane@bigswitch.com> <20151112092305.GI2326@yliu-dev.sh.intel.com> Date: Thu, 12 Nov 2015 13:46:03 -0800 Message-ID: <CAGSMBPOLNsc-+_Zj7FgBhmD0kpUAoy3fu5urxN74YTfmE20Qzw@mail.gmail.com> From: Rich Lane <rich.lane@bigswitch.com> To: Yuanhan Liu <yuanhan.liu@linux.intel.com> Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.15 Cc: dev@dpdk.org Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK <dev.dpdk.org> List-Unsubscribe: <http://dpdk.org/ml/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://dpdk.org/ml/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <http://dpdk.org/ml/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org> |
Commit Message
Rich Lane
Nov. 12, 2015, 9:46 p.m. UTC
You can reproduce this with l2fwd and the vhost PMD. You'll need this patch on top of the vhost PMD patches: 1. Start l2fwd on the host: l2fwd -l 0,1 --vdev eth_null --vdev eth_vhost0,iface=/run/vhost0.sock -- -p3 2. Start a VM using vhost-user and set up uio, hugepages, etc. 3. Start l2fwd inside the VM: l2fwd -l 0,1 --vdev eth_null -- -p3 4. Kill the l2fwd inside the VM with SIGINT. 5. Start l2fwd inside the VM. 6. l2fwd on the host crashes. I found the source of the memory corruption by setting a watchpoint in gdb: watch -l rte_eth_devices[1].data->rx_queues On Thu, Nov 12, 2015 at 1:23 AM, Yuanhan Liu <yuanhan.liu@linux.intel.com> wrote: > On Thu, Nov 12, 2015 at 12:02:33AM -0800, Rich Lane wrote: > > The guest could trigger this buffer overflow by creating a cycle of > descriptors > > (which would also cause an infinite loop). The more common case is that > > vq->avail->idx jumps out of the range [last_used_idx, > last_used_idx+256). This > > happens nearly every time when restarting a DPDK app inside a VM > connected to a > > vhost-user vswitch because the virtqueue memory allocated by the > previous run > > is zeroed. > > Hi, > > I somehow was aware of this issue before while reading the code. > Thinking that we never met that, I delayed the fix (it was still > in my TODO list). > > Would you please tell me the steps (commands would be better) to > reproduce your issue? I'd like to know more about the isue: I'm > guessing maybe we need fix it with a bit more cares. > > --yliu > > > > Signed-off-by: Rich Lane <rlane@bigswitch.com> > > --- > > lib/librte_vhost/vhost_rxtx.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/lib/librte_vhost/vhost_rxtx.c > b/lib/librte_vhost/vhost_rxtx.c > > index 9322ce6..d95b478 100644 > > --- a/lib/librte_vhost/vhost_rxtx.c > > +++ b/lib/librte_vhost/vhost_rxtx.c > > @@ -453,7 +453,7 @@ update_secure_len(struct vhost_virtqueue *vq, > uint32_t id, > > vq->buf_vec[vec_id].desc_idx = idx; > > vec_id++; > > > > - if (vq->desc[idx].flags & VRING_DESC_F_NEXT) { > > + if (vq->desc[idx].flags & VRING_DESC_F_NEXT && vec_id < > BUF_VECTOR_MAX) { > > idx = vq->desc[idx].next; > > next_desc = 1; > > } > > -- > > 1.9.1 >
--- a/lib/librte_vhost/virtio-net.c +++ b/lib/librte_vhost/virtio-net.c @@ -471,7 +471,7 @@ reset_owner(struct vhost_device_ctx ctx) return -1; if (dev->flags & VIRTIO_DEV_RUNNING) - notify_ops->destroy_device(dev); + notify_destroy_device(dev); cleanup_device(dev); reset_device(dev);