From patchwork Wed Dec 6 13:06:18 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilya Maximets X-Patchwork-Id: 845177 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=nongnu.org (client-ip=2001:4830:134:3::11; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=samsung.com header.i=@samsung.com header.b="RPHHyG9k"; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3ysJmY3PrLz9s83 for ; Thu, 7 Dec 2017 00:07:07 +1100 (AEDT) Received: from localhost ([::1]:55551 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eMZPk-0007qF-FY for incoming@patchwork.ozlabs.org; Wed, 06 Dec 2017 08:07:04 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59513) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eMZPJ-0007oC-Ae for qemu-devel@nongnu.org; Wed, 06 Dec 2017 08:06:43 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eMZPE-0001C6-BV for qemu-devel@nongnu.org; Wed, 06 Dec 2017 08:06:37 -0500 Received: from mailout1.w1.samsung.com ([210.118.77.11]:46952) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eMZPD-00018q-Rt for qemu-devel@nongnu.org; Wed, 06 Dec 2017 08:06:32 -0500 Received: from eucas1p2.samsung.com (unknown [182.198.249.207]) by mailout1.w1.samsung.com (KnoxPortal) with ESMTP id 20171206130626euoutp0185d112c5a98fe7a684e822e8058eff43~9tmL9oKd22670426704euoutp01N; Wed, 6 Dec 2017 13:06:26 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 mailout1.w1.samsung.com 20171206130626euoutp0185d112c5a98fe7a684e822e8058eff43~9tmL9oKd22670426704euoutp01N DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1512565586; bh=08Za2csWUh1s/9wk96BERoROroDonW25VTMxxi5gPkU=; h=From:To:Cc:Subject:Date:References:From; b=RPHHyG9kSz00Dm/qfcOVEOW5/bbdPWkY6tI9QiVsHQqbQI6RW/5wcUGMkPcT4s83X fc7lBAwBbAr9HgT4CVNy+w4Q0VYdLbmfOAQW64KPn8h8ACfE8b0R/XRkq9nJ9XHmiZ 3b47/DTu9yydV67KfMyR3BfHTPoBhWn+YM52KCQo= Received: from eusmges4.samsung.com (unknown [203.254.199.244]) by eucas1p1.samsung.com (KnoxPortal) with ESMTP id 20171206130625eucas1p183b8892f0009a6fae6260a1dd3493958~9tmLfiXZy1213712137eucas1p1v; Wed, 6 Dec 2017 13:06:25 +0000 (GMT) Received: from eucas1p2.samsung.com ( [182.198.249.207]) by eusmges4.samsung.com (EUCPMTA) with SMTP id 53.10.30163.15BE72A5; Wed, 6 Dec 2017 13:06:25 +0000 (GMT) Received: from eusmgms1.samsung.com (unknown [182.198.249.179]) by eucas1p1.samsung.com (KnoxPortal) with ESMTP id 20171206130624eucas1p1f73fd4cf613eaf3ce4ce6918c807f8e1~9tmK4KCN42382423824eucas1p1y; Wed, 6 Dec 2017 13:06:24 +0000 (GMT) X-AuditID: cbfec7f4-f790c6d0000075d3-26-5a27eb51b82d Received: from eusync2.samsung.com ( [203.254.199.212]) by eusmgms1.samsung.com (EUCPMTA) with SMTP id 6D.89.18832.05BE72A5; Wed, 6 Dec 2017 13:06:24 +0000 (GMT) Received: from imaximets.rnd.samsung.ru ([106.109.129.180]) by eusync2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0P0J00HF0J2KQN90@eusync2.samsung.com>; Wed, 06 Dec 2017 13:06:24 +0000 (GMT) From: Ilya Maximets To: "Michael S . Tsirkin" Date: Wed, 06 Dec 2017 16:06:18 +0300 Message-id: <1512565578-12078-1-git-send-email-i.maximets@samsung.com> X-Mailer: git-send-email 2.7.4 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGIsWRmVeSWpSXmKPExsWy7djP87qBr9WjDD6fFbeY9vk2u8WV9p/s Fgva2lktjnXuYbH4/+sVq8Xx3h0sDmweT65tZvJ4v+8qm0ffllWMAcxRXDYpqTmZZalF+nYJ XBkLNj9iLVglU7Fq9h/mBsYPYl2MnBwSAiYS72e/Z4KwxSQu3FvP1sXIxSEksJRR4tSDWSwQ zmdGiYXN91hgOm5PXAdVtYxR4v2l+8wQTjOTRMeZhWwgVWwCOhKnVh9hBLFFBLQk/j2axghS xCxwGqjjah/YQmEBZ4n5LdvAGlgEVCWWv3oLZvMKuEmcnrmEFWKdnMTNc51gGyQE7rJK/Dwy mQ0i4SIxp2sbVJGwxKvjW9ghbBmJzo6DTBANzYwSDasuMUI4ExglvjQvh/rVXuLUzatgNrMA n8SkbdOBVnAAxXklOtqEIEo8JKa0TmOGsB0ljl07CA4AIYFYiY2fnrNOYJRawMiwilEktbQ4 Nz212ESvODG3uDQvXS85P3cTIzD2Tv87/mUH4+JjVocYBTgYlXh4L7xUjxJiTSwrrsw9xCjB wawkwnv5MlCINyWxsiq1KD++qDQntfgQozQHi5I4r21UW6SQQHpiSWp2ampBahFMlomDU6qB 0XHXbr7S0Gf7nq9iXmjv/GDdhE8vFvGvKds402D5CUmJjTdd/OVjfhp8+LfY8/LO3KAlHkmH PU8KRKv8KZXM4WuUb8rjPPdIMq3Oyn6Fx5YbG08du6qt8VQ/0bJvb1vCndyZ4mxzrHckHJyk PN9sUd2bqTPnWN3gYJoa8CPL6stSzV/WnbUzfyqxFGckGmoxFxUnAgDt8UCquQIAAA== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHJMWRmVeSWpSXmKPExsVy+t/xK7oBr9WjDB5ttbKY9vk2u8WV9p/s Fgva2lktjnXuYbH4/+sVq8Xx3h0sDmweT65tZvJ4v+8qm0ffllWMAcxRXDYpqTmZZalF+nYJ XBkLNj9iLVglU7Fq9h/mBsYPYl2MnBwSAiYStyeuY4OwxSQu3FsPZHNxCAksYZR4tfsyO4TT yiRx4vU3RpAqNgEdiVOrj4DZIgJaEv8eTWMEKWIWOMsosXLJBbCEsICzxPyWbWBjWQRUJZa/ egtm8wq4SZyeuYQVYp2cxM1zncwTGLkXMDKsYhRJLS3OTc8tNtQrTswtLs1L10vOz93ECAyF bcd+bt7BeGlj8CFGAQ5GJR7eCy/Vo4RYE8uKK3MPMUpwMCuJ8F6+DBTiTUmsrEotyo8vKs1J LT7EKM3BoiTO27tndaSQQHpiSWp2ampBahFMlomDU6qBcWrX9LWpDwLrS/WXvhGeVR8fsvQZ 146m4n/8DJ3K3pun5B84Gv7X3lrbfu6MyWeUb7L36S5p6OJSv5Srz7Zi/UwGvmfh+SoXVkQw XowSFv/1PzOsoNO5O8p7smuVpcRChtXRqTuCjv5nOnjjbL5V8o47/TMLan2P9b7Y8+Eha4DK fLNtfppmSizFGYmGWsxFxYkAU0e6ugECAAA= X-CMS-MailID: 20171206130624eucas1p1f73fd4cf613eaf3ce4ce6918c807f8e1 X-Msg-Generator: CA CMS-TYPE: 201P X-CMS-RootMailID: 20171206130624eucas1p1f73fd4cf613eaf3ce4ce6918c807f8e1 X-RootMTR: 20171206130624eucas1p1f73fd4cf613eaf3ce4ce6918c807f8e1 References: X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [fuzzy] X-Received-From: 210.118.77.11 Subject: [Qemu-devel] [PATCH] vhost: fix crash on virtio_error while device stop X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ilya Maximets , Marc-Andre Lureau , Maxime Coquelin , qemu-devel@nongnu.org, Heetae Ahn Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" In case virtio error occured after vhost_dev_close(), qemu will crash in nested cleanup while checking IOMMU flag because dev->vdev already set to zero and resources are already freed. Example: Program received signal SIGSEGV, Segmentation fault. vhost_virtqueue_stop at hw/virtio/vhost.c:1155 #0 vhost_virtqueue_stop at hw/virtio/vhost.c:1155 #1 vhost_dev_stop at hw/virtio/vhost.c:1594 #2 vhost_net_stop_one at hw/net/vhost_net.c:289 #3 vhost_net_stop at hw/net/vhost_net.c:368 Nested call to vhost_net_stop(). First time was at #14. #4 virtio_net_vhost_status at hw/net/virtio-net.c:180 #5 virtio_net_set_status (status=79) at hw/net/virtio-net.c:254 #6 virtio_set_status at hw/virtio/virtio.c:1146 #7 virtio_error at hw/virtio/virtio.c:2455 virtqueue_get_head() failed here. #8 virtqueue_get_head at hw/virtio/virtio.c:543 #9 virtqueue_drop_all at hw/virtio/virtio.c:984 #10 virtio_net_drop_tx_queue_data at hw/net/virtio-net.c:240 #11 virtio_bus_set_host_notifier at hw/virtio/virtio-bus.c:297 #12 vhost_dev_disable_notifiers at hw/virtio/vhost.c:1431 vhost_dev_stop() was executed here. dev->vdev == NULL now. #13 vhost_net_stop_one at hw/net/vhost_net.c:290 #14 vhost_net_stop at hw/net/vhost_net.c:368 #15 virtio_net_vhost_status at hw/net/virtio-net.c:180 #16 virtio_net_set_status (status=15) at hw/net/virtio-net.c:254 #17 qmp_set_link ("hostnet0", up=false) at net/net.c:1430 #18 chr_closed_bh at net/vhost-user.c:214 #19 aio_bh_call at util/async.c:90 #20 aio_bh_poll at util/async.c:118 #21 aio_dispatch at util/aio-posix.c:429 #22 aio_ctx_dispatch at util/async.c:261 #23 g_main_context_dispatch #24 glib_pollfds_poll at util/main-loop.c:213 #25 os_host_main_loop_wait at util/main-loop.c:261 #26 main_loop_wait at util/main-loop.c:515 #27 main_loop () at vl.c:1917 #28 main at vl.c:4795 Above backtrace captured from qemu crash on vhost disconnect while virtio driver in guest was in failed state. We can just add checking for 'vdev' in 'vhost_dev_has_iommu()' but it will assert further trying to free already freed ioeventfds. The real problem is that we're allowing nested calls to 'vhost_net_stop'. This patch is aimed to forbid nested calls to 'vhost_net_stop' to avoid any possible double frees and segmentation faults doue to using of already freed resources by setting 'vhost_started' flag to zero prior to 'vhost_net_stop' call. Signed-off-by: Ilya Maximets Signed-off-by: Michael S. Tsirkin --- This issue was already addressed more than a year ago by the following patch: https://lists.gnu.org/archive/html/qemu-devel/2016-03/msg06732.html but it was dropped without review due to not yet implemented re-connection of vhost-user. Re-connection implementation lately fixed most of the nested calls, but few of them still exists. For example, above backtrace captured after 'virtqueue_get_head()' failure on vhost-user disconnection. hw/net/virtio-net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 38674b0..4d95a18 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -177,8 +177,8 @@ static void virtio_net_vhost_status(VirtIONet *n, uint8_t status) n->vhost_started = 0; } } else { - vhost_net_stop(vdev, n->nic->ncs, queues); n->vhost_started = 0; + vhost_net_stop(vdev, n->nic->ncs, queues); } }