From patchwork Wed Mar 30 15:14:08 2016
From: Ilya Maximets
To: qemu-devel@nongnu.org, "Michael S. Tsirkin"
Cc: Ilya Maximets, Jason Wang, Dyasly Sergey
Date: Wed, 30 Mar 2016 18:14:08 +0300
Subject: [Qemu-devel] [PATCH 3/4] vhost: check for vhost_net device validity.
Message-id: <1459350849-31989-4-git-send-email-i.maximets@samsung.com>
In-reply-to: <1459350849-31989-1-git-send-email-i.maximets@samsung.com>
References: <1459350849-31989-1-git-send-email-i.maximets@samsung.com>
X-Patchwork-Submitter: Ilya Maximets
X-Patchwork-Id: 603424
X-Mailer: git-send-email 2.5.0

After successful destroying of a vhost-user device (may be after virtio
driver unbinding after disconnection of the vhost-user socket) QEMU will
fail to bind the virtio driver again with a segmentation fault:

[-------------------------------- cut -----------------------------------]
# After vhost-user socket disconnection.
[guest]# ip link show eth0
2: eth0: mtu 1500 qdisc <...>
    link/ether 00:16:35:af:aa:4b brd ff:ff:ff:ff:ff:ff
[guest]# echo -n '0000:00:01.0' > /sys/bus/pci/drivers/virtio-pci/unbind
qemu: Failed to read msg header. Read 0 instead of 12. Original request 11.
qemu: Failed to read msg header. Read 0 instead of 12. Original request 11.
[guest]# echo -n '0000:00:01.0' > /sys/bus/pci/drivers/virtio-pci/bind

Child terminated with signal = 0xb (SIGSEGV)
GDBserver exiting
[-------------------------------- cut -----------------------------------]
[host]# gdb
Program received signal SIGSEGV, Segmentation fault.
vhost_set_vring_enable (<...>) at /hw/net/vhost_net.c:425
425         if (vhost_ops->vhost_set_vring_enable) {
(gdb) bt
#0  vhost_set_vring_enable (nc=0xfff8a0, enable=enable@entry=1)
        net = 0x0    # NULL pointer to vhost_net device !
        vhost_ops = <(Cannot access memory at address 0x110)>
        res = 0
#1  peer_attach
#2  virtio_net_set_queues
#3  virtio_net_set_multiqueue
#4  virtio_net_set_features
#5  virtio_set_features_nocheck
#6  memory_region_write_accessor
#7  access_with_adjusted_size
#8  memory_region_dispatch_write
#9  address_space_write_continue
#10 address_space_write
<...>
[-------------------------------- cut -----------------------------------]

This happens because of an invalid vhost_net device pointer.
Fix that by checking this pointer in all functions before using it.

Result:
[-------------------------------- cut -----------------------------------]
[guest]# echo -n '0000:00:01.0' > /sys/bus/pci/drivers/virtio-pci/bind

# Check link in guest. No crashes here, link in DOWN state.
[guest]# ip link show eth0
7: eth0: mtu 1500 qdisc <...>
    link/ether 00:16:35:af:aa:4b brd ff:ff:ff:ff:ff:ff
[-------------------------------- cut -----------------------------------]

Signed-off-by: Ilya Maximets
---
 hw/net/vhost_net.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
index 0996e5d..4c3363f 100644
--- a/hw/net/vhost_net.c
+++ b/hw/net/vhost_net.c @@ -202,6 +202,10 @@ static int vhost_net_start_one(struct vhost_net *net, struct vhost_vring_file file = { }; int r; + if (!net) { + return -1; + } + net->dev.nvqs = 2; net->dev.vqs = net->vqs; @@ -256,6 +260,10 @@ static void vhost_net_stop_one(struct vhost_net *net, { struct vhost_vring_file file = { .fd = -1 }; + if (!net) { + return; + } + if (net->nc->info->type == NET_CLIENT_OPTIONS_KIND_TAP) { for (file.index = 0; file.index < net->dev.nvqs; ++file.index) { const VhostOps *vhost_ops = net->dev.vhost_ops; @@ -287,6 +295,9 @@ int vhost_net_start(VirtIODevice *dev, NetClientState *ncs, struct vhost_net *net; net = get_vhost_net(ncs[i].peer); + if (!net) { + return -1; + } vhost_net_set_vq_index(net, i * 2); /* Suppress the masking guest notifiers on vhost user @@ -419,9 +430,14 @@ void put_vhost_net(NetClientState *nc) int vhost_set_vring_enable(NetClientState *nc, int enable) { VHostNetState *net = get_vhost_net(nc); - const VhostOps *vhost_ops = net->dev.vhost_ops; + const VhostOps *vhost_ops; int res = 0; + if (!net) { + return 0; + } + + vhost_ops = net->dev.vhost_ops; if (vhost_ops->vhost_set_vring_enable) { res = vhost_ops->vhost_set_vring_enable(&net->dev, enable); }
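Review bot: the `if (!net) { return -1; }` added at the top of vhost_net_start_one() (hunk @@ -202,6 +202,10 @@) guards the same condition that this patch also checks in vhost_net_start() (hunk @@ -287,6 +295,9 @@), so for callers going through vhost_net_start() it is redundant. Keeping it as defence in depth is reasonable, but a one-line comment stating that a NULL net is the expected result of get_vhost_net() on a disconnected vhost-user peer, not a caller bug, would tell the next reader why the function tolerates it instead of asserting.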
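Review bot: vhost_net_stop_one() (hunk @@ -256,6 +260,10 @@) now returns silently on a NULL net, which is correct on the stop path since nothing was started for that peer, but the four checks in this patch return three different things (-1, void, 0) for the same condition. A short comment at each site saying why that return value was chosen ("nothing to stop" here) would make the inconsistency deliberate rather than accidental.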
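Review bot: the new `return -1;` in vhost_net_start() (hunk @@ -287,6 +295,9 @@) bypasses the function's `goto err` cleanup convention. At this point in the first loop nothing has been set up for the current call, so the direct return is correct, but it is worth saying so in a comment; consider also returning a descriptive errno value rather than a bare -1 so the caller's fallback message can say why the backend was unavailable. Separately, the commit message says the pointer is checked "in all functions" while the diffstat touches four; stating in the message that these are the entry points that can observe a NULL net would close that gap.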
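Review bot: hunk @@ -419,9 +430,14 @@ is the one that fixes the backtrace in the commit message (frame #0 at vhost_net.c:425 with net = 0x0), and moving `vhost_ops = net->dev.vhost_ops;` below the NULL check is required rather than stylistic, since the old initialiser dereferenced net before any check could run. Returning 0 (success) for a missing backend here, while vhost_net_start() returns -1 for the same condition, deserves a comment: the apparent intent is that peer_attach() and virtio_net_set_queues() do not fail the whole queue setup, leaving the link in the DOWN state the message shows, and that reasoning should be recorded next to the check.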