diff mbox

vhost-user: fix unreasonable return value when vhost-user read failed

Message ID 1463986200-205860-1-git-send-email-arei.gonglei@huawei.com (mailing list archive)
State New, archived
Headers show

Commit Message

Gonglei (Arei) May 23, 2016, 6:50 a.m. UTC
At present all corresponding functions which calling vhost_user_read()
don't return failure when vhost_user_read() executed failed. That's
dangerous, because VhostUserMsg will be a random value, and cause the
virtual machine panic finally.

A example:

In Qemu side report:
qemu-kvm: -netdev type=vhost-user,id=hostnet0,chardev=charnet0: \
Failed to read msg header. Read -1 instead of 12.

Then, the guest panic with the below serial message:

[   13.853740] ------------[ cut here ]------------
[   13.855709] kernel BUG at virtio_net.c:893!
[   13.857006] invalid opcode: 0000 [#1] SMP
[   13.857006] last sysfs file: /sys/devices/pci0000:00/0000:00:03.0/virtio0/device
[   13.857006] CPU 2
[   13.857006] Supported: Yes
[   13.857006] Pid: 2474, comm: ip Tainted: G          N  2.6.32.12-0.7-default #1 Standard PC (i440FX + PIIX, 1996)
[   13.857006] RIP: 0010:[<ffffffffa001369a>]  [<ffffffffa001369a>] virtnet_send_command+0x12a/0x140 [virtio_net]
[   13.857006] RSP: 0018:ffff880137241758  EFLAGS: 00010246
[   13.857006] RAX: 0000000000000011 RBX: ffff880138f88400 RCX: ffffffffa00160d8
[   13.857006] RDX: 000000000000000e RSI: 0000000000000011 RDI: 0000000000000015
[   13.857006] RBP: ffff88013b724780 R08: 0000000000000000 R09: ffff880137241818
[   13.857006] R10: 0000000000000001 R11: ffffffffa00137f0 R12: 0000000000000000
[   13.857006] R13: 0000000000000000 R14: ffff880137241818 R15: 0000000000000000
[   13.857006] FS:  00007f19cee00700(0000) GS:ffff880005900000(0000) knlGS:0000000000000000
[   13.857006] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   13.857006] CR2: 00007f19ce562bd0 CR3: 00000001375cc000 CR4: 00000000000406e0
[   13.857006] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   13.917524] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   13.917524] Process ip (pid: 2474, threadinfo ffff880137240000, task ffff880137b021c0)

Reported-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 hw/virtio/vhost-user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Marc-André Lureau June 1, 2016, 4:42 p.m. UTC | #1
Hi

On Mon, May 23, 2016 at 8:50 AM, Gonglei <arei.gonglei@huawei.com> wrote:
> At present all corresponding functions which calling vhost_user_read()
> don't return failure when vhost_user_read() executed failed. That's
> dangerous, because VhostUserMsg will be a random value, and cause the
> virtual machine panic finally.
>
> A example:
>
> In Qemu side report:
> qemu-kvm: -netdev type=vhost-user,id=hostnet0,chardev=charnet0: \
> Failed to read msg header. Read -1 instead of 12.
>
> Then, the guest panic with the below serial message:
>
> [   13.853740] ------------[ cut here ]------------
> [   13.855709] kernel BUG at virtio_net.c:893!
> [   13.857006] invalid opcode: 0000 [#1] SMP
> [   13.857006] last sysfs file: /sys/devices/pci0000:00/0000:00:03.0/virtio0/device
> [   13.857006] CPU 2
> [   13.857006] Supported: Yes
> [   13.857006] Pid: 2474, comm: ip Tainted: G          N  2.6.32.12-0.7-default #1 Standard PC (i440FX + PIIX, 1996)
> [   13.857006] RIP: 0010:[<ffffffffa001369a>]  [<ffffffffa001369a>] virtnet_send_command+0x12a/0x140 [virtio_net]
> [   13.857006] RSP: 0018:ffff880137241758  EFLAGS: 00010246
> [   13.857006] RAX: 0000000000000011 RBX: ffff880138f88400 RCX: ffffffffa00160d8
> [   13.857006] RDX: 000000000000000e RSI: 0000000000000011 RDI: 0000000000000015
> [   13.857006] RBP: ffff88013b724780 R08: 0000000000000000 R09: ffff880137241818
> [   13.857006] R10: 0000000000000001 R11: ffffffffa00137f0 R12: 0000000000000000
> [   13.857006] R13: 0000000000000000 R14: ffff880137241818 R15: 0000000000000000
> [   13.857006] FS:  00007f19cee00700(0000) GS:ffff880005900000(0000) knlGS:0000000000000000
> [   13.857006] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   13.857006] CR2: 00007f19ce562bd0 CR3: 00000001375cc000 CR4: 00000000000406e0
> [   13.857006] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   13.917524] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   13.917524] Process ip (pid: 2474, threadinfo ffff880137240000, task ffff880137b021c0)
>
> Reported-by: Yunjian Wang <wangyunjian@huawei.com>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>

fwiw, I have the same patch in my queue for the "reconnect" series:
https://github.com/elmarco/qemu/commit/8b9148d356a2837fceebd04b74fee7a8709bfa59

> ---
>  hw/virtio/vhost-user.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
> index 5082e04..8118910 100644
> --- a/hw/virtio/vhost-user.c
> +++ b/hw/virtio/vhost-user.c
> @@ -220,7 +220,7 @@ static int vhost_user_set_log_base(struct vhost_dev *dev, uint64_t base,
>      if (shmfd) {
>          msg.size = 0;
>          if (vhost_user_read(dev, &msg) < 0) {
> -            return 0;
> +            return -1;
>          }
>
>          if (msg.request != VHOST_USER_SET_LOG_BASE) {
> @@ -365,7 +365,7 @@ static int vhost_user_get_vring_base(struct vhost_dev *dev,
>      vhost_user_write(dev, &msg, NULL, 0);
>
>      if (vhost_user_read(dev, &msg) < 0) {
> -        return 0;
> +        return -1;
>      }
>
>      if (msg.request != VHOST_USER_GET_VRING_BASE) {
> @@ -460,7 +460,7 @@ static int vhost_user_get_u64(struct vhost_dev *dev, int request, uint64_t *u64)
>      vhost_user_write(dev, &msg, NULL, 0);
>
>      if (vhost_user_read(dev, &msg) < 0) {
> -        return 0;
> +        return -1;
>      }
>
>      if (msg.request != request) {
> --
> 1.7.12.4
>
>
>
diff mbox

Patch

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 5082e04..8118910 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -220,7 +220,7 @@  static int vhost_user_set_log_base(struct vhost_dev *dev, uint64_t base,
     if (shmfd) {
         msg.size = 0;
         if (vhost_user_read(dev, &msg) < 0) {
-            return 0;
+            return -1;
         }
 
         if (msg.request != VHOST_USER_SET_LOG_BASE) {
@@ -365,7 +365,7 @@  static int vhost_user_get_vring_base(struct vhost_dev *dev,
     vhost_user_write(dev, &msg, NULL, 0);
 
     if (vhost_user_read(dev, &msg) < 0) {
-        return 0;
+        return -1;
     }
 
     if (msg.request != VHOST_USER_GET_VRING_BASE) {
@@ -460,7 +460,7 @@  static int vhost_user_get_u64(struct vhost_dev *dev, int request, uint64_t *u64)
     vhost_user_write(dev, &msg, NULL, 0);
 
     if (vhost_user_read(dev, &msg) < 0) {
-        return 0;
+        return -1;
     }
 
     if (msg.request != request) {