Message ID | 1463986200-205860-1-git-send-email-arei.gonglei@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Hi

On Mon, May 23, 2016 at 8:50 AM, Gonglei <arei.gonglei@huawei.com> wrote:
> At present all corresponding functions which call vhost_user_read()
> don't return failure when vhost_user_read() fails. That's
> dangerous, because VhostUserMsg will be a random value, and finally
> cause the virtual machine to panic.
>
> An example:
>
> On the Qemu side the report is:
> qemu-kvm: -netdev type=vhost-user,id=hostnet0,chardev=charnet0: \
> Failed to read msg header. Read -1 instead of 12.
>
> Then, the guest panics with the below serial message:
>
> [ 13.853740] ------------[ cut here ]------------
> [ 13.855709] kernel BUG at virtio_net.c:893!
> [ 13.857006] invalid opcode: 0000 [#1] SMP
> [ 13.857006] last sysfs file: /sys/devices/pci0000:00/0000:00:03.0/virtio0/device
> [ 13.857006] CPU 2
> [ 13.857006] Supported: Yes
> [ 13.857006] Pid: 2474, comm: ip Tainted: G N 2.6.32.12-0.7-default #1 Standard PC (i440FX + PIIX, 1996)
> [ 13.857006] RIP: 0010:[<ffffffffa001369a>] [<ffffffffa001369a>] virtnet_send_command+0x12a/0x140 [virtio_net]
> [ 13.857006] RSP: 0018:ffff880137241758 EFLAGS: 00010246
> [ 13.857006] RAX: 0000000000000011 RBX: ffff880138f88400 RCX: ffffffffa00160d8
> [ 13.857006] RDX: 000000000000000e RSI: 0000000000000011 RDI: 0000000000000015
> [ 13.857006] RBP: ffff88013b724780 R08: 0000000000000000 R09: ffff880137241818
> [ 13.857006] R10: 0000000000000001 R11: ffffffffa00137f0 R12: 0000000000000000
> [ 13.857006] R13: 0000000000000000 R14: ffff880137241818 R15: 0000000000000000
> [ 13.857006] FS: 00007f19cee00700(0000) GS:ffff880005900000(0000) knlGS:0000000000000000
> [ 13.857006] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 13.857006] CR2: 00007f19ce562bd0 CR3: 00000001375cc000 CR4: 00000000000406e0
> [ 13.857006] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 13.917524] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [ 13.917524] Process ip (pid: 2474, threadinfo ffff880137240000, task ffff880137b021c0)
>
Reported-by: Yunjian Wang <wangyunjian@huawei.com> > Signed-off-by: Gonglei <arei.gonglei@huawei.com> fwiw, I have the same patch in my queue for the "reconnect" series: https://github.com/elmarco/qemu/commit/8b9148d356a2837fceebd04b74fee7a8709bfa59 > --- > hw/virtio/vhost-user.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c > index 5082e04..8118910 100644 > --- a/hw/virtio/vhost-user.c > +++ b/hw/virtio/vhost-user.c > @@ -220,7 +220,7 @@ static int vhost_user_set_log_base(struct vhost_dev *dev, uint64_t base, > if (shmfd) { > msg.size = 0; > if (vhost_user_read(dev, &msg) < 0) { > - return 0; > + return -1; > } > > if (msg.request != VHOST_USER_SET_LOG_BASE) { > @@ -365,7 +365,7 @@ static int vhost_user_get_vring_base(struct vhost_dev *dev, > vhost_user_write(dev, &msg, NULL, 0); > > if (vhost_user_read(dev, &msg) < 0) { > - return 0; > + return -1; > } > > if (msg.request != VHOST_USER_GET_VRING_BASE) { > @@ -460,7 +460,7 @@ static int vhost_user_get_u64(struct vhost_dev *dev, int request, uint64_t *u64) > vhost_user_write(dev, &msg, NULL, 0); > > if (vhost_user_read(dev, &msg) < 0) { > - return 0; > + return -1; > } > > if (msg.request != request) { > -- > 1.7.12.4 > > >
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index 5082e04..8118910 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -220,7 +220,7 @@ static int vhost_user_set_log_base(struct vhost_dev *dev, uint64_t base, if (shmfd) { msg.size = 0; if (vhost_user_read(dev, &msg) < 0) { - return 0; + return -1; } if (msg.request != VHOST_USER_SET_LOG_BASE) { @@ -365,7 +365,7 @@ static int vhost_user_get_vring_base(struct vhost_dev *dev, vhost_user_write(dev, &msg, NULL, 0); if (vhost_user_read(dev, &msg) < 0) { - return 0; + return -1; } if (msg.request != VHOST_USER_GET_VRING_BASE) { @@ -460,7 +460,7 @@ static int vhost_user_get_u64(struct vhost_dev *dev, int request, uint64_t *u64) vhost_user_write(dev, &msg, NULL, 0); if (vhost_user_read(dev, &msg) < 0) { - return 0; + return -1; } if (msg.request != request) {
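Review bot: in the vhost_user_set_log_base hunk, the read-failure path now returns -1, but the `if (msg.request != VHOST_USER_SET_LOG_BASE) {` check that follows is only trailing context, so what that mismatch path returns is not visible here; if it still returns 0, a wrong or stale reply is again reported to the caller as success and the fix is incomplete. Suggest confirming in the same change that both error paths in this function return -1.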
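Review bot: in the vhost_user_get_vring_base hunk, the `vhost_user_write(dev, &msg, NULL, 0);` line two lines above the changed return discards the write's return value. A failed write is now caught only indirectly, because the following vhost_user_read() fails and returns -1; checking the write result directly would report the actual point of failure. Note also that the new -1 return happens before the function fills in the caller's vring state, so every caller of this function must test the return code rather than use the output unconditionally.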
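Review bot: in the vhost_user_get_u64 hunk, the change is right but the commit message's explanation does not match what the code shows: the old `return 0;` sat before `msg` was used at all (`msg.request` is only examined after the block), so the hazard in this function was not a random VhostUserMsg but returning success to the caller without ever writing `*u64`, leaving the caller to use an uninitialized value. Suggest rewording the description accordingly, and, as in the previous hunk, checking the return of the unchecked `vhost_user_write(dev, &msg, NULL, 0);` just above.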
At present all corresponding functions which call vhost_user_read() don't return failure when vhost_user_read() fails. That's dangerous, because VhostUserMsg will be a random value, and finally cause the virtual machine to panic.

An example:

On the Qemu side the report is:
qemu-kvm: -netdev type=vhost-user,id=hostnet0,chardev=charnet0: \
Failed to read msg header. Read -1 instead of 12.

Then, the guest panics with the below serial message:

[ 13.853740] ------------[ cut here ]------------
[ 13.855709] kernel BUG at virtio_net.c:893!
[ 13.857006] invalid opcode: 0000 [#1] SMP
[ 13.857006] last sysfs file: /sys/devices/pci0000:00/0000:00:03.0/virtio0/device
[ 13.857006] CPU 2
[ 13.857006] Supported: Yes
[ 13.857006] Pid: 2474, comm: ip Tainted: G N 2.6.32.12-0.7-default #1 Standard PC (i440FX + PIIX, 1996)
[ 13.857006] RIP: 0010:[<ffffffffa001369a>] [<ffffffffa001369a>] virtnet_send_command+0x12a/0x140 [virtio_net]
[ 13.857006] RSP: 0018:ffff880137241758 EFLAGS: 00010246
[ 13.857006] RAX: 0000000000000011 RBX: ffff880138f88400 RCX: ffffffffa00160d8
[ 13.857006] RDX: 000000000000000e RSI: 0000000000000011 RDI: 0000000000000015
[ 13.857006] RBP: ffff88013b724780 R08: 0000000000000000 R09: ffff880137241818
[ 13.857006] R10: 0000000000000001 R11: ffffffffa00137f0 R12: 0000000000000000
[ 13.857006] R13: 0000000000000000 R14: ffff880137241818 R15: 0000000000000000
[ 13.857006] FS: 00007f19cee00700(0000) GS:ffff880005900000(0000) knlGS:0000000000000000
[ 13.857006] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.857006] CR2: 00007f19ce562bd0 CR3: 00000001375cc000 CR4: 00000000000406e0
[ 13.857006] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 13.917524] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 13.917524] Process ip (pid: 2474, threadinfo ffff880137240000, task ffff880137b021c0)

Reported-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 hw/virtio/vhost-user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)