[PATCH 1/3] net/virtio: fix dev detachable flag

[PATCH 1/3] net/virtio: fix dev detachable flag

[hanxueluo]

From: Huanle Han <hanxueluo@gmail.com>

The dev detachable flag was removed by
commit f229eb4 ("net/virtio: fix rewriting LSC flag").

Signed-off-by: Huanle Han <hanxueluo@gmail.com>
---
 drivers/net/virtio/virtio_ethdev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/virtio/virtio_ethdev.c b/drivers/net/virtio/virtio_ethdev.c
index 4dc03b9..8465e1a 100644
--- a/drivers/net/virtio/virtio_ethdev.c
+++ b/drivers/net/virtio/virtio_ethdev.c
@@ -1336,6 +1336,7 @@ virtio_init_device(struct rte_eth_dev *eth_dev, uint64_t req_features)
 	if (eth_dev->device) {
 		pci_dev = RTE_DEV_TO_PCI(eth_dev->device);
 		rte_eth_copy_pci_info(eth_dev, pci_dev);
+		eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;
 	}
 
 	/* If host does not support status then disable LSC */
-- 
2.7.4

[PATCH 2/3] net/virtio: fix crash when close virtio dev twice

[hanxueluo]

From: Huanle Han <hanxueluo@gmail.com>

This commit fixs segment fault when rte_eth_dev_close()
is called on a virtio dev more than once.
Assigning zero after free to avoids freed memory to
be accessed again.

Signed-off-by: Huanle Han <hanxueluo@gmail.com>
---
 drivers/net/virtio/virtio_ethdev.c | 5 +++++
 lib/librte_ether/rte_ethdev.c      | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/drivers/net/virtio/virtio_ethdev.c b/drivers/net/virtio/virtio_ethdev.c
index 8465e1a..b9565db 100644
--- a/drivers/net/virtio/virtio_ethdev.c
+++ b/drivers/net/virtio/virtio_ethdev.c
@@ -545,6 +545,9 @@ virtio_free_queues(struct virtio_hw *hw)
 	int queue_type;
 	uint16_t i;
 
+	if (hw->vqs == NULL)
+		return;
+
 	for (i = 0; i < nr_vq; i++) {
 		vq = hw->vqs[i];
 		if (!vq)
@@ -563,9 +566,11 @@ virtio_free_queues(struct virtio_hw *hw)
 		}
 
 		rte_free(vq);
+		hw->vqs[i] = NULL;
 	}
 
 	rte_free(hw->vqs);
+	hw->vqs = NULL;
 }
 
 static int
diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c
index eb0a94a..24f82dc 100644
--- a/lib/librte_ether/rte_ethdev.c
+++ b/lib/librte_ether/rte_ethdev.c
@@ -1074,8 +1074,10 @@ rte_eth_dev_close(uint8_t port_id)
 	dev->data->dev_started = 0;
 	(*dev->dev_ops->dev_close)(dev);
 
+	dev->data->nb_rx_queues = 0;
 	rte_free(dev->data->rx_queues);
 	dev->data->rx_queues = NULL;
+	dev->data->nb_tx_queues = 0;
 	rte_free(dev->data->tx_queues);
 	dev->data->tx_queues = NULL;
 }
-- 
2.7.4

[PATCH 3/3] pci: fix crash caused by invaild memory write

[hanxueluo]

From: Huanle Han <hanxueluo@gmail.com>

rte_eal_dev_detach() didn't remove dev from dev_device_list
after free the dev. So the following attached dev wrote to
the freed memory (tailq entry of previous dev) in below stack:

== Invalid write of size 8
==    at 0x43A9CE: rte_eal_device_insert (eal_common_dev.c:71)
==    by 0x42ED9E: pci_scan_one (eal_pci.c:365)
==    by 0x42EF4D: pci_update_device (eal_pci.c:391)
==    by 0x437F59: rte_eal_pci_probe_one (eal_common_pci.c:357)
==    by 0x43AB16: rte_eal_dev_attach (eal_common_dev.c:117)
==    by 0x45B3AA: rte_eth_dev_attach (rte_ethdev.c:489)
==    ...

Signed-off-by: Huanle Han <hanxueluo@gmail.com>
---
 lib/librte_eal/common/eal_common_pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/librte_eal/common/eal_common_pci.c b/lib/librte_eal/common/eal_common_pci.c
index 72547bd..022fdc7 100644
--- a/lib/librte_eal/common/eal_common_pci.c
+++ b/lib/librte_eal/common/eal_common_pci.c
@@ -393,6 +393,7 @@ rte_eal_pci_detach(const struct rte_pci_addr *addr)
 			goto err_return;
 
 		TAILQ_REMOVE(&pci_device_list, dev, next);
+		rte_eal_device_remove(&dev->device);
 		free(dev);
 		return 0;
 	}
-- 
2.7.4

Re: [PATCH 2/3] net/virtio: fix crash when close virtio dev twice

[Yuanhan Liu]

On Mon, Feb 20, 2017 at 10:04:46PM +0800, hanxueluo@126.com wrote:
> From: Huanle Han <hanxueluo@gmail.com>
> 
> This commit fixs segment fault when rte_eth_dev_close()
> is called on a virtio dev more than once.
> Assigning zero after free to avoids freed memory to
> be accessed again.

Thanks for the fix! And here are few more minor nits you might want be
awre of:

- a fix patch needs a fixline (check http://dpdk.org/dev for howto just
  in case you don't know)

- if it fixes a fatal bug (like this one), it should also be picked (or
  backported) to a specific stable release. In this case, you should add
     Cc: stable@dpdk.org

  just before your SoB (Signed-off-by).

	--yliu
> 
> Signed-off-by: Huanle Han <hanxueluo@gmail.com>
> ---
>  drivers/net/virtio/virtio_ethdev.c | 5 +++++
>  lib/librte_ether/rte_ethdev.c      | 2 ++
>  2 files changed, 7 insertions(+)
> 
> diff --git a/drivers/net/virtio/virtio_ethdev.c b/drivers/net/virtio/virtio_ethdev.c
> index 8465e1a..b9565db 100644
> --- a/drivers/net/virtio/virtio_ethdev.c
> +++ b/drivers/net/virtio/virtio_ethdev.c
> @@ -545,6 +545,9 @@ virtio_free_queues(struct virtio_hw *hw)
>  	int queue_type;
>  	uint16_t i;
>  
> +	if (hw->vqs == NULL)
> +		return;
> +
>  	for (i = 0; i < nr_vq; i++) {
>  		vq = hw->vqs[i];
>  		if (!vq)
> @@ -563,9 +566,11 @@ virtio_free_queues(struct virtio_hw *hw)
>  		}
>  
>  		rte_free(vq);
> +		hw->vqs[i] = NULL;
>  	}
>  
>  	rte_free(hw->vqs);
> +	hw->vqs = NULL;
>  }
>  
>  static int
> diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c
> index eb0a94a..24f82dc 100644
> --- a/lib/librte_ether/rte_ethdev.c
> +++ b/lib/librte_ether/rte_ethdev.c
> @@ -1074,8 +1074,10 @@ rte_eth_dev_close(uint8_t port_id)
>  	dev->data->dev_started = 0;
>  	(*dev->dev_ops->dev_close)(dev);
>  
> +	dev->data->nb_rx_queues = 0;
>  	rte_free(dev->data->rx_queues);
>  	dev->data->rx_queues = NULL;
> +	dev->data->nb_tx_queues = 0;
>  	rte_free(dev->data->tx_queues);
>  	dev->data->tx_queues = NULL;
>  }
> -- 
> 2.7.4
> 

Re: [PATCH 1/3] net/virtio: fix dev detachable flag

[Yuanhan Liu]

On Mon, Feb 20, 2017 at 10:04:45PM +0800, hanxueluo@126.com wrote:
> From: Huanle Han <hanxueluo@gmail.com>
> 
> The dev detachable flag was removed by
> commit f229eb4 ("net/virtio: fix rewriting LSC flag").
> 
> Signed-off-by: Huanle Han <hanxueluo@gmail.com>
> ---
>  drivers/net/virtio/virtio_ethdev.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/virtio/virtio_ethdev.c b/drivers/net/virtio/virtio_ethdev.c
> index 4dc03b9..8465e1a 100644
> --- a/drivers/net/virtio/virtio_ethdev.c
> +++ b/drivers/net/virtio/virtio_ethdev.c
> @@ -1336,6 +1336,7 @@ virtio_init_device(struct rte_eth_dev *eth_dev, uint64_t req_features)
>  	if (eth_dev->device) {
>  		pci_dev = RTE_DEV_TO_PCI(eth_dev->device);
>  		rte_eth_copy_pci_info(eth_dev, pci_dev);
> +		eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;

This is a partial fix. The major issue here is rte_eth_copy_pci_info has
an undocumented side effect: it resets the dev_flags unconditionally. 

Removing such reset should be able to fix it: it also looks like the right
fix to me. Thomas, Ferruh?

If not, we could at least call rte_eth_copy_pci_info() at eth_virtio_dev_init(),
before we set any dev_flags bits.

	--yliu

Re: [PATCH 3/3] pci: fix crash caused by invaild memory write

[Yuanhan Liu]

cc the EAL maintainer, David Marchand.

On Mon, Feb 20, 2017 at 10:04:47PM +0800, hanxueluo@126.com wrote:
> From: Huanle Han <hanxueluo@gmail.com>
> 
> rte_eal_dev_detach() didn't remove dev from dev_device_list
> after free the dev. So the following attached dev wrote to
> the freed memory (tailq entry of previous dev) in below stack:
> 
> == Invalid write of size 8
> ==    at 0x43A9CE: rte_eal_device_insert (eal_common_dev.c:71)
> ==    by 0x42ED9E: pci_scan_one (eal_pci.c:365)
> ==    by 0x42EF4D: pci_update_device (eal_pci.c:391)
> ==    by 0x437F59: rte_eal_pci_probe_one (eal_common_pci.c:357)
> ==    by 0x43AB16: rte_eal_dev_attach (eal_common_dev.c:117)
> ==    by 0x45B3AA: rte_eth_dev_attach (rte_ethdev.c:489)
> ==    ...
> 
> Signed-off-by: Huanle Han <hanxueluo@gmail.com>

The two minor nits also apply here, besides that,

Reviewed-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>

	--yliu

Re: [PATCH 2/3] net/virtio: fix crash when close virtio dev twice

[Yuanhan Liu]

On Wed, Feb 22, 2017 at 10:24:13AM +0800, Yuanhan Liu wrote:
> On Mon, Feb 20, 2017 at 10:04:46PM +0800, hanxueluo@126.com wrote:
> > From: Huanle Han <hanxueluo@gmail.com>
> > 
> > This commit fixs segment fault when rte_eth_dev_close()
> > is called on a virtio dev more than once.
> > Assigning zero after free to avoids freed memory to
> > be accessed again.
> 
> Thanks for the fix! And here are few more minor nits you might want be
> awre of:
> 
> - a fix patch needs a fixline (check http://dpdk.org/dev for howto just
>   in case you don't know)
> 
> - if it fixes a fatal bug (like this one), it should also be picked (or
>   backported) to a specific stable release. In this case, you should add
>      Cc: stable@dpdk.org
> 
>   just before your SoB (Signed-off-by).

Applied to dpdk-next-virtio with:

    Fixes: 69c80d4ef89b ("net/virtio: allocate queue at init stage")

    Cc: stable@dpdk.org

Thanks.

	--yliu

Re: [PATCH 1/3] net/virtio: fix dev detachable flag

[Yuanhan Liu]

On Wed, Feb 22, 2017 at 10:34:23AM +0800, Yuanhan Liu wrote:
> On Mon, Feb 20, 2017 at 10:04:45PM +0800, hanxueluo@126.com wrote:
> > From: Huanle Han <hanxueluo@gmail.com>
> > 
> > The dev detachable flag was removed by
> > commit f229eb4 ("net/virtio: fix rewriting LSC flag").
> > 
> > Signed-off-by: Huanle Han <hanxueluo@gmail.com>
> > ---
> >  drivers/net/virtio/virtio_ethdev.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/drivers/net/virtio/virtio_ethdev.c b/drivers/net/virtio/virtio_ethdev.c
> > index 4dc03b9..8465e1a 100644
> > --- a/drivers/net/virtio/virtio_ethdev.c
> > +++ b/drivers/net/virtio/virtio_ethdev.c
> > @@ -1336,6 +1336,7 @@ virtio_init_device(struct rte_eth_dev *eth_dev, uint64_t req_features)
> >  	if (eth_dev->device) {
> >  		pci_dev = RTE_DEV_TO_PCI(eth_dev->device);
> >  		rte_eth_copy_pci_info(eth_dev, pci_dev);
> > +		eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;
> 
> This is a partial fix. The major issue here is rte_eth_copy_pci_info has
> an undocumented side effect: it resets the dev_flags unconditionally. 
> 
> Removing such reset should be able to fix it: it also looks like the right
> fix to me. Thomas, Ferruh?
> 
> If not, we could at least call rte_eth_copy_pci_info() at eth_virtio_dev_init(),
> before we set any dev_flags bits.

This issue has been fixed by http://dpdk.org/dev/patchwork/patch/23949/.

	--yliu

Re: [PATCH 3/3] pci: fix crash caused by invaild memory write

[Thomas Monjalon]

22/02/2017 03:36, Yuanhan Liu:
> On Mon, Feb 20, 2017 at 10:04:47PM +0800, hanxueluo@126.com wrote:
> > From: Huanle Han <hanxueluo@gmail.com>
> > 
> > rte_eal_dev_detach() didn't remove dev from dev_device_list
> > after free the dev. So the following attached dev wrote to
> > the freed memory (tailq entry of previous dev) in below stack:
> > 
> > == Invalid write of size 8
> > ==    at 0x43A9CE: rte_eal_device_insert (eal_common_dev.c:71)
> > ==    by 0x42ED9E: pci_scan_one (eal_pci.c:365)
> > ==    by 0x42EF4D: pci_update_device (eal_pci.c:391)
> > ==    by 0x437F59: rte_eal_pci_probe_one (eal_common_pci.c:357)
> > ==    by 0x43AB16: rte_eal_dev_attach (eal_common_dev.c:117)
> > ==    by 0x45B3AA: rte_eth_dev_attach (rte_ethdev.c:489)
> > ==    ...
> > 
> > Signed-off-by: Huanle Han <hanxueluo@gmail.com>
> 
> The two minor nits also apply here, besides that,
> 
> Reviewed-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>

Nack

The right fix is to remove the functions insert and remove.
The list dev_device_list is not used anymore.

I will make a patch.