From: Cindy Lu <lulu@redhat.com>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, qemu-stable@nongnu.org,
Lei Yang <leiyang@redhat.com>, Jason Wang <jasowang@redhat.com>
Subject: Re: [PATCH v8] virtio-pci: fix use of a released vector
Date: Thu, 9 May 2024 09:43:35 +0800 [thread overview]
Message-ID: <CACLfguUF7+Kyafo-pkRpM94m-r7UPqet6xNuP6NDVXxAAD3ccQ@mail.gmail.com> (raw)
In-Reply-To: <f1d4bddc-f2e9-4cb7-8866-5f010b21b756@tls.msk.ru>
On Thu, May 9, 2024 at 4:18 AM Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 15.04.2024 12:34, Michael S. Tsirkin wrote:
> > From: Cindy Lu <lulu@redhat.com>
> >
> > During the booting process of the non-standard image, the behavior of the
> > called function in qemu is as follows:
> >
> > 1. vhost_net_stop() was triggered by guest image. This will call the function
> > virtio_pci_set_guest_notifiers() with assgin= false,
> > virtio_pci_set_guest_notifiers() will release the irqfd for vector 0
> >
> > 2. virtio_reset() was triggered, this will set configure vector to VIRTIO_NO_VECTOR
> >
> > 3.vhost_net_start() was called (at this time, the configure vector is
> > still VIRTIO_NO_VECTOR) and then call virtio_pci_set_guest_notifiers() with
> > assgin=true, so the irqfd for vector 0 is still not "init" during this process
> >
> > 4. The system continues to boot and sets the vector back to 0. After that
> > msix_fire_vector_notifier() was triggered to unmask the vector 0 and meet the crash
> >
> > To fix the issue, we need to support changing the vector after VIRTIO_CONFIG_S_DRIVER_OK is set.
>
> This change breaks both 9.0 and stable-8.2.3:
>
> https://gitlab.com/qemu-project/qemu/-/issues/2321
> https://gitlab.com/qemu-project/qemu/-/issues/2334
>
> So something's not right here.
>
> Thanks,
>
I have checked the stack, seems there is a crash while set the vector
to NO_VECTOER?
#0 kvm_virtio_pci_vq_vector_release (proxy=0x55bd979fd130,
vector=<optimized out>) at ../hw/virtio/virtio-pci.c:834
#1 kvm_virtio_pci_vector_release_one
(proxy=proxy@entry=0x55bd979fd130, queue_no=queue_no@entry=0) at
../hw/virtio/virtio-pci.c:965
#2 0x000055bd9380c430 in virtio_pci_set_vector (vdev=0x55bd97a05500,
proxy=0x55bd979fd130, queue_no=0, old_vector=1, new_vector=65535)
at ../hw/virtio/virtio-pci.c:1445
#3 0x000055bd939c5490 in memory_region_write_accessor
(mr=0x55bd979fdc70, addr=26, value=<optimized out>, size=2,
shift=<optimized out>,
mask=<optimized out>, attrs=...) at ../system/memory.c:497
I will try to reproduce and work in it
thanks
Cindy
> /mjt
>
> ...
> > MST: coding style and typo fixups
> >
> > Fixes: f9a09ca3ea ("vhost: add support for configure interrupt")
> > Cc: qemu-stable@nongnu.org
> > Signed-off-by: Cindy Lu <lulu@redhat.com>
> > Message-Id: <20240412062750.475180-1-lulu@redhat.com>
> > Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > ---
> > hw/virtio/virtio-pci.c | 37 +++++++++++++++++++++++++++++++++++--
> > 1 file changed, 35 insertions(+), 2 deletions(-)
> >
> > v7->v8:
> > more cleanups, suggested by Philip
> >
> > still untested, i just got involved to help address coding style
> > issues
> >
> > diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
> > index cb6940fc0e..cb159fd078 100644
> > --- a/hw/virtio/virtio-pci.c
> > +++ b/hw/virtio/virtio-pci.c
> > @@ -1424,6 +1424,38 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,
> > return offset;
> > }
> >
> > +static void virtio_pci_set_vector(VirtIODevice *vdev,
> > + VirtIOPCIProxy *proxy,
> > + int queue_no, uint16_t old_vector,
> > + uint16_t new_vector)
> > +{
> > + bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
> > + msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
> > +
> > + if (new_vector == old_vector) {
> > + return;
> > + }
> > +
> > + /*
> > + * If the device uses irqfd and the vector changes after DRIVER_OK is
> > + * set, we need to release the old vector and set up the new one.
> > + * Otherwise just need to set the new vector on the device.
> > + */
> > + if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
> > + kvm_virtio_pci_vector_release_one(proxy, queue_no);
> > + }
> > + /* Set the new vector on the device. */
> > + if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
> > + vdev->config_vector = new_vector;
> > + } else {
> > + virtio_queue_set_vector(vdev, queue_no, new_vector);
> > + }
> > + /* If the new vector changed need to set it up. */
> > + if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
> > + kvm_virtio_pci_vector_use_one(proxy, queue_no);
> > + }
> > +}
> > +
> > int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,
> > uint8_t bar, uint64_t offset, uint64_t length,
> > uint8_t id)
> > @@ -1570,7 +1602,8 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
> > } else {
> > val = VIRTIO_NO_VECTOR;
> > }
> > - vdev->config_vector = val;
> > + virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,
> > + vdev->config_vector, val);
> > break;
> > case VIRTIO_PCI_COMMON_STATUS:
> > if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
> > @@ -1610,7 +1643,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
> > } else {
> > val = VIRTIO_NO_VECTOR;
> > }
> > - virtio_queue_set_vector(vdev, vdev->queue_sel, val);
> > + virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);
> > break;
> > case VIRTIO_PCI_COMMON_Q_ENABLE:
> > if (val == 1) {
>
> --
> GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
> New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
> Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
> Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
>
next prev parent reply other threads:[~2024-05-09 1:45 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-15 9:34 [PATCH v8] virtio-pci: fix use of a released vector Michael S. Tsirkin
2024-04-15 9:42 ` Cindy Lu
2024-04-15 10:40 ` Cindy Lu
2024-04-16 3:20 ` Jason Wang
2024-04-17 2:42 ` Cindy Lu
2024-05-08 20:17 ` Michael Tokarev
2024-05-09 1:43 ` Cindy Lu [this message]
2024-05-09 4:54 ` Michael Tokarev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACLfguUF7+Kyafo-pkRpM94m-r7UPqet6xNuP6NDVXxAAD3ccQ@mail.gmail.com \
--to=lulu@redhat.com \
--cc=jasowang@redhat.com \
--cc=leiyang@redhat.com \
--cc=mjt@tls.msk.ru \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).