Bug 987 - dead lock in rte_acl_create and rte_ring_free by list circled
Summary: dead lock in rte_acl_create and rte_ring_free by list circled
Status: UNCONFIRMED
Alias: None
Product: DPDK
Classification: Unclassified
Component: vhost/virtio (show other bugs)
Version: 20.02
Hardware: x86 Linux
: Normal normal
Target Milestone: ---
Assignee: dev
URL:
Depends on:
Blocks:
 
Reported: 2022-03-30 13:34 CEST by sofardware
Modified: 2022-03-30 13:34 CEST (History)



Description sofardware 2022-03-30 13:34:20 CEST
In the functions rte_acl_create and rte_ring_free, the TAILQ_FOREACH walk cannot terminate when the target entry is not found, because the tailq has become a circular list in which the last node's next pointer points back to the first node. Both walks run while rte_mcfg_tailq_write_lock is held (see the callq before each loop below), so every other caller that takes the lock blocks behind the spinning thread. This issue does not always happen, and I have not found what causes it.

(gdb) disassemble
Dump of assembler code for function rte_acl_create:
   0x00000000006057a0 <+0>:     push   %r15
   0x00000000006057a2 <+2>:     push   %r14
   0x00000000006057a4 <+4>:     push   %r13
   0x00000000006057a6 <+6>:     push   %r12
   0x00000000006057a8 <+8>:     mov    %rdi,%r12
   0x00000000006057ab <+11>:    push   %rbp
   0x00000000006057ac <+12>:    push   %rbx
   0x00000000006057ad <+13>:    sub    $0x38,%rsp
   0x00000000006057b1 <+17>:    test   %rdi,%rdi
   0x00000000006057b4 <+20>:    mov    0x7a2365(%rip),%r13        # 0xda7b20 <rte_acl_tailq>
   0x00000000006057bb <+27>:    je     0x6058f0 <rte_acl_create+336>
   0x00000000006057c1 <+33>:    mov    (%rdi),%rcx
   0x00000000006057c4 <+36>:    test   %rcx,%rcx
   0x00000000006057c7 <+39>:    je     0x6058f0 <rte_acl_create+336>
   0x00000000006057cd <+45>:    lea    0x10(%rsp),%rdi
   0x00000000006057d2 <+50>:    mov    $0xaf5029,%edx
   0x00000000006057d7 <+55>:    mov    $0x20,%esi
   0x00000000006057dc <+60>:    xor    %eax,%eax
   0x00000000006057de <+62>:    callq  0x4395c0 <snprintf@plt>
   0x00000000006057e3 <+67>:    mov    0x10(%r12),%eax
   0x00000000006057e8 <+72>:    mov    0xc(%r12),%r15d
   0x00000000006057ed <+77>:    mov    %eax,0xc(%rsp)
   0x00000000006057f1 <+81>:    callq  0x5b31e0 <rte_mcfg_tailq_write_lock>
   0x00000000006057f6 <+86>:    mov    0x0(%r13),%r14
   0x00000000006057fa <+90>:    test   %r14,%r14
   0x00000000006057fd <+93>:    je     0x605840 <rte_acl_create+160>
   0x00000000006057ff <+95>:    mov    (%r12),%rbp
   0x0000000000605803 <+99>:    jmp    0x605810 <rte_acl_create+112>
   0x0000000000605805 <+101>:   nopl   (%rax)
   0x0000000000605808 <+104>:   mov    (%r14),%r14
   0x000000000060580b <+107>:   test   %r14,%r14
   0x000000000060580e <+110>:   je     0x605840 <rte_acl_create+160>
   0x0000000000605810 <+112>:   mov    0x10(%r14),%rbx
   0x0000000000605814 <+116>:   mov    $0x20,%edx
   0x0000000000605819 <+121>:   mov    %rbp,%rdi
   0x000000000060581c <+124>:   mov    %rbx,%rsi
   0x000000000060581f <+127>:   callq  0x438bc0 <strncmp@plt>
=> 0x0000000000605824 <+132>:   test   %eax,%eax
   0x0000000000605826 <+134>:   jne    0x605808 <rte_acl_create+104>
   0x0000000000605828 <+136>:   callq  0x5b3230 <rte_mcfg_tailq_write_unlock>
   0x000000000060582d <+141>:   mov    %rbx,%rax
   0x0000000000605830 <+144>:   add    $0x38,%rsp
   0x0000000000605834 <+148>:   pop    %rbx
   0x0000000000605835 <+149>:   pop    %rbp
   0x0000000000605836 <+150>:   pop    %r12
   0x0000000000605838 <+152>:   pop    %r13
   0x000000000060583a <+154>:   pop    %r14
   0x000000000060583c <+156>:   pop    %r15
   0x000000000060583e <+158>:   retq   
   0x000000000060583f <+159>:   nop
   0x0000000000605840 <+160>:   xor    %edx,%edx
   0x0000000000605842 <+162>:   mov    $0x18,%esi
   0x0000000000605847 <+167>:   mov    $0xaf5030,%edi
   0x000000000060584c <+172>:   callq  0x5c0460 <rte_zmalloc>
   0x0000000000605851 <+177>:   test   %rax,%rax
   0x0000000000605854 <+180>:   mov    %rax,%rbp
   0x0000000000605857 <+183>:   je     0x605935 <rte_acl_create+405>
---Type <return> to continue, or q <return> to quit--- 
   0x000000000060585d <+189>:   mov    0xc(%rsp),%r14d
   0x0000000000605862 <+194>:   mov    0x8(%r12),%ecx
   0x0000000000605867 <+199>:   lea    0x10(%rsp),%rdi
   0x000000000060586c <+204>:   mov    $0x40,%edx
   0x0000000000605871 <+209>:   imul   %r15d,%r14d
   0x0000000000605875 <+213>:   add    $0x388,%r14
   0x000000000060587c <+220>:   mov    %r14,%rsi
   0x000000000060587f <+223>:   callq  0x5c0380 <rte_zmalloc_socket>
   0x0000000000605884 <+228>:   test   %rax,%rax
   0x0000000000605887 <+231>:   mov    %rax,%rbx
   0x000000000060588a <+234>:   je     0x605905 <rte_acl_create+357>
   0x000000000060588c <+236>:   lea    0x388(%rax),%rax
   0x0000000000605893 <+243>:   mov    (%r12),%rcx
   0x0000000000605897 <+247>:   mov    $0xaecc2d,%edx
   0x000000000060589c <+252>:   mov    $0x20,%esi
   0x00000000006058a1 <+257>:   mov    %rbx,%rdi
   0x00000000006058a4 <+260>:   mov    %rax,0x28(%rbx)
   0x00000000006058a8 <+264>:   mov    0x10(%r12),%eax
   0x00000000006058ad <+269>:   mov    %eax,0x30(%rbx)
   0x00000000006058b0 <+272>:   mov    0xc(%r12),%eax
   0x00000000006058b5 <+277>:   mov    %eax,0x34(%rbx)
   0x00000000006058b8 <+280>:   mov    0x8(%r12),%eax
   0x00000000006058bd <+285>:   mov    %eax,0x20(%rbx)
   0x00000000006058c0 <+288>:   mov    0x7a223a(%rip),%eax        # 0xda7b00 <rte_acl_default_classify>
   0x00000000006058c6 <+294>:   mov    %eax,0x24(%rbx)
   0x00000000006058c9 <+297>:   xor    %eax,%eax
   0x00000000006058cb <+299>:   callq  0x4395c0 <snprintf@plt>
   0x00000000006058d0 <+304>:   mov    0x8(%r13),%rax
   0x00000000006058d4 <+308>:   mov    %rbx,0x10(%rbp)
   0x00000000006058d8 <+312>:   movq   $0x0,0x0(%rbp)
   0x00000000006058e0 <+320>:   mov    %rax,0x8(%rbp)
   0x00000000006058e4 <+324>:   mov    %rbp,(%rax)
   0x00000000006058e7 <+327>:   mov    %rbp,0x8(%r13)
   0x00000000006058eb <+331>:   jmpq   0x605828 <rte_acl_create+136>
   0x00000000006058f0 <+336>:   mov    0x7916f1(%rip),%rax        # 0xd96fe8
   0x00000000006058f7 <+343>:   movl   $0x16,%fs:(%rax)
   0x00000000006058fe <+350>:   xor    %eax,%eax
   0x0000000000605900 <+352>:   jmpq   0x605830 <rte_acl_create+144>
   0x0000000000605905 <+357>:   mov    0x8(%r12),%r8d
   0x000000000060590a <+362>:   lea    0x10(%rsp),%r9
   0x000000000060590f <+367>:   mov    %r14,%rcx
   0x0000000000605912 <+370>:   mov    $0xaf50f0,%edx
   0x0000000000605917 <+375>:   mov    $0x9,%esi
   0x000000000060591c <+380>:   mov    $0x4,%edi
   0x0000000000605921 <+385>:   xor    %eax,%eax
   0x0000000000605923 <+387>:   callq  0x43ebc6 <rte_log>
   0x0000000000605928 <+392>:   mov    %rbp,%rdi
   0x000000000060592b <+395>:   callq  0x5c01b0 <rte_free>
   0x0000000000605930 <+400>:   jmpq   0x605828 <rte_acl_create+136>
   0x0000000000605935 <+405>:   mov    $0xaf50c8,%edx
   0x000000000060593a <+410>:   mov    $0x9,%esi
   0x000000000060593f <+415>:   mov    $0x4,%edi
   0x0000000000605944 <+420>:   xor    %eax,%eax
   0x0000000000605946 <+422>:   xor    %ebx,%ebx
   0x0000000000605948 <+424>:   callq  0x43ebc6 <rte_log>
   0x000000000060594d <+429>:   jmpq   0x605828 <rte_acl_create+136>
End of assembler dump.
(gdb) p $r14
$16 = 8615101376
(gdb) p/x $r14
$17 = 0x2018003c0
(gdb) p/x *((long long*)0x2018003c0)
$18 = 0xf9d5e00
(gdb) p/x *((long long*)0xf9d5e00)
$19 = 0x1b1a00200
(gdb) p/x *((long long*)0x1b1a00200)
$20 = 0x201800540
(gdb) p/x *((long long*)0x201800540)
$21 = 0x2018003c0
(gdb) p/x *((long long*)0x2018003c0)
$22 = 0xf9d5e00
------------------------------------------------------
Dump of assembler code for function rte_ring_free:
   0x00000000005cbb00 <+0>:     push   %r12
   0x00000000005cbb02 <+2>:     test   %rdi,%rdi                                     //check whether the first argument r is NULL
   0x00000000005cbb05 <+5>:     push   %rbp
   0x00000000005cbb06 <+6>:     mov    %rdi,%rbp
   0x00000000005cbb09 <+9>:     push   %rbx
   0x00000000005cbb0a <+10>:    je     0x5cbb98 <rte_ring_free+152>                  //if the first argument is NULL, jump to +152 and return
   0x00000000005cbb10 <+16>:    mov    0x28(%rdi),%rdi                               //load r->memzone
   0x00000000005cbb14 <+20>:    test   %rdi,%rdi
   0x00000000005cbb17 <+23>:    je     0x5cbbb7 <rte_ring_free+183>                  //if r->memzone is NULL, jump to +183 and return
   0x00000000005cbb1d <+29>:    callq  0x5b2290 <rte_memzone_free>                   //r->memzone is not NULL: free it
   0x00000000005cbb22 <+34>:    test   %eax,%eax                                     //if the free failed, jump to +157 and return
   0x00000000005cbb24 <+36>:    jne    0x5cbb9d <rte_ring_free+157>
   0x00000000005cbb26 <+38>:    mov    0x7db973(%rip),%r12        # 0xda74a0 <rte_ring_tailq>  //load the rte_ring tailq list head
   0x00000000005cbb2d <+45>:    callq  0x5b31e0 <rte_mcfg_tailq_write_lock>
   0x00000000005cbb32 <+50>:    mov    (%r12),%rbx  //(var) = ((head)->tqh_first)    //first node of the list
   0x00000000005cbb36 <+54>:    test   %rbx,%rbx                                     //check whether this node is NULL
   0x00000000005cbb39 <+57>:    jne    0x5cbb48 <rte_ring_free+72>                   //if not NULL, jump to +72 to test whether its data equals the ring to delete
   0x00000000005cbb3b <+59>:    jmp    0x5cbb80 <rte_ring_free+128>                  //if NULL, jump to +128: unlock and return
   0x00000000005cbb3d <+61>:    nopl   (%rax)
=> 0x00000000005cbb40 <+64>:    mov    (%rbx),%rbx                                   //fetch the next node
   0x00000000005cbb43 <+67>:    test   %rbx,%rbx                                     //check whether this node is NULL
   0x00000000005cbb46 <+70>:    je     0x5cbb80 <rte_ring_free+128>                  //if NULL, jump to +128: unlock and return.
   0x00000000005cbb48 <+72>:    cmp    %rbp,0x10(%rbx)  //var = ring                 //does the data of the current node equal the ring to delete?
   0x00000000005cbb4c <+76>:    jne    0x5cbb40 <rte_ring_free+64>                   //if not equal, jump to +64 and keep fetching the next node
   0x00000000005cbb4e <+78>:    mov    (%rbx),%rax
   0x00000000005cbb51 <+81>:    test   %rax,%rax                                     //check whether this node is NULL, i.e. whether the walk reached the end of the list without finding a node equal to the ring to delete.
   0x00000000005cbb54 <+84>:    je     0x5cbb89 <rte_ring_free+137>                  //if NULL, unlock and return; otherwise remove the node, unlock, free the memory, then return.
   0x00000000005cbb56 <+86>:    mov    0x8(%rbx),%rdx                                //here the node's data equals the ring to delete: unlink the node from the list.
   0x00000000005cbb5a <+90>:    mov    %rdx,0x8(%rax)
   0x00000000005cbb5e <+94>:    mov    0x8(%rbx),%rdx
   0x00000000005cbb62 <+98>:    mov    %rax,(%rdx)
   0x00000000005cbb65 <+101>:   callq  0x5b3230 <rte_mcfg_tailq_write_unlock>        //unlock
   0x00000000005cbb6a <+106>:   mov    %rbx,%rdi
   0x00000000005cbb6d <+109>:   pop    %rbx
   0x00000000005cbb6e <+110>:   pop    %rbp
   0x00000000005cbb6f <+111>:   pop    %r12
   0x00000000005cbb71 <+113>:   jmpq   0x5c01b0 <rte_free>                          //free the memory and return
   0x00000000005cbb76 <+118>:   nopw   %cs:0x0(%rax,%rax,1)
   0x00000000005cbb80 <+128>:   pop    %rbx
   0x00000000005cbb81 <+129>:   pop    %rbp
   0x00000000005cbb82 <+130>:   pop    %r12
   0x00000000005cbb84 <+132>:   jmpq   0x5b3230 <rte_mcfg_tailq_write_unlock>
   0x00000000005cbb89 <+137>:   mov    0x8(%rbx),%rdx
   0x00000000005cbb8d <+141>:   mov    %rdx,0x8(%r12)
   0x00000000005cbb92 <+146>:   jmp    0x5cbb62 <rte_ring_free+98>
   0x00000000005cbb94 <+148>:   nopl   0x0(%rax)
   0x00000000005cbb98 <+152>:   pop    %rbx
   0x00000000005cbb99 <+153>:   pop    %rbp
   0x00000000005cbb9a <+154>:   pop    %r12
   0x00000000005cbb9c <+156>:   retq   
   0x00000000005cbb9d <+157>:   mov    $0xaecad3,%edx
   0x00000000005cbba2 <+162>:   mov    $0x2,%esi
   0x00000000005cbba7 <+167>:   mov    $0x4,%edi
   0x00000000005cbbac <+172>:   pop    %rbx
   0x00000000005cbbad <+173>:   pop    %rbp
   0x00000000005cbbae <+174>:   pop    %r12
   0x00000000005cbbb0 <+176>:   xor    %eax,%eax  
   0x00000000005cbbb2 <+178>:   jmpq   0x43ebc6 <rte_log>
   0x00000000005cbbb7 <+183>:   mov    $0xaeca60,%edx
   0x00000000005cbbbc <+188>:   mov    $0x2,%esi
   0x00000000005cbbc1 <+193>:   mov    $0x4,%dil
   0x00000000005cbbc4 <+196>:   jmp    0x5cbbac <rte_ring_free+172>

(gdb) p/x *(long long *)0x1b2004840
$26 = 0x299a01480
(gdb) p/x *(long long *)0x299a01480    
$27 = 0xf9d5e00
(gdb) p/x *(long long *)0xf9d5e00  
$28 = 0x1b2004840
