[Bug 253521] bhyve crash with e1000 emulation
bugzilla-noreply at freebsd.org
Sun Feb 14 22:52:27 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253521
Bug ID: 253521
Summary: bhyve crash with e1000 emulation
Product: Base System
Version: 12.2-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bhyve
Assignee: virtualization at FreeBSD.org
Reporter: sigsys at gmail.com
bhyve sometimes crashes with a Windows 10 guest and an e1000 emulated NIC. It
only happened on boot with a VNC viewer connected to bhyve, but I don't know how
related that might be.
(gdb) bt
#0 memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
#1 0x0000104da5a873e2 in e82545_transmit (sc=<optimized out>, head=<optimized
out>, tail=<optimized out>, dsize=<optimized out>, rhead=0x1e10f92,
tdwb=0x1e10f84) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
#2 0x0000104da5a8642c in e82545_tx_run (sc=0x1056f8b1c000) at
/usr/src/usr.sbin/bhyve/pci_e82545.c:1458
#3 e82545_tx_thread (param=0x1056f8b1c000) at
/usr/src/usr.sbin/bhyve/pci_e82545.c:1497
#4 0x00001055a934efac in thread_start (curthread=0x1056fd98d500) at
/usr/src/lib/libthr/thread/thr_create.c:292
#5 0x0000000000000000 in ?? ()
Backtrace stopped: Cannot access memory at address 0x1e11000
(gdb) frame 1
#1 0x0000104da5a873e2 in e82545_transmit (sc=<optimized out>, head=<optimized
out>, tail=<optimized out>, dsize=<optimized out>, rhead=0x1e10f92,
tdwb=0x1e10f84) at /usr/src/usr.sbin/bhyve/pci_e82545.c:1301
1301 memcpy(hdrp, iov->iov_base, now);
(gdb) p iovcnt
$14 = 1
(gdb) p *iov
$15 = {
iov_base = 0x0,
iov_len = 286
}
I don't understand most of this function, but there's clearly a bug in
e82545_transmit() with an uninitialized iov being used.
diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c
index dca981be85fa..a4b631b8b8de 100644
--- a/usr.sbin/bhyve/pci_e82545.c
+++ b/usr.sbin/bhyve/pci_e82545.c
@@ -1145,22 +1145,22 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head,
uint16_t tail,
if (len > 0) {
/* Strip checksum supplied by guest. */
if ((dsc->td.lower.data & E1000_TXD_CMD_EOP) != 0 &&
(dsc->td.lower.data & E1000_TXD_CMD_IFCS) == 0)
len -= 2;
tlen += len;
if (iovcnt < I82545_MAX_TXSEGS) {
iov[iovcnt].iov_base = paddr_guest2host(
sc->esc_ctx, dsc->td.buffer_addr, len);
iov[iovcnt].iov_len = len;
+ iovcnt++;
}
- iovcnt++;
}
/*
* Pull out info that is valid in the final descriptor
* and exit descriptor loop.
*/
if (dsc->td.lower.data & E1000_TXD_CMD_EOP) {
if (dtype == E1000_TXD_TYP_L) {
if (dsc->td.lower.data & E1000_TXD_CMD_IC) {
ckinfo[0].ck_valid = 1;
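Review bot: moving `iovcnt++` inside the `if (iovcnt < I82545_MAX_TXSEGS)` block keeps `iovcnt` from running past the end of `iov[]`, but the hunk now silently drops the data of any descriptor beyond the segment limit while `tlen += len;` still counts it, so a packet with more than I82545_MAX_TXSEGS segments leaves `tlen` larger than the sum of the `iov_len` values the caller will copy. Consider either rejecting such a packet outright or skipping `tlen += len;` in the overflow case, so the length and the segment list stay consistent. Separately, the gdb output in the report shows `iov_base = 0x0`, and the visible line `iov[iovcnt].iov_base = paddr_guest2host(sc->esc_ctx, dsc->td.buffer_addr, len);` still stores the result without checking for NULL; if `paddr_guest2host()` can fail for a guest-supplied `buffer_addr`, that path would still reach the `memcpy()` in the backtrace, so it is worth checking whether this hunk alone explains the reported crash.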