From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [Bug 987] dead lock in rte_acl_creat and rte_ring_free by list circled
Date: Wed, 30 Mar 2022 11:34:20 +0000 [thread overview]
Message-ID: <bug-987-3@http.bugs.dpdk.org/> (raw)
https://bugs.dpdk.org/show_bug.cgi?id=987
Bug ID: 987
Summary: dead lock in rte_acl_creat and rte_ring_free by list
circled
Product: DPDK
Version: 20.02
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: vhost/virtio
Assignee: dev@dpdk.org
Reporter: sofardware@126.com
Target Milestone: ---
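In rte_acl_create or rte_ring_free, the TAILQ_FOREACH loop never terminates when
the target is not found, because the tailq list has become circular: the last
node's next pointer points back to the first node.
The walk runs with the tailq write lock held (see the rte_mcfg_tailq_write_lock
calls in the dumps below), so the spinning thread never releases that lock.
This issue does not always happen, and I have not found what causes it.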
(gdb) disassemble
Dump of assembler code for function rte_acl_create:
// gdb disassembly (AT&T operand order) of rte_acl_create; "=>" marks where the thread was stopped.
// Register roles as far as this listing shows them:
//   r12 = first argument (copied from rdi at +8)
//   r13 = pointer loaded from the rte_acl_tailq symbol at +20, used as the list head
//   r14 = current list entry during the walk (+86..+134)
//   rbx = pointer stored at entry+0x10 during the walk; the value returned at +141
//   rbp = name pointer read from (r12) during the walk, later the newly allocated list entry
0x00000000006057a0 <+0>: push %r15
0x00000000006057a2 <+2>: push %r14
0x00000000006057a4 <+4>: push %r13
0x00000000006057a6 <+6>: push %r12
0x00000000006057a8 <+8>: mov %rdi,%r12
0x00000000006057ab <+11>: push %rbp
0x00000000006057ac <+12>: push %rbx
0x00000000006057ad <+13>: sub $0x38,%rsp
// NULL argument -> error return at +336 (the mov at +20 does not change the flags set here)
0x00000000006057b1 <+17>: test %rdi,%rdi
0x00000000006057b4 <+20>: mov 0x7a2365(%rip),%r13 # 0xda7b20
<rte_acl_tailq>
0x00000000006057bb <+27>: je 0x6058f0 <rte_acl_create+336>
// rcx = *(rdi), presumably the name field (confirm); NULL -> +336 as well
0x00000000006057c1 <+33>: mov (%rdi),%rcx
0x00000000006057c4 <+36>: test %rcx,%rcx
0x00000000006057c7 <+39>: je 0x6058f0 <rte_acl_create+336>
// snprintf(rsp+0x10, 0x20, <format at 0xaf5029>, rcx): builds a name of at most 0x20 bytes on the stack
0x00000000006057cd <+45>: lea 0x10(%rsp),%rdi
0x00000000006057d2 <+50>: mov $0xaf5029,%edx
0x00000000006057d7 <+55>: mov $0x20,%esi
0x00000000006057dc <+60>: xor %eax,%eax
0x00000000006057de <+62>: callq 0x4395c0 <snprintf@plt>
// 0x10(r12) is saved at 0xc(rsp) and 0xc(r12) kept in r15d: the two factors of the size computed at +209
0x00000000006057e3 <+67>: mov 0x10(%r12),%eax
0x00000000006057e8 <+72>: mov 0xc(%r12),%r15d
0x00000000006057ed <+77>: mov %eax,0xc(%rsp)
// Take the tailq write lock. Every path below rejoins +136 to release it,
// so the lock stays held for the whole list walk.
0x00000000006057f1 <+81>: callq 0x5b31e0 <rte_mcfg_tailq_write_lock>
// r14 = first entry read from the head; an empty list goes straight to the create path at +160
0x00000000006057f6 <+86>: mov 0x0(%r13),%r14
0x00000000006057fa <+90>: test %r14,%r14
0x00000000006057fd <+93>: je 0x605840 <rte_acl_create+160>
0x00000000006057ff <+95>: mov (%r12),%rbp
0x0000000000605803 <+99>: jmp 0x605810 <rte_acl_create+112>
0x0000000000605805 <+101>: nopl (%rax)
// List walk: advance to the next entry. A NULL next pointer (-> +160) or a name match (-> +136)
// are the only exits; nothing bounds the number of iterations. With a chain that leads back to
// its start, as in the gdb prints that follow this dump, the loop keeps running with the lock held.
0x0000000000605808 <+104>: mov (%r14),%r14
0x000000000060580b <+107>: test %r14,%r14
0x000000000060580e <+110>: je 0x605840 <rte_acl_create+160>
// rbx = pointer at entry+0x10; strncmp(rbp, rbx, 0x20) compares the requested name with its first 0x20 bytes
0x0000000000605810 <+112>: mov 0x10(%r14),%rbx
0x0000000000605814 <+116>: mov $0x20,%edx
0x0000000000605819 <+121>: mov %rbp,%rdi
0x000000000060581c <+124>: mov %rbx,%rsi
0x000000000060581f <+127>: callq 0x438bc0 <strncmp@plt>
=> 0x0000000000605824 <+132>: test %eax,%eax
0x0000000000605826 <+134>: jne 0x605808 <rte_acl_create+104>
// Common exit: release the lock and return rbx (matched object, new object, or 0 after an allocation failure)
0x0000000000605828 <+136>: callq 0x5b3230 <rte_mcfg_tailq_write_unlock>
0x000000000060582d <+141>: mov %rbx,%rax
0x0000000000605830 <+144>: add $0x38,%rsp
0x0000000000605834 <+148>: pop %rbx
0x0000000000605835 <+149>: pop %rbp
0x0000000000605836 <+150>: pop %r12
0x0000000000605838 <+152>: pop %r13
0x000000000060583a <+154>: pop %r14
0x000000000060583c <+156>: pop %r15
0x000000000060583e <+158>: retq
0x000000000060583f <+159>: nop
// Not found: rte_zmalloc(<string at 0xaf5030>, 0x18, 0) for a new list entry.
// The stores at +308..+320 use the 0x18 bytes as links at +0x0/+0x8 and an object pointer at +0x10.
0x0000000000605840 <+160>: xor %edx,%edx
0x0000000000605842 <+162>: mov $0x18,%esi
0x0000000000605847 <+167>: mov $0xaf5030,%edi
0x000000000060584c <+172>: callq 0x5c0460 <rte_zmalloc>
0x0000000000605851 <+177>: test %rax,%rax
0x0000000000605854 <+180>: mov %rax,%rbp
0x0000000000605857 <+183>: je 0x605935 <rte_acl_create+405>
---Type <return> to continue, or q <return> to quit---
// size = 0x10(r12) * 0xc(r12) + 0x388, passed to rte_zmalloc_socket(rsp+0x10, size, 0x40, 0x8(r12)).
// The multiply is 32-bit (r14d, r15d); only the add is 64-bit.
// NOTE(review): a 32-bit product can wrap before it is used as the allocation size; whether
// callers bound these two fields is not visible here - confirm.
0x000000000060585d <+189>: mov 0xc(%rsp),%r14d
0x0000000000605862 <+194>: mov 0x8(%r12),%ecx
0x0000000000605867 <+199>: lea 0x10(%rsp),%rdi
0x000000000060586c <+204>: mov $0x40,%edx
0x0000000000605871 <+209>: imul %r15d,%r14d
0x0000000000605875 <+213>: add $0x388,%r14
0x000000000060587c <+220>: mov %r14,%rsi
0x000000000060587f <+223>: callq 0x5c0380 <rte_zmalloc_socket>
0x0000000000605884 <+228>: test %rax,%rax
0x0000000000605887 <+231>: mov %rax,%rbx
0x000000000060588a <+234>: je 0x605905 <rte_acl_create+357>
// Fill in the new object: 0x28(rbx) = rbx+0x388; 0x30, 0x34 and 0x20 are copied from the argument;
// 0x24 comes from rte_acl_default_classify; snprintf(rbx, 0x20, <format at 0xaecc2d>, *(r12))
// writes the name at offset 0.
0x000000000060588c <+236>: lea 0x388(%rax),%rax
0x0000000000605893 <+243>: mov (%r12),%rcx
0x0000000000605897 <+247>: mov $0xaecc2d,%edx
0x000000000060589c <+252>: mov $0x20,%esi
0x00000000006058a1 <+257>: mov %rbx,%rdi
0x00000000006058a4 <+260>: mov %rax,0x28(%rbx)
0x00000000006058a8 <+264>: mov 0x10(%r12),%eax
0x00000000006058ad <+269>: mov %eax,0x30(%rbx)
0x00000000006058b0 <+272>: mov 0xc(%r12),%eax
0x00000000006058b5 <+277>: mov %eax,0x34(%rbx)
0x00000000006058b8 <+280>: mov 0x8(%r12),%eax
0x00000000006058bd <+285>: mov %eax,0x20(%rbx)
0x00000000006058c0 <+288>: mov 0x7a223a(%rip),%eax # 0xda7b00
<rte_acl_default_classify>
0x00000000006058c6 <+294>: mov %eax,0x24(%rbx)
0x00000000006058c9 <+297>: xor %eax,%eax
0x00000000006058cb <+299>: callq 0x4395c0 <snprintf@plt>
// Append the entry at the tail: entry+0x10 = object, entry+0x0 (next) = 0, entry+0x8 = old tail
// link read from 0x8(r13), *old tail link = entry, 0x8(r13) = entry.
// The walk at +104 terminates only while the 0 written at +312 is still in the last entry.
0x00000000006058d0 <+304>: mov 0x8(%r13),%rax
0x00000000006058d4 <+308>: mov %rbx,0x10(%rbp)
0x00000000006058d8 <+312>: movq $0x0,0x0(%rbp)
0x00000000006058e0 <+320>: mov %rax,0x8(%rbp)
0x00000000006058e4 <+324>: mov %rbp,(%rax)
0x00000000006058e7 <+327>: mov %rbp,0x8(%r13)
0x00000000006058eb <+331>: jmpq 0x605828 <rte_acl_create+136>
// Argument error: store 0x16 through an %fs-relative slot (presumably rte_errno = EINVAL - confirm)
// and return 0; the lock was never taken on this path, so it skips the unlock at +136.
0x00000000006058f0 <+336>: mov 0x7916f1(%rip),%rax # 0xd96fe8
0x00000000006058f7 <+343>: movl $0x16,%fs:(%rax)
0x00000000006058fe <+350>: xor %eax,%eax
0x0000000000605900 <+352>: jmpq 0x605830 <rte_acl_create+144>
// Object allocation failed (rbx = 0): rte_log(4, 9, <format at 0xaf50f0>, size, 0x8(r12), name),
// free the list entry, then unlock via +136.
0x0000000000605905 <+357>: mov 0x8(%r12),%r8d
0x000000000060590a <+362>: lea 0x10(%rsp),%r9
0x000000000060590f <+367>: mov %r14,%rcx
0x0000000000605912 <+370>: mov $0xaf50f0,%edx
0x0000000000605917 <+375>: mov $0x9,%esi
0x000000000060591c <+380>: mov $0x4,%edi
0x0000000000605921 <+385>: xor %eax,%eax
0x0000000000605923 <+387>: callq 0x43ebc6 <rte_log>
0x0000000000605928 <+392>: mov %rbp,%rdi
0x000000000060592b <+395>: callq 0x5c01b0 <rte_free>
0x0000000000605930 <+400>: jmpq 0x605828 <rte_acl_create+136>
// List-entry allocation failed: rte_log(4, 9, <format at 0xaf50c8>), rbx = 0, then unlock via +136.
0x0000000000605935 <+405>: mov $0xaf50c8,%edx
0x000000000060593a <+410>: mov $0x9,%esi
0x000000000060593f <+415>: mov $0x4,%edi
0x0000000000605944 <+420>: xor %eax,%eax
0x0000000000605946 <+422>: xor %ebx,%ebx
0x0000000000605948 <+424>: callq 0x43ebc6 <rte_log>
0x000000000060594d <+429>: jmpq 0x605828 <rte_acl_create+136>
End of assembler dump.
(gdb) p $r14
$16 = 8615101376
(gdb) p/x $r14
$17 = 0x2018003c0
(gdb) p/x *((long long*)0x2018003c0)
$18 = 0xf9d5e00
(gdb) p/x *((long long*)0xf9d5e00)
$19 = 0x1b1a00200
(gdb) p/x *((long long*)0x1b1a00200)
$20 = 0x201800540
(gdb) p/x *((long long*)0x201800540)
$21 = 0x2018003c0
(gdb) p/x *((long long*)0x2018003c0)
$22 = 0xf9d5e00
------------------------------------------------------
Dump of assembler code for function rte_ring_free:
// gdb disassembly (AT&T operand order) of rte_ring_free with the reporter's annotations;
// "=>" marks where the thread was stopped.
// Register roles as far as this listing shows them:
//   rbp = first argument r (copied from rdi at +6)
//   r12 = pointer loaded from the rte_ring_tailq symbol at +38, used as the list head
//   rbx = current list node during the walk (+50..+76)
0x00000000005cbb00 <+0>: push %r12
0x00000000005cbb02 <+2>: test %rdi,%rdi
// check whether the first argument r is NULL
0x00000000005cbb05 <+5>: push %rbp
0x00000000005cbb06 <+6>: mov %rdi,%rbp
0x00000000005cbb09 <+9>: push %rbx
0x00000000005cbb0a <+10>: je 0x5cbb98 <rte_ring_free+152>
// if r is NULL, jump to +152 and return
0x00000000005cbb10 <+16>: mov 0x28(%rdi),%rdi
// load r->memzone
0x00000000005cbb14 <+20>: test %rdi,%rdi
0x00000000005cbb17 <+23>: je 0x5cbbb7 <rte_ring_free+183>
// if r->memzone is NULL, jump to +183 (which logs through rte_log) and return
0x00000000005cbb1d <+29>: callq 0x5b2290 <rte_memzone_free>
// r->memzone is not NULL: free it. This happens before the list walk below.
0x00000000005cbb22 <+34>: test %eax,%eax
// if the free failed, jump to +157 (which logs through rte_log) and return
0x00000000005cbb24 <+36>: jne 0x5cbb9d <rte_ring_free+157>
0x00000000005cbb26 <+38>: mov 0x7db973(%rip),%r12 # 0xda74a0
<rte_ring_tailq> // load the rte_ring tailq list head
0x00000000005cbb2d <+45>: callq 0x5b31e0 <rte_mcfg_tailq_write_lock>
// The write lock is held from here until one of the rte_mcfg_tailq_write_unlock calls at +101 or +132.
// rte_acl_create in the dump above calls the same lock function (0x5b31e0); presumably it is one
// shared lock, so a thread stuck in this walk would block other tailq users too - confirm.
0x00000000005cbb32 <+50>: mov (%r12),%rbx //(var) =
((head)->tqh_first) // fetch the first node of the list
0x00000000005cbb36 <+54>: test %rbx,%rbx
// check whether that node is NULL
0x00000000005cbb39 <+57>: jne 0x5cbb48 <rte_ring_free+72>
// if it is not NULL, jump to +72 to compare its data with the ring being freed
0x00000000005cbb3b <+59>: jmp 0x5cbb80 <rte_ring_free+128>
// if it is NULL, jump to +128, unlock and return
0x00000000005cbb3d <+61>: nopl (%rax)
=> 0x00000000005cbb40 <+64>: mov (%rbx),%rbx
// advance to the next node. The walk ends only on a NULL next pointer or a data match; with a
// circular chain like the one in the gdb prints that follow this dump and no node whose data
// equals r, it never ends and the lock taken at +45 is never released.
0x00000000005cbb43 <+67>: test %rbx,%rbx
// check whether that node is NULL
0x00000000005cbb46 <+70>: je 0x5cbb80 <rte_ring_free+128> if
// if it is NULL, jump to +128, unlock and return
0x00000000005cbb48 <+72>: cmp %rbp,0x10(%rbx) //var = ring
// compare the pointer stored in the current node (+0x10) with the ring being freed
0x00000000005cbb4c <+76>: jne 0x5cbb40 <rte_ring_free+64>
// if they differ, jump to +64 and continue with the next node
0x00000000005cbb4e <+78>: mov (%rbx),%rax
0x00000000005cbb51 <+81>: test %rax,%rax
// rax = next pointer of the matched node; NULL means the matched node is the last one in the list
0x00000000005cbb54 <+84>: je 0x5cbb89 <rte_ring_free+137>
// last node: +137 stores its prev link into the head (0x8(%r12)) and rejoins at +98;
// otherwise fall through, unlink the node, unlock, free the node memory and return
0x00000000005cbb56 <+86>: mov 0x8(%rbx),%rdx
// the data in this node equals the ring being freed: unlink the node from the list
0x00000000005cbb5a <+90>: mov %rdx,0x8(%rax)
0x00000000005cbb5e <+94>: mov 0x8(%rbx),%rdx
0x00000000005cbb62 <+98>: mov %rax,(%rdx)
0x00000000005cbb65 <+101>: callq 0x5b3230 <rte_mcfg_tailq_write_unlock>
// unlock
0x00000000005cbb6a <+106>: mov %rbx,%rdi
0x00000000005cbb6d <+109>: pop %rbx
0x00000000005cbb6e <+110>: pop %rbp
0x00000000005cbb6f <+111>: pop %r12
0x00000000005cbb71 <+113>: jmpq 0x5c01b0 <rte_free>
// free the list node's memory (tail call to rte_free) and return
0x00000000005cbb76 <+118>: nopw %cs:0x0(%rax,%rax,1)
// +128: empty list or ring not found: restore registers and tail-call the unlock
0x00000000005cbb80 <+128>: pop %rbx
0x00000000005cbb81 <+129>: pop %rbp
0x00000000005cbb82 <+130>: pop %r12
0x00000000005cbb84 <+132>: jmpq 0x5b3230 <rte_mcfg_tailq_write_unlock>
// +137: the matched node was the last one: the head's tail link takes the node's prev link
0x00000000005cbb89 <+137>: mov 0x8(%rbx),%rdx
0x00000000005cbb8d <+141>: mov %rdx,0x8(%r12)
0x00000000005cbb92 <+146>: jmp 0x5cbb62 <rte_ring_free+98>
0x00000000005cbb94 <+148>: nopl 0x0(%rax)
// +152: r was NULL: plain return
0x00000000005cbb98 <+152>: pop %rbx
0x00000000005cbb99 <+153>: pop %rbp
0x00000000005cbb9a <+154>: pop %r12
0x00000000005cbb9c <+156>: retq
// +157 and +183: error paths that tail-call rte_log(4, 2, <format>) without having taken the lock
0x00000000005cbb9d <+157>: mov $0xaecad3,%edx
0x00000000005cbba2 <+162>: mov $0x2,%esi
0x00000000005cbba7 <+167>: mov $0x4,%edi
0x00000000005cbbac <+172>: pop %rbx
0x00000000005cbbad <+173>: pop %rbp
0x00000000005cbbae <+174>: pop %r12
0x00000000005cbbb0 <+176>: xor %eax,%eax
0x00000000005cbbb2 <+178>: jmpq 0x43ebc6 <rte_log>
0x00000000005cbbb7 <+183>: mov $0xaeca60,%edx
0x00000000005cbbbc <+188>: mov $0x2,%esi
0x00000000005cbbc1 <+193>: mov $0x4,%dil
0x00000000005cbbc4 <+196>: jmp 0x5cbbac <rte_ring_free+172>
(gdb) p/x *(long long *)0x1b2004840
$26 = 0x299a01480
(gdb) p/x *(long long *)0x299a01480
$27 = 0xf9d5e00
(gdb) p/x *(long long *)0xf9d5e00
$28 = 0x1b2004840