From: Alexey Kardashevskiy <aik@ozlabs.ru>
To: "Hoyer, David" <David.Hoyer@netapp.com>,
"Qemu-devel@nongnu.org" <Qemu-devel@nongnu.org>
Cc: "Moyer, Keith" <Keith.Moyer@netapp.com>,
"Best, Tish" <Tish.Best@netapp.com>
Subject: Re: [Qemu-devel] e1000 memory corruption in guest OS
Date: Mon, 24 Feb 2014 15:20:34 +1100 [thread overview]
Message-ID: <530AC892.2080109@ozlabs.ru> (raw)
In-Reply-To: <6777CD901FD53644B082307CD745FB8326AC9348@SACEXCMBX02-PRD.hq.netapp.com>
On 02/16/2014 03:29 PM, Hoyer, David wrote:
> We are using Qemu-1.7.0 with Xen-4.3.0 and Debian jessie. We are
> noticing that when we transfer large files from our network to the
> guestOS via the e1000 virtual network device that we experience memory
> corruption on the guestOS. We have debugged this problem and have
> determined where it appears that the corruption is happening and have
> created a patch file with a fix (at least the corruption is no longer
> happening on our guestOS anymore). Note that our test file is a
> large file consisting of the value 0x61 repeated over the entire file.
>
> To troubleshoot this issue, we enabled tracing in qemu and used the
> xen_map_cache and xen_map_cache_return trace events. We also added some
> of our own debug statements in e1000.c before and after the function
> call to DMA the network packet to the guestOS descriptor address. Below
> is a commented summary of the trace output:
>
> /*** Check if guestOS address 0xe00000 (which maps to 0x7f15c313f000) is corrupted
> xen_map_cache want 0xe00000
> xen_map_cache_return 0x7f15c313f000
> /*** It wasn't corrupted before the dma write
> /*** DMA a packet of length 0x5aa containing '0x61616161...' to guestOS at address 0x12ffac2 (which maps to 0x7f15c313eac2)
> dma write to 12ffac2 len 5aa
> xen_map_cache want 0x12ffac2
> xen_map_cache_return 0x7f15c313eac2
> /*** Check if guestOS address 0xe00000 (which maps to 0x7f15c313f000) is corrupted
> xen_map_cache want 0xe00000
> xen_map_cache_return 0x7f15c313f000
> /*** It is corrupted now.
> e1000: Corrupted 7: test_buf:5aa 5aa
>
> The DMA address 0x12ffac2 mapped to 0x7f15c313eac2. When you add the
> packet length, 0x5aa, the result is 0x7f15c313f06c. This result is 0x6c
> bytes into the mapping of guestOS address 0xe00000, which mapped to
> 0x7f15c313f000. If you dump 0xe00000 in the guestOS, 0x6c bytes are
> corrupted.
> We believe that the correct fix is to use qemu_ram_ptr_length instead of
> qemu_get_ram_ptr in the function address_space_rw to ensure (from what
> we can tell) that the mapped address is valid for the entire length
> specified. It looked like this might also be an issue in
> cpu_physical_memory_write_rom so we made the change there as well.
>
Corrupted DMA buffer is 0x e00000 -- 0x7f15c313f000.
The e1000 packet is at 0x12ffac2 -- 0x7f15c313eac2.
(0x7f15c313f000 - 0x7f15c313eac2) = 0x53e which is less than 0x5aa and
(0x5aa - 0x53e) = 0x6c bytes get corrupted.
I see here buffer overrun from e1000 and I suspect that your patch just
hides this problem. What did I miss?
Does e1000 still work with the patch applied? Are all 100% packets
delivered fine?
> We are fairly new to the qemu source base so we are looking to the
> community to see if this problem has previously been identified and to
> see if this is the correct fix.
>
> Following is the patch
>
> --- orig/exec.c 2013-11-27 16:52:55.000000000 -0600
> +++ new/exec.c 2014-02-15 21:58:34.311518000 -0600
> @@ -1911,7 +1911,7 @@
> } else {
> addr1 += memory_region_get_ram_addr(mr);
> /* RAM case */
> - ptr = qemu_get_ram_ptr(addr1);
> + ptr = qemu_ram_ptr_length(addr1, &l);
> memcpy(ptr, buf, l);
> invalidate_and_set_dirty(addr1, l);
> }
> @@ -1945,7 +1945,7 @@
> }
> } else {
> /* RAM case */
> - ptr = qemu_get_ram_ptr(mr->ram_addr + addr1);
> + ptr = qemu_ram_ptr_length(mr->ram_addr + addr1, &l);
> memcpy(buf, ptr, l);
> }
> }
> @@ -1995,7 +1995,7 @@
> } else {
> addr1 += memory_region_get_ram_addr(mr);
> /* ROM/RAM case */
> - ptr = qemu_get_ram_ptr(addr1);
> + ptr = qemu_ram_ptr_length(addr1, &l);
> memcpy(ptr, buf, l);
> invalidate_and_set_dirty(addr1, l);
> }
>
>
> David Hoyer
> Controller Firmware Development
> Array Products Group
>
> NetApp
> 3718 N. Rock Road
> Wichita, KS 67226
> 316-636-8047 phone
> 316-617-3677 mobile
> David.Hoyer@netapp.com<mailto:David.Hoyer@lsi.com>
> netapp.com<http://www.netapp.com/?ref_source=eSig>
>
> [Description: http://media.netapp.com/images/netapp-logo-sig-5.gif]
>
>
Alexey
next prev parent reply other threads:[~2014-02-24 4:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-16 4:29 [Qemu-devel] e1000 memory corruption in guest OS Hoyer, David
2014-02-24 4:20 ` Alexey Kardashevskiy [this message]
2014-03-01 12:30 ` Alexey Kardashevskiy
2014-03-01 21:31 ` Paolo Bonzini
2014-03-03 1:58 ` Alexey Kardashevskiy
2014-03-03 8:33 ` Paolo Bonzini
2014-03-03 10:47 ` Alexey Kardashevskiy
2014-03-03 11:21 ` Paolo Bonzini
2014-03-03 21:33 ` Don Slutz
2014-03-03 22:53 ` Alexey Kardashevskiy
2014-02-24 14:02 ` Paolo Bonzini
2014-02-24 14:15 ` Hoyer, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=530AC892.2080109@ozlabs.ru \
--to=aik@ozlabs.ru \
--cc=David.Hoyer@netapp.com \
--cc=Keith.Moyer@netapp.com \
--cc=Qemu-devel@nongnu.org \
--cc=Tish.Best@netapp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).