https://bugs.dpdk.org/show_bug.cgi?id=987
Bug ID: 987
Summary: dead lock in rte_acl_creat and rte_ring_free by list circled
Product: DPDK
Version: 20.02
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: vhost/virtio
Assignee: dev@dpdk.org
Reporter: sofardw...@126.com
Target Milestone: ---

In rte_acl_create or rte_ring_free, the TAILQ_FOREACH loop never terminates when the target is not found, because the tailq list has become circular: the last node's next pointer points back to the first node. In both functions the walk runs after rte_mcfg_tailq_write_lock has been taken, so the spinning thread never reaches the unlock call. This issue does not always happen, and I have not found what causes it. Note that in the gdb pointer walks below the node address 0xf9d5e00 appears in both the rte_acl_create chain and the rte_ring_free chain, which may mean that one list entry is linked into both lists (for example an entry that was freed and reused while still linked); this is not confirmed.

(gdb) disassemble
Dump of assembler code for function rte_acl_create:
   0x00000000006057a0 <+0>: push %r15
   0x00000000006057a2 <+2>: push %r14
   0x00000000006057a4 <+4>: push %r13
   0x00000000006057a6 <+6>: push %r12
   0x00000000006057a8 <+8>: mov %rdi,%r12
   0x00000000006057ab <+11>: push %rbp
   0x00000000006057ac <+12>: push %rbx
   0x00000000006057ad <+13>: sub $0x38,%rsp
   0x00000000006057b1 <+17>: test %rdi,%rdi
   0x00000000006057b4 <+20>: mov 0x7a2365(%rip),%r13 # 0xda7b20 <rte_acl_tailq>
   0x00000000006057bb <+27>: je 0x6058f0 <rte_acl_create+336>
   0x00000000006057c1 <+33>: mov (%rdi),%rcx
   0x00000000006057c4 <+36>: test %rcx,%rcx
   0x00000000006057c7 <+39>: je 0x6058f0 <rte_acl_create+336>
   0x00000000006057cd <+45>: lea 0x10(%rsp),%rdi
   0x00000000006057d2 <+50>: mov $0xaf5029,%edx
   0x00000000006057d7 <+55>: mov $0x20,%esi
   0x00000000006057dc <+60>: xor %eax,%eax
   0x00000000006057de <+62>: callq 0x4395c0 <snprintf@plt>
   0x00000000006057e3 <+67>: mov 0x10(%r12),%eax
   0x00000000006057e8 <+72>: mov 0xc(%r12),%r15d
   0x00000000006057ed <+77>: mov %eax,0xc(%rsp)
   0x00000000006057f1 <+81>: callq 0x5b31e0 <rte_mcfg_tailq_write_lock>
   0x00000000006057f6 <+86>: mov 0x0(%r13),%r14
   0x00000000006057fa <+90>: test %r14,%r14
   0x00000000006057fd <+93>: je 0x605840 <rte_acl_create+160>
   0x00000000006057ff <+95>: mov (%r12),%rbp
   0x0000000000605803 <+99>: jmp 0x605810 <rte_acl_create+112>
   0x0000000000605805 <+101>: nopl (%rax)
   0x0000000000605808 <+104>: mov (%r14),%r14
   0x000000000060580b <+107>: test %r14,%r14
   0x000000000060580e <+110>: je 0x605840 <rte_acl_create+160>
   0x0000000000605810 <+112>: mov 0x10(%r14),%rbx
   0x0000000000605814 <+116>: mov $0x20,%edx
   0x0000000000605819 <+121>: mov %rbp,%rdi
   0x000000000060581c <+124>: mov %rbx,%rsi
   0x000000000060581f <+127>: callq 0x438bc0 <strncmp@plt>
=> 0x0000000000605824 <+132>: test %eax,%eax
   0x0000000000605826 <+134>: jne 0x605808 <rte_acl_create+104>
   0x0000000000605828 <+136>: callq 0x5b3230 <rte_mcfg_tailq_write_unlock>
   0x000000000060582d <+141>: mov %rbx,%rax
   0x0000000000605830 <+144>: add $0x38,%rsp
   0x0000000000605834 <+148>: pop %rbx
   0x0000000000605835 <+149>: pop %rbp
   0x0000000000605836 <+150>: pop %r12
   0x0000000000605838 <+152>: pop %r13
   0x000000000060583a <+154>: pop %r14
   0x000000000060583c <+156>: pop %r15
   0x000000000060583e <+158>: retq
   0x000000000060583f <+159>: nop
   0x0000000000605840 <+160>: xor %edx,%edx
   0x0000000000605842 <+162>: mov $0x18,%esi
   0x0000000000605847 <+167>: mov $0xaf5030,%edi
   0x000000000060584c <+172>: callq 0x5c0460 <rte_zmalloc>
   0x0000000000605851 <+177>: test %rax,%rax
   0x0000000000605854 <+180>: mov %rax,%rbp
   0x0000000000605857 <+183>: je 0x605935 <rte_acl_create+405>
---Type <return> to continue, or q <return> to quit---
   0x000000000060585d <+189>: mov 0xc(%rsp),%r14d
   0x0000000000605862 <+194>: mov 0x8(%r12),%ecx
   0x0000000000605867 <+199>: lea 0x10(%rsp),%rdi
   0x000000000060586c <+204>: mov $0x40,%edx
   0x0000000000605871 <+209>: imul %r15d,%r14d
   0x0000000000605875 <+213>: add $0x388,%r14
   0x000000000060587c <+220>: mov %r14,%rsi
   0x000000000060587f <+223>: callq 0x5c0380 <rte_zmalloc_socket>
   0x0000000000605884 <+228>: test %rax,%rax
   0x0000000000605887 <+231>: mov %rax,%rbx
   0x000000000060588a <+234>: je 0x605905 <rte_acl_create+357>
   0x000000000060588c <+236>: lea 0x388(%rax),%rax
   0x0000000000605893 <+243>: mov (%r12),%rcx
   0x0000000000605897 <+247>: mov $0xaecc2d,%edx
   0x000000000060589c <+252>: mov $0x20,%esi
   0x00000000006058a1 <+257>: mov %rbx,%rdi
   0x00000000006058a4 <+260>: mov %rax,0x28(%rbx)
   0x00000000006058a8 <+264>: mov 0x10(%r12),%eax
   0x00000000006058ad <+269>: mov %eax,0x30(%rbx)
   0x00000000006058b0 <+272>: mov 0xc(%r12),%eax
   0x00000000006058b5 <+277>: mov %eax,0x34(%rbx)
   0x00000000006058b8 <+280>: mov 0x8(%r12),%eax
   0x00000000006058bd <+285>: mov %eax,0x20(%rbx)
   0x00000000006058c0 <+288>: mov 0x7a223a(%rip),%eax # 0xda7b00 <rte_acl_default_classify>
   0x00000000006058c6 <+294>: mov %eax,0x24(%rbx)
   0x00000000006058c9 <+297>: xor %eax,%eax
   0x00000000006058cb <+299>: callq 0x4395c0 <snprintf@plt>
   0x00000000006058d0 <+304>: mov 0x8(%r13),%rax
   0x00000000006058d4 <+308>: mov %rbx,0x10(%rbp)
   0x00000000006058d8 <+312>: movq $0x0,0x0(%rbp)
   0x00000000006058e0 <+320>: mov %rax,0x8(%rbp)
   0x00000000006058e4 <+324>: mov %rbp,(%rax)
   0x00000000006058e7 <+327>: mov %rbp,0x8(%r13)
   0x00000000006058eb <+331>: jmpq 0x605828 <rte_acl_create+136>
   0x00000000006058f0 <+336>: mov 0x7916f1(%rip),%rax # 0xd96fe8
   0x00000000006058f7 <+343>: movl $0x16,%fs:(%rax)
   0x00000000006058fe <+350>: xor %eax,%eax
   0x0000000000605900 <+352>: jmpq 0x605830 <rte_acl_create+144>
   0x0000000000605905 <+357>: mov 0x8(%r12),%r8d
   0x000000000060590a <+362>: lea 0x10(%rsp),%r9
   0x000000000060590f <+367>: mov %r14,%rcx
   0x0000000000605912 <+370>: mov $0xaf50f0,%edx
   0x0000000000605917 <+375>: mov $0x9,%esi
   0x000000000060591c <+380>: mov $0x4,%edi
   0x0000000000605921 <+385>: xor %eax,%eax
   0x0000000000605923 <+387>: callq 0x43ebc6 <rte_log>
   0x0000000000605928 <+392>: mov %rbp,%rdi
   0x000000000060592b <+395>: callq 0x5c01b0 <rte_free>
   0x0000000000605930 <+400>: jmpq 0x605828 <rte_acl_create+136>
   0x0000000000605935 <+405>: mov $0xaf50c8,%edx
   0x000000000060593a <+410>: mov $0x9,%esi
   0x000000000060593f <+415>: mov $0x4,%edi
   0x0000000000605944 <+420>: xor %eax,%eax
   0x0000000000605946 <+422>: xor %ebx,%ebx
   0x0000000000605948 <+424>: callq 0x43ebc6 <rte_log>
   0x000000000060594d <+429>: jmpq 0x605828 <rte_acl_create+136>
End of assembler dump.
(gdb) p $r14
$16 = 8615101376
(gdb) p/x $r14
$17 = 0x2018003c0
(gdb) p/x *((long long*)0x2018003c0)
$18 = 0xf9d5e00
(gdb) p/x *((long long*)0xf9d5e00)
$19 = 0x1b1a00200
(gdb) p/x *((long long*)0x1b1a00200)
$20 = 0x201800540
(gdb) p/x *((long long*)0x201800540)
$21 = 0x2018003c0
(gdb) p/x *((long long*)0x2018003c0)
$22 = 0xf9d5e00
------------------------------------------------------
Dump of assembler code for function rte_ring_free:
   0x00000000005cbb00 <+0>: push %r12
   0x00000000005cbb02 <+2>: test %rdi,%rdi // check whether the first argument r is NULL
   0x00000000005cbb05 <+5>: push %rbp
   0x00000000005cbb06 <+6>: mov %rdi,%rbp
   0x00000000005cbb09 <+9>: push %rbx
   0x00000000005cbb0a <+10>: je 0x5cbb98 <rte_ring_free+152> // if the first argument is NULL, jump to +152 and return from the function
   0x00000000005cbb10 <+16>: mov 0x28(%rdi),%rdi // load the value of r->memzone
   0x00000000005cbb14 <+20>: test %rdi,%rdi
   0x00000000005cbb17 <+23>: je 0x5cbbb7 <rte_ring_free+183> // check whether r->memzone is NULL; if it is, jump to +183 and return
   0x00000000005cbb1d <+29>: callq 0x5b2290 <rte_memzone_free> // r->memzone is not NULL, so free r->memzone
   0x00000000005cbb22 <+34>: test %eax,%eax // if the free failed, jump to +157 and return
   0x00000000005cbb24 <+36>: jne 0x5cbb9d <rte_ring_free+157>
   0x00000000005cbb26 <+38>: mov 0x7db973(%rip),%r12 # 0xda74a0 <rte_ring_tailq> // get the rte_ring list
   0x00000000005cbb2d <+45>: callq 0x5b31e0 <rte_mcfg_tailq_write_lock>
   0x00000000005cbb32 <+50>: mov (%r12),%rbx //(var) = ((head)->tqh_first) // get the first node of the list
   0x00000000005cbb36 <+54>: test %rbx,%rbx // check whether this node is NULL
   0x00000000005cbb39 <+57>: jne 0x5cbb48 <rte_ring_free+72> // if it is not NULL, jump to +72 to check whether its data equals the node to delete
   0x00000000005cbb3b <+59>: jmp 0x5cbb80 <rte_ring_free+128> // if it is NULL, jump to +128, unlock and return
   0x00000000005cbb3d <+61>: nopl (%rax)
=> 0x00000000005cbb40 <+64>: mov (%rbx),%rbx // take the next node
   0x00000000005cbb43 <+67>: test %rbx,%rbx // check whether this node is NULL
   0x00000000005cbb46 <+70>: je 0x5cbb80 <rte_ring_free+128> // if it is NULL, jump to +128, unlock and return
   0x00000000005cbb48 <+72>: cmp %rbp,0x10(%rbx) //var = ring // does the data in the current node equal the node to delete?
   0x00000000005cbb4c <+76>: jne 0x5cbb40 <rte_ring_free+64> // if not equal, jump to +64 and take the next node
   0x00000000005cbb4e <+78>: mov (%rbx),%rax
   0x00000000005cbb51 <+81>: test %rax,%rax // check whether the current node is NULL, i.e. whether the list was walked to the end without finding a node equal to the one to delete. [Note: rax here is (%rbx), the matched node's next pointer; the +137 path stores the node's 0x8(%rbx) field into 0x8(%r12) and rejoins the unlink at +98, so this appears to be the last-element branch of the removal rather than a not-found exit.]
   0x00000000005cbb54 <+84>: je 0x5cbb89 <rte_ring_free+137> // if it is NULL, unlock and return; otherwise remove the node, unlock, free the memory, then return
   0x00000000005cbb56 <+86>: mov 0x8(%rbx),%rdx // here the data in the current node equals the node to delete; remove the node from the list
   0x00000000005cbb5a <+90>: mov %rdx,0x8(%rax)
   0x00000000005cbb5e <+94>: mov 0x8(%rbx),%rdx
   0x00000000005cbb62 <+98>: mov %rax,(%rdx)
   0x00000000005cbb65 <+101>: callq 0x5b3230 <rte_mcfg_tailq_write_unlock> // unlock
   0x00000000005cbb6a <+106>: mov %rbx,%rdi
   0x00000000005cbb6d <+109>: pop %rbx
   0x00000000005cbb6e <+110>: pop %rbp
   0x00000000005cbb6f <+111>: pop %r12
   0x00000000005cbb71 <+113>: jmpq 0x5c01b0 <rte_free> // free the memory and return
   0x00000000005cbb76 <+118>: nopw %cs:0x0(%rax,%rax,1)
   0x00000000005cbb80 <+128>: pop %rbx
   0x00000000005cbb81 <+129>: pop %rbp
   0x00000000005cbb82 <+130>: pop %r12
   0x00000000005cbb84 <+132>: jmpq 0x5b3230 <rte_mcfg_tailq_write_unlock>
   0x00000000005cbb89 <+137>: mov 0x8(%rbx),%rdx
   0x00000000005cbb8d <+141>: mov %rdx,0x8(%r12)
   0x00000000005cbb92 <+146>: jmp 0x5cbb62 <rte_ring_free+98>
   0x00000000005cbb94 <+148>: nopl 0x0(%rax)
   0x00000000005cbb98 <+152>: pop %rbx
   0x00000000005cbb99 <+153>: pop %rbp
   0x00000000005cbb9a <+154>: pop %r12
   0x00000000005cbb9c <+156>: retq
   0x00000000005cbb9d <+157>: mov $0xaecad3,%edx
   0x00000000005cbba2 <+162>: mov $0x2,%esi
   0x00000000005cbba7 <+167>: mov $0x4,%edi
   0x00000000005cbbac <+172>: pop %rbx
   0x00000000005cbbad <+173>: pop %rbp
   0x00000000005cbbae <+174>: pop %r12
   0x00000000005cbbb0 <+176>: xor %eax,%eax
   0x00000000005cbbb2 <+178>: jmpq 0x43ebc6 <rte_log>
   0x00000000005cbbb7 <+183>: mov $0xaeca60,%edx
   0x00000000005cbbbc <+188>: mov $0x2,%esi
   0x00000000005cbbc1 <+193>: mov $0x4,%dil
   0x00000000005cbbc4 <+196>: jmp 0x5cbbac <rte_ring_free+172>
(gdb) p/x *(long long *)0x1b2004840
$26 = 0x299a01480
(gdb) p/x *(long long *)0x299a01480
$27 = 0xf9d5e00
(gdb) p/x *(long long *)0xf9d5e00
$28 = 0x1b2004840

--
You are receiving this mail because:
You are the assignee for the bug.