Subject: Re: [PATCH] vhost: avoid potential null pointer access
From: Li Feng
Date: Wed, 30 Aug 2023 16:57:17 +0800
To: Maxime Coquelin, Chenbo Xia
Cc: dev@dpdk.org
In-Reply-To: <20230830084708.754084-1-fengli@smartx.com>
References: <20230830084708.754084-1-fengli@smartx.com>
List-Id: DPDK patches and discussions

Sorry, ignore this patch; there is a rebase error. I will fix it in V2.

> On 30 Aug 2023, at 4:47 PM, Li Feng wrote:
>
> If the user calls rte_vhost_vring_call() on a ring that has been
> invalidated, we will encounter SEGV.
>
> We should check the pointer firstly before accessing it.
>
> Signed-off-by: Li Feng
> ---
> lib/vhost/vhost.c | 7 ++++---
> lib/vhost/vhost.h | 12 ++++++++++--
> 2 files changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
> index eb6309b681..3af0307cd6 100644
> --- a/lib/vhost/vhost.c
> +++ b/lib/vhost/vhost.c
> @@ -1327,6 +1327,7 @@ rte_vhost_vring_call(int vid, uint16_t = vring_idx) > { > struct virtio_net *dev; > struct vhost_virtqueue *vq; > + int ret =3D 0; >=20 > dev =3D get_device(vid); > if (!dev) > @@ -1342,13 +1343,13 @@ rte_vhost_vring_call(int vid, uint16_t = vring_idx) > rte_rwlock_read_lock(&vq->access_lock); >=20 > if (vq_is_packed(dev)) > - vhost_vring_call_packed(dev, vq); > + ret =3D vhost_vring_call_packed(dev, vq); > else > - vhost_vring_call_split(dev, vq); > + ret =3D vhost_vring_call_split(dev, vq); >=20 > rte_rwlock_read_unlock(&vq->access_lock); >=20 > - return 0; > + return ret; > } >=20 > int > diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h > index 9723429b1c..f38e6d16c9 100644 > --- a/lib/vhost/vhost.h > +++ b/lib/vhost/vhost.h > @@ -930,7 +930,7 @@ vhost_vring_inject_irq(struct virtio_net *dev, = struct vhost_virtqueue *vq) > dev->notify_ops->guest_notified(dev->vid); > } >=20 > -static __rte_always_inline void > +static __rte_always_inline int > vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue = *vq) > { > /* Flush used->idx update before we read avail->flags. */ > @@ -953,13 +953,17 @@ vhost_vring_call_split(struct virtio_net *dev, = struct vhost_virtqueue *vq) > unlikely(!signalled_used_valid)) > vhost_vring_inject_irq(dev, vq); > } else { > + if (!vq->avail) > + return -1; > + > /* Kick the guest if necessary. */ > if (!(vq->avail->flags & VRING_AVAIL_F_NO_INTERRUPT)) > vhost_vring_inject_irq(dev, vq); > } > + return 0; > } >=20 > -static __rte_always_inline void > +static __rte_always_inline int > vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue = *vq) > { > uint16_t old, new, off, off_wrap; 
> @@ -968,6 +972,9 @@ vhost_vring_call_packed(struct virtio_net *dev, = struct vhost_virtqueue *vq) > /* Flush used desc update. */ > rte_atomic_thread_fence(__ATOMIC_SEQ_CST); >=20 > + if (!vq->driver_event) > + return -1; > + > if (!(dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))) { > if (vq->driver_event->flags !=3D > VRING_EVENT_F_DISABLE) > @@ -1030,6 +1037,7 @@ restore_mbuf(struct rte_mbuf *m) > rte_mbuf_iova_set(m, rte_mempool_virt2iova(m) + = mbuf_size); > m =3D m->next; > } > + return 0; > } >=20 > static __rte_always_inline bool > --=20 > 2.41.0 >=20
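Review bot: in the second vhost.c hunk (`@@ -1342,13 +1343,13 @@`), rte_vhost_vring_call() is a public API whose contract changes from always returning 0 to propagating the -1 produced by the inline helpers, yet the diffstat touches only lib/vhost/vhost.c and lib/vhost/vhost.h, so the header that documents the function's return value for callers should gain a line describing the new error case. Locking stays balanced: the early `return -1` happens inside the helpers, and `rte_rwlock_read_unlock(&vq->access_lock)` on the following line is still reached before `return ret`.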
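Review bot: in the `@@ -953,13 +953,17 @@` hunk, the new `if (!vq->avail) return -1;` sits inside the `else` branch only, so the event-index branch above it (the one ending in `unlikely(!signalled_used_valid)`) is not covered; if that branch also reads through `vq->avail`, hoist the check above the `if` so both paths bail out before dereferencing. The guard is also only reliable if the code that invalidates the ring clears `vq->avail` while holding the write side of `vq->access_lock`; otherwise the pointer can become NULL between the test and the `vq->avail->flags` read two lines below it.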
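Review bot: in the `@@ -968,6 +972,9 @@` hunk, the `if (!vq->driver_event) return -1;` is placed after `rte_atomic_thread_fence(__ATOMIC_SEQ_CST)`, so the full fence is paid even on the error path; moving the check above the fence is a small tidy-up, and it reads more naturally next to the `/* Flush used desc update. */` comment, which then applies only to the path that actually touches the ring.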
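Review bot: the `return 0;` in the last hunk (`@@ -1030,6 +1037,7 @@ restore_mbuf(struct rte_mbuf *m)`) lands at the end of restore_mbuf(), whose body above it walks an mbuf chain with `rte_mbuf_iova_set()`, not at the end of vhost_vring_call_packed(), which the earlier hunk changed to return int. As posted, vhost_vring_call_packed() has no return on its success path and restore_mbuf() gets a `return 0;` it cannot use if its return type is void. This matches the rebase error acknowledged at the top of the reply; the line belongs after the packed function's final `if`/`else` block, mirroring the `return 0;` added to vhost_vring_call_split().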