From: David Marchand
Date: Mon, 28 Mar 2022 09:04:39 +0200
Subject: Re: [PATCH] vhost: fix null pointer dereference
To: Jiayu Hu
Cc: dev, Maxime Coquelin, dpdk stable
In-Reply-To: <20220328020754.1155063-1-jiayu.hu@intel.com>

On Mon, Mar 28, 2022 at 4:08 AM Jiayu Hu wrote:
>
> NULL check for vq->async must be protected by lock. Otherwise, it is
> possible that the data plane thread dereferences vq->async with NULL
> value, since the control plane thread is freeing vq->async.
>
> Fixes: ee8024b3d4ad (vhost: move async data in dedicated structure)
> Cc: stable@dpdk.org
>
> Signed-off-by: Jiayu Hu
> ---
> lib/vhost/vhost.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
> > diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c > index bc88148347..7f60c2824f 100644 > --- a/lib/vhost/vhost.c > +++ b/lib/vhost/vhost.c > @@ -1887,9 +1887,6 @@ rte_vhost_async_get_inflight(int vid, uint16_t queue_id) > if (vq == NULL) > return ret; > > - if (!vq->async) > - return ret; > - > if (!rte_spinlock_trylock(&vq->access_lock)) { > VHOST_LOG_CONFIG(DEBUG, > "(%s) failed to check in-flight packets. virtqueue busy.\n", > @@ -1897,6 +1894,9 @@ rte_vhost_async_get_inflight(int vid, uint16_t queue_id) > return ret; > } > > + if (!vq->async) > + return ret; Lock is still taken at this point. FYI, I'll post a series to instrument locks in vhost, soon. > + > ret = vq->async->pkts_inflight_n; > rte_spinlock_unlock(&vq->access_lock); > -- David Marchand
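
Review bot: the relocated check in the second hunk, `if (!vq->async) return ret;`, now sits after the successful `rte_spinlock_trylock(&vq->access_lock)`, so when `vq->async` is NULL the function returns with `access_lock` still held, and every later attempt to take this virtqueue's lock will spin or fail its trylock. Release the lock on that path, for example by making the read conditional (`if (vq->async) ret = vq->async->pkts_inflight_n;`) and falling through to the existing `rte_spinlock_unlock(&vq->access_lock);`, so that both cases share a single unlock.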