From: Wenwu Ma
To: maxime.coquelin@redhat.com, chenbo.xia@intel.com, stable@dpdk.org
Cc: jiayu.hu@intel.com, yinan.wang@intel.com, xingguang.he@intel.com, Wenwu Ma
Subject: [PATCH] net/vhost: fix null pointer dereference
Date: Fri, 5 Aug 2022 10:21:27 +0800
Message-Id: <20220805022127.757324-1-wenwux.ma@intel.com>
List-Id: patches for DPDK stable branches

Because the async member of the vhost_virtqueue struct can be freed in the control path, it should be protected by a spinlock in the data path; otherwise it may cause a null pointer dereference in the following vhost_poll_enqueue_completed().

Fixes: b737fd613969 ("vhost: add unsafe async API to clear packets")
Signed-off-by: Wenwu Ma

--- lib/vhost/virtio_net.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c index eed43658cf..858187d1b0 100644 --- a/lib/vhost/virtio_net.c +++ b/lib/vhost/virtio_net.c @@ -1911,16 +1911,22 @@ rte_vhost_poll_enqueue_completed(int vid, uint16_t queue_id, vq = dev->virtqueue[queue_id]; + if (!rte_spinlock_trylock(&vq->access_lock)) { + VHOST_LOG_DATA(DEBUG, + "%s: virtqueue %u is busy.\n", + __func__, queue_id); + return 0; + } + if (unlikely(!vq->async)) { VHOST_LOG_DATA(ERR, "(%d) %s: async not registered for queue id %d.\n", dev->vid, __func__, queue_id); - return 0; + goto out; } - rte_spinlock_lock(&vq->access_lock); - n_pkts_cpl = vhost_poll_enqueue_completed(dev, queue_id, pkts, count); +out: rte_spinlock_unlock(&vq->access_lock); return n_pkts_cpl; -- 2.25.1
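Review bot: The new `goto out` in the `!vq->async` branch returns `n_pkts_cpl` on a path where this hunk never assigns it, while the old code returned a literal 0 there; the declaration is outside the visible context, so please confirm it is initialized to 0, or set it explicitly before the jump. Separately, replacing `rte_spinlock_lock()` with `rte_spinlock_trylock()` at the top of the hunk changes the function from waiting for the lock to returning 0 whenever the queue is contended, which a caller cannot tell apart from "no completed packets". The commit message only explains why the `vq->async` check has to sit under `access_lock`, so it should also state this behaviour change and why try-lock was preferred over simply taking the lock before the check.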