From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id D7073A034C
	for <public@inbox.dpdk.org>; Mon, 28 Mar 2022 09:04:55 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id D093741141;
	Mon, 28 Mar 2022 09:04:55 +0200 (CEST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by mails.dpdk.org (Postfix) with ESMTP id C484C4285A
 for <stable@dpdk.org>; Mon, 28 Mar 2022 09:04:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1648451094;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=5wuEpWgEzWEjYuCvoEtqzGZa5Bq/xIlcL+DdWFCNYDU=;
 b=BP3AFerWR76fVBGEPezEqvZLeHlug5SHac8mxTZP7bPfi2obI5Hk3oiOsTz8hyJB0a85PH
 828ySlj9jQV+4SWyKSR+wc8gEtjeVeq81Ma2ICyX/C63zZjxBWPdoaGRFl8KdAq8cYnIgc
 6jx+zF7bON1Ao8kJ5x843uorNZbiVrw=
Received: from mail-lj1-f197.google.com (mail-lj1-f197.google.com
 [209.85.208.197]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-91-Kuso8o6nP_CiX714CzLvWw-1; Mon, 28 Mar 2022 03:04:52 -0400
X-MC-Unique: Kuso8o6nP_CiX714CzLvWw-1
Received: by mail-lj1-f197.google.com with SMTP id
 h4-20020a2ea484000000b002480c04898aso5571182lji.6
 for <stable@dpdk.org>; Mon, 28 Mar 2022 00:04:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=5wuEpWgEzWEjYuCvoEtqzGZa5Bq/xIlcL+DdWFCNYDU=;
 b=TZahTf1MC+NG1V2r/pt1e00v4iv8Ht5i3qCr9UK4D7D/rCGzMvuM1WM1gs3EPvDjJX
 /X330hn966X8Iz2zgmX/masC6O32P0+pXDPdjoYg40hQkdP8Ww1feSB2PP+UgDXD0L4o
 bX15aTBSbe1Jb68sScBn9IciuTLTu8uMcFZNDrO0F0BJ5s3QJZl1PJifXoD1TgGEXnan
 79Vnjdb8FG7OAjIwkYBnAsSbGfCDWbvpphcpxalfYwJrKL6UMBa0iuv0p5DQFmvA4z5A
 SvCWPoUPvwxFIFbD+LgBcs3/yW2/hKnHOng5HCgRrciUQQG8rfPo4R2O0LMBbJZpThsv
 yvwA==
X-Gm-Message-State: AOAM532mvbchXBELo1+59lHS51LPwyVdaTKkyd5nz+TXMnpJGQ53gakm
 LiPsAWTAyL4Qwsc1GFVNJy8+C9ph+cJgr3yThJeuUSdRdfvGeB5ahUCwZDj48IEtI3GG3f9vTV7
 1+JJneEF963UsWJtlK+LW+L8=
X-Received: by 2002:a05:651c:201e:b0:24a:c0b6:31a4 with SMTP id
 s30-20020a05651c201e00b0024ac0b631a4mr10809584ljo.159.1648451091498; 
 Mon, 28 Mar 2022 00:04:51 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzvjtMqouJRuHWQElDbHBDrf66L2gfTlcHCkklx1yN3QRIYUGkVyz9G1FtI4WZB0mJgC+LJA5ZhxwLwwb8Dxx4=
X-Received: by 2002:a05:651c:201e:b0:24a:c0b6:31a4 with SMTP id
 s30-20020a05651c201e00b0024ac0b631a4mr10809568ljo.159.1648451091277; Mon, 28
 Mar 2022 00:04:51 -0700 (PDT)
MIME-Version: 1.0
References: <20220328020754.1155063-1-jiayu.hu@intel.com>
In-Reply-To: <20220328020754.1155063-1-jiayu.hu@intel.com>
From: David Marchand <david.marchand@redhat.com>
Date: Mon, 28 Mar 2022 09:04:39 +0200
Message-ID: <CAJFAV8yArKnhJb8cg2=-rhUN4g8hofUS7kQXkdt_aCvnbuPt+w@mail.gmail.com>
Subject: Re: [PATCH] vhost: fix null pointer dereference
To: Jiayu Hu <jiayu.hu@intel.com>
Cc: dev <dev@dpdk.org>, Maxime Coquelin <maxime.coquelin@redhat.com>, 
 dpdk stable <stable@dpdk.org>
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dmarchan@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

On Mon, Mar 28, 2022 at 4:08 AM Jiayu Hu <jiayu.hu@intel.com> wrote:
>
> NULL check for vq->async must be protected by lock. Otherwise, it is
> possible that the data plane thread dereferences vq->async with NULL
> value, since the control plane thread is freeing vq->async.
>
> Fixes: ee8024b3d4ad (vhost: move async data in dedicated structure)
> Cc: stable@dpdk.org
>
> Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
> ---
>  lib/vhost/vhost.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
> index bc88148347..7f60c2824f 100644
> --- a/lib/vhost/vhost.c
> +++ b/lib/vhost/vhost.c
> @@ -1887,9 +1887,6 @@ rte_vhost_async_get_inflight(int vid, uint16_t queue_id)
>         if (vq == NULL)
>                 return ret;
>
> -       if (!vq->async)
> -               return ret;
> -
>         if (!rte_spinlock_trylock(&vq->access_lock)) {
>                 VHOST_LOG_CONFIG(DEBUG,
>                         "(%s) failed to check in-flight packets. virtqueue busy.\n",
> @@ -1897,6 +1894,9 @@ rte_vhost_async_get_inflight(int vid, uint16_t queue_id)
>                 return ret;
>         }
>
> +       if (!vq->async)
> +               return ret;

Lock is still taken at this point.

FYI, I'll post a series to instrument locks in vhost, soon.

> +
>         ret = vq->async->pkts_inflight_n;
>         rte_spinlock_unlock(&vq->access_lock);
>


-- 
David Marchand