From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 68FBD4262C;
	Mon, 25 Sep 2023 12:59:34 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id DFBCA40A79;
	Mon, 25 Sep 2023 12:59:33 +0200 (CEST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id 0C3C14064A
 for <dev@dpdk.org>; Mon, 25 Sep 2023 12:59:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1695639572;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=cYC9RTPdpxNbREnkB4FS6wdOpGf+7qJvE0ok1T9Zo6o=;
 b=ITfQsfor4+IB8Z2sAvVSt+eFLzerqX5m22MYEFksrYrg+QtdC/pf7+sBkzETPaBBr/rKFX
 k/atBRH/aLRj8h695+C4/1DoJZt6E7E8gWkQa4aT8+4GqA/M2mR5MORyduOv5634sVzirk
 fEXvBr1pNrq8tn6RFXhSk92mICFnZKs=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-364-_GvTXf0ROSiBoSNvs60eUw-1; Mon, 25 Sep 2023 06:59:31 -0400
X-MC-Unique: _GvTXf0ROSiBoSNvs60eUw-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9583F800962;
 Mon, 25 Sep 2023 10:59:30 +0000 (UTC)
Received: from [10.39.208.35] (unknown [10.39.208.35])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 85F122156A27;
 Mon, 25 Sep 2023 10:59:29 +0000 (UTC)
Message-ID: <a0d1717f-bf87-7eab-d0a7-94114c861d5a@redhat.com>
Date: Mon, 25 Sep 2023 12:59:28 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.13.0
Subject: Re: [PATCH v3] vhost: avoid potential null pointer access
To: =?UTF-8?Q?Morten_Br=c3=b8rup?= <mb@smartsharesystems.com>,
 Li Feng <fengli@smartx.com>, Chenbo Xia <chenbo.xia@intel.com>
Cc: dev@dpdk.org
References: <20230912074217.2480397-1-fengli@smartx.com>
 <7136f05c-023b-fda5-44ee-8a26b0c8e548@redhat.com>
 <98CBD80474FA8B44BF855DF32C47DC35D87C05@smartserver.smartshare.dk>
From: Maxime Coquelin <maxime.coquelin@redhat.com>
In-Reply-To: <98CBD80474FA8B44BF855DF32C47DC35D87C05@smartserver.smartshare.dk>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org



On 9/25/23 12:37, Morten Brørup wrote:
>> From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com]
>> Sent: Monday, 25 September 2023 10.15
>>
>> On 9/12/23 09:42, Li Feng wrote:
>>> If the user calls rte_vhost_vring_call() on a ring that has been
>>> invalidated, we will encounter SEGV.
>>>
>>> We should check the pointer firstly before accessing it.
>>>
>>> Signed-off-by: Li Feng <fengli@smartx.com>
>>> ---
>>> v2 -> v3:
>>> - Also fix the rte_vhost_vring_call_nonblock.
>>>
>>> v1 -> v2:
>>> - Fix rebase error.
>>>
>>>
>>>
>>>    lib/vhost/vhost.c | 14 ++++++++------
>>>    lib/vhost/vhost.h | 12 ++++++++++--
>>>    2 files changed, 18 insertions(+), 8 deletions(-)
>>
>>
>> Thanks for posting the fix, the segmentation fault may indeed happen
>> when injecting IRQ from the app directly using the Vhost API. It cannot
>> happen when vhost_vring_call() is calle directly from
>> rte_enqueue_burst/rte_dequeue_burst though.
>>
>> so I think below patch would be better:
>>
>> diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
>> index eb6309b681..733e0ab289 100644
>> --- a/lib/vhost/vhost.c
>> +++ b/lib/vhost/vhost.c
>> @@ -1341,6 +1341,9 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
>>
>>           rte_rwlock_read_lock(&vq->access_lock);
>>
>> +       if (unlikely(!vq->access_ok))
>> +               return -1;
> 
> Don't you need to release the lock before returning here?

Of course yes, I actually caught it after sending my reply, it is 
already fixed locally.

But thanks for the review, much appreciated!
Maxime

>> +
>>           if (vq_is_packed(dev))
>>                   vhost_vring_call_packed(dev, vq);
>>           else
>> @@ -1371,6 +1374,9 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t
>> vring_idx)
>>           if (rte_rwlock_read_trylock(&vq->access_lock))
>>                   return -EAGAIN;
>>
>> +       if (unlikely(!vq->access_ok))
>> +               return -1;
> 
> Don't you need to release the lock before returning here?
> 
>> +
>>           if (vq_is_packed(dev))
>>                   vhost_vring_call_packed(dev, vq);
>>           else
>>
>>
>> Do you confirm that fixes your issue?
>>
>> Thanks,
>> Maxime
>