From patchwork Wed Aug 30 08:47:08 2023
X-Patchwork-Submitter: Li Feng
X-Patchwork-Id: 130870
X-Patchwork-Delegate: maxime.coquelin@redhat.com
From: Li Feng
To: Maxime Coquelin, Chenbo Xia
Cc: dev@dpdk.org, Li Feng
Subject: [PATCH] vhost: avoid potential null pointer access
Date: Wed, 30 Aug 2023 16:47:08 +0800
Message-ID: <20230830084708.754084-1-fengli@smartx.com>
X-Mailer: git-send-email 2.41.0
List-Id: DPDK patches and discussions

If the user calls rte_vhost_vring_call() on a ring that has been
invalidated, we will encounter SEGV. We should check the pointer first
before accessing it.

Signed-off-by: Li Feng
---
 lib/vhost/vhost.c |  7 ++++---
 lib/vhost/vhost.h | 12 ++++++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
index eb6309b681..3af0307cd6 100644
--- a/lib/vhost/vhost.c
+++ b/lib/vhost/vhost.c
@@ -1327,6 +1327,7 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx) { struct virtio_net *dev; struct vhost_virtqueue *vq; + int ret = 0; dev = get_device(vid); if (!dev) @@ -1342,13 +1343,13 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx) rte_rwlock_read_lock(&vq->access_lock); if (vq_is_packed(dev)) - vhost_vring_call_packed(dev, vq); + ret = vhost_vring_call_packed(dev, vq); else - vhost_vring_call_split(dev, vq); + ret = vhost_vring_call_split(dev, vq); rte_rwlock_read_unlock(&vq->access_lock); - return 0; + return ret; } int diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h index 9723429b1c..f38e6d16c9 100644 --- a/lib/vhost/vhost.h +++ b/lib/vhost/vhost.h @@ -930,7 +930,7 @@ vhost_vring_inject_irq(struct virtio_net *dev, struct vhost_virtqueue *vq) dev->notify_ops->guest_notified(dev->vid); } -static __rte_always_inline void +static __rte_always_inline int vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq) { /* Flush used->idx update before we read avail->flags. */ @@ -953,13 +953,17 @@ vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq) unlikely(!signalled_used_valid)) vhost_vring_inject_irq(dev, vq); } else { + if (!vq->avail) + return -1; + /* Kick the guest if necessary. */ if (!(vq->avail->flags & VRING_AVAIL_F_NO_INTERRUPT)) vhost_vring_inject_irq(dev, vq); } + return 0; } -static __rte_always_inline void +static __rte_always_inline int vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) { uint16_t old, new, off, off_wrap; @@ -968,6 +972,9 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) /* Flush used desc update. */ rte_atomic_thread_fence(__ATOMIC_SEQ_CST); + if (!vq->driver_event) + return -1; + if (!(dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))) { if (vq->driver_event->flags != VRING_EVENT_F_DISABLE) 
@@ -1030,6 +1037,7 @@ restore_mbuf(struct rte_mbuf *m) rte_mbuf_iova_set(m, rte_mempool_virt2iova(m) + mbuf_size); m = m->next; } + return 0; } static __rte_always_inline bool
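Review bot: in the last vhost.h hunk (@@ -1030,6 +1037,7 @@) the added `+ return 0;` lands at the end of restore_mbuf(), whose surrounding context (`rte_mbuf_iova_set(...)`, `m = m->next;`) shows it is still a void function, so this will not compile cleanly; meanwhile vhost_vring_call_packed(), which this series changes to return int in the @@ -953 hunk, gets no `return 0;` on its normal path after the kick, so the caller's `ret` is undefined whenever the driver_event check passes. Move the `return 0;` from restore_mbuf() to the closing of vhost_vring_call_packed().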
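Review bot: in the vhost.h hunk at @@ -953,13 +953,17 @@ the new `if (!vq->avail) return -1;` is placed inside the else branch only, so the VIRTIO_RING_F_EVENT_IDX branch visible just above it (`unlikely(!signalled_used_valid)) vhost_vring_inject_irq(dev, vq);`) still runs against an invalidated ring without the guard. Hoist the check above the if/else, right after the fence, which is where the packed variant in the @@ -968 hunk puts its `if (!vq->driver_event) return -1;`, so both split paths bail out consistently.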
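Review bot: the vhost.c hunk at @@ -1342,13 +1343,13 @@ turns `return 0;` into `return ret;`, so rte_vhost_vring_call() now reports -1 in a case it previously never did (ring invalidated while the caller holds a valid vid and index). That new failure condition should be documented in the public function's doc comment alongside the existing error cases, and the commit message should state the -1 return so that callers that currently ignore the return value know to check it.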