From patchwork Wed Aug 30 09:02:24 2023
X-Patchwork-Submitter: Li Feng
X-Patchwork-Id: 130872
X-Patchwork-Delegate: maxime.coquelin@redhat.com
From: Li Feng
To: fengli@smartx.com
Cc: chenbo.xia@intel.com, dev@dpdk.org, maxime.coquelin@redhat.com
Subject: [PATCH v2] vhost: avoid potential null pointer access
Date: Wed, 30 Aug 2023 17:02:24 +0800
Message-ID: <20230830090224.761417-1-fengli@smartx.com>
X-Mailer: git-send-email 2.41.0
List-Id: DPDK patches and discussions

If the user calls rte_vhost_vring_call() on a ring that has been invalidated, we will encounter SEGV. We should check the pointer firstly before accessing it.

Signed-off-by: Li Feng
---
 lib/vhost/vhost.c | 7 ++++---
 lib/vhost/vhost.h | 12 ++++++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
index eb6309b681..3af0307cd6 100644
--- a/lib/vhost/vhost.c
+++ b/lib/vhost/vhost.c
@@ -1327,6 +1327,7 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx) { struct virtio_net *dev; struct vhost_virtqueue *vq; + int ret = 0; dev = get_device(vid); if (!dev) @@ -1342,13 +1343,13 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx) rte_rwlock_read_lock(&vq->access_lock); if (vq_is_packed(dev)) - vhost_vring_call_packed(dev, vq); + ret = vhost_vring_call_packed(dev, vq); else - vhost_vring_call_split(dev, vq); + ret = vhost_vring_call_split(dev, vq); rte_rwlock_read_unlock(&vq->access_lock); - return 0; + return ret; } int diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h index 9723429b1c..4c09c2ef0e 100644 --- a/lib/vhost/vhost.h +++ b/lib/vhost/vhost.h @@ -930,12 +930,15 @@ vhost_vring_inject_irq(struct virtio_net *dev, struct vhost_virtqueue *vq) dev->notify_ops->guest_notified(dev->vid); } -static __rte_always_inline void +static __rte_always_inline int vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq) { /* Flush used->idx update before we read avail->flags. */ rte_atomic_thread_fence(__ATOMIC_SEQ_CST); + if (!vq->avail || !vq->used) + return -1; + /* Don't kick guest if we don't reach index specified by guest. */ if (dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX)) { uint16_t old = vq->signalled_used; @@ -957,9 +960,10 @@ vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq) if (!(vq->avail->flags & VRING_AVAIL_F_NO_INTERRUPT)) vhost_vring_inject_irq(dev, vq); } + return 0; } -static __rte_always_inline void +static __rte_always_inline int vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) { uint16_t old, new, off, off_wrap; @@ -968,6 +972,9 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) /* Flush used desc update. */ rte_atomic_thread_fence(__ATOMIC_SEQ_CST); + if (!vq->driver_event) + return -1; + if (!(dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))) { if (vq->driver_event->flags != VRING_EVENT_F_DISABLE) 
@@ -1008,6 +1015,7 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) kick: if (kick) vhost_vring_inject_irq(dev, vq); + return 0; } static __rte_always_inline void
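Review bot: in the rte_vhost_vring_call() hunk (@@ -1342,13 +1343,13 @@) the public API now returns -1 when the ring has been invalidated, where it previously returned 0 unconditionally, but nothing in the series updates the doc comment for rte_vhost_vring_call() in rte_vhost.h; please document the new failure return so callers know to handle it. Since the helper call already sits between `rte_rwlock_read_lock(&vq->access_lock);` and `rte_rwlock_read_unlock(&vq->access_lock);`, this function is also the natural place to perform the "is the vring still mapped" check once, under the lock, rather than adding a branch to the two `__rte_always_inline` helpers, which are the variants used on the data path.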
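Review bot: in the vhost_vring_call_split() hunk (@@ -930,12 +930,15 @@) the new `if (!vq->avail || !vq->used) return -1;` is placed after `rte_atomic_thread_fence(__ATOMIC_SEQ_CST);`, so the full fence is paid even on the early-return path; the check only reads the pointer fields, not guest memory, so it can move above the fence without changing the ordering the fence comment describes. A one-line comment stating that NULL avail/used means the vring has been invalidated would also make the -1 self-explanatory, and the function gained a non-void return without any comment on its convention.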
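Review bot: in the vhost_vring_call_packed() hunk (@@ -968,6 +972,9 @@) only `vq->driver_event` is guarded, while the split variant guards both `vq->avail` and `vq->used`; the visible `vq->driver_event->flags` dereference is covered, but please state in the commit message (or confirm here) that driver_event is the only vring pointer this function touches after invalidation, otherwise the asymmetry between the two helpers reads as an oversight.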