From patchwork Tue Sep 12 07:42:17 2023
X-Patchwork-Submitter: Li Feng
X-Patchwork-Id: 131348
X-Patchwork-Delegate: maxime.coquelin@redhat.com
From: Li Feng
To: Maxime Coquelin, Chenbo Xia
Cc: dev@dpdk.org, Li Feng
Subject: [PATCH v3] vhost: avoid potential null pointer access
Date: Tue, 12 Sep 2023 15:42:17 +0800
Message-ID: <20230912074217.2480397-1-fengli@smartx.com>
X-Mailer: git-send-email 2.41.0
List-Id: DPDK patches and discussions

If the user calls rte_vhost_vring_call() on a ring that has been invalidated, we will encounter SEGV. We should check the pointer firstly before accessing it.

Signed-off-by: Li Feng
---
v2 -> v3:
- Also fix the rte_vhost_vring_call_nonblock.

v1 -> v2:
- Fix rebase error.

 lib/vhost/vhost.c | 14 ++++++++------
 lib/vhost/vhost.h | 12 ++++++++++--
 2 files changed, 18 insertions(+), 8 deletions(-)

-- 
2.41.0

diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c index eb6309b681..46f3391167 100644 --- a/lib/vhost/vhost.c +++ b/lib/vhost/vhost.c
@@ -1327,6 +1327,7 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx) { struct virtio_net *dev; struct vhost_virtqueue *vq; + int ret = 0; dev = get_device(vid); if (!dev) @@ -1342,13 +1343,13 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx) rte_rwlock_read_lock(&vq->access_lock); if (vq_is_packed(dev)) - vhost_vring_call_packed(dev, vq); + ret = vhost_vring_call_packed(dev, vq); else - vhost_vring_call_split(dev, vq); + ret = vhost_vring_call_split(dev, vq); rte_rwlock_read_unlock(&vq->access_lock); - return 0; + return ret; } int @@ -1356,6 +1357,7 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t vring_idx) { struct virtio_net *dev; struct vhost_virtqueue *vq; + int ret = 0; dev = get_device(vid); if (!dev) @@ -1372,13 +1374,13 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t vring_idx) return -EAGAIN; if (vq_is_packed(dev)) - vhost_vring_call_packed(dev, vq); + ret = vhost_vring_call_packed(dev, vq); else - vhost_vring_call_split(dev, vq); + ret = vhost_vring_call_split(dev, vq); rte_rwlock_read_unlock(&vq->access_lock); - return 0; + return ret; } uint16_t diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h index 9723429b1c..4c09c2ef0e 100644 --- a/lib/vhost/vhost.h +++ b/lib/vhost/vhost.h @@ -930,12 +930,15 @@ vhost_vring_inject_irq(struct virtio_net *dev, struct vhost_virtqueue *vq) dev->notify_ops->guest_notified(dev->vid); } -static __rte_always_inline void +static __rte_always_inline int vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq) { /* Flush used->idx update before we read avail->flags. */ rte_atomic_thread_fence(__ATOMIC_SEQ_CST); + if (!vq->avail || !vq->used) + return -1; + /* Don't kick guest if we don't reach index specified by guest. */ if (dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX)) { uint16_t old = vq->signalled_used; 
@@ -957,9 +960,10 @@ vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq) if (!(vq->avail->flags & VRING_AVAIL_F_NO_INTERRUPT)) vhost_vring_inject_irq(dev, vq); } + return 0; } -static __rte_always_inline void +static __rte_always_inline int vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) { uint16_t old, new, off, off_wrap; @@ -968,6 +972,9 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) /* Flush used desc update. */ rte_atomic_thread_fence(__ATOMIC_SEQ_CST); + if (!vq->driver_event) + return -1; + if (!(dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))) { if (vq->driver_event->flags != VRING_EVENT_F_DISABLE) @@ -1008,6 +1015,7 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq) kick: if (kick) vhost_vring_inject_irq(dev, vq); + return 0; } static __rte_always_inline void
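Review bot: in the rte_vhost_vring_call() and rte_vhost_vring_call_nonblock() hunks of lib/vhost/vhost.c, the new `ret` propagates a bare `-1` from vhost_vring_call_split()/vhost_vring_call_packed(), while the other failure path visible in the same function returns a negative errno (`return -EAGAIN;`). Returning a negative errno (for example -EINVAL) from the two inline helpers would give callers of the public API a single convention, and the new failure return should be documented: the diffstat lists only lib/vhost/vhost.c and lib/vhost/vhost.h, so the doc comments for these two public functions are not updated by this patch.

Review bot: in the vhost_vring_call_split() hunk the `if (!vq->avail || !vq->used)` check, and in the vhost_vring_call_packed() hunk the `if (!vq->driver_event)` check, are only safe against a concurrent invalidation because the two callers shown take `vq->access_lock` for reading first; since both helpers are `static __rte_always_inline` functions in vhost.h, any other caller has to meet the same precondition, so a one-line comment above each check stating that access_lock must be held would make that explicit. As a minor point, placing each NULL check before the preceding `rte_atomic_thread_fence(__ATOMIC_SEQ_CST);` lets the early-return path skip the full fence, which is only needed when the ring is actually read.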