[v2,2/5] vhost: fix virtqueue access check in VDUSE setup
Commit Message
vring_translate and vring_invalidate change the vq access_ok field.
The access_ok field should only be updated under a (write) lock.
Fixes: a9120db8b98b ("vhost: add VDUSE device startup")
Fixes: ad67c65efda1 ("vhost: add VDUSE device stop")
Cc: stable@dpdk.org
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
---
Changes since v1:
- moved fix out of patch 3,
---
lib/vhost/vduse.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On 12/5/23 10:45, David Marchand wrote:
> vring_translate and vring_invalidate change the vq access_ok field.
> The access_ok field should only be updated under a (write) lock.
>
> Fixes: a9120db8b98b ("vhost: add VDUSE device startup")
> Fixes: ad67c65efda1 ("vhost: add VDUSE device stop")
> Cc: stable@dpdk.org
>
> Signed-off-by: David Marchand <david.marchand@redhat.com>
> Acked-by: Eelco Chaudron <echaudro@redhat.com>
> ---
> Changes since v1:
> - moved fix out of patch 3,
>
> ---
> lib/vhost/vduse.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Thanks,
Maxime
@@ -196,6 +196,7 @@ vduse_vring_setup(struct virtio_net *dev, unsigned int index)
vq->size * sizeof(struct batch_copy_elem),
RTE_CACHE_LINE_SIZE, 0);
+ rte_rwlock_write_lock(&vq->access_lock);
vhost_user_iotlb_rd_lock(vq);
if (vring_translate(dev, vq))
VHOST_LOG_CONFIG(dev->ifname, ERR, "Failed to translate vring %d addresses\n",
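Review bot: the new rte_rwlock_write_lock(&vq->access_lock) in vduse_vring_setup() is taken before vhost_user_iotlb_rd_lock(vq), which fixes a nesting order between the two locks without documenting it. A short comment stating that access_lock is the outer lock, and that vring_translate() must be called with it held for writing because it updates access_ok, would keep later callers from nesting them the other way round. Please also confirm that every other path taking both locks uses the same order.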
@@ -206,6 +207,7 @@ vduse_vring_setup(struct virtio_net *dev, unsigned int index)
"Failed to disable guest notifications on vring %d\n",
index);
vhost_user_iotlb_rd_unlock(vq);
+ rte_rwlock_write_unlock(&vq->access_lock);
vq_efd.index = index;
vq_efd.fd = vq->kickfd;
@@ -259,7 +261,9 @@ vduse_vring_cleanup(struct virtio_net *dev, unsigned int index)
close(vq->kickfd);
vq->kickfd = VIRTIO_UNINITIALIZED_EVENTFD;
+ rte_rwlock_write_lock(&vq->access_lock);
vring_invalidate(dev, vq);
+ rte_rwlock_write_unlock(&vq->access_lock);
rte_free(vq->batch_copy_elems);
vq->batch_copy_elems = NULL;
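Review bot: in vduse_vring_cleanup() the write lock covers only vring_invalidate(dev, vq), while rte_free(vq->batch_copy_elems) and the NULL assignment that follow run after rte_rwlock_write_unlock(). If any code holding access_lock can still reach batch_copy_elems at this point, the free and the reset should move inside the critical section. If that cannot happen, a sentence in the commit message explaining why only the access_ok update needs the lock here would settle the question.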