[v3] vhost: avoid potential null pointer access
Checks
Commit Message
If the user calls rte_vhost_vring_call() on a ring that has been
invalidated, we will encounter SEGV.
We should check the pointer firstly before accessing it.
Signed-off-by: Li Feng <fengli@smartx.com>
---
v2 -> v3:
- Also fix the rte_vhost_vring_call_nonblock.
v1 -> v2:
- Fix rebase error.
lib/vhost/vhost.c | 14 ++++++++------
lib/vhost/vhost.h | 12 ++++++++++--
2 files changed, 18 insertions(+), 8 deletions(-)
--
2.41.0
Comments
On 9/12/23 09:42, Li Feng wrote:
> If the user calls rte_vhost_vring_call() on a ring that has been
> invalidated, we will encounter SEGV.
>
> We should check the pointer firstly before accessing it.
>
> Signed-off-by: Li Feng <fengli@smartx.com>
> ---
> v2 -> v3:
> - Also fix the rte_vhost_vring_call_nonblock.
>
> v1 -> v2:
> - Fix rebase error.
>
>
>
> lib/vhost/vhost.c | 14 ++++++++------
> lib/vhost/vhost.h | 12 ++++++++++--
> 2 files changed, 18 insertions(+), 8 deletions(-)
Thanks for posting the fix, the segmentation fault may indeed happen
when injecting IRQ from the app directly using the Vhost API. It cannot
happen when vhost_vring_call() is calle directly from
rte_enqueue_burst/rte_dequeue_burst though.
so I think below patch would be better:
diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
index eb6309b681..733e0ab289 100644
--- a/lib/vhost/vhost.c
+++ b/lib/vhost/vhost.c
@@ -1341,6 +1341,9 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
rte_rwlock_read_lock(&vq->access_lock);
+ if (unlikely(!vq->access_ok))
+ return -1;
+
if (vq_is_packed(dev))
vhost_vring_call_packed(dev, vq);
else
@@ -1371,6 +1374,9 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t
vring_idx)
if (rte_rwlock_read_trylock(&vq->access_lock))
return -EAGAIN;
+ if (unlikely(!vq->access_ok))
+ return -1;
+
if (vq_is_packed(dev))
vhost_vring_call_packed(dev, vq);
else
Do you confirm that fixes your issue?
Thanks,
Maxime
On 9/25/23 10:15, Maxime Coquelin wrote:
>
>
> On 9/12/23 09:42, Li Feng wrote:
>> If the user calls rte_vhost_vring_call() on a ring that has been
>> invalidated, we will encounter SEGV.
>>
>> We should check the pointer firstly before accessing it.
>>
>> Signed-off-by: Li Feng <fengli@smartx.com>
>> ---
>> v2 -> v3:
>> - Also fix the rte_vhost_vring_call_nonblock.
>>
>> v1 -> v2:
>> - Fix rebase error.
>>
>>
>>
>> lib/vhost/vhost.c | 14 ++++++++------
>> lib/vhost/vhost.h | 12 ++++++++++--
>> 2 files changed, 18 insertions(+), 8 deletions(-)
>
>
> Thanks for posting the fix, the segmentation fault may indeed happen
> when injecting IRQ from the app directly using the Vhost API. It cannot
> happen when vhost_vring_call() is calle directly from
> rte_enqueue_burst/rte_dequeue_burst though.
>
> so I think below patch would be better:
>
> diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
> index eb6309b681..733e0ab289 100644
> --- a/lib/vhost/vhost.c
> +++ b/lib/vhost/vhost.c
> @@ -1341,6 +1341,9 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
>
> rte_rwlock_read_lock(&vq->access_lock);
>
> + if (unlikely(!vq->access_ok))
> + return -1;
> +
> if (vq_is_packed(dev))
> vhost_vring_call_packed(dev, vq);
> else
> @@ -1371,6 +1374,9 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t
> vring_idx)
> if (rte_rwlock_read_trylock(&vq->access_lock))
> return -EAGAIN;
>
> + if (unlikely(!vq->access_ok))
> + return -1;
> +
> if (vq_is_packed(dev))
> vhost_vring_call_packed(dev, vq);
> else
>
>
> Do you confirm that fixes your issue?
As pointed out by David off-list, there are other places where we need
to add this check. I will prepare a patch fixing them all.
Thanks,
Maxime
> Thanks,
> Maxime
> From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com]
> Sent: Monday, 25 September 2023 10.15
>
> On 9/12/23 09:42, Li Feng wrote:
> > If the user calls rte_vhost_vring_call() on a ring that has been
> > invalidated, we will encounter SEGV.
> >
> > We should check the pointer firstly before accessing it.
> >
> > Signed-off-by: Li Feng <fengli@smartx.com>
> > ---
> > v2 -> v3:
> > - Also fix the rte_vhost_vring_call_nonblock.
> >
> > v1 -> v2:
> > - Fix rebase error.
> >
> >
> >
> > lib/vhost/vhost.c | 14 ++++++++------
> > lib/vhost/vhost.h | 12 ++++++++++--
> > 2 files changed, 18 insertions(+), 8 deletions(-)
>
>
> Thanks for posting the fix, the segmentation fault may indeed happen
> when injecting IRQ from the app directly using the Vhost API. It cannot
> happen when vhost_vring_call() is calle directly from
> rte_enqueue_burst/rte_dequeue_burst though.
>
> so I think below patch would be better:
>
> diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
> index eb6309b681..733e0ab289 100644
> --- a/lib/vhost/vhost.c
> +++ b/lib/vhost/vhost.c
> @@ -1341,6 +1341,9 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
>
> rte_rwlock_read_lock(&vq->access_lock);
>
> + if (unlikely(!vq->access_ok))
> + return -1;
Don't you need to release the lock before returning here?
> +
> if (vq_is_packed(dev))
> vhost_vring_call_packed(dev, vq);
> else
> @@ -1371,6 +1374,9 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t
> vring_idx)
> if (rte_rwlock_read_trylock(&vq->access_lock))
> return -EAGAIN;
>
> + if (unlikely(!vq->access_ok))
> + return -1;
Don't you need to release the lock before returning here?
> +
> if (vq_is_packed(dev))
> vhost_vring_call_packed(dev, vq);
> else
>
>
> Do you confirm that fixes your issue?
>
> Thanks,
> Maxime
On 9/25/23 12:37, Morten Brørup wrote:
>> From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com]
>> Sent: Monday, 25 September 2023 10.15
>>
>> On 9/12/23 09:42, Li Feng wrote:
>>> If the user calls rte_vhost_vring_call() on a ring that has been
>>> invalidated, we will encounter SEGV.
>>>
>>> We should check the pointer firstly before accessing it.
>>>
>>> Signed-off-by: Li Feng <fengli@smartx.com>
>>> ---
>>> v2 -> v3:
>>> - Also fix the rte_vhost_vring_call_nonblock.
>>>
>>> v1 -> v2:
>>> - Fix rebase error.
>>>
>>>
>>>
>>> lib/vhost/vhost.c | 14 ++++++++------
>>> lib/vhost/vhost.h | 12 ++++++++++--
>>> 2 files changed, 18 insertions(+), 8 deletions(-)
>>
>>
>> Thanks for posting the fix, the segmentation fault may indeed happen
>> when injecting IRQ from the app directly using the Vhost API. It cannot
>> happen when vhost_vring_call() is calle directly from
>> rte_enqueue_burst/rte_dequeue_burst though.
>>
>> so I think below patch would be better:
>>
>> diff --git a/lib/vhost/vhost.c b/lib/vhost/vhost.c
>> index eb6309b681..733e0ab289 100644
>> --- a/lib/vhost/vhost.c
>> +++ b/lib/vhost/vhost.c
>> @@ -1341,6 +1341,9 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
>>
>> rte_rwlock_read_lock(&vq->access_lock);
>>
>> + if (unlikely(!vq->access_ok))
>> + return -1;
>
> Don't you need to release the lock before returning here?
Of course yes, I actually caught it after sending my reply, it is
already fixed locally.
But thanks for the review, much appreciated!
Maxime
>> +
>> if (vq_is_packed(dev))
>> vhost_vring_call_packed(dev, vq);
>> else
>> @@ -1371,6 +1374,9 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t
>> vring_idx)
>> if (rte_rwlock_read_trylock(&vq->access_lock))
>> return -EAGAIN;
>>
>> + if (unlikely(!vq->access_ok))
>> + return -1;
>
> Don't you need to release the lock before returning here?
>
>> +
>> if (vq_is_packed(dev))
>> vhost_vring_call_packed(dev, vq);
>> else
>>
>>
>> Do you confirm that fixes your issue?
>>
>> Thanks,
>> Maxime
>
@@ -1327,6 +1327,7 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
{
struct virtio_net *dev;
struct vhost_virtqueue *vq;
+ int ret = 0;
dev = get_device(vid);
if (!dev)
@@ -1342,13 +1343,13 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
rte_rwlock_read_lock(&vq->access_lock);
if (vq_is_packed(dev))
- vhost_vring_call_packed(dev, vq);
+ ret = vhost_vring_call_packed(dev, vq);
else
- vhost_vring_call_split(dev, vq);
+ ret = vhost_vring_call_split(dev, vq);
rte_rwlock_read_unlock(&vq->access_lock);
- return 0;
+ return ret;
}
int
@@ -1356,6 +1357,7 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t vring_idx)
{
struct virtio_net *dev;
struct vhost_virtqueue *vq;
+ int ret = 0;
dev = get_device(vid);
if (!dev)
@@ -1372,13 +1374,13 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t vring_idx)
return -EAGAIN;
if (vq_is_packed(dev))
- vhost_vring_call_packed(dev, vq);
+ ret = vhost_vring_call_packed(dev, vq);
else
- vhost_vring_call_split(dev, vq);
+ ret = vhost_vring_call_split(dev, vq);
rte_rwlock_read_unlock(&vq->access_lock);
- return 0;
+ return ret;
}
uint16_t
@@ -930,12 +930,15 @@ vhost_vring_inject_irq(struct virtio_net *dev, struct vhost_virtqueue *vq)
dev->notify_ops->guest_notified(dev->vid);
}
-static __rte_always_inline void
+static __rte_always_inline int
vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq)
{
/* Flush used->idx update before we read avail->flags. */
rte_atomic_thread_fence(__ATOMIC_SEQ_CST);
+ if (!vq->avail || !vq->used)
+ return -1;
+
/* Don't kick guest if we don't reach index specified by guest. */
if (dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX)) {
uint16_t old = vq->signalled_used;
@@ -957,9 +960,10 @@ vhost_vring_call_split(struct virtio_net *dev, struct vhost_virtqueue *vq)
if (!(vq->avail->flags & VRING_AVAIL_F_NO_INTERRUPT))
vhost_vring_inject_irq(dev, vq);
}
+ return 0;
}
-static __rte_always_inline void
+static __rte_always_inline int
vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq)
{
uint16_t old, new, off, off_wrap;
@@ -968,6 +972,9 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq)
/* Flush used desc update. */
rte_atomic_thread_fence(__ATOMIC_SEQ_CST);
+ if (!vq->driver_event)
+ return -1;
+
if (!(dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))) {
if (vq->driver_event->flags !=
VRING_EVENT_F_DISABLE)
@@ -1008,6 +1015,7 @@ vhost_vring_call_packed(struct virtio_net *dev, struct vhost_virtqueue *vq)
kick:
if (kick)
vhost_vring_inject_irq(dev, vq);
+ return 0;
}
static __rte_always_inline void