vhost: fix unsafe vring addresses modifications

[ upstream commit 04c27cb ] This patch adds missing protection around vring_invalidate and translate_ring_addresses calls in vhost_user_iotlb_msg. Fixes: eefac95 ("vhost: postpone device creation until rings are mapped") Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com> Reviewed-by: Chenbo Xia <chenbo.xia@intel.com> Reviewed-by: David Marchand <david.marchand@redhat.com>
bluca · Feb 28, 2022 · 33f2e37 · 33f2e37
1 parent 37936eb
commit 33f2e37
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
@@ -2379,8 +2379,11 @@ vhost_user_iotlb_msg(struct virtio_net **pdev, struct VhostUserMsg *msg,
 			vhost_user_iotlb_cache_insert(vq, imsg->iova, vva,
 					len, imsg->perm);
 
-			if (is_vring_iotlb(dev, vq, imsg))
+			if (is_vring_iotlb(dev, vq, imsg)) {
+				rte_spinlock_lock(&vq->access_lock);
 				*pdev = dev = translate_ring_addresses(dev, i);
+				rte_spinlock_unlock(&vq->access_lock);
+			}
 		}
 		break;
 	case VHOST_IOTLB_INVALIDATE:
@@ -2393,8 +2396,11 @@ vhost_user_iotlb_msg(struct virtio_net **pdev, struct VhostUserMsg *msg,
 			vhost_user_iotlb_cache_remove(vq, imsg->iova,
 					imsg->size);
 
-			if (is_vring_iotlb(dev, vq, imsg))
+			if (is_vring_iotlb(dev, vq, imsg)) {
+				rte_spinlock_lock(&vq->access_lock);
 				vring_invalidate(dev, vq);
+				rte_spinlock_unlock(&vq->access_lock);
+			}
 		}
 		break;
 	default: