vhost: fix missing check on virtqueue access

[ upstream commit 094c442cdbf1da3a19ae82ca7069fee8b3a43343 ] Acquiring the access lock is not enough to ensure virtqueue's metadata such as vring pointers are valid. The access status must also be checked. Fixes: 4e0de8d ("vhost: protect vring access done by application") Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com> Acked-by: David Marchand <david.marchand@redhat.com>
bluca · Nov 8, 2023 · 6a3395a · 6a3395a
1 parent db07b9f
commit 6a3395a
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/lib/librte_vhost/vhost.c b/lib/librte_vhost/vhost.c
@@ -1341,7 +1341,10 @@ rte_vhost_avail_entries(int vid, uint16_t queue_id)
 
 	rte_spinlock_lock(&vq->access_lock);
 
-	if (unlikely(!vq->enabled || vq->avail == NULL))
+	if (unlikely(!vq->access_ok))
+		goto out;
+
+	if (unlikely(!vq->enabled))
 		goto out;
 
 	ret = *(volatile uint16_t *)&vq->avail->idx - vq->last_used_idx;
@@ -1433,9 +1436,15 @@ rte_vhost_enable_guest_notification(int vid, uint16_t queue_id, int enable)
 
 	rte_spinlock_lock(&vq->access_lock);
 
+	if (unlikely(!vq->access_ok)) {
+		ret = -1;
+		goto out_unlock;
+	}
+
 	vq->notif_enable = enable;
 	ret = vhost_enable_guest_notification(dev, vq, enable);
 
+out_unlock:
 	rte_spinlock_unlock(&vq->access_lock);
 
 	return ret;
@@ -1495,7 +1504,10 @@ rte_vhost_rx_queue_count(int vid, uint16_t qid)
 
 	rte_spinlock_lock(&vq->access_lock);
 
-	if (unlikely(vq->enabled == 0 || vq->avail == NULL))
+	if (unlikely(!vq->access_ok))
+		goto out;
+
+	if (unlikely(!vq->enabled))
 		goto out;
 
 	ret = *((volatile uint16_t *)&vq->avail->idx) - vq->last_avail_idx;