vhost: fix missing vring call check on virtqueue access
[ upstream commit af7f683615244675fc4f472a2aa42880896476ad ]

Acquiring the access lock is not enough to ensure
virtqueue's metadata such as vring pointers are valid.

The access status must also be checked.

Fixes: 6c299bb ("vhost: introduce vring call API")
Fixes: c573699 ("vhost: fix missing virtqueue lock protection")
Fixes: 830f7e7 ("vhost: add non-blocking API for posting interrupt")

Reported-by: Li Feng <fengli@smartx.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: David Marchand <david.marchand@redhat.com>
mcoquelin authored and bluca committed Nov 8, 2023
1 parent 1945571 commit db07b9f
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions lib/librte_vhost/vhost.c
Expand Up @@ -1253,6 +1253,7 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)
{
struct virtio_net *dev;
struct vhost_virtqueue *vq;
int ret = 0;

dev = get_device(vid);
if (!dev)
Expand All @@ -1267,21 +1268,28 @@ rte_vhost_vring_call(int vid, uint16_t vring_idx)

rte_spinlock_lock(&vq->access_lock);

if (unlikely(!vq->access_ok)) {
ret = -1;
goto out_unlock;
}

if (vq_is_packed(dev))
vhost_vring_call_packed(dev, vq);
else
vhost_vring_call_split(dev, vq);

out_unlock:
rte_spinlock_unlock(&vq->access_lock);

return 0;
return ret;
}

int
rte_vhost_vring_call_nonblock(int vid, uint16_t vring_idx)
{
struct virtio_net *dev;
struct vhost_virtqueue *vq;
int ret = 0;

dev = get_device(vid);
if (!dev)
Expand All @@ -1297,14 +1305,20 @@ rte_vhost_vring_call_nonblock(int vid, uint16_t vring_idx)
if (!rte_spinlock_trylock(&vq->access_lock))
return -EAGAIN;

if (unlikely(!vq->access_ok)) {
ret = -1;
goto out_unlock;
}

if (vq_is_packed(dev))
vhost_vring_call_packed(dev, vq);
else
vhost_vring_call_split(dev, vq);

out_unlock:
rte_spinlock_unlock(&vq->access_lock);

return 0;
return ret;
}

uint16_t
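Review bot: The new `if (unlikely(!vq->access_ok))` branch in rte_vhost_vring_call() returns a bare `-1`, which appears to be the value the function already uses for its other failures, so a caller cannot tell a virtqueue whose rings are not currently accessible from a bad `vid` or `vring_idx`; the identical branch in rte_vhost_vring_call_nonblock() has the same problem, even though that function already uses an errno-style value (`-EAGAIN`) for lock contention. Callers may reasonably retry the first case but not the second, so the API comment for both functions should state that `-1` is also returned when the ring is not accessible, and the check deserves a why-comment such as `/* the lock alone does not guarantee the vring pointers are valid; access_ok must be set */`. The part of each function between `get_device()` and the lock is outside the displayed hunks, so the existing return values there are inferred. The sequence after the lock is taken is now duplicated verbatim in both functions; a small static helper called with the lock held would keep a future fix of this kind from having to be applied twice.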
