> -----Original Message-----
> From: Maxime Coquelin <maxime.coque...@redhat.com>
> Sent: Tuesday, October 20, 2020 1:34 AM
> To: dev@dpdk.org; Xia, Chenbo <chenbo....@intel.com>; amore...@redhat.com
> Cc: Maxime Coquelin <maxime.coque...@redhat.com>
> Subject: [PATCH 7/7] vhost: check virtqueue metadata pointer
>
> This patch checks whether the virtqueue metadata pointer
> is valid before dereferencing it. It is not considered
> a fix as earlier patch ensures there are no holes in the
> array of virtqueue metadata pointers.
>
> Signed-off-by: Maxime Coquelin <maxime.coque...@redhat.com>
> ---
> lib/librte_vhost/vhost.c | 11 +++++++++++
> lib/librte_vhost/vhost_user.c | 12 ++++++++++++
> 2 files changed, 23 insertions(+)
>
> diff --git a/lib/librte_vhost/vhost.c b/lib/librte_vhost/vhost.c
> index e92ff618ac..8a151a9c1d 100644
> --- a/lib/librte_vhost/vhost.c
> +++ b/lib/librte_vhost/vhost.c
> @@ -544,6 +544,11 @@ init_vring_queue(struct virtio_net *dev, uint32_t
> vring_idx)
> }
>
> vq = dev->virtqueue[vring_idx];
> + if (!vq) {
> + VHOST_LOG_CONFIG(ERR, "Virtqueue not allocated (%d)\n",
> + vring_idx);
> + return;
> + }
>
> memset(vq, 0, sizeof(struct vhost_virtqueue));
>
> @@ -570,6 +575,12 @@ reset_vring_queue(struct virtio_net *dev, uint32_t
> vring_idx)
> }
>
> vq = dev->virtqueue[vring_idx];
> + if (!vq) {
> + VHOST_LOG_CONFIG(ERR, "Virtqueue not allocated (%d)\n",
> + vring_idx);
> + return;
> + }
> +
> callfd = vq->callfd;
> init_vring_queue(dev, vring_idx);
> vq->callfd = callfd;
> diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
> index d20c8c57ad..8a8726f8b8 100644
> --- a/lib/librte_vhost/vhost_user.c
> +++ b/lib/librte_vhost/vhost_user.c
> @@ -1235,6 +1235,9 @@ vhost_user_set_mem_table(struct virtio_net **pdev,
> struct VhostUserMsg *msg,
> for (i = 0; i < dev->nr_vring; i++) {
> struct vhost_virtqueue *vq = dev->virtqueue[i];
>
> + if (!vq)
> + continue;
> +
> if (vq->desc || vq->avail || vq->used) {
> /*
> * If the memory table got updated, the ring addresses
> @@ -1556,6 +1559,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev,
> VhostUserMsg *msg,
>
> for (i = 0; i < num_queues; i++) {
> vq = dev->virtqueue[i];
> + if (!vq)
> + continue;
> +
> if (vq_is_packed(dev)) {
> vq->inflight_packed = addr;
> vq->inflight_packed->desc_num = queue_size;
> @@ -2310,6 +2316,9 @@ vhost_user_iotlb_msg(struct virtio_net **pdev,
> struct VhostUserMsg *msg,
> for (i = 0; i < dev->nr_vring; i++) {
> struct vhost_virtqueue *vq = dev->virtqueue[i];
>
> + if (!vq)
> + continue;
> +
> vhost_user_iotlb_cache_insert(vq, imsg->iova, vva,
> len, imsg->perm);
>
> @@ -2321,6 +2330,9 @@ vhost_user_iotlb_msg(struct virtio_net **pdev,
> struct VhostUserMsg *msg,
> for (i = 0; i < dev->nr_vring; i++) {
> struct vhost_virtqueue *vq = dev->virtqueue[i];
>
> + if (!vq)
> + continue;
> +
> vhost_user_iotlb_cache_remove(vq, imsg->iova,
> imsg->size);
>
> --
> 2.26.2
Reviewed-by: Chenbo Xia <chenbo....@intel.com>
