Hi Michael, ping...
On 2020/2/24 14:42, Longpeng(Mike) wrote:
> From: Longpeng <longpe...@huawei.com>
>
> vhost_log_alloc() may fails and returned pointer of log is null.
> However there're two places derefernce the return pointer without
> check.
>
> Signed-off-by: Longpeng <longpe...@huawei.com>
> ---
> hw/virtio/vhost.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
> index 9edfadc..c7ad6e5 100644
> --- a/hw/virtio/vhost.c
> +++ b/hw/virtio/vhost.c
> @@ -219,6 +219,10 @@ static struct vhost_log *vhost_log_get(uint64_t size,
> bool share)
>
> if (!log || log->size != size) {
> log = vhost_log_alloc(size, share);
> + if (!log) {
> + return NULL;
> + }
> +
> if (share) {
> vhost_log_shm = log;
> } else {
> @@ -270,10 +274,17 @@ static bool vhost_dev_log_is_shared(struct vhost_dev
> *dev)
>
> static inline void vhost_dev_log_resize(struct vhost_dev *dev, uint64_t size)
> {
> - struct vhost_log *log = vhost_log_get(size,
> vhost_dev_log_is_shared(dev));
> - uint64_t log_base = (uintptr_t)log->log;
> + struct vhost_log *log;
> + uint64_t log_base;
> int r;
>
> + log = vhost_log_get(size, vhost_dev_log_is_shared(dev));
> + if (!log) {
> + return;
> + }
> +
> + log_base = (uintptr_t)log->log;
> +
> /* inform backend of log switching, this must be done before
> releasing the current log, to ensure no logging is lost */
> r = dev->vhost_ops->vhost_set_log_base(dev, log_base, log);
> @@ -1640,6 +1651,10 @@ int vhost_dev_start(struct vhost_dev *hdev,
> VirtIODevice *vdev)
> hdev->log_size = vhost_get_log_size(hdev);
> hdev->log = vhost_log_get(hdev->log_size,
> vhost_dev_log_is_shared(hdev));
> + if (!hdev->log) {
> + goto fail_vq;
> + }
> +
> log_base = (uintptr_t)hdev->log->log;
> r = hdev->vhost_ops->vhost_set_log_base(hdev,
> hdev->log_size ? log_base :
> 0,
> -- --- Regards, Longpeng(Mike)
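Review bot: vhost_log_get() gains a NULL return in the first hunk that both of its callers now have to handle, but nothing at the function says so; its definition starts outside the hunk, so I'd put a comment on it such as `/* Returns NULL if a log of the requested size could not be allocated; the cached log is left untouched. */`. The second half of that sentence looks correct from the hunk, since the failed result only lands in the local `log` and the cache assignment (`vhost_log_shm = log` / the else branch) is skipped by the new return, but it is worth confirming against the part of the function not shown here.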
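Review bot: The early `return` added to vhost_dev_log_resize() in the second hunk turns an allocation failure into a silent no-op: the function is `void`, nothing is logged, and the backend is never told about the larger log, so the caller (outside the hunk) carries on with its previous log and log size and has no way to know the resize did not happen. Since this function exists to keep the dirty log in step with the memory layout, a quietly-skipped resize can leave dirty tracking incomplete, which I'd rather see surface than hide; at minimum replace the bare return with `error_report("vhost: failed to allocate a larger dirty log"); return;` (the file already reports other vhost failures, presumably with the same helper), and consider giving the function an int return so vhost_commit-style callers can react.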
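Review bot: In the third hunk the new `goto fail_vq` jumps with `r` unchanged, so unless an earlier assignment outside the hunk already left an error in it, vhost_dev_start() returns whatever the previous successful call left there, presumably 0, and the caller sees a started device with `hdev->log == NULL` while `hdev->log_size` still holds what vhost_get_log_size() returned. Set the error code before jumping, `r = -ENOMEM;` then `goto fail_vq;`, matching the negative-errno convention of the `vhost_set_log_base` error path two lines below. It is also worth checking that the cleanup reached from fail_vq (outside the hunk) tolerates a NULL `hdev->log`, and that nothing later reads `hdev->log_size` as if a log were present.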