From e2db610c0b0cb9130ba1ce2668a57318a416fdc4 Mon Sep 17 00:00:00 2001
From: fangyi
Date: Mon, 4 Dec 2023 14:48:18 +0800
Subject: [PATCH] vhost: fix null pointer access

Check vhost_get/set_used_memslots function before calling it.

Signed-off-by: libai
Signed-off-by: jiangdongxu
Signed-off-by: fangyi
---
 hw/virtio/vhost.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 59a12735f9..7930b37499 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -58,6 +58,10 @@ bool vhost_has_free_slot(void)
 struct vhost_dev *hdev;

 QLIST_FOREACH(hdev, &vhost_devices, entry) {
+ if (!hdev->vhost_ops->vhost_get_used_memslots ||
+ !hdev->vhost_ops->vhost_backend_memslots_limit) {
+ continue;
+ }
 if (hdev->vhost_ops->vhost_get_used_memslots() >=
 hdev->vhost_ops->vhost_backend_memslots_limit(hdev)) {
 return false;
@@ -748,7 +752,9 @@ static void vhost_region_add_section(struct vhost_dev *dev,
 dev->tmp_sections[dev->n_tmp_sections - 1].fv = NULL;
 memory_region_ref(section->mr);
 }
- dev->vhost_ops->vhost_set_used_memslots(dev);
+ if (dev->vhost_ops->vhost_set_used_memslots) {
+ dev->vhost_ops->vhost_set_used_memslots(dev);
+ }
 }

 /* Used for both add and nop callbacks */
@@ -772,7 +778,9 @@ static void vhost_region_del(MemoryListener *listener,
 if (!vhost_section(dev, section)) {
 return;
 }
- dev->vhost_ops->vhost_set_used_memslots(dev);
+ if (dev->vhost_ops->vhost_set_used_memslots) {
+ dev->vhost_ops->vhost_set_used_memslots(dev);
+ }
 }

 static void vhost_iommu_unmap_notify(IOMMUNotifier *n, IOMMUTLBEntry *iotlb)
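Review bot: The added `continue` in vhost_has_free_slot() fails open: a device whose backend lacks either callback is skipped, so the function can return true without any slot limit having been consulted for that device. Neither the commit message nor the code names the backend that leaves these callbacks unset, so a reader cannot tell whether "no callbacks" really means "no limit". If it does, a comment above the check such as `/* backends without memslot accounting impose no slot limit */` would record that; if it does not, `return false;` would be the conservative result. The same two-pointer test is repeated in vhost_dev_used_memslots_is_exceeded() later in this patch, so a small static helper would keep the two sites consistent. The loop and function continue outside the hunk.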
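Review bot: Checking only `vhost_set_used_memslots` in vhost_region_add_section() (and again in the vhost_region_del hunk that follows) treats each callback as independently optional, so a backend that provides `vhost_get_used_memslots` but no setter would leave the limit comparisons elsewhere in this file reading a count that is never refreshed. Nothing visible in the patch establishes that the three callbacks are always present or absent together. Consider validating them as a set once, where the backend's ops table is installed (not shown here), or at least annotating the guard with `/* optional: backend keeps no memslot count */`. Both functions start outside their hunks.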
@@ -1367,6 +1375,11 @@ static void vhost_virtqueue_cleanup(struct vhost_virtqueue *vq)

 static bool vhost_dev_used_memslots_is_exceeded(struct vhost_dev *hdev)
 {
+ if (!hdev->vhost_ops->vhost_get_used_memslots ||
+ !hdev->vhost_ops->vhost_backend_memslots_limit) {
+ goto out;
+ }
+
 if (hdev->vhost_ops->vhost_get_used_memslots() >
 hdev->vhost_ops->vhost_backend_memslots_limit(hdev)) {
 error_report("vhost backend memory slots limit is less"
@@ -1375,6 +1388,7 @@ static bool vhost_dev_used_memslots_is_exceeded(struct vhost_dev *hdev)
 return true;
 }

+out:
 used_memslots_exceeded = false;
 return false;
 }
-- 
2.27.0
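Review bot: The `goto out` path in vhost_dev_used_memslots_is_exceeded() still runs `used_memslots_exceeded = false`, so a backend with no memslot callbacks clears a variable that is not local to this function even though no comparison was made. Its other readers are not visible in this patch, but if it can have been set to true on behalf of another device, this path would mask that state. Replacing `goto out;` with `return false;` would leave the variable untouched and make the `out:` label in the next hunk unnecessary. If clearing it is intended, a one-line comment at the label, e.g. `/* no accounting callbacks: treat as within limit */`, would make that explicit.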