vhost_net: zerocopy: fix possible NULL pointer dereference of vq->bufs

When we want to disable vhost_net backend while there's a tx work, a possible
NULL pointer defernece may happen we we try to deference the vq->bufs after
vhost_net_set_backend() assign a NULL to it.

As suggested by Michael, fix this by checking the vq->bufs instead of
vhost_sock_zcopy().

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 1f21d2a1e52885af8db0a691170b8ab0364aa7b4..35abe9019ba7b2d7242d54f819b7f6a4d57e506a 100644 (file)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -166,7 +166,7 @@ static void handle_tx(struct vhost_net *net)
        if (wmem < sock->sk->sk_sndbuf / 2)
                tx_poll_stop(net);
        hdr_size = vq->vhost_hlen;
-       zcopy = vhost_sock_zcopy(sock);
+       zcopy = vq->ubufs;
 
        for (;;) {
                /* Release DMAs done buffers first */