From: luca.boccassi@gmail.com
To: Yunjian Wang <wangyunjian@huawei.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
dpdk stable <stable@dpdk.org>
Subject: patch 'vhost: fix double fetch when dequeue offloading' has been queued to stable release 22.11.11
Date: Mon, 27 Oct 2025 16:19:22 +0000 [thread overview]
Message-ID: <20251027162001.3710450-44-luca.boccassi@gmail.com> (raw)
In-Reply-To: <20251027162001.3710450-1-luca.boccassi@gmail.com>
Hi,
FYI, your patch has been queued to stable release 22.11.11
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 10/29/25. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/c92f022ea7c0d2df726ae97830463dab03208fe6
Thanks.
Luca Boccassi
---
From c92f022ea7c0d2df726ae97830463dab03208fe6 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian@huawei.com>
Date: Fri, 10 Oct 2025 16:41:36 +0800
Subject: [PATCH] vhost: fix double fetch when dequeue offloading
[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ]
The hdr->csum_start does two successive reads from user space to read a
variable length data structure. The result overflow if the data structure
changes between the two reads.
To fix this, we can prevent double fetch issue by copying virtio_hdr to
the temporary variable.
Fixes: 4dc4e33ffa10 ("net/virtio: fix Rx checksum calculation")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/vhost/virtio_net.c | 50 ++++++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index ec8d03d97f..c90964c935 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2634,25 +2634,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
}
}
-static __rte_noinline void
+static __rte_always_inline int
copy_vnet_hdr_from_desc(struct virtio_net_hdr *hdr,
- struct buf_vector *buf_vec)
+ const struct buf_vector *buf_vec,
+ uint16_t nr_vec)
{
- uint64_t len;
- uint64_t remain = sizeof(struct virtio_net_hdr);
- uint64_t src;
- uint64_t dst = (uint64_t)(uintptr_t)hdr;
+ size_t remain = sizeof(struct virtio_net_hdr);
+ uint8_t *dst = (uint8_t *)hdr;
- while (remain) {
- len = RTE_MIN(remain, buf_vec->buf_len);
- src = buf_vec->buf_addr;
- rte_memcpy((void *)(uintptr_t)dst,
- (void *)(uintptr_t)src, len);
+ while (remain > 0) {
+ size_t len = RTE_MIN(remain, buf_vec->buf_len);
+ const void *src = (const void *)(uintptr_t)buf_vec->buf_addr;
+ if (unlikely(nr_vec == 0))
+ return -1;
+
+ memcpy(dst, src, len);
remain -= len;
dst += len;
buf_vec++;
+ --nr_vec;
}
+ return 0;
}
static __rte_always_inline int
@@ -2679,16 +2682,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
*/
if (virtio_net_with_host_offload(dev)) {
- if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
- /*
- * No luck, the virtio-net header doesn't fit
- * in a contiguous virtual area.
- */
- copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
- hdr = &tmp_hdr;
- } else {
- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
- }
+ if (unlikely(copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec, nr_vec) != 0))
+ return -1;
+
+ /* ensure that compiler does not delay copy */
+ rte_compiler_barrier();
+ hdr = &tmp_hdr;
}
for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
@@ -3048,7 +3047,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
{
uint16_t avail_idx = vq->last_avail_idx;
uint32_t buf_offset = sizeof(struct virtio_net_hdr_mrg_rxbuf);
- struct virtio_net_hdr *hdr;
uintptr_t desc_addrs[PACKED_BATCH_SIZE];
uint16_t ids[PACKED_BATCH_SIZE];
uint16_t i;
@@ -3067,8 +3065,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
if (virtio_net_with_host_offload(dev)) {
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
- hdr = (struct virtio_net_hdr *)(desc_addrs[i]);
- vhost_dequeue_offload(dev, hdr, pkts[i], legacy_ol_flags);
+ struct virtio_net_hdr hdr;
+
+ memcpy(&hdr, (void *)desc_addrs[i], sizeof(struct virtio_net_hdr));
+ rte_compiler_barrier();
+
+ vhost_dequeue_offload(dev, &hdr, pkts[i], legacy_ol_flags);
}
}
--
2.47.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2025-10-27 15:54:36.444357043 +0000
+++ 0044-vhost-fix-double-fetch-when-dequeue-offloading.patch 2025-10-27 15:54:34.811949950 +0000
@@ -1 +1 @@
-From 285e6b8b187485cc69a175261e40d8d2727e20a3 Mon Sep 17 00:00:00 2001
+From c92f022ea7c0d2df726ae97830463dab03208fe6 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ]
+
@@ -14 +15,0 @@
-Cc: stable@dpdk.org
@@ -23 +24 @@
-index 77545d0a4d..0658b81de5 100644
+index ec8d03d97f..c90964c935 100644
@@ -26 +27 @@
-@@ -2870,25 +2870,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
+@@ -2634,25 +2634,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
@@ -66 +67 @@
-@@ -2917,16 +2920,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -2679,16 +2682,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
@@ -89 +90 @@
-@@ -3372,7 +3371,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
+@@ -3048,7 +3047,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
@@ -97 +98 @@
-@@ -3391,8 +3389,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
+@@ -3067,8 +3065,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
next prev parent reply other threads:[~2025-10-27 16:22 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 16:18 patch 'net/gve: allocate Rx QPL pages using malloc' " luca.boccassi
2025-10-27 16:18 ` patch 'eal: fix plugin dir walk' " luca.boccassi
2025-10-27 16:18 ` patch 'cmdline: fix port list parsing' " luca.boccassi
2025-10-27 16:18 ` patch 'cmdline: fix highest bit " luca.boccassi
2025-10-27 16:18 ` patch 'tailq: fix lookup macro' " luca.boccassi
2025-10-27 16:18 ` patch 'hash: fix unaligned access in predictable RSS' " luca.boccassi
2025-10-27 16:18 ` patch 'graph: fix unaligned access in stats' " luca.boccassi
2025-10-27 16:18 ` patch 'eventdev: fix listing timer adapters with telemetry' " luca.boccassi
2025-10-27 16:18 ` patch 'cfgfile: fix section count with no name' " luca.boccassi
2025-10-27 16:18 ` patch 'net/vmxnet3: fix mapping of mempools to queues' " luca.boccassi
2025-10-27 16:18 ` patch 'app/testpmd: increase size of set cores list command' " luca.boccassi
2025-10-27 16:18 ` patch 'net/dpaa2: fix shaper rate' " luca.boccassi
2025-10-27 16:18 ` patch 'app/testpmd: monitor state of primary process' " luca.boccassi
2025-10-27 16:18 ` patch 'app/testpmd: fix conntrack action query' " luca.boccassi
2025-10-27 16:18 ` patch 'doc: add conntrack state inspect command to testpmd guide' " luca.boccassi
2025-10-27 16:18 ` patch 'app/testpmd: validate DSCP and VLAN for meter creation' " luca.boccassi
2025-10-27 16:18 ` patch 'net/mlx5: fix min and max MTU reporting' " luca.boccassi
2025-10-27 16:18 ` patch 'net/mlx5: fix unsupported flow rule port action' " luca.boccassi
2025-10-27 16:18 ` patch 'net/mlx5: fix non-template age rules flush' " luca.boccassi
2025-10-27 16:18 ` patch 'net/mlx5: fix connection tracking state item validation' " luca.boccassi
2025-10-27 16:18 ` patch 'net/mlx5: fix indirect flow age action handling' " luca.boccassi
2025-10-27 16:19 ` patch 'net/mlx5: fix Direct Verbs counter offset detection' " luca.boccassi
2025-10-27 16:19 ` patch 'net/mlx5: fix interface name parameter definition' " luca.boccassi
2025-10-27 16:19 ` patch 'net/intel: fix assumption about tag placement order' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ice/base: fix adding special words' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ice/base: fix memory leak in HW profile handling' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ice/base: fix memory leak in recipe " luca.boccassi
2025-10-27 16:19 ` patch 'eal: fix DMA mask validation with IOVA mode option' " luca.boccassi
2025-10-27 16:19 ` patch 'eal: fix MP socket cleanup' " luca.boccassi
2025-10-27 16:19 ` patch 'crypto/ipsec_mb: fix QP release in secondary' " luca.boccassi
2025-10-27 16:19 ` patch 'efd: fix AVX2 support' " luca.boccassi
2025-10-27 16:19 ` patch 'common/cnxk: fix async event handling' " luca.boccassi
2025-10-27 16:19 ` patch 'doc: fix feature list of ice driver' " luca.boccassi
2025-10-27 16:19 ` patch 'doc: fix feature list of iavf " luca.boccassi
2025-10-27 16:19 ` patch 'baseband/acc: fix exported header' " luca.boccassi
2025-10-27 16:19 ` patch 'gpudev: fix driver header for Windows' " luca.boccassi
2025-10-27 16:19 ` patch 'drivers: fix some exported headers' " luca.boccassi
2025-10-27 16:19 ` patch 'test/debug: fix crash with mlx5 devices' " luca.boccassi
2025-10-27 16:19 ` patch 'bus/pci: fix build with MinGW 13' " luca.boccassi
2025-10-27 16:19 ` patch 'net/mlx5: " luca.boccassi
2025-10-27 16:19 ` patch 'dma/hisilicon: fix stop with pending transfers' " luca.boccassi
2025-10-27 16:19 ` patch 'test/dma: fix failure condition' " luca.boccassi
2025-10-27 16:19 ` patch 'fib6: fix tbl8 allocation check logic' " luca.boccassi
2025-10-27 16:19 ` luca.boccassi [this message]
2025-10-27 16:19 ` patch 'net/ice/base: fix integer overflow on NVM init' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ice: fix initialization with 8 ports' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ice: remove indirection for FDIR filters' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ice: fix memory leak in raw pattern parse' " luca.boccassi
2025-10-27 16:19 ` patch 'net/i40e: fix symmetric Toeplitz hashing for SCTP' " luca.boccassi
2025-10-27 16:19 ` patch 'net/mlx5: fix multicast' " luca.boccassi
2025-10-27 16:19 ` patch 'net/mlx5: fix MTU initialization' " luca.boccassi
2025-10-27 16:19 ` patch 'net/mlx5: fix leak of flow indexed pools' " luca.boccassi
2025-10-27 16:19 ` patch 'net/hns3: fix inconsistent lock' " luca.boccassi
2025-10-27 16:19 ` patch 'net/hns3: fix VLAN resources freeing' " luca.boccassi
2025-10-27 16:19 ` patch 'net/af_packet: fix crash in secondary process' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ark: remove double mbuf free' " luca.boccassi
2025-10-27 16:19 ` patch 'net/hns3: fix VLAN tag loss for short tunnel frame' " luca.boccassi
2025-10-27 16:19 ` patch 'ethdev: fix VLAN filter parameter description' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: fix file descriptor leak on read error' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: fix out-of-bounds access in UIO mapping' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: fix buffer descriptor size configuration' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: fix Tx queue free' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: fix checksum flag handling and error return' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: reject multi-queue configuration' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: fix memory leak in Rx buffer cleanup' " luca.boccassi
2025-10-27 16:19 ` patch 'net/enetfec: reject Tx deferred queue' " luca.boccassi
2025-10-27 16:19 ` patch 'net/tap: fix interrupt callback crash after failed start' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ena: fix PCI BAR mapping on 64K page size' " luca.boccassi
2025-10-27 16:19 ` patch 'net/ena/base: fix unsafe memcpy on invalid memory' " luca.boccassi
2025-10-27 16:19 ` patch 'net/dpaa2: fix uninitialized variable' " luca.boccassi
2025-10-27 16:19 ` patch 'net/dpaa2: fix L3/L4 checksum results' " luca.boccassi
2025-10-27 16:19 ` patch 'net/dpaa2: receive packets with additional parse errors' " luca.boccassi
2025-10-27 16:19 ` patch 'crypto/qat: fix source buffer alignment' " luca.boccassi
2025-10-27 16:19 ` patch 'crypto/cnxk: refactor RSA verification' " luca.boccassi
2025-10-27 16:19 ` patch 'test/crypto: fix mbuf handling' " luca.boccassi
2025-10-27 16:19 ` patch 'app/crypto-perf: fix plaintext size exceeds buffer size' " luca.boccassi
2025-10-27 16:19 ` patch 'test/crypto: fix vector initialization' " luca.boccassi
2025-10-27 16:19 ` patch 'crypto/virtio: fix cookies leak' " luca.boccassi
2025-10-27 16:19 ` patch 'sched: fix WRR parameter data type' " luca.boccassi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251027162001.3710450-44-luca.boccassi@gmail.com \
--to=luca.boccassi@gmail.com \
--cc=maxime.coquelin@redhat.com \
--cc=stable@dpdk.org \
--cc=wangyunjian@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).