From: luca.boccassi@gmail.com
To: Yunjian Wang
Cc: Maxime Coquelin, dpdk stable
Subject: patch 'vhost: fix double fetch when dequeue offloading' has been queued to stable release 22.11.11
Date: Mon, 27 Oct 2025 16:19:22 +0000
Message-ID: <20251027162001.3710450-44-luca.boccassi@gmail.com>

Hi,

FYI, your patch has been queued to stable release 22.11.11

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 10/29/25. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/c92f022ea7c0d2df726ae97830463dab03208fe6

Thanks.

Luca Boccassi

---
>From c92f022ea7c0d2df726ae97830463dab03208fe6 Mon Sep 17 00:00:00 2001
From: Yunjian Wang Date: Fri, 10 Oct 2025 16:41:36 +0800 Subject: [PATCH] vhost: fix double fetch when dequeue offloading [ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ] The hdr->csum_start does two successive reads from user space to read a variable length data structure. The result overflow if the data structure changes between the two reads. To fix this, we can prevent double fetch issue by copying virtio_hdr to the temporary variable. Fixes: 4dc4e33ffa10 ("net/virtio: fix Rx checksum calculation") Signed-off-by: Yunjian Wang Reviewed-by: Maxime Coquelin --- lib/vhost/virtio_net.c | 50 ++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c index ec8d03d97f..c90964c935 100644 --- a/lib/vhost/virtio_net.c +++ b/lib/vhost/virtio_net.c @@ -2634,25 +2634,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr, } } -static __rte_noinline void +static __rte_always_inline int copy_vnet_hdr_from_desc(struct virtio_net_hdr *hdr, - struct buf_vector *buf_vec) + const struct buf_vector *buf_vec, + uint16_t nr_vec) { - uint64_t len; - uint64_t remain = sizeof(struct virtio_net_hdr); - uint64_t src; - uint64_t dst = (uint64_t)(uintptr_t)hdr; + size_t remain = sizeof(struct virtio_net_hdr); + uint8_t *dst = (uint8_t *)hdr; - while (remain) { - len = RTE_MIN(remain, buf_vec->buf_len); - src = buf_vec->buf_addr; - rte_memcpy((void *)(uintptr_t)dst, - (void *)(uintptr_t)src, len); + while (remain > 0) { + size_t len = RTE_MIN(remain, buf_vec->buf_len); + const void *src = (const void *)(uintptr_t)buf_vec->buf_addr; + if (unlikely(nr_vec == 0)) + return -1; + + memcpy(dst, src, len); remain -= len; dst += len; buf_vec++; + --nr_vec; } + return 0; } static __rte_always_inline int 
@@ -2679,16 +2682,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, */ if (virtio_net_with_host_offload(dev)) { - if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) { - /* - * No luck, the virtio-net header doesn't fit - * in a contiguous virtual area. - */ - copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec); - hdr = &tmp_hdr; - } else { - hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr); - } + if (unlikely(copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec, nr_vec) != 0)) + return -1; + + /* ensure that compiler does not delay copy */ + rte_compiler_barrier(); + hdr = &tmp_hdr; } for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) { @@ -3048,7 +3047,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, { uint16_t avail_idx = vq->last_avail_idx; uint32_t buf_offset = sizeof(struct virtio_net_hdr_mrg_rxbuf); - struct virtio_net_hdr *hdr; uintptr_t desc_addrs[PACKED_BATCH_SIZE]; uint16_t ids[PACKED_BATCH_SIZE]; uint16_t i; @@ -3067,8 +3065,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, if (virtio_net_with_host_offload(dev)) { vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { - hdr = (struct virtio_net_hdr *)(desc_addrs[i]); - vhost_dequeue_offload(dev, hdr, pkts[i], legacy_ol_flags); + struct virtio_net_hdr hdr; + + memcpy(&hdr, (void *)desc_addrs[i], sizeof(struct virtio_net_hdr)); + rte_compiler_barrier(); + + vhost_dequeue_offload(dev, &hdr, pkts[i], legacy_ol_flags); } } -- 2.47.3 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2025-10-27 15:54:36.444357043 +0000 +++ 0044-vhost-fix-double-fetch-when-dequeue-offloading.patch 2025-10-27 15:54:34.811949950 +0000 @@ -1 +1 @@ -From 285e6b8b187485cc69a175261e40d8d2727e20a3 Mon Sep 17 00:00:00 2001 +From c92f022ea7c0d2df726ae97830463dab03208fe6 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ] + @@ -14 +15,0 @@ -Cc: stable@dpdk.org 
@@ -23 +24 @@ -index 77545d0a4d..0658b81de5 100644 +index ec8d03d97f..c90964c935 100644 @@ -26 +27 @@ -@@ -2870,25 +2870,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr, +@@ -2634,25 +2634,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr, @@ -66 +67 @@ -@@ -2917,16 +2920,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -2679,16 +2682,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, @@ -89 +90 @@ -@@ -3372,7 +3371,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, +@@ -3048,7 +3047,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, @@ -97 +98 @@ -@@ -3391,8 +3389,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, +@@ -3067,8 +3065,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
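
Review bot: In copy_vnet_hdr_from_desc(), the `nr_vec == 0` check comes after `buf_vec->buf_len` and `buf_vec->buf_addr` have already been read for that iteration, so when the header is not complete after the last valid entry the loop reads one buf_vector entry past the ones it was given before returning -1. Move `if (unlikely(nr_vec == 0)) return -1;` to the top of the loop body, ahead of the RTE_MIN() line. The change from __rte_noinline to __rte_always_inline and from rte_memcpy() to memcpy() is also not mentioned in the commit message; one sentence there would help anyone reviewing the backport.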
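
Review bot: In the desc_to_mbuf() hunk, the comment `/* ensure that compiler does not delay copy */` does not say what the barrier protects. Suggest spelling out that tmp_hdr is a private snapshot of guest-writable memory and that hdr must only ever point at it, so a later change does not bring back the removed `hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);` path. The header is now copied on every packet rather than only when it is not contiguous, which is the point of the fix, but the commit message could state that cost explicitly.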
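
Review bot: In the second virtio_dev_tx_batch_packed() hunk, the `rte_compiler_barrier()` after the memcpy() has no comment, unlike the same pattern in desc_to_mbuf(); add the same one-line explanation so the two sites read alike. Using `sizeof(hdr)` would tie the copy size to the destination object, and the source cast can be `(const void *)` since the descriptor memory is only read here.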
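
The double fetch described in the commit message, as an added example that is not part of the original mail or of DPDK. It assumes a constructed two-field header in place of struct virtio_net_hdr, and the hypothetical hook guest_flip() models the guest rewriting shared memory between the host's two reads.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the checksum fields of a guest-supplied header. */
struct hdr { uint16_t csum_start, csum_offset; };

/* Hypothetical hook: models the guest writing shared memory mid-function. */
typedef void (*race_fn)(struct hdr *shared);
static void guest_flip(struct hdr *shared) { shared->csum_start = 0xfff0; }

/* Double fetch: the value that is validated is not the value that is used.
 * Returns the checksum offset the host would write to, or -1 if rejected. */
static long offset_double_fetch(struct hdr *shared, size_t pkt_len, race_fn race)
{
    if ((size_t)shared->csum_start + shared->csum_offset + 2 > pkt_len)
        return -1;                       /* fetch 1: bounds check */
    if (race)
        race(shared);                    /* guest changes the field here */
    return (long)shared->csum_start + shared->csum_offset; /* fetch 2: use */
}

/* Single fetch: copy once, then check and use only the private copy. */
static long offset_snapshot(struct hdr *shared, size_t pkt_len, race_fn race)
{
    struct hdr local;

    memcpy(&local, shared, sizeof(local));
    __asm__ volatile("" ::: "memory");   /* GCC/Clang compiler barrier */
    if ((size_t)local.csum_start + local.csum_offset + 2 > pkt_len)
        return -1;
    if (race)
        race(shared);                    /* too late: local is unaffected */
    return (long)local.csum_start + local.csum_offset;
}

int main(void)
{
    struct hdr a = { 34, 16 }, b = { 34, 16 };  /* constructed sample input */

    printf("double fetch: %ld (packet is 64 bytes)\n",
           offset_double_fetch(&a, 64, guest_flip));
    printf("snapshot:     %ld\n", offset_snapshot(&b, 64, guest_flip));
    return 0;
}
```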