From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9496648A44 for ; Fri, 31 Oct 2025 15:38:23 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8C73740150; Fri, 31 Oct 2025 15:38:23 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mails.dpdk.org (Postfix) with ESMTP id E1F8940150 for ; Fri, 31 Oct 2025 15:38:21 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1761921501; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xqaRP9xPiQubLCcqf4zGuq/ysOS4LaQoohSdJIWY09w=; b=OMPuudFlAnBKRtuWKnVl66P29tmiI4SRLJg/5XqPIwYz2Z7CTjyBUkrLbxfS7sAp2T4duf wkOsEEi1SvjYgtU0v0KIvViO3sTnhJCtxm9FwQqroh/ASGqzsyt7F5MIF93ZO2ALWH8Zbv YLQcdUGWvvKmaZ09TXVQ/SpQ6ufHvQo= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-477-Fs2QP1MePPSwgMku7DuIyg-1; Fri, 31 Oct 2025 10:38:17 -0400 X-MC-Unique: Fs2QP1MePPSwgMku7DuIyg-1 X-Mimecast-MFC-AGG-ID: Fs2QP1MePPSwgMku7DuIyg_1761921495 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A781D1956048; Fri, 31 Oct 2025 14:38:15 +0000 (UTC) Received: from rh.redhat.com (unknown [10.44.32.50]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 04E4618004D4; Fri, 31 Oct 2025 14:38:13 +0000 (UTC) From: Kevin Traynor To: Yunjian Wang Cc: Maxime Coquelin , dpdk stable Subject: patch 'vhost: fix double fetch when dequeue offloading' has been queued to stable release 24.11.4 Date: Fri, 31 Oct 2025 14:33:18 +0000 Message-ID: <20251031143421.324432-76-ktraynor@redhat.com> In-Reply-To: <20251031143421.324432-1-ktraynor@redhat.com> References: <20251031143421.324432-1-ktraynor@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: 7eZwLUsLSboaZPxKlHWcLCvAmjYhYPIo2cPWj8OjynQ_1761921495 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit content-type: text/plain; charset="US-ASCII"; x-default=true X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 24.11.4 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 11/05/25. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/kevintraynor/dpdk-stable This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable/commit/d4748e8863004ff3b9e966e12669c5750011dd95 Thanks. Kevin --- >From d4748e8863004ff3b9e966e12669c5750011dd95 Mon Sep 17 00:00:00 2001 From: Yunjian Wang Date: Fri, 10 Oct 2025 16:41:36 +0800 Subject: [PATCH] vhost: fix double fetch when dequeue offloading [ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ] The hdr->csum_start does two successive reads from user space to read a variable length data structure. The result overflow if the data structure changes between the two reads. To fix this, we can prevent double fetch issue by copying virtio_hdr to the temporary variable. Fixes: 4dc4e33ffa10 ("net/virtio: fix Rx checksum calculation") Signed-off-by: Yunjian Wang Reviewed-by: Maxime Coquelin --- lib/vhost/virtio_net.c | 50 ++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c index 9a670df274..4fc44f14f7 100644 --- a/lib/vhost/virtio_net.c +++ b/lib/vhost/virtio_net.c @@ -2865,23 +2865,26 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr, } -static __rte_noinline void +static __rte_always_inline int copy_vnet_hdr_from_desc(struct virtio_net_hdr *hdr, - struct buf_vector *buf_vec) + const struct buf_vector *buf_vec, + uint16_t nr_vec) { - uint64_t len; - uint64_t remain = sizeof(struct virtio_net_hdr); - uint64_t src; - uint64_t dst = (uint64_t)(uintptr_t)hdr; + size_t remain = sizeof(struct virtio_net_hdr); + uint8_t *dst = (uint8_t *)hdr; - while (remain) { - len = RTE_MIN(remain, buf_vec->buf_len); - src = buf_vec->buf_addr; - rte_memcpy((void *)(uintptr_t)dst, - (void *)(uintptr_t)src, len); + while (remain > 0) { + size_t len = RTE_MIN(remain, buf_vec->buf_len); + const void *src = (const void *)(uintptr_t)buf_vec->buf_addr; + if (unlikely(nr_vec == 0)) + return -1; + + memcpy(dst, src, len); remain -= len; dst += len; buf_vec++; + --nr_vec; } + return 0; } @@ -2912,14 +2915,10 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, if (virtio_net_with_host_offload(dev)) { - if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) { - /* - * No luck, the virtio-net header doesn't fit - * in a contiguous virtual area. - */ - copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec); - hdr = &tmp_hdr; - } else { - hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr); - } + if (unlikely(copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec, nr_vec) != 0)) + return -1; + + /* ensure that compiler does not delay copy */ + rte_compiler_barrier(); + hdr = &tmp_hdr; } @@ -3367,5 +3366,4 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, uint16_t avail_idx = vq->last_avail_idx; uint32_t buf_offset = sizeof(struct virtio_net_hdr_mrg_rxbuf); - struct virtio_net_hdr *hdr; uintptr_t desc_addrs[PACKED_BATCH_SIZE]; uint16_t ids[PACKED_BATCH_SIZE]; @@ -3386,6 +3384,10 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, if (virtio_net_with_host_offload(dev)) { vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { - hdr = (struct virtio_net_hdr *)(desc_addrs[i]); - vhost_dequeue_offload(dev, hdr, pkts[i], legacy_ol_flags); + struct virtio_net_hdr hdr; + + memcpy(&hdr, (void *)desc_addrs[i], sizeof(struct virtio_net_hdr)); + rte_compiler_barrier(); + + vhost_dequeue_offload(dev, &hdr, pkts[i], legacy_ol_flags); } } -- 2.51.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2025-10-31 13:53:54.546072511 +0000 +++ 0076-vhost-fix-double-fetch-when-dequeue-offloading.patch 2025-10-31 13:53:52.178523811 +0000 @@ -1 +1 @@ -From 285e6b8b187485cc69a175261e40d8d2727e20a3 Mon Sep 17 00:00:00 2001 +From d4748e8863004ff3b9e966e12669c5750011dd95 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ] + @@ -14 +15,0 @@ -Cc: stable@dpdk.org @@ -23 +24 @@ -index 77545d0a4d..0658b81de5 100644 +index 9a670df274..4fc44f14f7 100644 @@ -26 +27 @@ -@@ -2871,23 +2871,26 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr, +@@ -2865,23 +2865,26 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr, @@ -64 +65 @@ -@@ -2918,14 +2921,10 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -2912,14 +2915,10 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, @@ -85 +86 @@ -@@ -3373,5 +3372,4 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, +@@ -3367,5 +3366,4 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, @@ -91 +92 @@ -@@ -3392,6 +3390,10 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev, +@@ -3386,6 +3384,10 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,