From: David Marchand <david.marchand@redhat.com>
To: dev@dpdk.org
Cc: stable@dpdk.org, Maxime Coquelin <maxime.coquelin@redhat.com>,
Chenbo Xia <chenbox@nvidia.com>
Subject: [PATCH] vhost: fix wrapping on control virtqueue rings
Date: Wed, 2 Apr 2025 08:53:58 +0200 [thread overview]
Message-ID: <20250402065358.3612788-1-david.marchand@redhat.com> (raw)
The idx field of a virtqueue available ring is increased by the driver
regardless of the ring size. It is for the device to mask this index
modulo the ring size (2.7.6 of the virtio 1.3 specification).
The same applies to the used ring.
Failing to mask triggers:
- crashes when popping message received on the cvq,
- system lockups (in the case of VDUSE) when the virtio-net driver waits
infinitely,
Fixes: 474f4d7840ad ("vhost: add control virtqueue")
Cc: stable@dpdk.org
Signed-off-by: David Marchand <david.marchand@redhat.com>
---
lib/vhost/virtio_net_ctrl.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/lib/vhost/virtio_net_ctrl.c b/lib/vhost/virtio_net_ctrl.c
index 999e84db7c..63c0a06b4f 100644
--- a/lib/vhost/virtio_net_ctrl.c
+++ b/lib/vhost/virtio_net_ctrl.c
@@ -40,7 +40,7 @@ virtio_net_ctrl_pop(struct virtio_net *dev, struct vhost_virtqueue *cvq,
return 0;
}
- desc_idx = cvq->avail->ring[cvq->last_avail_idx];
+ desc_idx = cvq->avail->ring[cvq->last_avail_idx & (cvq->size - 1)];
if (desc_idx >= cvq->size) {
VHOST_CONFIG_LOG(dev->ifname, ERR, "Out of range desc index, dropping");
goto err;
@@ -167,8 +167,6 @@ virtio_net_ctrl_pop(struct virtio_net *dev, struct vhost_virtqueue *cvq,
}
cvq->last_avail_idx++;
- if (cvq->last_avail_idx >= cvq->size)
- cvq->last_avail_idx -= cvq->size;
vhost_virtqueue_reconnect_log_split(cvq);
if (dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))
@@ -180,8 +178,6 @@ virtio_net_ctrl_pop(struct virtio_net *dev, struct vhost_virtqueue *cvq,
free(ctrl_elem->ctrl_req);
err:
cvq->last_avail_idx++;
- if (cvq->last_avail_idx >= cvq->size)
- cvq->last_avail_idx -= cvq->size;
vhost_virtqueue_reconnect_log_split(cvq);
if (dev->features & (1ULL << VIRTIO_RING_F_EVENT_IDX))
@@ -231,13 +227,11 @@ virtio_net_ctrl_push(struct virtio_net *dev, struct virtio_net_ctrl_elem *ctrl_e
struct vhost_virtqueue *cvq = dev->cvq;
struct vring_used_elem *used_elem;
- used_elem = &cvq->used->ring[cvq->last_used_idx];
+ used_elem = &cvq->used->ring[cvq->last_used_idx & (cvq->size - 1)];
used_elem->id = ctrl_elem->head_idx;
used_elem->len = ctrl_elem->n_descs;
cvq->last_used_idx++;
- if (cvq->last_used_idx >= cvq->size)
- cvq->last_used_idx -= cvq->size;
rte_atomic_store_explicit((unsigned short __rte_atomic *)&cvq->used->idx,
cvq->last_used_idx, rte_memory_order_release);
--
2.48.1
reply other threads:[~2025-04-02 6:54 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250402065358.3612788-1-david.marchand@redhat.com \
--to=david.marchand@redhat.com \
--cc=chenbox@nvidia.com \
--cc=dev@dpdk.org \
--cc=maxime.coquelin@redhat.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).