From: Shani Peretz <shperetz@nvidia.com>
To: Yunjian Wang <wangyunjian@huawei.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
dpdk stable <stable@dpdk.org>
Subject: patch 'vhost: fix double fetch when dequeue offloading' has been queued to stable release 23.11.6
Date: Sun, 21 Dec 2025 16:56:48 +0200 [thread overview]
Message-ID: <20251221145746.763179-60-shperetz@nvidia.com> (raw)
In-Reply-To: <20251221145746.763179-1-shperetz@nvidia.com>
Hi,
FYI, your patch has been queued to stable release 23.11.6
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/26/25. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/shanipr/dpdk-stable
This queued commit can be viewed at:
https://github.com/shanipr/dpdk-stable/commit/045c3af0cb1282598864ed7b3f65d33343fb7e91
Thanks.
Shani
---
From 045c3af0cb1282598864ed7b3f65d33343fb7e91 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian@huawei.com>
Date: Fri, 10 Oct 2025 16:41:36 +0800
Subject: [PATCH] vhost: fix double fetch when dequeue offloading
[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ]
The hdr->csum_start does two successive reads from user space to read a
variable length data structure. The result overflow if the data structure
changes between the two reads.
To fix this, we can prevent double fetch issue by copying virtio_hdr to
the temporary variable.
Fixes: 4dc4e33ffa10 ("net/virtio: fix Rx checksum calculation")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/vhost/virtio_net.c | 50 ++++++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index da14271c6d..d41b99812b 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2872,25 +2872,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
}
}
-static __rte_noinline void
+static __rte_always_inline int
copy_vnet_hdr_from_desc(struct virtio_net_hdr *hdr,
- struct buf_vector *buf_vec)
+ const struct buf_vector *buf_vec,
+ uint16_t nr_vec)
{
- uint64_t len;
- uint64_t remain = sizeof(struct virtio_net_hdr);
- uint64_t src;
- uint64_t dst = (uint64_t)(uintptr_t)hdr;
+ size_t remain = sizeof(struct virtio_net_hdr);
+ uint8_t *dst = (uint8_t *)hdr;
- while (remain) {
- len = RTE_MIN(remain, buf_vec->buf_len);
- src = buf_vec->buf_addr;
- rte_memcpy((void *)(uintptr_t)dst,
- (void *)(uintptr_t)src, len);
+ while (remain > 0) {
+ size_t len = RTE_MIN(remain, buf_vec->buf_len);
+ const void *src = (const void *)(uintptr_t)buf_vec->buf_addr;
+ if (unlikely(nr_vec == 0))
+ return -1;
+
+ memcpy(dst, src, len);
remain -= len;
dst += len;
buf_vec++;
+ --nr_vec;
}
+ return 0;
}
static __rte_always_inline int
@@ -2919,16 +2922,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
*/
if (virtio_net_with_host_offload(dev)) {
- if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
- /*
- * No luck, the virtio-net header doesn't fit
- * in a contiguous virtual area.
- */
- copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
- hdr = &tmp_hdr;
- } else {
- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
- }
+ if (unlikely(copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec, nr_vec) != 0))
+ return -1;
+
+ /* ensure that compiler does not delay copy */
+ rte_compiler_barrier();
+ hdr = &tmp_hdr;
}
for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
@@ -3370,7 +3369,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
{
uint16_t avail_idx = vq->last_avail_idx;
uint32_t buf_offset = sizeof(struct virtio_net_hdr_mrg_rxbuf);
- struct virtio_net_hdr *hdr;
uintptr_t desc_addrs[PACKED_BATCH_SIZE];
uint16_t ids[PACKED_BATCH_SIZE];
uint16_t i;
@@ -3389,8 +3387,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
if (virtio_net_with_host_offload(dev)) {
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
- hdr = (struct virtio_net_hdr *)(desc_addrs[i]);
- vhost_dequeue_offload(dev, hdr, pkts[i], legacy_ol_flags);
+ struct virtio_net_hdr hdr;
+
+ memcpy(&hdr, (void *)desc_addrs[i], sizeof(struct virtio_net_hdr));
+ rte_compiler_barrier();
+
+ vhost_dequeue_offload(dev, &hdr, pkts[i], legacy_ol_flags);
}
}
--
2.43.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2025-12-21 16:54:20.259525614 +0200
+++ 0060-vhost-fix-double-fetch-when-dequeue-offloading.patch 2025-12-21 16:54:17.160114000 +0200
@@ -1 +1 @@
-From 285e6b8b187485cc69a175261e40d8d2727e20a3 Mon Sep 17 00:00:00 2001
+From 045c3af0cb1282598864ed7b3f65d33343fb7e91 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ]
+
@@ -14 +15,0 @@
-Cc: stable@dpdk.org
@@ -23 +24 @@
-index 77545d0a4d..0658b81de5 100644
+index da14271c6d..d41b99812b 100644
@@ -26 +27 @@
-@@ -2870,25 +2870,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
+@@ -2872,25 +2872,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
@@ -66 +67 @@
-@@ -2917,16 +2920,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -2919,16 +2922,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
@@ -89 +90 @@
-@@ -3372,7 +3371,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
+@@ -3370,7 +3369,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
@@ -97 +98 @@
-@@ -3391,8 +3389,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
+@@ -3389,8 +3387,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
next prev parent reply other threads:[~2025-12-21 15:03 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-21 14:55 patch 'test/telemetry: fix test calling all commands' " Shani Peretz
2025-12-21 14:55 ` patch 'eal: fix plugin dir walk' " Shani Peretz
2025-12-21 14:55 ` patch 'cmdline: fix port list parsing' " Shani Peretz
2025-12-21 14:55 ` patch 'cmdline: fix highest bit " Shani Peretz
2025-12-21 14:55 ` patch 'tailq: fix lookup macro' " Shani Peretz
2025-12-21 14:55 ` patch 'hash: fix unaligned access in predictable RSS' " Shani Peretz
2025-12-21 14:55 ` patch 'graph: fix unaligned access in stats' " Shani Peretz
2025-12-21 14:55 ` patch 'eventdev: fix listing timer adapters with telemetry' " Shani Peretz
2025-12-21 14:55 ` patch 'cfgfile: fix section count with no name' " Shani Peretz
2025-12-21 14:55 ` patch 'net/gve: do not write zero-length descriptors' " Shani Peretz
2025-12-21 14:55 ` patch 'net/gve: validate Tx packet before sending' " Shani Peretz
2025-12-21 14:56 ` patch 'net/vmxnet3: fix mapping of mempools to queues' " Shani Peretz
2025-12-21 14:56 ` patch 'app/testpmd: increase size of set cores list command' " Shani Peretz
2025-12-21 14:56 ` patch 'net/dpaa2: fix shaper rate' " Shani Peretz
2025-12-21 14:56 ` patch 'app/testpmd: monitor state of primary process' " Shani Peretz
2025-12-21 14:56 ` patch 'net/gve: fix disabling interrupts on DQ' " Shani Peretz
2025-12-21 14:56 ` patch 'app/testpmd: fix conntrack action query' " Shani Peretz
2025-12-21 14:56 ` patch 'doc: add conntrack state inspect command to testpmd guide' " Shani Peretz
2025-12-21 14:56 ` patch 'net/gve: free Rx mbufs if allocation fails on ring setup' " Shani Peretz
2025-12-21 14:56 ` patch 'app/testpmd: validate DSCP and VLAN for meter creation' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix min and max MTU reporting' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix storage of shared Rx queues' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5/hws: fix ESP header match in strict mode' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix unsupported flow rule port action' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix non-template age rules flush' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix connection tracking state item validation' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5/hws: fix TIR action support in FDB' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix indirect flow age action handling' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix Direct Verbs counter offset detection' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix interface name parameter definition' " Shani Peretz
2025-12-21 14:56 ` patch 'net/iavf: fix Tx vector path selection logic' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice: fix vector Rx VLAN offload flags' " Shani Peretz
2025-12-21 14:56 ` patch 'net/intel: fix assumption about tag placement order' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice: fix VLAN tag reporting on Rx' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice/base: fix adding special words' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice/base: fix memory leak in HW profile handling' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice/base: fix memory leak in recipe " Shani Peretz
2025-12-21 14:56 ` patch 'gro: fix payload corruption in coalescing packets' " Shani Peretz
2025-12-21 14:56 ` patch 'eal: fix DMA mask validation with IOVA mode option' " Shani Peretz
2025-12-21 14:56 ` patch 'eal: fix MP socket cleanup' " Shani Peretz
2025-12-21 14:56 ` patch 'crypto/ipsec_mb: fix QP release in secondary' " Shani Peretz
2025-12-21 14:56 ` patch 'efd: fix AVX2 support' " Shani Peretz
2025-12-21 14:56 ` patch 'net/octeon_ep: fix device start' " Shani Peretz
2025-12-21 14:56 ` patch 'common/cnxk: fix async event handling' " Shani Peretz
2025-12-21 14:56 ` patch 'doc: fix feature list of ice driver' " Shani Peretz
2025-12-21 14:56 ` patch 'doc: fix feature list of iavf " Shani Peretz
2025-12-21 14:56 ` patch 'baseband/acc: fix exported header' " Shani Peretz
2025-12-21 14:56 ` patch 'eventdev: do not include driver header in DMA adapter' " Shani Peretz
2025-12-21 14:56 ` patch 'gpudev: fix driver header for Windows' " Shani Peretz
2025-12-21 14:56 ` patch 'drivers: fix some exported headers' " Shani Peretz
2025-12-21 14:56 ` patch 'test/debug: fix crash with mlx5 devices' " Shani Peretz
2025-12-21 14:56 ` patch 'bus/pci: fix build with MinGW 13' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: " Shani Peretz
2025-12-21 14:56 ` patch 'dma/hisilicon: fix stop with pending transfers' " Shani Peretz
2025-12-21 14:56 ` patch 'test/dma: fix failure condition' " Shani Peretz
2025-12-21 14:56 ` patch 'eal/x86: enable timeout in AMD power monitor' " Shani Peretz
2025-12-21 14:56 ` patch 'fib6: fix tbl8 allocation check logic' " Shani Peretz
2025-12-21 14:56 ` patch 'vhost: add VDUSE virtqueue ready state polling workaround' " Shani Peretz
2025-12-21 14:56 ` patch 'vhost: fix virtqueue info init in VDUSE vring setup' " Shani Peretz
2025-12-21 14:56 ` Shani Peretz [this message]
2025-12-21 14:56 ` patch 'net/ice/base: fix integer overflow on NVM init' " Shani Peretz
2025-12-21 14:56 ` patch 'doc: fix display of commands in cpfl guide' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice: fix initialization with 8 ports' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice: remove indirection for FDIR filters' " Shani Peretz
2025-12-21 14:56 ` patch 'net/ice: fix memory leak in raw pattern parse' " Shani Peretz
2025-12-21 14:56 ` patch 'net/i40e: fix symmetric Toeplitz hashing for SCTP' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5/hws: fix ESP header match in strict mode' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix ESP header match after UDP for group 0' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix multicast' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix indirect flow action memory leak' " Shani Peretz
2025-12-21 14:56 ` patch 'net/mlx5: fix MTU initialization' " Shani Peretz
2025-12-21 14:57 ` patch 'net/mlx5: fix leak of flow indexed pools' " Shani Peretz
2025-12-21 14:57 ` patch 'net/hns3: fix inconsistent lock' " Shani Peretz
2025-12-21 14:57 ` patch 'net/hns3: fix VLAN resources freeing' " Shani Peretz
2025-12-21 14:57 ` patch 'net/hns3: fix overwrite mbuf in vector path' " Shani Peretz
2025-12-21 14:57 ` patch 'net/af_packet: fix crash in secondary process' " Shani Peretz
2025-12-21 14:57 ` patch 'net/ark: remove double mbuf free' " Shani Peretz
2025-12-21 14:57 ` patch 'app/testpmd: stop forwarding in secondary process' " Shani Peretz
2025-12-21 14:57 ` patch 'net/tap: fix build with LTO' " Shani Peretz
2025-12-21 14:57 ` patch 'net/hns3: fix VLAN tag loss for short tunnel frame' " Shani Peretz
2025-12-21 14:57 ` patch 'ethdev: fix VLAN filter parameter description' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: fix file descriptor leak on read error' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: fix out-of-bounds access in UIO mapping' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: fix buffer descriptor size configuration' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: fix Tx queue free' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: fix checksum flag handling and error return' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: reject multi-queue configuration' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: fix memory leak in Rx buffer cleanup' " Shani Peretz
2025-12-21 14:57 ` patch 'net/enetfec: reject Tx deferred queue' " Shani Peretz
2025-12-21 14:57 ` patch 'net/tap: fix interrupt callback crash after failed start' " Shani Peretz
2025-12-21 14:57 ` patch 'net/ena: fix PCI BAR mapping on 64K page size' " Shani Peretz
2025-12-21 14:57 ` patch 'net/ena/base: fix unsafe memcpy on invalid memory' " Shani Peretz
2025-12-21 14:57 ` patch 'net/dpaa2: fix uninitialized variable' " Shani Peretz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251221145746.763179-60-shperetz@nvidia.com \
--to=shperetz@nvidia.com \
--cc=maxime.coquelin@redhat.com \
--cc=stable@dpdk.org \
--cc=wangyunjian@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).