|WARNING| [v4] net/iavf: fix duplicate VF reset during PF reset recovery

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Mon Jun 8 21:32:09 CEST 2026
Previous message (by thread): |WARNING| [7/7] net/ice: add header split mbuf callback support
Next message (by thread): |WARNING| net/iavf: fix misleading AQ failure logging
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Test-Label: ai-code-review
Test-Status: WARNING
https://dpdk.org/patch/165174

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-06-08

# DPDK Patch Review

## Patch Overview
This patch fixes duplicate VF reset operations during PF-initiated reset recovery in the iavf driver by skipping close-time virtchnl operations when PF reset recovery is in progress.

---

## ERRORS

### 1. Resource leak on error path - Missing cleanup after `iavf_dev_stop()`

In `iavf_dev_close()`, if `iavf_dev_stop()` fails (returns non-zero), the function continues to set `adapter->closed = true` and proceeds with cleanup. However, the return value `ret` is never checked or used after the call, and if `iavf_dev_stop()` fails, some resources may not be properly released, yet the function marks the device as closed anyway.

**Suggested fix:**
```c
ret = iavf_dev_stop(dev);
if (ret != 0) {
    PMD_DRV_LOG(ERR, "Failed to stop device: %d", ret);
    /* Consider whether to continue with close or return early */
}
```

---

### 2. Unsafe access to `vf->in_reset_recovery` after NULL check

The code checks `vf->in_reset_recovery` but does not verify that `vf` itself is non-NULL before this access. While `vf` is assigned at the start of the function, there's no explicit NULL check after `IAVF_DEV_PRIVATE_TO_VF(dev->data->dev_private)`.

**Why it matters:** If `dev->data->dev_private` is NULL or invalid, this dereferences NULL.

**Suggested fix:**
Add NULL check after vf assignment:
```c
vf = IAVF_DEV_PRIVATE_TO_VF(dev->data->dev_private);
if (vf == NULL) {
    PMD_DRV_LOG(ERR, "VF private data is NULL");
    return -EINVAL;
}
```

---

### 3. Race condition - `vf->vf_reset` checked without synchronization

In `iavf_read_msg_from_pf()`, the code checks and sets `vf->vf_reset` without any locking or atomic operations:

```c
if (!vf->vf_reset) {
    vf->vf_reset = true;
    ...
}
```

**Why it matters:** If multiple threads or interrupt contexts can call this function concurrently, this is a TOCTOU (time-of-check-time-of-use) race that could result in duplicate reset handling or lost state updates.

**Suggested fix:**
Use atomic operations:
```c
if (rte_atomic_load_explicit(&vf->vf_reset, rte_memory_order_acquire) == false) {
    rte_atomic_store_explicit(&vf->vf_reset, true, rte_memory_order_release);
    ...
}
```

(Note: This assumes `vf->vf_reset` should be converted to an atomic type. If the field is already protected by a lock elsewhere, document that requirement.)

---

### 4. Shared variable `vf->link_up` modified without synchronization

In `VIRTCHNL_EVENT_RESET_IMPENDING` handling, `vf->link_up = false` is a bare write to a shared variable that is likely read by other threads (e.g., link status query functions).

**Suggested fix:**
```c
rte_atomic_store_explicit(&vf->link_up, false, rte_memory_order_release);
```

---

## WARNINGS

### 1. Missing release notes for internal state fix

The release notes describe the user-visible symptom (connection loss) but do not mention the new `vf->in_reset_recovery` flag or the conditions under which close-time operations are now skipped. This is valuable context for users diagnosing upgrade behavior changes.

**Suggested addition to release notes:**
```rst
* **net/iavf: fixed duplicate VF reset during PF reset recovery.**

  Prevented duplicate 'VIRTCHNL_OP_RESET_VF' during a PF-initiated
  reset recovery by skipping close-time virtchnl operations when
  'in_reset_recovery' is set. This resolves virtchnl state corruption
  and connection loss after a top-of-rack (ToR) link flap/power-cycle.
```

---

### 2. Boolean variable `adapter->closed` should use `bool` type

The code uses `adapter->closed = true`, suggesting this field is boolean. If it's declared as `int`, it should be `bool` for clarity and type safety (per the guidelines on boolean usage).

**Check the structure definition.** If it's `int`, consider changing to `bool` in a separate patch.

---

### 3. Boolean variable `vf->vf_reset` should use `bool` type

Same issue as above - `vf->vf_reset = true` suggests boolean semantics. If declared as `int`, it should be `bool`.

---

### 4. Log level inconsistency - `PMD_DRV_LOG(INFO, ...)` changed to `DEBUG`

The patch changes:
```c
PMD_DRV_LOG(INFO, "VF is resetting");
```
to:
```c
PMD_DRV_LOG(DEBUG, "VF is resetting");
```

This may make reset events harder to diagnose in production. If this is intentional (to reduce log spam), it should be mentioned in the commit message. If not, this is a potentially unintended side effect of the refactor.

**Recommendation:** Either revert to `INFO` level or document why `DEBUG` is appropriate.

---

### 5. Missing NULL check on `vf->eth_dev` before event post

In the new code:
```c
iavf_dev_event_post(vf->eth_dev, RTE_ETH_EVENT_INTR_RESET, NULL, 0);
```

If `vf->eth_dev` is NULL (e.g., during teardown), this will dereference NULL inside `iavf_dev_event_post()`.

**Suggested fix:**
```c
if (vf->eth_dev != NULL)
    iavf_dev_event_post(vf->eth_dev, RTE_ETH_EVENT_INTR_RESET, NULL, 0);
```

---

### 6. Confusing double-negative condition

The condition:
```c
if (!adapter->closed && !vf->in_reset_recovery)
```

is a double-negative that could be rewritten for clarity as:
```c
/* Perform close-time cleanup only if device is open and not in PF-initiated reset */
if (!adapter->closed && !vf->in_reset_recovery)
```

Or consider renaming `in_reset_recovery` to `pf_reset_in_progress` for clearer intent.

---

### 7. Potential memory leak if `iavf_config_promisc()` fails

The code calls `iavf_config_promisc(adapter, false, false)` but ignores any error return. If this fails, the VF may remain in promiscuous mode on the PF side, leaking resources or leaving inconsistent state.

**Suggested fix:**
```c
ret = iavf_config_promisc(adapter, false, false);
if (ret != 0)
    PMD_DRV_LOG(WARNING, "Failed to disable promiscuous mode during close: %d", ret);
```

---

## STYLE OBSERVATIONS (Info Level)

### 1. Comment placement and formatting

The comment:
```c
/* Skip RESET_VF on a PF-initiated reset */
```
appears twice in the same function. Consider consolidating the logic or using a helper function to make the intent clearer and avoid repetition.

---

### 2. Whitespace in comment

The comment:
```c
/*
 * Disable promiscuous mode before resetting the VF. This is to avoid
 * potential issues when the PF is bound to the kernel driver.
 */
```

is now inside a conditional block. The indentation and flow suggest this comment should be updated to reflect that it's now conditional on `!adapter->closed && !vf->in_reset_recovery`.

---

## SUMMARY

**Critical issues (must fix):**
- Resource leak potential if `iavf_dev_stop()` fails
- Missing NULL check on `vf` after retrieval from `dev_private`
- Race condition on `vf->vf_reset` and `vf->link_up` (no synchronization)
- Missing NULL check on `vf->eth_dev` before event post

**Important issues (should fix):**
- Log level change from `INFO` to `DEBUG` may hinder diagnostics
- Error handling for `iavf_config_promisc()` ignored
- Boolean types should be used for `adapter->closed`, `vf->vf_reset`, and similar flags

**Style/clarity:**
- Double-negative condition could be clearer
- Duplicate comment could be consolidated

The patch addresses a real bug (duplicate VF reset) but introduces or reveals several synchronization and error-handling issues that should be addressed before merging.
Previous message (by thread): |WARNING| [7/7] net/ice: add header split mbuf callback support
Next message (by thread): |WARNING| net/iavf: fix misleading AQ failure logging
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the test-report mailing list