patch 'vhost: fix double fetch when dequeue offloading' has been queued to stable release 22.11.11
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Mon Oct 27 17:19:22 CET 2025
Hi,
FYI, your patch has been queued to stable release 22.11.11
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 10/29/25. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/c92f022ea7c0d2df726ae97830463dab03208fe6
Thanks.
Luca Boccassi
---
>From c92f022ea7c0d2df726ae97830463dab03208fe6 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian at huawei.com>
Date: Fri, 10 Oct 2025 16:41:36 +0800
Subject: [PATCH] vhost: fix double fetch when dequeue offloading
[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ]
The hdr->csum_start does two successive reads from user space to read a
variable length data structure. The result can overflow if the data structure
changes between the two reads.
To fix this, we can prevent double fetch issue by copying virtio_hdr to
the temporary variable.
Fixes: 4dc4e33ffa10 ("net/virtio: fix Rx checksum calculation")
Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
lib/vhost/virtio_net.c | 50 ++++++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index ec8d03d97f..c90964c935 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2634,25 +2634,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
}
}
-static __rte_noinline void
+static __rte_always_inline int
copy_vnet_hdr_from_desc(struct virtio_net_hdr *hdr,
- struct buf_vector *buf_vec)
+ const struct buf_vector *buf_vec,
+ uint16_t nr_vec)
{
- uint64_t len;
- uint64_t remain = sizeof(struct virtio_net_hdr);
- uint64_t src;
- uint64_t dst = (uint64_t)(uintptr_t)hdr;
+ size_t remain = sizeof(struct virtio_net_hdr);
+ uint8_t *dst = (uint8_t *)hdr;
- while (remain) {
- len = RTE_MIN(remain, buf_vec->buf_len);
- src = buf_vec->buf_addr;
- rte_memcpy((void *)(uintptr_t)dst,
- (void *)(uintptr_t)src, len);
+ while (remain > 0) {
+ size_t len = RTE_MIN(remain, buf_vec->buf_len);
+ const void *src = (const void *)(uintptr_t)buf_vec->buf_addr;
+ if (unlikely(nr_vec == 0))
+ return -1;
+
+ memcpy(dst, src, len);
remain -= len;
dst += len;
buf_vec++;
+ --nr_vec;
}
+ return 0;
}
static __rte_always_inline int
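Review bot: In the new loop of `copy_vnet_hdr_from_desc`, `buf_vec->buf_len` and `buf_vec->buf_addr` are read before the `nr_vec == 0` check, so once the count is exhausted the entry past the last valid vector is still dereferenced before the function returns -1. Move the guard to the top of the loop body, `if (unlikely(nr_vec == 0)) return -1;`, ahead of the `len` and `src` declarations. Since the return type changed from void to int, a short header comment would also help, stating that the function returns 0 after a full copy and -1 when the vectors hold fewer than `sizeof(struct virtio_net_hdr)` bytes.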
@@ -2679,16 +2682,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
*/
if (virtio_net_with_host_offload(dev)) {
- if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
- /*
- * No luck, the virtio-net header doesn't fit
- * in a contiguous virtual area.
- */
- copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
- hdr = &tmp_hdr;
- } else {
- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
- }
+ if (unlikely(copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec, nr_vec) != 0))
+ return -1;
+
+ /* ensure that compiler does not delay copy */
+ rte_compiler_barrier();
+ hdr = &tmp_hdr;
}
for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
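Review bot: The comment `/* ensure that compiler does not delay copy */` in `desc_to_mbuf` does not say what the barrier protects against. Going by the commit message, the header sits in memory the other side can change between reads, and the copy exists so that every later check and use sees the same snapshot. I would say so directly: `/* hdr is in memory the guest can modify: keep the compiler from re-reading it after the copy */`. The matching `rte_compiler_barrier()` in the `virtio_dev_tx_batch_packed` hunk has no comment at all and should get the same one. desc_to_mbuf starts and ends outside this hunk, so how its callers handle the new `return -1` path cannot be checked from here.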
@@ -3048,7 +3047,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
{
uint16_t avail_idx = vq->last_avail_idx;
uint32_t buf_offset = sizeof(struct virtio_net_hdr_mrg_rxbuf);
- struct virtio_net_hdr *hdr;
uintptr_t desc_addrs[PACKED_BATCH_SIZE];
uint16_t ids[PACKED_BATCH_SIZE];
uint16_t i;
@@ -3067,8 +3065,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
if (virtio_net_with_host_offload(dev)) {
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
- hdr = (struct virtio_net_hdr *)(desc_addrs[i]);
- vhost_dequeue_offload(dev, hdr, pkts[i], legacy_ol_flags);
+ struct virtio_net_hdr hdr;
+
+ memcpy(&hdr, (void *)desc_addrs[i], sizeof(struct virtio_net_hdr));
+ rte_compiler_barrier();
+
+ vhost_dequeue_offload(dev, &hdr, pkts[i], legacy_ol_flags);
}
}
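Review bot: The copy in the batch path is written differently from the one in `copy_vnet_hdr_from_desc`: it casts the descriptor address to a non-const `void *` and repeats the type name in `sizeof`. `memcpy(&hdr, (const void *)desc_addrs[i], sizeof(hdr));` keeps the source read-only and ties the length to the destination object. The hunk does not show where the length of the buffer behind `desc_addrs[i]` is checked against the header size. Presumably the batch reservation step covers this, which is worth confirming because the function body extends outside the hunk.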
--
2.47.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2025-10-27 15:54:36.444357043 +0000
+++ 0044-vhost-fix-double-fetch-when-dequeue-offloading.patch 2025-10-27 15:54:34.811949950 +0000
@@ -1 +1 @@
-From 285e6b8b187485cc69a175261e40d8d2727e20a3 Mon Sep 17 00:00:00 2001
+From c92f022ea7c0d2df726ae97830463dab03208fe6 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 285e6b8b187485cc69a175261e40d8d2727e20a3 ]
+
@@ -14 +15,0 @@
-Cc: stable at dpdk.org
@@ -23 +24 @@
-index 77545d0a4d..0658b81de5 100644
+index ec8d03d97f..c90964c935 100644
@@ -26 +27 @@
-@@ -2870,25 +2870,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
+@@ -2634,25 +2634,28 @@ vhost_dequeue_offload(struct virtio_net *dev, struct virtio_net_hdr *hdr,
@@ -66 +67 @@
-@@ -2917,16 +2920,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -2679,16 +2682,12 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
@@ -89 +90 @@
-@@ -3372,7 +3371,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
+@@ -3048,7 +3047,6 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
@@ -97 +98 @@
-@@ -3391,8 +3389,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,
+@@ -3067,8 +3065,12 @@ virtio_dev_tx_batch_packed(struct virtio_net *dev,