patch 'vhost: fix virtqueue array size for control queue' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Thu Feb 26 14:08:50 CET 2026

Previous message (by thread): patch 'eal: fix annotation on lcore variable allocator' has been queued to stable release 25.11.1
Next message (by thread): patch 'vhost: fix descriptor chain bounds check in control queue' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/02/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/a32a6239306a6f39c3418e9ee8b9cb63a6742c45

Thanks.

Kevin

---
>From a32a6239306a6f39c3418e9ee8b9cb63a6742c45 Mon Sep 17 00:00:00 2001
From: Maxime Coquelin <maxime.coquelin at redhat.com>
Date: Wed, 14 Jan 2026 16:34:43 +0100
Subject: [PATCH] vhost: fix virtqueue array size for control queue

[ upstream commit 7cc4f260bf1c01ff717b6490f6c0ca205cb08953 ]

When max_queue_pairs is set to VHOST_MAX_QUEUE_PAIRS (128), VDUSE
calculates total_queues as max_queue_pairs * 2 + 1 = 257 to account
for the control queue. However, the virtqueue array was sized as
VHOST_MAX_QUEUE_PAIRS * 2, causing an out-of-bounds array access.

Fix by defining VHOST_MAX_VRING to explicitly account for the control
queue (VHOST_MAX_QUEUE_PAIRS * 2 + 1) and using it for the virtqueue
array size.

Fixes: 653327e191f0 ("vhost: add multiqueue support to VDUSE")

Signed-off-by: Maxime Coquelin <maxime.coquelin at redhat.com>
Reviewed-by: David Marchand <david.marchand at redhat.com>
Reviewed-by: Chenbo Xia <chenbox at nvidia.com>
---
 lib/vhost/vhost.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h
index e9e71c1707..ee61f7415e 100644
--- a/lib/vhost/vhost.h
+++ b/lib/vhost/vhost.h
@@ -262,6 +262,7 @@ struct vhost_async {
 
 #define VHOST_RECONNECT_VERSION		0x0
-#define VHOST_MAX_VRING			0x100
 #define VHOST_MAX_QUEUE_PAIRS		0x80
+/* Max vring count: 2 per queue pair plus 1 control queue */
+#define VHOST_MAX_VRING			(VHOST_MAX_QUEUE_PAIRS * 2 + 1)
 
 struct __rte_cache_aligned vhost_reconnect_vring {
@@ -502,5 +503,5 @@ struct __rte_cache_aligned virtio_net {
 	int			extbuf;
 	int			linearbuf;
-	struct vhost_virtqueue	*virtqueue[VHOST_MAX_QUEUE_PAIRS * 2];
+	struct vhost_virtqueue	*virtqueue[VHOST_MAX_VRING];
 
 	rte_rwlock_t	iotlb_pending_lock;
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-02-26 10:16:49.002528547 +0000
+++ 0048-vhost-fix-virtqueue-array-size-for-control-queue.patch	2026-02-26 10:16:46.964459295 +0000
@@ -1 +1 @@
-From 7cc4f260bf1c01ff717b6490f6c0ca205cb08953 Mon Sep 17 00:00:00 2001
+From a32a6239306a6f39c3418e9ee8b9cb63a6742c45 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 7cc4f260bf1c01ff717b6490f6c0ca205cb08953 ]
+
@@ -16 +17,0 @@
-Cc: stable at dpdk.org

Previous message (by thread): patch 'eal: fix annotation on lcore variable allocator' has been queued to stable release 25.11.1
Next message (by thread): patch 'vhost: fix descriptor chain bounds check in control queue' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list