|SUCCESS| [v1,4/4] app/testpmd: add TPH stash objects configuration

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Fri May 8 13:54:44 CEST 2026
Previous message (by thread): |WARNING| pw163797-163798 [PATCH] [v1,4/4] app/testpmd: add TPH stas
Next message (by thread): |SUCCESS| [v10] eal/x86: optimize memcpy of small sizes
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/163798

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-05-08

I'll review this patch series implementing PCIe TPH (TLP Processing Hints) support for DPDK.

git sha: 20260508092855.51987-1-fengchengwen at huawei.com
Author: Chengwen Feng <fengchengwen at huawei.com>
Subject: [PATCH v1 1/4] bus/pci: introduce PCIe TPH support

This patch series adds experimental API and implementation for PCIe TLP
Processing Hints (TPH), including Linux VFIO implementation, generic
ethdev cache stash API, igb PMD support, and testpmd configuration.

> diff --git a/drivers/bus/pci/bsd/pci.c b/drivers/bus/pci/bsd/pci.c
> index aba44492e0..0ba1c9d898 100644
> --- a/drivers/bus/pci/bsd/pci.c
> +++ b/drivers/bus/pci/bsd/pci.c

[ ... ]

> +RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pci_tph_query, 26.07)
> +int
> +rte_pci_tph_query(const struct rte_pci_device *dev, uint32_t *supported_modes,
> +		  uint32_t *st_table_sz)
> +{
> +	RTE_SET_USED(dev);
> +	RTE_SET_USED(supported_modes);
> +	RTE_SET_USED(st_table_sz);
> +	return -ENOTSUP;
> +}

Does this code validate the pointer parameters before marking them as
used? The Linux implementation doesn't check for NULL, which could cause
issues if callers pass NULL for parameters they don't need.

> diff --git a/drivers/bus/pci/linux/pci.c b/drivers/bus/pci/linux/pci.c
> index 5f263f8b28..d2eade14a5 100644
> --- a/drivers/bus/pci/linux/pci.c
> +++ b/drivers/bus/pci/linux/pci.c

[ ... ]

> +RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pci_tph_query, 26.07)
> +int
> +rte_pci_tph_query(const struct rte_pci_device *dev, uint32_t *supported_modes,
> +		  uint32_t *st_table_sz)
> +{
> +	if (dev->kdrv == RTE_PCI_KDRV_VFIO && pci_vfio_is_enabled())
> +		return pci_vfio_tph_query(dev, supported_modes, st_table_sz);
> +	return -ENOTSUP;
> +}

Does this function need to validate dev, supported_modes, and st_table_sz
for NULL before dereferencing or passing to pci_vfio_tph_query()?

> diff --git a/drivers/bus/pci/linux/pci_vfio.c b/drivers/bus/pci/linux/pci_vfio.c
> index bc5c5c2499..d109f44d45 100644
> --- a/drivers/bus/pci/linux/pci_vfio.c
> +++ b/drivers/bus/pci/linux/pci_vfio.c

[ ... ]

> +static struct vfio_device_pci_tph_op *
> +pci_vfio_tph_alloc_st_op(uint32_t count)
> +{
> +	struct vfio_device_pci_tph_op *op;
> +	ssize_t sz = sizeof(struct vfio_device_pci_tph_op) +
> +			count * sizeof(struct vfio_pci_tph_entry);
> +	op = calloc(1, sz);
> +	if (op == NULL)
> +		return NULL;
> +	op->argsz = sz;
> +	op->st.count = count;
> +	return op;
> +}

Does this code check for integer overflow in the size calculation? If
count is large enough, the multiplication count * sizeof() could overflow,
leading to a small allocation and subsequent buffer overflows in
pci_vfio_tph_st_get()->pci_vfio_tph_ioctl().

> +int
> +pci_vfio_tph_st_get(const struct rte_pci_device *dev,
> +		    struct rte_pci_tph_entry *ents, uint32_t count)
> +{
> +	struct vfio_device_pci_tph_op *op;
> +	uint32_t i;
> +	int ret;
> +
> +	op = pci_vfio_tph_alloc_st_op(count);
> +	if (op == NULL)
> +		return -ENOMEM;
> +
> +	op->op = VFIO_PCI_TPH_GET_ST;
> +	for (i = 0; i < count; i++) {
> +		op->st.ents[i].cpu = ents[i].cpu;
> +		op->st.ents[i].mem_type = VFIO_PCI_TPH_MEM_TYPE_VM;
> +	}

Does this loop need validation that count doesn't exceed any kernel limits
like VFIO_PCI_TPH_MAX_ENTRIES defined in the patch? The loop could access
beyond allocated memory if count validation isn't enforced.

> diff --git a/drivers/bus/pci/rte_bus_pci.h b/drivers/bus/pci/rte_bus_pci.h
> index 19a7b15b99..58dd4620a3 100644
> --- a/drivers/bus/pci/rte_bus_pci.h
> +++ b/drivers/bus/pci/rte_bus_pci.h

[ ... ]

> +/**
> + * @struct rte_pci_tph_entry
> + * @warning
> + * @b EXPERIMENTAL: this structure may change without prior notice.
> + *
> + * An entry used for TPH Steering Tag (ST) get/set operations.
> + */
> +struct rte_pci_tph_entry {
> +	/**
> +	 * CPU ID used for both get and set operations.
> +	 * For set operation: if set to U32_MAX, clear the ST entry at
> +	 * specified index.
> +	 */
> +	uint32_t cpu;
> +	/** ST table index, only used for set operation */
> +	uint16_t index;
> +	/** Steering tag value, only used for get operation to return result */
> +	uint16_t st;
> +};

Does the API documentation need to specify what happens if cpu exceeds
RTE_MAX_LCORE or other platform CPU limits? The implementation doesn't
appear to validate this.

> diff --git a/lib/ethdev/rte_ethdev.c b/lib/ethdev/rte_ethdev.c
> index 2edc7a362e..4398aca5e1 100644
> --- a/lib/ethdev/rte_ethdev.c
> +++ b/lib/ethdev/rte_ethdev.c

[ ... ]

> +RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_eth_cache_stash_get, 26.03)
> +int
> +rte_eth_cache_stash_get(uint16_t port_id,
> +			struct rte_eth_cache_stash_capability *capa)
> +{
> +	struct rte_eth_dev *dev;
> +
> +	RTE_ETH_VALID_PORTID_OR_ERR_RET(port_id, -ENODEV);
> +
> +	if (capa == NULL)
> +		return -EINVAL;
> +
> +	dev = &rte_eth_devices[port_id];
> +
> +	if (*dev->dev_ops->cache_stash_get == NULL)
> +		return -ENOTSUP;

Does this code dereference dev->dev_ops without checking if dev->dev_ops
itself is NULL? In rte_ethdev.c->eth_err(), there's a similar pattern but
most ops checks verify dev_ops first.

> +RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_eth_cache_stash_set, 26.03)
> +int
> +rte_eth_cache_stash_set(uint16_t port_id, enum rte_eth_cache_stash_op op,
> +		       struct rte_eth_cache_stash_config *config)
> +{
> +	struct rte_eth_dev *dev;
> +
> +	RTE_ETH_VALID_PORTID_OR_ERR_RET(port_id, -ENODEV);
> +
> +	if (op != RTE_ETH_CACHE_STASH_OP_DEV_DISABLE && config == NULL)
> +		return -EINVAL;
> +
> +	dev = &rte_eth_devices[port_id];
> +
> +	if (*dev->dev_ops->cache_stash_set == NULL)
> +		return -ENOTSUP;

Same question about dev->dev_ops NULL check here.

> diff --git a/drivers/net/intel/e1000/igb_ethdev.c b/drivers/net/intel/e1000/igb_ethdev.c
> index ef1599ac38..7aea37d017 100644
> --- a/drivers/net/intel/e1000/igb_ethdev.c
> +++ b/drivers/net/intel/e1000/igb_ethdev.c

[ ... ]

> +static int
> +eth_igb_cache_stash_dev_enable(struct rte_eth_dev *dev,
> +			       struct rte_eth_cache_stash_config *config)
> +{
> +	struct e1000_hw *hw = E1000_DEV_PRIVATE_TO_HW(dev->data->dev_private);
> +	struct rte_pci_device *pci_dev = RTE_ETH_DEV_TO_PCI(dev);
> +	uint32_t support_modes, st_table_sz;
> +	uint32_t mode;
> +	int ret;
> +
> +	if (hw->tph_mode != 0) {
> +		PMD_DRV_LOG(ERR, "Already enable tph_mode=%u", hw->tph_mode);
> +		return -EINVAL;
> +	}
> +
> +	if (config->dev.type != RTE_ETH_CACHE_STASH_TYPE_TPH) {
> +		PMD_DRV_LOG(ERR, "Unsupported stash type=%u!", config->dev.type);
> +		return -ENOTSUP;
> +	}

Does this code validate config is not NULL before accessing config->dev.type?
The caller eth_igb_cache_stash_set() doesn't validate config for
RTE_ETH_CACHE_STASH_OP_DEV_ENABLE before calling this function.

> +static void
> +eth_igb_cache_stash_dev_clear(struct rte_eth_dev *dev)
> +{
> +	uint32_t nb_queues = RTE_MAX(dev->data->nb_rx_queues, dev->data->nb_tx_queues);
> +	struct e1000_hw *hw = E1000_DEV_PRIVATE_TO_HW(dev->data->dev_private);
> +	struct rte_pci_device *pci_dev = RTE_ETH_DEV_TO_PCI(dev);
> +	struct rte_pci_tph_entry ent = {0};
> +	uint32_t reg;
> +	uint32_t i;
> +
> +	for (i = 0; i < nb_queues; i++) {
> +		ent.cpu = UINT32_MAX;
> +		ent.index = i;
> +		rte_pci_tph_st_set(pci_dev, &ent, 1);

Does this code check the return value from rte_pci_tph_st_set()? If the
function fails midway through the loop, some queues may be left in an
inconsistent state.

> +static int
> +eth_igb_cache_stash_queue_enable(struct rte_eth_dev *dev,
> +				 struct rte_eth_cache_stash_config *config)
> +{
> +	struct e1000_hw *hw = E1000_DEV_PRIVATE_TO_HW(dev->data->dev_private);
> +	struct rte_pci_device *pci_dev = RTE_ETH_DEV_TO_PCI(dev);
> +	uint32_t queue_id = config->queue.queue_id;
> +	struct rte_pci_tph_entry ent = {0};
> +	uint32_t reg;
> +	uint16_t st;
> +	int ret;
> +
> +	if (hw->tph_mode == 0) {
> +		PMD_DRV_LOG(ERR, "Device TPH was not enabled!");
> +		return -EINVAL;
> +	}
> +
> +	if (queue_id > RTE_MAX(dev->data->nb_rx_queues, dev->data->nb_tx_queues)) {
> +		PMD_DRV_LOG(ERR, "Invalid queue_id when enable stash!");
> +		return -EINVAL;
> +	}

Does this validation check use >= instead of >? If nb_rx_queues is N, valid
queue IDs are 0 to N-1, so queue_id == N would be invalid but passes this
check.

> diff --git a/app/test-pmd/testpmd.c b/app/test-pmd/testpmd.c
> index e2569d9e30..10d9218a9c 100644
> --- a/app/test-pmd/testpmd.c
> +++ b/app/test-pmd/testpmd.c

[ ... ]

> +static void
> +start_tph_stash(void)
> +{
> +	struct rte_eth_cache_stash_capability capa;
> +	struct rte_eth_cache_stash_config config;
> +	struct fwd_config *cfg = &cur_fwd_config;
> +	struct fwd_stream *fs;
> +	lcoreid_t  lc_id;
> +	streamid_t sm_id;
> +	portid_t pt_id;
> +	int ret;
> +	int i;
> +
> +	for (i = 0; i < cur_fwd_config.nb_fwd_ports; i++) {
> +		pt_id = fwd_ports_ids[i];
> +		ret = rte_eth_cache_stash_get(pt_id, &capa);
> +		if (ret != 0 || (capa.supported_types & RTE_ETH_CACHE_STASH_TYPE_TPH) == 0) {
> +			fprintf(stderr,	"%s: (port %u) don't support tph stash!\n",
> +				__func__, pt_id);
> +			return;
> +		}

Does this function clean up already-enabled ports when it returns early due
to an error? If port 0 succeeds but port 1 fails, port 0 remains enabled
without a corresponding disable call.

> +		memset(&config, 0, sizeof(config));
> +		config.dev.type = RTE_ETH_
Previous message (by thread): |WARNING| pw163797-163798 [PATCH] [v1,4/4] app/testpmd: add TPH stas
Next message (by thread): |SUCCESS| [v10] eal/x86: optimize memcpy of small sizes
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the test-report mailing list