Patch "virtio_ring: fix avail_wrap_counter in virtqueue_add_packed" has been added to the 6.4-stable tree

This is a note to let you know that I've just added the patch titled

    virtio_ring: fix avail_wrap_counter in virtqueue_add_packed

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0f5db70fc50f53ffe85809148fc9b11da02bde3a
Author: Yuan Yao <yuanyaogoog@xxxxxxxxxxxx>
Date:   Tue Aug 8 05:10:59 2023 +0000

    virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
    
    [ Upstream commit 1acfe2c1225899eab5ab724c91b7e1eb2881b9ab ]
    
    In the current packed virtqueue implementation, the avail_wrap_counter
    won't flip in the case when the driver supplies a descriptor chain with
    a length equal to the queue size; total_sg == vq->packed.vring.num.
    
    Let’s assume the following situation:
    vq->packed.vring.num=4
    vq->packed.next_avail_idx: 1
    vq->packed.avail_wrap_counter: 0
    
    Then the driver adds a descriptor chain containing 4 descriptors.
    
    We expect the following result with avail_wrap_counter flipped:
    vq->packed.next_avail_idx: 1
    vq->packed.avail_wrap_counter: 1
    
    But, the current implementation gives the following result:
    vq->packed.next_avail_idx: 1
    vq->packed.avail_wrap_counter: 0
    
    To reproduce the bug, you can set a packed queue size as small as
    possible, so that the driver is more likely to provide a descriptor
    chain with a length equal to the packed queue size. For example, in
    qemu run the following commands:
    sudo qemu-system-x86_64 \
    -enable-kvm \
    -nographic \
    -kernel "path/to/kernel_image" \
    -m 1G \
    -drive file="path/to/rootfs",if=none,id=disk \
    -device virtio-blk,drive=disk \
    -drive file="path/to/disk_image",if=none,id=rwdisk \
    -device virtio-blk,drive=rwdisk,packed=on,queue-size=4,\
    indirect_desc=off \
    -append "console=ttyS0 root=/dev/vda rw init=/bin/bash"
    
    Inside the VM, create a directory and mount the rwdisk device on it. The
    rwdisk will hang and the mount operation will not complete.
    
    This commit fixes the wrap counter error by flipping the
    packed.avail_wrap_counter when the start of the descriptor chain equals
    the end of the descriptor chain (head == i).
    
    Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support")
    Signed-off-by: Yuan Yao <yuanyaogoog@xxxxxxxxxxxx>
    Message-Id: <20230808051110.3492693-1-yuanyaogoog@xxxxxxxxxxxx>
    Acked-by: Jason Wang <jasowang@xxxxxxxxxx>
    Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index c5310eaf8b468..da1150d127c24 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -1461,7 +1461,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
 		}
 	}
 
-	if (i < head)
+	if (i <= head)
 		vq->packed.avail_wrap_counter ^= 1;
 
 	/* We're using some buffers from the free list. */
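Review bot: the `i <= head` test at the wrap-counter flip has no comment explaining why equality counts as a wrap, and it is only correct if at least one descriptor was added before this line. Per the commit message, `i == head` happens when the chain consumed every slot (total_sg == vq->packed.vring.num); if the function could reach this point with zero descriptors, the same equality would flip the counter spuriously. Suggest a one-line comment above the condition stating that case, and confirming that an earlier check (not visible in this hunk) rejects an empty chain.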


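An added example (not part of the patch or the kernel source): a simplified user-space model of the index advance and wrap-counter flip described in the commit message, comparing the old `i < head` test with the patched `i <= head` over every start index and chain length. The struct, the function names and the per-descriptor wrap loop are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the driver-side state named in the commit message. */
struct packed_state {
	unsigned int num;            /* queue size (vq->packed.vring.num) */
	unsigned int next_avail_idx;
	bool avail_wrap_counter;
};

/* Add a chain of total_sg descriptors (caller ensures 1 <= total_sg <= num).
 * fixed == false models the old `i < head` test, true the patched `i <= head`. */
static void add_chain(struct packed_state *s, unsigned int total_sg, bool fixed)
{
	unsigned int head = s->next_avail_idx, i = head;

	for (unsigned int n = 0; n < total_sg; n++)
		if (++i >= s->num)   /* assumed: index wraps to 0 at the ring end */
			i = 0;
	if (fixed ? (i <= head) : (i < head))
		s->avail_wrap_counter ^= 1;
	s->next_avail_idx = i;
}

/* Ground truth: the counter flips iff the chain runs past the last slot. */
static bool expected_wrap(unsigned int idx, unsigned int total_sg, unsigned int num)
{
	return idx + total_sg >= num;
}

/* Count (start index, chain length) pairs where the model gets it wrong. */
static unsigned int count_mismatches(unsigned int num, bool fixed)
{
	unsigned int bad = 0;

	for (unsigned int idx = 0; idx < num; idx++)
		for (unsigned int len = 1; len <= num; len++) {
			struct packed_state s = { num, idx, false };
			add_chain(&s, len, fixed);
			if (s.avail_wrap_counter != expected_wrap(idx, len, num))
				bad++;
		}
	return bad;
}

int main(void)
{
	printf("queue size 4: old test wrong in %u cases, patched test in %u\n",
	       count_mismatches(4, false), count_mismatches(4, true));
	return 0;
}
```

The old test fails exactly for the full-ring chains (one per start index), which is the case the commit message reproduces with queue-size=4.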
