From 2c0eb46f51b3d1364379243b5c9accb3ba49725d Mon Sep 17 00:00:00 2001 From: Jianfeng Tan Date: Mon, 25 Apr 2016 02:37:45 +0000 Subject: [PATCH] virtio: fix segfault on Tx desc flags setup After the do-while loop, idx could be VQ_RING_DESC_CHAIN_END (32768) when it's the last vring desc buf we can get. Therefore, following expresssion could lead to a segfault error, as it tries to access beyond the desc memory boundary. start_dp[idx].flags &= ~VRING_DESC_F_NEXT; This bug could be reproduced easily with "set fwd txonly" in the guest PMD, where the dequeue on host is slower than the guest Tx, that running out of free desc buf is pretty easy. The fix is straightforward and easy, just remove it, as we have already set desc flags properly inside the do-while loop. Fixes: dd856dfcb9e ("virtio: use any layout on Tx") [Yuanhan Liu: commit log reword] Signed-off-by: Jianfeng Tan Acked-by: Huawei Xie Acked-by: Yuanhan Liu --- drivers/net/virtio/virtio_rxtx.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/net/virtio/virtio_rxtx.c b/drivers/net/virtio/virtio_rxtx.c index 2dafebdfd3..f326222ded 100644 --- a/drivers/net/virtio/virtio_rxtx.c +++ b/drivers/net/virtio/virtio_rxtx.c @@ -271,8 +271,6 @@ virtqueue_enqueue_xmit(struct virtqueue *txvq, struct rte_mbuf *cookie, idx = start_dp[idx].next; } while ((cookie = cookie->next) != NULL); - start_dp[idx].flags &= ~VRING_DESC_F_NEXT; - if (use_indirect) idx = txvq->vq_ring.desc[head_idx].next; -- 2.20.1