public inbox for passt-dev@passt.top
From: Laurent Vivier <lvivier@redhat.com>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top, David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v3] iov: Add iov_truncate() helper and use it in vu handlers
Date: Fri, 6 Mar 2026 11:41:17 +0100
Message-ID: <8dd07b62-b7d1-46c6-8378-da8e11d81a67@redhat.com>
In-Reply-To: <28c1ce99-b58a-48c7-9ab8-53bd8926809f@redhat.com>

On 3/6/26 09:51, Laurent Vivier wrote:
> On 3/6/26 09:25, Stefano Brivio wrote:
>> On Fri, 6 Mar 2026 09:17:32 +0100
>> Laurent Vivier <lvivier@redhat.com> wrote:
>>
>>> On 3/6/26 08:35, Stefano Brivio wrote:
>>>> On Thu,  5 Mar 2026 13:56:48 +0100
>>>> Laurent Vivier <lvivier@redhat.com> wrote:
>>>>> Add a generic iov_truncate() function that truncates an IO vector to a
>>>>> given number of bytes, returning the number of iov entries that contain
>>>>> data after truncation.
>>>>>
>>>>> Use it in udp_vu_sock_recv() and tcp_vu_sock_recv() to replace the
>>>>> open-coded truncation logic that adjusted iov entries after recvmsg().
>>>>> Also convert the direct iov_len assignment in tcp_vu_send_flag() to use
>>>>> iov_truncate() for consistency.
>>>>>
>>>>> Signed-off-by: Laurent Vivier <lvivier@redhat.com>
>>>>> ---
>>>>>
>>>>> Notes:
>>>>>       v3: use in tcp_vu_send_flag() too
>>>>>       v2: use iov_truncate() in udp_vu_sock_recv() too
>>>>>
>>>>>    iov.c    | 22 ++++++++++++++++++++++
>>>>>    iov.h    |  1 +
>>>>>    tcp_vu.c | 14 +++-----------
>>>>>    udp_vu.c | 12 +++---------
>>>>>    4 files changed, 29 insertions(+), 20 deletions(-)
>>>>>
>>>>> diff --git a/iov.c b/iov.c
>>>>> index ad726daa4cd8..31a3f5bc29e5 100644
>>>>> --- a/iov.c
>>>>> +++ b/iov.c
>>>>> @@ -147,6 +147,28 @@ size_t iov_size(const struct iovec *iov, size_t iov_cnt)
>>>>>        return len;
>>>>>    }
>>>>> +/**
>>>>> + * iov_truncate() - Truncate an IO vector to a given number of bytes
>>>>> + * @iov:    IO vector (modified)
>>>>> + * @iov_cnt:    Number of entries in @iov
>>>>> + * @size:    Total number of bytes to keep
>>>>> + *
>>>>> + * Return: number of iov entries that contain data after truncation
>>>>> + */
>>>>> +size_t iov_truncate(struct iovec *iov, size_t iov_cnt, size_t size)
>>>>> +{
>>>>> +    size_t i, offset;
>>>>> +
>>>>> +    i = iov_skip_bytes(iov, iov_cnt, size, &offset);
>>>>> +
>>>>> +    if (i < iov_cnt) {
>>>>> +        iov[i].iov_len = offset;
>>>>> +        i += !!offset;
>>>>> +    }
>>>>> +
>>>>> +    return i;
>>>>> +}
>>>>> +
>>>>>    /**
>>>>>     * iov_tail_prune() - Remove any unneeded buffers from an IOV tail
>>>>>     * @tail:    IO vector tail (modified)
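Review bot: the kernel-doc for iov_truncate() should spell out what the body leaves implicit: only iov[i] is ever modified, so entries past the returned count keep their old iov_len and callers must use the return value rather than the original @iov_cnt; when iov_skip_bytes() returns @iov_cnt (a @size at or beyond the vector's total length) no entry is touched at all; and a @size that lands exactly on an entry boundary sets the next entry's iov_len to 0 while `i += !!offset;` excludes it from the count. Stating these three cases in the "Return:" line would save every caller from re-deriving them.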
>>>>> diff --git a/iov.h b/iov.h
>>>>> index d1ab91a94e22..b4e50b0fca5a 100644
>>>>> --- a/iov.h
>>>>> +++ b/iov.h
>>>>> @@ -29,6 +29,7 @@ size_t iov_from_buf(const struct iovec *iov, size_t iov_cnt,
>>>>>    size_t iov_to_buf(const struct iovec *iov, size_t iov_cnt,
>>>>>              size_t offset, void *buf, size_t bytes);
>>>>>    size_t iov_size(const struct iovec *iov, size_t iov_cnt);
>>>>> +size_t iov_truncate(struct iovec *iov, size_t iov_cnt, size_t size);
>>>>>    /*
>>>>>     * DOC: Theory of Operation, struct iov_tail
>>>>> diff --git a/tcp_vu.c b/tcp_vu.c
>>>>> index 88be232dca66..8ca4170f13f6 100644
>>>>> --- a/tcp_vu.c
>>>>> +++ b/tcp_vu.c
>>>>> @@ -131,7 +131,7 @@ int tcp_vu_send_flag(const struct ctx *c, struct tcp_tap_conn 
>>>>> *conn, int flags)
>>>>>            return ret;
>>>>>        }
>>>>> -    flags_elem[0].in_sg[0].iov_len = hdrlen + optlen;
>>>>> +    iov_truncate(&flags_iov[0], 1, hdrlen + optlen);
>>>>>        payload = IOV_TAIL(flags_elem[0].in_sg, 1, hdrlen);
>>>>>        if (flags & KEEPALIVE)
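Review bot: the removed line assigns flags_elem[0].in_sg[0].iov_len, but the replacement calls iov_truncate(&flags_iov[0], 1, ...) while the next line still builds the tail from flags_elem[0].in_sg; if flags_iov[0] is not the very same iovec, the tail is built from an untruncated entry. The semantics also change: the old assignment set iov_len to hdrlen + optlen unconditionally, whereas iov_truncate() only ever shrinks an entry, so a buffer shorter than hdrlen + optlen is now left as is and the discarded return value hides that. Either say in the commit message that growing was never intended, or check that the call returns 1.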
>>>>> @@ -192,9 +192,9 @@ static ssize_t tcp_vu_sock_recv(const struct ctx *c, struct 
>>>>> vu_virtq *vq,
>>>>>        struct msghdr mh_sock = { 0 };
>>>>>        uint16_t mss = MSS_GET(conn);
>>>>>        int s = conn->sock;
>>>>> -    ssize_t ret, len;
>>>>>        size_t hdrlen;
>>>>>        int elem_cnt;
>>>>> +    ssize_t ret;
>>>>>        int i;
>>>>>        *iov_cnt = 0;
>>>>> @@ -247,15 +247,7 @@ static ssize_t tcp_vu_sock_recv(const struct ctx *c, struct 
>>>>> vu_virtq *vq,
>>>>>            ret -= already_sent;
>>>>>        /* adjust iov number and length of the last iov */
>>>>> -    len = ret;
>>>>> -    for (i = 0; len && i < elem_cnt; i++) {
>>>>> -        struct iovec *iov = &elem[i].in_sg[0];
>>>>> -
>>>>> -        if (iov->iov_len > (size_t)len)
>>>>> -            iov->iov_len = len;
>>>>> -
>>>>> -        len -= iov->iov_len;
>>>>> -    }
>>>>> +    i = iov_truncate(&iov_vu[DISCARD_IOV_NUM], elem_cnt, ret);
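Review bot: ret is ssize_t and is passed to the size_t @size parameter with an implicit conversion, so a negative ret would become a very large size and silently truncate nothing; if ret is guaranteed non-negative on this path, an explicit (size_t) cast with a one-line comment next to the call documents that. The removed loop also walked elem[i].in_sg[0] per element, while the call passes &iov_vu[DISCARD_IOV_NUM] with elem_cnt entries, so the change relies on those being the same contiguous iovecs; the kept "adjust iov number and length" comment is a good place to say so.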
>>>>
>>>> I had a quick look, but I couldn't figure this out. This causes
>>>> Coverity Scan to report:
>>>>
>>>> /home/sbrivio/passt/tcp_vu.c:457:3:
>>>>     Type: Overflowed constant (INTEGER_OVERFLOW)
>>>>
>>>> /home/sbrivio/passt/tcp_vu.c:355:2:
>>>>     1. path: Condition "!vu_queue_enabled(vq)", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:355:2:
>>>>     2. path: Condition "!vu_queue_started(vq)", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:362:2:
>>>>     3. path: Condition "0U /* (uint32_t)0 */ - (uint32_t)already_sent - 1 < (16777216U /* 1 << 16 + 8 */)", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:374:2:
>>>>     4. path: Condition "!wnd_scaled", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:374:2:
>>>>     5. path: Condition "already_sent >= wnd_scaled", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:388:2:
>>>>     6. path: Condition "v6", taking true branch.
>>>> /home/sbrivio/passt/tcp_vu.c:390:2:
>>>>     7. path: Condition "len < 0", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:402:2:
>>>>     8. path: Condition "!len", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:425:2:
>>>>     9. path: Condition "log_trace", taking true branch.
>>>> /home/sbrivio/passt/tcp_vu.c:426:2:
>>>>     10. path: Condition "log_trace", taking true branch.
>>>> /home/sbrivio/passt/tcp_vu.c:439:2:
>>>>     11. path: Condition "v6", taking true branch.
>>>> /home/sbrivio/passt/tcp_vu.c:439:2:
>>>>     12. function_return: Function "tcp_vu_hdrlen(v6)" returns 86.
>>>> /home/sbrivio/passt/tcp_vu.c:439:2:
>>>>     13. known_value_assign: "hdrlen" = "tcp_vu_hdrlen(v6)", its value is now 86.
>>>> /home/sbrivio/passt/tcp_vu.c:440:2:
>>>>     14. path: Condition "i < head_cnt", taking true branch.
>>>> /home/sbrivio/passt/tcp_vu.c:443:3:
>>>>     15. function_return: Function "iov_size(iov, buf_cnt)" returns 0.
>>>> /home/sbrivio/passt/tcp_vu.c:443:3:
>>>>     16. known_value_assign: "dlen" = "iov_size(iov, buf_cnt) - hdrlen", its value is now 18446744073709551530.
>>>> /home/sbrivio/passt/tcp_vu.c:450:3:
>>>>     17. path: Condition "previous_dlen != dlen", taking true branch.
>>>> /home/sbrivio/passt/tcp_vu.c:454:3:
>>>>     18. path: Condition "!*c->pcap", taking false branch.
>>>> /home/sbrivio/passt/tcp_vu.c:457:3:
>>>>     19. overflow_const: Expression "dlen + hdrlen", where "dlen" is known to be equal to -86, and "hdrlen" is known to be equal to 86, underflows the type of "dlen + hdrlen", which is type "unsigned long".
>>>
>>> if iov_size(iov, buf_cnt) = 0 and hdrlen = 86 (all unsigned)
>>> "dlen" = "iov_size(iov, buf_cnt) - hdrlen", its value is now 18446744073709551530 (see
>>> 16.) (i.e. -hdrlen, unsigned -86)
>>> so "dlen + hdrlen" overflows (I guess).
>>
>> I was also thinking it was something like that but:
>>
>>>
>>> Try:
>>> diff --git a/tcp_vu.c b/tcp_vu.c
>>> index 8ca4170f13f6..787ee004a66a 100644
>>> --- a/tcp_vu.c
>>> +++ b/tcp_vu.c
>>> @@ -440,7 +440,7 @@ int tcp_vu_data_from_sock(const struct ctx *c, struct tcp_tap_conn 
>>> *conn)
>>>           for (i = 0, previous_dlen = -1, check = NULL; i < head_cnt; i++) {
>>>                   struct iovec *iov = &elem[head[i]].in_sg[0];
>>>                   int buf_cnt = head[i + 1] - head[i];
>>> -               ssize_t dlen = iov_size(iov, buf_cnt) - hdrlen;
>>> +               ssize_t dlen = (ssize_t)iov_size(iov, buf_cnt) - hdrlen;
>>>                   bool push = i == head_cnt - 1;
>>>                   size_t l2len;
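Review bot: the (ssize_t) cast on the left operand does not change the type of the subtraction: hdrlen is unsigned long, so the usual arithmetic conversions turn the signed operand back into unsigned and iov_size(iov, buf_cnt) - hdrlen is still evaluated modulo 2^64; only the final store into the ssize_t dlen yields -86, and the later dlen + hdrlen wraps again. Casting hdrlen as well, or checking iov_size(iov, buf_cnt) >= hdrlen before subtracting, is what actually removes the unsigned wraparound.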
>>
>> ...still not happy because of how we use dlen later (I think?):
>>
>> /home/sbrivio/passt/tcp_vu.c:457:3:
>>    Type: Overflowed constant (INTEGER_OVERFLOW)
>>
>> /home/sbrivio/passt/tcp_vu.c:355:2:
>>    1. path: Condition "!vu_queue_enabled(vq)", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:355:2:
>>    2. path: Condition "!vu_queue_started(vq)", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:362:2:
>>    3. path: Condition "0U /* (uint32_t)0 */ - (uint32_t)already_sent - 1 < (16777216U /* 1 << 16 + 8 */)", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:374:2:
>>    4. path: Condition "!wnd_scaled", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:374:2:
>>    5. path: Condition "already_sent >= wnd_scaled", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:388:2:
>>    6. path: Condition "v6", taking true branch.
>> /home/sbrivio/passt/tcp_vu.c:390:2:
>>    7. path: Condition "len < 0", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:402:2:
>>    8. path: Condition "!len", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:425:2:
>>    9. path: Condition "log_trace", taking true branch.
>> /home/sbrivio/passt/tcp_vu.c:426:2:
>>    10. path: Condition "log_trace", taking true branch.
>> /home/sbrivio/passt/tcp_vu.c:439:2:
>>    11. path: Condition "v6", taking true branch.
>> /home/sbrivio/passt/tcp_vu.c:440:2:
>>    12. path: Condition "i < head_cnt", taking true branch.
>> /home/sbrivio/passt/tcp_vu.c:443:3:
>>    13. known_value_assign: "dlen" = "(ssize_t)iov_size(iov, buf_cnt) - hdrlen", its value is now 18446744073709551530.
>> /home/sbrivio/passt/tcp_vu.c:450:3:
>>    14. path: Condition "previous_dlen != dlen", taking true branch.
>> /home/sbrivio/passt/tcp_vu.c:454:3:
>>    15. path: Condition "!*c->pcap", taking false branch.
>> /home/sbrivio/passt/tcp_vu.c:457:3:
>>    16. overflow_const: Expression "dlen + hdrlen", where "dlen" is known to be equal to -86, and "hdrlen" is known to be equal to 86, underflows the type of "dlen + hdrlen", which is type "unsigned long".
>>
>> /home/sbrivio/passt/conf.c:2373:4:
>>    Type: Untrusted value as argument (TAINTED_SCALAR)
>>
> 
> Could you try:
> diff --git a/tcp_vu.c b/tcp_vu.c
> index 8ca4170f13f6..fd734e857b3b 100644
> --- a/tcp_vu.c
> +++ b/tcp_vu.c
> @@ -440,10 +440,14 @@ int tcp_vu_data_from_sock(const struct ctx *c, struct tcp_tap_conn 
> *conn)
>          for (i = 0, previous_dlen = -1, check = NULL; i < head_cnt; i++) {
>                  struct iovec *iov = &elem[head[i]].in_sg[0];
>                  int buf_cnt = head[i + 1] - head[i];
> -               ssize_t dlen = iov_size(iov, buf_cnt) - hdrlen;
> +               size_t frame_size = iov_size(iov, buf_cnt);
>                  bool push = i == head_cnt - 1;
> +               ssize_t dlen;
>                  size_t l2len;
> 
> +               ASSERT(frame_size >= hdrlen);
> +
> +               dlen = frame_size - hdrlen;
>                  vu_set_vnethdr(iov->iov_base, buf_cnt);
> 
>                  /* The IPv4 header checksum varies only with dlen */
> 
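Review bot: ASSERT(frame_size >= hdrlen) removes the wraparound by making the precondition explicit, and with it established dlen = frame_size - hdrlen is computed in size_t and the later dlen + hdrlen can no longer wrap. It also turns a violation into a process abort, though: if the lengths behind elem[head[i]].in_sg can ever be shaped by the other side of the vhost-user queue rather than being sized by this code, that is an abort an untrusted peer could trigger, so the commit message should say why frame_size >= hdrlen holds by construction and not only that the analyser is satisfied.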
> Coverity likes "ASSERT()"...

This seems to fix the problem for me.

Do you want a separate patch or to merge with this one?

Thanks,
Laurent
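To make the cast discussion above concrete, here is an added C illustration (not code from the passt tree): it takes the values from the Coverity trace, an empty frame and the 86-byte v6 header length, and shows that casting only the left operand leaves the subtraction unsigned, why the stored dlen still reads as -86, why dlen + hdrlen then "works" by a second wraparound, and how the check-first form that the ASSERT() variant relies on avoids both. The FRAME_EMPTY/HDRLEN_V6 values and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed inputs matching the Coverity trace: iov_size() returned 0 for
 * the frame and tcp_vu_hdrlen(v6) returned 86. */
#define FRAME_EMPTY ((size_t)0)
#define HDRLEN_V6   ((size_t)86)

/* True if "(ssize_t)frame - hdr" has an unsigned type.  The cast on the left
 * operand is undone by the usual arithmetic conversions because hdr is
 * size_t, so the subtraction is done in unsigned arithmetic and wraps. */
static bool cast_left_only_is_unsigned(size_t frame, size_t hdr)
{
	return _Generic((ssize_t)frame - hdr, size_t: true, default: false);
}

/* With both operands cast the expression keeps a signed type. */
static bool cast_both_is_unsigned(size_t frame, size_t hdr)
{
	return _Generic((ssize_t)frame - (ssize_t)hdr, size_t: true, default: false);
}

/* Mirrors "ssize_t dlen = iov_size(...) - hdrlen": the unsigned result
 * 2^64 - 86 becomes -86 only when it is stored into the ssize_t. */
static ssize_t dlen_unchecked(size_t frame, size_t hdr)
{
	return (ssize_t)frame - hdr;
}

/* Mirrors the later "dlen + hdrlen": -86 is converted back to unsigned long
 * and the addition wraps to 0.  The result looks right only because the two
 * wraparounds cancel, which is the underflow Coverity reports. */
static size_t l2len_unchecked(size_t frame, size_t hdr)
{
	ssize_t dlen = dlen_unchecked(frame, hdr);

	return dlen + hdr;
}

/* Check-first form, as the ASSERT() variant establishes: a frame that cannot
 * hold the header is rejected before any subtraction, so nothing wraps.
 * Returns -1 for a violated precondition; the caller decides what to do. */
static ssize_t dlen_checked(size_t frame, size_t hdr)
{
	if (frame < hdr)
		return -1;
	return (ssize_t)(frame - hdr);
}
```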
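A self-contained model of the iov_truncate() semantics from the patch, added here as an example and not the project's code: it assumes iov_skip_bytes() returns the index of the entry containing byte @size with the in-entry offset in *offset, or @iov_cnt when @size reaches the end, and runs the helper on a constructed three-entry vector to show which entries it touches at a mid-entry cut, on an exact boundary, past the end, and at zero.

```c
#include <stddef.h>
#include <sys/uio.h>

/* Model of iov_skip_bytes() with the semantics the patch relies on (assumed
 * here, not the project's code): return the index of the entry that holds
 * byte @skip and store the offset inside it in *offset, or return @iov_cnt
 * when @skip is at or beyond the end of the vector. */
static size_t model_iov_skip_bytes(const struct iovec *iov, size_t iov_cnt,
				   size_t skip, size_t *offset)
{
	size_t i;

	for (i = 0; i < iov_cnt && skip >= iov[i].iov_len; i++)
		skip -= iov[i].iov_len;
	*offset = (i < iov_cnt) ? skip : 0;
	return i;
}

/* Same logic as the iov_truncate() in the patch, built on the model above */
static size_t model_iov_truncate(struct iovec *iov, size_t iov_cnt, size_t size)
{
	size_t i, offset;

	i = model_iov_skip_bytes(iov, iov_cnt, size, &offset);
	if (i < iov_cnt) {
		iov[i].iov_len = offset;	/* cut the entry holding byte @size */
		i += !!offset;			/* count it only if data remains */
	}
	return i;
}

/* Truncate a constructed three-entry vector (100, 200 and 300 bytes) to
 * @size.  For @k of 0..2 return that entry's iov_len afterwards, which shows
 * which entries the helper touched; for @k == 3 return the count it reports. */
static size_t scenario(size_t size, size_t k)
{
	static char buf[600];	/* backing storage, contents never used */
	struct iovec iov[3] = {
		{ .iov_base = buf,       .iov_len = 100 },
		{ .iov_base = buf + 100, .iov_len = 200 },
		{ .iov_base = buf + 300, .iov_len = 300 },
	};
	size_t n = model_iov_truncate(iov, 3, size);

	return k < 3 ? iov[k].iov_len : n;
}
```

Note that for the exact-boundary case the helper zeroes the next entry but reports a count that excludes it, and past the end it reports all three entries unchanged.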


