From nobody Thu Apr 16 06:57:10 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C053B375ABD
	for <linux-kernel@vger.kernel.org>; Mon,  2 Mar 2026 08:51:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772441517; cv=none;
 b=AYd66bqsp1wsnQUy+DdhNZyH715iYvOrkbrsbNKFHJhY1F8w1y2FVPMzRbRIYeft0kaEJGqy/0j2wbOPZv8L0IafrCEuM42mJsA3voYR/qpj2WsysjeR5Pp12YzkAdV0BNXv+8XeogNcDYLAzJBnV3RxWBRm8NR5p036AiBcgcY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772441517; c=relaxed/simple;
	bh=ejoxH+LGsx0lf40D7kcEz2BR8ZKftH4l7JfUa0+NqoQ=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition;
 b=HvxsmcZ1r1nfces47KqEwWOAZOamQ9nKpZ8ApRxCfqLiyEbOjtW4DG66wued64Gf61v5nurdwtR8kwsGYIp20Or7ZHnp2e+SHvc02E6hPJ5TMgLMfMY3vUyNYGj/ctf8EkXPMg2AFPXqlvmD+NtYNTgzh5+26FJqCuXO0fe60HY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=KY5AMMQr;
 dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=ORYhLeps; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="KY5AMMQr";
	dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="ORYhLeps"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1772441515;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type;
	bh=Z9WT3KJPKaJS7kZ732QoTptenX1xk5GVKXR5OHJOtrk=;
	b=KY5AMMQr/1UMD23OF39s4doog0XG0e/lBySPMg3YZhxCteP3ANnzqSJvgKg0aqrlxsnomA
	8N6Il9wkJMAR6w30gGGOPhBaPrpO8QAbwrwIPTjycv3pho3M1v/7XUEZMDYZOKg3wBqbfM
	aNIGwLJ9m639dCIQi0LegE1Azleutv4=
Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com
 [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-587-6A0YOcsxNSmWfizC9cLTqw-1; Mon, 02 Mar 2026 03:51:53 -0500
X-MC-Unique: 6A0YOcsxNSmWfizC9cLTqw-1
X-Mimecast-MFC-AGG-ID: 6A0YOcsxNSmWfizC9cLTqw_1772441513
Received: by mail-wm1-f70.google.com with SMTP id
 5b1f17b1804b1-4836fbfa35cso20714155e9.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 02 Mar 2026 00:51:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=redhat.com; s=google; t=1772441512; x=1773046312;
 darn=vger.kernel.org;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=Z9WT3KJPKaJS7kZ732QoTptenX1xk5GVKXR5OHJOtrk=;
        b=ORYhLepsLZhmUY8NiCMWZzli7YpKTEQFZ+FYkAqOscemomwxu0+96eJBFtJ33Lx6Pn
         FCpj+u210l1JleaxCFb9u81b97+oy0nxuzjtOVPiSaqqVfXMWwx8ITWyWcx1Aj0P3Vzb
         wiWw2DD7TM2RCKA6oK1+ZYN3eMnaDSktzGuSlD1lSrJTmN5yPK+gf2KLu5HQ54NG6pxK
         8NNq/W6fA/13MBGOgRoybFqof3Rjx8g5GywwDnm96nvNWGmwVp1Q0XKdxEyShorz/rbx
         /ZAsqwAPlG1YqVWT6XeDttkH/6J54cTrsGAugvYuQUxmW03oCMv5NK6Xxll4jGM61DM8
         8nUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772441512; x=1773046312;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Z9WT3KJPKaJS7kZ732QoTptenX1xk5GVKXR5OHJOtrk=;
        b=f9lvCZ0mDFAF/sV3KtZ0NCXsEr/vNTokHptfR//4fzzdv4g0/pO9DJ+/6vNy4kVdzo
         EUq+DApYNmcfOoAAFo/LhOZqCb6ZeDj1nS0GCO1eu/4cq+UZWEYWOMXQ0KzQNjP8O9qG
         C6osQVGZbOK784WJ2pLdii2MjOih5BiFlUQuWUyvzQKDdtbIRpT0CDiVDxPnsYPdBm10
         Qoe7NwMbMA/U9YBw5tYydEmfAg9vvFl+oGjmKyemUmBPASe0nscJWiz0DHsGz4atJMvv
         gmhAwegXf9PtUH0zyk5V4OPHVD0kqBBDb0VDJfgeu+tkaSyneievujTLh2HWPMg+jVRY
         5gGQ==
X-Gm-Message-State: AOJu0YxcdxtNjkTFESArSdQ+7ByCYstRV2dgi95Gm8/EiCSvlDJQXyjw
	MZc1q4rJs9Oo6VjOBehjeNQ4HnScM1FiatHPq7XKx0mCCzCfS4jbzqS1bv0ZVdyJUW1nuB8lFr+
	z9Bu3DAm1yWyHSYIygE4TK19fpRw2oLpLTA7XDoddfSa/ImeSRnV3KgcS8rqRjlQ2rc4acfbSco
	b3elP88M0HNZ4FGc3s3Bdb/gUlt4h3nJe/LmMtj92lJjo=
X-Gm-Gg: ATEYQzyyJFzA4PkGMxN7zKEoJfax7AvlkoReIi+ReIo5rfPQECpd4TohEKE6qnIx+Zs
	UUir7ckvHbhX/Pem3Tl/m2IYwipcAOelCazlX8Rw7Ex5ENviYji5ELV+lQKSz7zNytRP49+auYE
	JdwVBGHh+kMhp08Ze6BfYHXZAWIO+27pD8l79uYSMlRMTAI8//ReUcrmFtD2IpZGl65haKMjBBM
	5hYDq0sNpVdG8qOWCqZ3aVjPLJePZbtkPWWXMOofMdCuhQ15GLI5GAW4e4frpLi0mkTm+DJBVt6
	7EXAoL2VSiEFwpNqORQ7Ff93LNkJjm+/EuKSZrxK0X7AId4pYWgC58ZHZ0C9PP8oWbG/HdKCGi4
	6v163wMn62118JhiovHel4eEid6l10qdSAmVugQU46kRPMA==
X-Received: by 2002:a05:600c:4fc8:b0:483:6f37:1b51 with SMTP id
 5b1f17b1804b1-483c9bedb07mr228268015e9.23.1772441512256;
        Mon, 02 Mar 2026 00:51:52 -0800 (PST)
X-Received: by 2002:a05:600c:4fc8:b0:483:6f37:1b51 with SMTP id
 5b1f17b1804b1-483c9bedb07mr228267415e9.23.1772441511572;
        Mon, 02 Mar 2026 00:51:51 -0800 (PST)
Received: from redhat.com (IGLD-80-230-79-166.inter.net.il. [80.230.79.166])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-483bfcbd781sm233836855e9.8.2026.03.02.00.51.50
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 02 Mar 2026 00:51:51 -0800 (PST)
Date: Mon, 2 Mar 2026 03:51:49 -0500
From: "Michael S. Tsirkin" <mst@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: ShuangYu <shuangyu@yunyoo.cc>, Stefano Garzarella <sgarzare@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Jason Wang <jasowang@redhat.com>,
	Eugenio =?utf-8?B?UMOpcmV6?= <eperezma@redhat.com>,
	kvm@vger.kernel.org, virtualization@lists.linux.dev,
	netdev@vger.kernel.org
Subject: [PATCH RFC] vhost: fix vhost_get_avail_idx for a non empty ring
Message-ID: 
 <559b04ae6ce52973c535dc47e461638b7f4c3d63.1772441455.git.mst@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Disposition: inline
X-Mailer: git-send-email 2.27.0.106.g8ac3dc51b1
X-Mutt-Fcc: =sent
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

vhost_get_avail_idx is supposed to report whether it has updated
vq->avail_idx. Instead, it returns whether all entries have been
consumed, which is usually the same. But not always - in
drivers/vhost/net.c and when mergeable buffers have been enabled, the
driver checks whether the combined entries are big enough to store an
incoming packet. If not, the driver re-enables notifications with
available entries still in the ring. The incorrect return value from
vhost_get_avail_idx propagates through vhost_enable_notify and causes
the host to livelock if the guest is not making progress, as vhost will
immediately disable notifications and retry using the available entries.

The obvious fix is to make vhost_get_avail_idx do what the comment
says it does and report whether new entries have been added.

Reported-by: ShuangYu <shuangyu@yunyoo.cc>
Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()")
Cc: Stefano Garzarella <sgarzare@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Tested-by: ShuangYu <shuangyu@yunyoo.cc>
---

Lightly tested, posting early to simplify testing for the reporter.

 drivers/vhost/vhost.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 2f2c45d20883..db329a6f6145 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1522,6 +1522,7 @@ static void vhost_dev_unlock_vqs(struct vhost_dev *d)
 static inline int vhost_get_avail_idx(struct vhost_virtqueue *vq)
 {
 	__virtio16 idx;
+	u16 avail_idx;
 	int r;
=20
 	r =3D vhost_get_avail(vq, idx, &vq->avail->idx);
@@ -1532,17 +1533,19 @@ static inline int vhost_get_avail_idx(struct vhost_=
virtqueue *vq)
 	}
=20
 	/* Check it isn't doing very strange thing with available indexes */
-	vq->avail_idx =3D vhost16_to_cpu(vq, idx);
-	if (unlikely((u16)(vq->avail_idx - vq->last_avail_idx) > vq->num)) {
+	avail_idx =3D vhost16_to_cpu(vq, idx);
+	if (unlikely((u16)(avail_idx - vq->last_avail_idx) > vq->num)) {
 		vq_err(vq, "Invalid available index change from %u to %u",
-		       vq->last_avail_idx, vq->avail_idx);
+		       vq->last_avail_idx, avail_idx);
 		return -EINVAL;
 	}
=20
 	/* We're done if there is nothing new */
-	if (vq->avail_idx =3D=3D vq->last_avail_idx)
+	if (avail_idx =3D=3D vq->avail_idx)
 		return 0;
=20
+	vq->avail_idx =3D avail_idx;
+
 	/*
 	 * We updated vq->avail_idx so we need a memory barrier between
 	 * the index read above and the caller reading avail ring entries.
--=20
MST