passt/vhost_user.c, branch 2026_05_26.038c51e Plug A Simple Socket Transport vhost_user: Offer VIRTIO_NET_F_GUEST_CSUM 2026-05-26T16:24:31+00:00 Laurent Vivier lvivier@redhat.com 2026-04-16T16:21:39+00:00 038c51e324695b65c154bc0eee30bd19a7423ad2 According to the virtio-net specification, when the VIRTIO_NET_F_GUEST_CSUM is negotiated, the device can set VIRTIO_NET_HDR_F_DATA_VALID in the virtio-net header to indicate that packet checksums have been validated, allowing the guest to skip verification. Without this feature, the device must provide fully checksummed packets. The vhost-user TCP and UDP paths were unconditionally skipping checksum computation, regardless of whether GUEST_CSUM was negotiated. This went undetected with Linux guests because Linux's virtio-net driver honours VIRTIO_NET_HDR_F_DATA_VALID regardless of whether VIRTIO_NET_F_GUEST_CSUM was negotiated, marking such packets as CHECKSUM_UNNECESSARY and skipping verification. iPXE, however, does not negotiate GUEST_CSUM, ignores the DATA_VALID flag entirely, and always verifies checksums. This caused TCP connections to fail: the SYN-ACK had a zero TCP checksum, iPXE rejected it, and the connection timed out in SYN_RCVD. Adding --pcap happened to mask the bug, because the pcap code path forces checksum computation to ensure correct captures. Offer VIRTIO_NET_F_GUEST_CSUM in the device features, and only skip checksum computation when the guest has actually negotiated it. When GUEST_CSUM is not negotiated, always compute valid checksums as required by the specification. We keep setting VIRTIO_NET_HDR_F_DATA_VALID unconditionally in VU_HEADER: when GUEST_CSUM is negotiated, the flag lets the guest skip checksum verification; when it is not, the spec says the guest should ignore the flags field, so setting it is harmless. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> [sbrivio: Resolved conflicts, in particular with commit dec66c02b5e4 ("udp: Pass iov_tail to udp_update_hdr4()/udp_update_hdr6()")] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
According to the virtio-net specification, when the VIRTIO_NET_F_GUEST_CSUM
is negotiated, the device can set VIRTIO_NET_HDR_F_DATA_VALID in the
virtio-net header to indicate that packet checksums have been validated,
allowing the guest to skip verification. Without this feature, the device
must provide fully checksummed packets.

The vhost-user TCP and UDP paths were unconditionally skipping checksum
computation, regardless of whether GUEST_CSUM was negotiated. This
went undetected with Linux guests because Linux's virtio-net driver
honours VIRTIO_NET_HDR_F_DATA_VALID regardless of whether
VIRTIO_NET_F_GUEST_CSUM was negotiated, marking such packets as
CHECKSUM_UNNECESSARY and skipping verification.

iPXE, however, does not negotiate GUEST_CSUM, ignores the DATA_VALID
flag entirely, and always verifies checksums. This caused TCP
connections to fail: the SYN-ACK had a zero TCP checksum, iPXE rejected
it, and the connection timed out in SYN_RCVD.

Adding --pcap happened to mask the bug, because the pcap code path
forces checksum computation to ensure correct captures.

Offer VIRTIO_NET_F_GUEST_CSUM in the device features, and only skip
checksum computation when the guest has actually negotiated it. When
GUEST_CSUM is not negotiated, always compute valid checksums as required
by the specification.

We keep setting VIRTIO_NET_HDR_F_DATA_VALID unconditionally in
VU_HEADER: when GUEST_CSUM is negotiated, the flag lets the guest skip
checksum verification; when it is not, the spec says the guest should
ignore the flags field, so setting it is harmless.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
[sbrivio: Resolved conflicts, in particular with commit dec66c02b5e4
 ("udp: Pass iov_tail to udp_update_hdr4()/udp_update_hdr6()")]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
vhost_user: Fix assorted minor cppcheck warnings 2026-03-28T13:35:39+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-27T04:34:15+00:00 41b0c7bf3147bbc0640a1d64c3b492fe81d04ece This fixes a batch of minor incorrect format specifier and "could be const" warnings in the vhost_user code. For some very strange reason, cppcheck doesn't catch these errors right now, but does after code rearrangements we're making for the dynamic forwarding update stuff. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This fixes a batch of minor incorrect format specifier and "could be const"
warnings in the vhost_user code.  For some very strange reason, cppcheck
doesn't catch these errors right now, but does after code rearrangements
we're making for the dynamic forwarding update stuff.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
treewide: Spell ASSERT() as assert() 2026-03-20T20:05:29+00:00 David Gibson david@gibson.dropbear.id.au 2026-03-19T06:11:43+00:00 bc872d91765dfd6ff34b0e9a34bce410fac1cef3 The standard library assert(3), at least with glibc, hits our seccomp filter and dies with SIGSYS before it's able to print a message, making it near useless. Therefore, since 7a8ed9459dfe ("Make assertions actually useful") we've instead used our own implementation, named ASSERT(). This makes our code look slightly odd though - ASSERT() has the same overall effect as assert(), it's just a different implementation. More importantly this makes it awkward to share code between passt/pasta proper and things that compile in a more typical environment. We're going to want that for our upcoming dynamic configuration tool. Address this by overriding the standard library's assert() implementation with our own, instead of giving ours its own name. The standard assert() is supposed to be omitted if NDEBUG is defined, which ours doesn't do. Implement that as well, so ours doesn't unexpectedly differ. For the -DNDEBUG case we do this by *not* overriding assert(), since it will be a no-op anyway. This requires a few places to add a #include <assert.h> to let us compile (albeit with warnings) when -DNDEBUG. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> [sbrivio: Fix some conflicts and missing conversions as a result of applying "vu_common: Move iovec management into vu_collect()" first] Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The standard library assert(3), at least with glibc, hits our seccomp
filter and dies with SIGSYS before it's able to print a message, making it
near useless.  Therefore, since 7a8ed9459dfe ("Make assertions actually
useful") we've instead used our own implementation, named ASSERT().

This makes our code look slightly odd though - ASSERT() has the same
overall effect as assert(), it's just a different implementation.  More
importantly this makes it awkward to share code between passt/pasta proper
and things that compile in a more typical environment.  We're going to want
that for our upcoming dynamic configuration tool.

Address this by overriding the standard library's assert() implementation
with our own, instead of giving ours its own name.

The standard assert() is supposed to be omitted if NDEBUG is defined,
which ours doesn't do.  Implement that as well, so ours doesn't
unexpectedly differ.  For the -DNDEBUG case we do this by *not* overriding
assert(), since it will be a no-op anyway.  This requires a few places to
add a #include <assert.h> to let us compile (albeit with warnings) when
-DNDEBUG.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
[sbrivio: Fix some conflicts and missing conversions as a result of
 applying "vu_common: Move iovec management into vu_collect()" first]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
treewide: Fix more pointers which can be const 2026-01-14T00:07:51+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-13T03:54:13+00:00 4af3d83170fd227b177f9861d93391e3d2008d34 Here are some more pointers which can be const, as reported by cppcheck 2.19.1. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Here are some more pointers which can be const, as reported by cppcheck
2.19.1.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
treewide: Fix places where we incorrectly indented with spaces 2026-01-11T00:31:50+00:00 David Gibson david@gibson.dropbear.id.au 2026-01-09T04:09:22+00:00 b973f4a6cc50571f8375c60a7e511a77bcf5c202 Had a moment to address this trivial issue. The passt convention is to indent code with tabs (K&R / kernel style). However there were a handful of places where we used spaces instead. Fix them. Link: https://bugs.passt.top/show_bug.cgi?id=135 Reported-by: Xun Gu <xugu@redhat.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Had a moment to address this trivial issue.

The passt convention is to indent code with tabs (K&R / kernel style).
However there were a handful of places where we used spaces instead.  Fix
them.

Link: https://bugs.passt.top/show_bug.cgi?id=135
Reported-by: Xun Gu <xugu@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
treewide: Introduce passt_exit() helper 2025-12-12T21:20:02+00:00 David Gibson david@gibson.dropbear.id.au 2025-12-11T03:54:35+00:00 e6612fe0a7cf4860b0d81d3b886f95273d979d1d In d0006fa78 ("treewide: use _exit() over exit()"), we replaced use of the normal exit(3) with direct calls to _exit(2). That was because glibc exit(3) made some unexpected futex() calls, which hit our seccomp profile. We've since had some bugs due to missing the extra cleanup that exit(3) implemented, for which we've added explicit cleanup calls. Specifically, we have fflush() calls in some places to avoid leaving incomplete messages on stdout/stderr, and in other places fsync_pcap_and_log() to avoid leaving incomplete log or pcap files. It's easy to forget these when adding new error paths, so instead, implement our own passt_exit() wrapper to perform vital cleanup then call _exit(2). This also provides an obvious place to add any additional cleanups we discover we need in future. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In d0006fa78 ("treewide: use _exit() over exit()"), we replaced use of
the normal exit(3) with direct calls to _exit(2).  That was because glibc
exit(3) made some unexpected futex() calls, which hit our seccomp profile.

We've since had some bugs due to missing the extra cleanup that exit(3)
implemented, for which we've added explicit cleanup calls.  Specifically,
we have fflush() calls in some places to avoid leaving incomplete messages
on stdout/stderr, and in other places fsync_pcap_and_log() to avoid
leaving incomplete log or pcap files.

It's easy to forget these when adding new error paths, so instead,
implement our own passt_exit() wrapper to perform vital cleanup then call
_exit(2).  This also provides an obvious place to add any additional
cleanups we discover we need in future.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
epoll_ctl: Extract epoll operations 2025-10-30T14:32:12+00:00 Laurent Vivier lvivier@redhat.com 2025-10-21T21:01:11+00:00 965ea66068e653934c0016281df86c17e2a65625 Centralize epoll_add() and epoll_del() helper functions into new epoll_ctl.c/h files. This also moves the union epoll_ref definition from passt.h to epoll_ctl.h where it's more logically placed. The new epoll_add() helper simplifies adding file descriptors to epoll by taking an epoll_ref and events, handling error reporting consistently across all call sites. Signed-off-by: Laurent Vivier <lvivier@redhat.com> [sbrivio: Include epoll_ctl.h from netlink.c as it's now needed there] Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Centralize epoll_add() and epoll_del() helper functions into new
epoll_ctl.c/h files.

This also moves the union epoll_ref definition from passt.h to
epoll_ctl.h where it's more logically placed.

The new epoll_add() helper simplifies adding file descriptors to epoll
by taking an epoll_ref and events, handling error reporting
consistently across all call sites.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
[sbrivio: Include epoll_ctl.h from netlink.c as it's now needed there]
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
util: Simplify epoll_del() interface to take epollfd directly 2025-10-30T14:32:03+00:00 Laurent Vivier lvivier@redhat.com 2025-10-21T21:01:10+00:00 8bfa47a5cf0576dd18e8716e1c1e142954a0b72d Change epoll_del() to accept the epoll file descriptor directly instead of the full context structure. This simplifies the interface and aligns with the threading refactoring by reducing dependency on the context structure for basic epoll operations as we will manage an epollfd per thread. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Change epoll_del() to accept the epoll file descriptor directly instead
of the full context structure. This simplifies the interface and aligns
with the threading refactoring by reducing dependency on the context
structure for basic epoll operations as we will manage an epollfd per
thread.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
clang-tidy: Suppress redundant expression warning 2025-10-07T13:33:14+00:00 David Gibson david@gibson.dropbear.id.au 2025-10-02T05:04:32+00:00 b4b3b082e37698aa8daeb043d070ee40844d9598 clang-tidy 20.1.8 doesn't like (VHOST_USER_MAX_VQS / 2), because it expands to (2 / 2). But in the context of the #define, this makes logical sense, so suppress the warning. I'm not sure why it isn't firing on the debug() line just below. Possibly it only complains once per expression per function, so we only have to suppress it once? Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
clang-tidy 20.1.8 doesn't like (VHOST_USER_MAX_VQS / 2), because it expands
to (2 / 2).  But in the context of the #define, this makes logical sense,
so suppress the warning.

I'm not sure why it isn't firing on the debug() line just below.  Possibly
it only complains once per expression per function, so we only have to
suppress it once?

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
vhost-user: Fix VHOST_USER_GET_QUEUE_NUM to return number of queues 2025-09-09T19:13:59+00:00 Laurent Vivier lvivier@redhat.com 2025-09-05T15:49:33+00:00 62399155319479f86b07d259b284f6a2991aaba7 The vhost-user specification states that VHOST_USER_GET_QUEUE_NUM should return the maximum number of queues supported by the back-end, not the number of virtqueues. Since each queue pair consists of RX and TX virtqueues, we need to divide VHOST_USER_MAX_QUEUES by 2 to get the correct queue count. Also rename VHOST_USER_MAX_QUEUES to VHOST_USER_MAX_VQS throughout the codebase to better reflect that it represents the maximum number of virtqueues, not queue pairs. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
The vhost-user specification states that VHOST_USER_GET_QUEUE_NUM should
return the maximum number of queues supported by the back-end, not the
number of virtqueues. Since each queue pair consists of RX and TX
virtqueues, we need to divide VHOST_USER_MAX_QUEUES by 2 to get the
correct queue count.

Also rename VHOST_USER_MAX_QUEUES to VHOST_USER_MAX_VQS throughout the
codebase to better reflect that it represents the maximum number of
virtqueues, not queue pairs.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>