diff options
| author | Laurent Vivier <lvivier@redhat.com> | 2026-04-16 18:21:39 +0200 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2026-05-26 18:24:31 +0200 |
| commit | 038c51e324695b65c154bc0eee30bd19a7423ad2 (patch) | |
| tree | c6e838da6cbcdb8e5c148d527766ed9e8838f33b | |
| parent | 196a9e555ef3507430948ee4cc46ad574d643965 (diff) | |
| download | passt-038c51e324695b65c154bc0eee30bd19a7423ad2.tar passt-038c51e324695b65c154bc0eee30bd19a7423ad2.tar.gz passt-038c51e324695b65c154bc0eee30bd19a7423ad2.tar.bz2 passt-038c51e324695b65c154bc0eee30bd19a7423ad2.tar.lz passt-038c51e324695b65c154bc0eee30bd19a7423ad2.tar.xz passt-038c51e324695b65c154bc0eee30bd19a7423ad2.tar.zst passt-038c51e324695b65c154bc0eee30bd19a7423ad2.zip | |
vhost_user: Offer VIRTIO_NET_F_GUEST_CSUM2026_05_26.038c51e
According to the virtio-net specification, when the VIRTIO_NET_F_GUEST_CSUM
is negotiated, the device can set VIRTIO_NET_HDR_F_DATA_VALID in the
virtio-net header to indicate that packet checksums have been validated,
allowing the guest to skip verification. Without this feature, the device
must provide fully checksummed packets.
The vhost-user TCP and UDP paths were unconditionally skipping checksum
computation, regardless of whether GUEST_CSUM was negotiated. This
went undetected with Linux guests because Linux's virtio-net driver
honours VIRTIO_NET_HDR_F_DATA_VALID regardless of whether
VIRTIO_NET_F_GUEST_CSUM was negotiated, marking such packets as
CHECKSUM_UNNECESSARY and skipping verification.
iPXE, however, does not negotiate GUEST_CSUM, ignores the DATA_VALID
flag entirely, and always verifies checksums. This caused TCP
connections to fail: the SYN-ACK had a zero TCP checksum, iPXE rejected
it, and the connection timed out in SYN_RCVD.
Adding --pcap happened to mask the bug, because the pcap code path
forces checksum computation to ensure correct captures.
Offer VIRTIO_NET_F_GUEST_CSUM in the device features, and only skip
checksum computation when the guest has actually negotiated it. When
GUEST_CSUM is not negotiated, always compute valid checksums as required
by the specification.
We keep setting VIRTIO_NET_HDR_F_DATA_VALID unconditionally in
VU_HEADER: when GUEST_CSUM is negotiated, the flag lets the guest skip
checksum verification; when it is not, the spec says the guest should
ignore the flags field, so setting it is harmless.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
[sbrivio: Resolved conflicts, in particular with commit dec66c02b5e4
("udp: Pass iov_tail to udp_update_hdr4()/udp_update_hdr6()")]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| -rw-r--r-- | tcp_vu.c | 8 | ||||
| -rw-r--r-- | udp_vu.c | 7 | ||||
| -rw-r--r-- | vhost_user.c | 1 |
3 files changed, 12 insertions, 4 deletions
@@ -129,6 +129,7 @@ int tcp_vu_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) struct vu_virtq_element flags_elem[2]; struct iov_tail payload, l2frame; int elem_cnt, dup_elem_cnt = 0; + uint32_t csum_flags = IP4_CSUM; struct iovec flags_iov[64]; struct tcp_syn_opts opts; struct tcphdr th = { 0 }; @@ -138,6 +139,9 @@ int tcp_vu_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) uint32_t seq; int ret; + if (*c->pcap || !vu_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) + csum_flags |= TCP_CSUM; + hdrlen = tcp_vu_hdrlen(CONN_V6(conn)); elem_cnt = vu_collect(vdev, vq, &flags_elem[0], 1, @@ -174,7 +178,7 @@ int tcp_vu_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) iov_from_buf(payload.iov, payload.cnt, payload.off, &opts, optlen); tcp_fill_headers(c, conn, &eh, CONN_V4(conn) ? &ip4h : NULL, CONN_V6(conn) ? &ip6h : NULL, &th, &payload, - optlen, IP4_CSUM | (*c->pcap ? TCP_CSUM : 0), seq); + optlen, csum_flags, seq); vu_pad(flags_elem[0].in_sg, iov_cnt, hdrlen + optlen); @@ -520,7 +524,7 @@ int tcp_vu_data_from_sock(const struct ctx *c, struct tcp_tap_conn *conn) hdrlen = tcp_vu_hdrlen(v6); check = IP4_CSUM; - if (*c->pcap) + if (*c->pcap || !vu_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM)) check |= TCP_CSUM; for (i = 0, previous_dlen = -1; i < frame_cnt; i++) { struct iovec *iov = &iov_vu[frame[i].idx_iovec]; @@ -103,6 +103,7 @@ static void udp_vu_prepare(const struct ctx *c, struct iov_tail *data, bool ipv4 = inany_v4(&toside->eaddr) && inany_v4(&toside->oaddr); struct ethhdr eh; struct udphdr uh; + bool no_csum; /* ethernet header */ memcpy(eh.h_dest, c->guest_mac, sizeof(eh.h_dest)); @@ -114,17 +115,19 @@ static void udp_vu_prepare(const struct ctx *c, struct iov_tail *data, eh.h_proto = htons(ETH_P_IPV6); IOV_PUSH_HEADER(data, eh); + no_csum = vu_has_feature(c->vdev, VIRTIO_NET_F_GUEST_CSUM) && !*c->pcap; + /* initialize header */ if (ipv4) { struct iphdr iph = (struct iphdr)L2_BUF_IP4_INIT(IPPROTO_UDP); - udp_update_hdr4(&iph, &uh, payload, toside, dlen, !*c->pcap); + udp_update_hdr4(&iph, &uh, payload, toside, dlen, no_csum); IOV_PUSH_HEADER(data, iph); } else { struct ipv6hdr ip6h = (struct ipv6hdr)L2_BUF_IP6_INIT(IPPROTO_UDP); - udp_update_hdr6(&ip6h, &uh, payload, toside, dlen, !*c->pcap); + udp_update_hdr6(&ip6h, &uh, payload, toside, dlen, no_csum); IOV_PUSH_HEADER(data, ip6h); } diff --git a/vhost_user.c b/vhost_user.c index f062bad..a1259c2 100644 --- a/vhost_user.c +++ b/vhost_user.c @@ -322,6 +322,7 @@ static bool vu_get_features_exec(struct vu_dev *vdev, { uint64_t features = 1ULL << VIRTIO_F_VERSION_1 | + 1ULL << VIRTIO_NET_F_GUEST_CSUM | 1ULL << VIRTIO_NET_F_MRG_RXBUF | 1ULL << VHOST_F_LOG_ALL | 1ULL << VHOST_USER_F_PROTOCOL_FEATURES; |