From 7f4bbb4c2f19cc66417f0ba41123aeeca30815fb Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Thu, 6 Jun 2019 11:13:20 +0800 Subject: [PATCH] vhost: scsi: add weight support mainline inclusion from mainline-5.2-rc2 commit c1ea02f15ab5efb3e93fc3144d895410bf79fcf2 category: bugfix bugzilla: 13690 CVE: CVE-2019-3900 ------------------------------------------------- This patch will check the weight and exit the loop if we exceeds the weight. This is useful for preventing scsi kthread from hogging cpu which is guest triggerable. This addresses CVE-2019-3900. Cc: Paolo Bonzini Cc: Stefan Hajnoczi Fixes: 057cbf49a1f0 ("tcm_vhost: Initial merge for vhost level target fabric driver") Signed-off-by: Jason Wang Reviewed-by: Stefan Hajnoczi Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Conflict: drivers/vhost/scsi.c [yyl: adjust context] Signed-off-by: Yang Yingliang Reviewed-by: Zhen Lei Signed-off-by: Yang Yingliang --- drivers/vhost/scsi.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index 087ce17b0c39..0535f4abd37d 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -820,6 +820,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) int head, ret, prot_bytes; size_t req_size, rsp_size = sizeof(struct virtio_scsi_cmd_resp); size_t out_size, in_size; + int c = 0; u16 lun; u8 *target, *lunp, task_attr; bool t10_pi = vhost_has_feature(vq, VIRTIO_SCSI_F_T10_PI); @@ -836,7 +837,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) vhost_disable_notify(&vs->dev, vq); - for (;;) { + do { head = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov), &out, &in, NULL, NULL); @@ -1051,7 +1052,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq) */ INIT_WORK(&cmd->work, vhost_scsi_submission_work); queue_work(vhost_scsi_workqueue, &cmd->work); - } + } while (likely(!vhost_exceeds_weight(vq, ++c, 0))); out: mutex_unlock(&vq->mutex); } -- GitLab