Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

vhost: scsi: add weight support

This patch will check the weight and exit the loop if we exceed the
weight. This is useful for preventing the scsi kthread from hogging the
CPU, which is guest triggerable.

This addresses CVE-2019-3900.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: 057cbf49a1f0 ("tcm_vhost: Initial merge for vhost level target fabric driver")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

authored by

Jason Wang and committed by
Michael S. Tsirkin
c1ea02f1 e79b431f

+6 -6
+6 -6
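--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -918,7 +918,7 @@
 struct iov_iter in_iter, prot_iter, data_iter;
 u64 tag;
 u32 exp_data_len, data_direction;
-int ret, prot_bytes;
+int ret, prot_bytes, c = 0;
 u16 lun;
 u8 task_attr;
 bool t10_pi = vhost_has_feature(vq, VIRTIO_SCSI_F_T10_PI);
@@ -938,7 +938,7 @@
 
 vhost_disable_notify(&vs->dev, vq);
 
-for (;;) {
+do {
 ret = vhost_scsi_get_desc(vs, vq, &vc);
 if (ret)
 goto err;
@@ -1118,7 +1118,7 @@
 break;
 else if (ret == -EIO)
 vhost_scsi_send_bad_target(vs, vq, vc.head, vc.out);
-}
+} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
 out:
 mutex_unlock(&vq->mutex);
 }
@@ -1177,7 +1177,7 @@
 } v_req;
 struct vhost_scsi_ctx vc;
 size_t typ_size;
-int ret;
+int ret, c = 0;
 
 mutex_lock(&vq->mutex);
 /*
@@ -1191,7 +1191,7 @@
 
 vhost_disable_notify(&vs->dev, vq);
 
-for (;;) {
+do {
 ret = vhost_scsi_get_desc(vs, vq, &vc);
 if (ret)
 goto err;
@@ -1270,7 +1270,7 @@
 break;
 else if (ret == -EIO)
 vhost_scsi_send_bad_target(vs, vq, vc.head, vc.out);
-}
+} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
 out:
 mutex_unlock(&vq->mutex);
 }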
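Review bot: Neither rewritten loop documents its new exit condition: `} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));` is the whole guard against a guest keeping this worker on the CPU, but `c` is unexplained and the third argument is a bare `0`. I would put a comment above each `do {`, for example `/* Bound requests handled per run so a guest cannot monopolise the worker; c counts requests, no byte total is tracked (hence 0). */`, or give `c` a descriptive name. The helper is not defined on this page, so the comment should also state what happens to requests still in the ring when the limit is hit: leaving through the `while` condition falls straight to `out:` and `mutex_unlock()`, and if the helper does not re-queue the handler those requests would wait for the next guest kick with notifications still disabled from `vhost_disable_notify()`. Both loop bodies lie mostly outside the hunks shown.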