• Anirudh Rayabharam's avatar
    vhost: fix hung thread due to erroneous iotlb entries · e2ae38cf
    Anirudh Rayabharam authored
    In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
    start is 0 and last is ULONG_MAX. One instance where it can happen
    is when userspace sends an IOTLB message with iova=size=uaddr=0
    (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
    last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
    iotlb_access_ok() loops indefinitely due to that erroneous entry.
    
    	Call Trace:
    	 <TASK>
    	 iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
    	 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
    	 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
    	 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
    	 kthread+0x2e9/0x3a0 kernel/kthread.c:377
    	 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
    	 </TASK>
    
    Reported by syzbot at:
    	https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
    
    To fix this, do two things:
    
    1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
       a range with size 0.
    2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
       by splitting it into two entries.
    
    Fixes: 0bbe3066 ("vhost: factor out IOTLB")
    Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com
    Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com
    Signed-off-by: default avatarAnirudh Rayabharam <mail@anirudhrb.com>
    Link: https://lore.kernel.org/r/20220305095525.5145-1-mail@anirudhrb.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
    e2ae38cf
vhost.c 62.7 KB