Skip to content

Commit c1ea02f

Browse files
jasowangmstsirkin
jasowang
authored and
mstsirkin
committed
vhost: scsi: add weight support
This patch will check the weight and exit the loop if we exceeds the weight. This is useful for preventing scsi kthread from hogging cpu which is guest triggerable. This addresses CVE-2019-3900. Cc: Paolo Bonzini <[email protected]> Cc: Stefan Hajnoczi <[email protected]> Fixes: 057cbf4 ("tcm_vhost: Initial merge for vhost level target fabric driver") Signed-off-by: Jason Wang <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]>
1 parent e79b431 commit c1ea02f

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

drivers/vhost/scsi.c

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -918,7 +918,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
918918
struct iov_iter in_iter, prot_iter, data_iter;
919919
u64 tag;
920920
u32 exp_data_len, data_direction;
921-
int ret, prot_bytes;
921+
int ret, prot_bytes, c = 0;
922922
u16 lun;
923923
u8 task_attr;
924924
bool t10_pi = vhost_has_feature(vq, VIRTIO_SCSI_F_T10_PI);
@@ -938,7 +938,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
938938

939939
vhost_disable_notify(&vs->dev, vq);
940940

941-
for (;;) {
941+
do {
942942
ret = vhost_scsi_get_desc(vs, vq, &vc);
943943
if (ret)
944944
goto err;
@@ -1118,7 +1118,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
11181118
break;
11191119
else if (ret == -EIO)
11201120
vhost_scsi_send_bad_target(vs, vq, vc.head, vc.out);
1121-
}
1121+
} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
11221122
out:
11231123
mutex_unlock(&vq->mutex);
11241124
}
@@ -1177,7 +1177,7 @@ vhost_scsi_ctl_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
11771177
} v_req;
11781178
struct vhost_scsi_ctx vc;
11791179
size_t typ_size;
1180-
int ret;
1180+
int ret, c = 0;
11811181

11821182
mutex_lock(&vq->mutex);
11831183
/*
@@ -1191,7 +1191,7 @@ vhost_scsi_ctl_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
11911191

11921192
vhost_disable_notify(&vs->dev, vq);
11931193

1194-
for (;;) {
1194+
do {
11951195
ret = vhost_scsi_get_desc(vs, vq, &vc);
11961196
if (ret)
11971197
goto err;
@@ -1270,7 +1270,7 @@ vhost_scsi_ctl_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
12701270
break;
12711271
else if (ret == -EIO)
12721272
vhost_scsi_send_bad_target(vs, vq, vc.head, vc.out);
1273-
}
1273+
} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
12741274
out:
12751275
mutex_unlock(&vq->mutex);
12761276
}

0 commit comments

Comments
 (0)