References: <20220305095525.5145-1-mail@anirudhrb.com>
In-Reply-To: <20220305095525.5145-1-mail@anirudhrb.com>
From: Jason Wang
Date: Mon, 7 Mar 2022 12:28:10 +0800
Subject: Re: [PATCH v3] vhost: fix hung thread due to erroneous iotlb entries
To: Anirudh Rayabharam
Cc: "Michael S. Tsirkin", syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com, kvm, virtualization, netdev, linux-kernel
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Mar 5, 2022 at 5:56 PM Anirudh Rayabharam wrote:
>
> In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
> start is 0 and last is ULONG_MAX. One instance where it can happen
> is when userspace sends an IOTLB message with iova=size=uaddr=0
> (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
> last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
> iotlb_access_ok() loops indefinitely due to that erroneous entry.
>
> Call Trace:
>
> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
> vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
> vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
> vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
> kthread+0x2e9/0x3a0 kernel/kthread.c:377
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
>
>
> Reported by syzbot at:
> https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
>
> To fix this, do two things:
>
> 1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
> a range with size 0.
> 2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
> by splitting it into two entries.
> > Fixes: 0bbe30668d89e ("vhost: factor out IOTLB") > Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Signed-off-by: Anirudh Rayabharam > --- > Changes in v3: > 1. Simplify expression since start is always 0 > 2. Fix checkpatch issue > 3. Add Fixes tag > > v2: https://lore.kernel.org/kvm/20220224143320.3751-1-mail@anirudhrb.com/ > Changes in v2: > 1. Don't reject range [0, ULONG_MAX], split it instead. > 2. Validate msg.size in vhost_chr_write_iter(). > > v1: https://lore.kernel.org/lkml/20220221195303.13560-1-mail@anirudhrb.com/ > > --- > drivers/vhost/iotlb.c | 11 +++++++++++ > drivers/vhost/vhost.c | 5 +++++ > 2 files changed, 16 insertions(+) > > diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c > index 670d56c879e5..40b098320b2a 100644 > --- a/drivers/vhost/iotlb.c > +++ b/drivers/vhost/iotlb.c > @@ -57,6 +57,17 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > if (last < start) > return -EFAULT; > > + /* If the range being mapped is [0, ULONG_MAX], split it into two entries > + * otherwise its size would overflow u64. > + */ > + if (start == 0 && last == ULONG_MAX) { > + u64 mid = last / 2; > + > + vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque); Do we need to check the errors and fail? Others look good. Thanks > + addr += mid + 1; > + start = mid + 1; > + } > + > if (iotlb->limit && > iotlb->nmaps == iotlb->limit && > iotlb->flags & VHOST_IOTLB_FLAG_RETIRE) { > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 59edb5a1ffe2..55475fd59fb7 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1170,6 +1170,11 @@ ssize_t vhost_chr_write_iter(struct vhost_dev *dev, > goto done; > } > > + if (msg.size == 0) { > + ret = -EINVAL; > + goto done; > + } > + > if (dev->msg_handler) > ret = dev->msg_handler(dev, &msg); > else > -- > 2.35.1 >
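Review bot: in the drivers/vhost/iotlb.c hunk the return value of the recursive vhost_iotlb_add_range_ctx() call for [0, mid] is discarded, so if that insert fails the function still goes on to insert [mid + 1, ULONG_MAX] and returns success for the whole request, leaving half of the range mapped; suggest `int ret = vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque); if (ret) return ret;`. Two related points worth a sentence in the commit message: the split consumes two map slots, so with iotlb->limit reached and VHOST_IOTLB_FLAG_RETIRE set a single userspace request can now retire two existing entries, and the second insert can still fail after the first one succeeded. Minor: the comment says the size "would overflow u64" while the condition and the description talk about ULONG_MAX, so pick one wording, and kernel style puts the opening `/*` of a multi-line comment on a line of its own.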
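Review bot: the `msg.size == 0` check in the drivers/vhost/vhost.c hunk runs before the message is handed to dev->msg_handler or vhost_process_iotlb_msg(), so it rejects every IOTLB message type carrying size 0, not only map requests as the description says ("when userspace asks to map a range with size 0"); either state in the commit message that invalidations are covered as well, or key the check on the message type. A one-line comment above the check saying why size 0 is invalid (it produces the [0, ULONG_MAX] entry described in the report) would also help the next reader, since -EINVAL is now a uapi-visible result. Finally, this check only closes the iova=size=0 instance named in the description; worth confirming that vhost_process_iotlb_msg() cannot reach last == ULONG_MAX from other (iova, size) pairs, as that path is not touched by this series.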
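To make the arithmetic in the commit message concrete, here is an added user-space C model of the IOTLB range bookkeeping; it is not code from the patch or from drivers/vhost, and every name in it (iotlb_model, model_*, MODEL_LIMIT, the demo_* functions) is an assumption made for the illustration. It shows the inclusive range size wrapping to 0 for [0, UINT64_MAX], the split into two entries of 2^63 each, and, going one step past the patch, a variant that reserves both slots up front and propagates the first half's error so a failed split never leaves a partial mapping behind.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not vhost code: a toy IOTLB table with a fixed capacity.
 * All names below are assumptions for this illustration. */
#define MODEL_LIMIT 8

struct model_entry {
	uint64_t start;
	uint64_t last;
	uint64_t size;	/* last - start + 1: the quantity that wraps to 0 */
};

struct iotlb_model {
	struct model_entry maps[MODEL_LIMIT];
	int nmaps;
};

/* Inclusive range size in unsigned 64-bit arithmetic: 0 for [0, UINT64_MAX]. */
static uint64_t range_size(uint64_t start, uint64_t last)
{
	return last - start + 1;
}

/* Unchecked insert: mirrors the pre-fix behaviour and accepts a size-0 entry. */
static int model_add_raw(struct iotlb_model *tlb, uint64_t start, uint64_t last)
{
	if (last < start)
		return -EFAULT;		/* same error as vhost_iotlb_add_range_ctx() */
	if (tlb->nmaps == MODEL_LIMIT)
		return -ENOMEM;		/* table full; the model does not retire entries */
	tlb->maps[tlb->nmaps].start = start;
	tlb->maps[tlb->nmaps].last = last;
	tlb->maps[tlb->nmaps].size = range_size(start, last);
	tlb->nmaps++;
	return 0;
}

/* Fixed insert: split [0, UINT64_MAX] into [0, mid] and [mid + 1, UINT64_MAX]
 * as the patch does, but reserve both slots first and propagate the first
 * half's error, so a failure never leaves half of the range mapped. */
static int model_add_range(struct iotlb_model *tlb, uint64_t start, uint64_t last)
{
	int needed = 1;
	int ret;

	if (last < start)
		return -EFAULT;
	if (start == 0 && last == UINT64_MAX)
		needed = 2;
	if (tlb->nmaps + needed > MODEL_LIMIT)
		return -ENOMEM;
	if (needed == 2) {
		uint64_t mid = last / 2;

		ret = model_add_raw(tlb, start, mid);
		if (ret)
			return ret;
		start = mid + 1;
	}
	return model_add_raw(tlb, start, last);
}

/* A size-0 entry means a walker that advances by entry size makes no progress. */
static int model_has_zero_size_entry(const struct iotlb_model *tlb)
{
	for (int i = 0; i < tlb->nmaps; i++)
		if (tlb->maps[i].size == 0)
			return 1;
	return 0;
}

/* Message-level check like the vhost_chr_write_iter() hunk: refuse size 0. */
static int model_validate_msg(uint64_t size)
{
	return size == 0 ? -EINVAL : 0;
}

/* Before the fix: the constructed iova=size=0 message yields one size-0 entry. */
static int demo_unfixed(void)
{
	struct iotlb_model tlb = { 0 };
	uint64_t iova = 0, size = 0;

	if (model_add_raw(&tlb, iova, iova + size - 1))
		return -1;
	return model_has_zero_size_entry(&tlb);
}

/* After the fix: [0, UINT64_MAX] becomes two entries of 2^63 each. */
static int demo_fixed(void)
{
	struct iotlb_model tlb = { 0 };

	if (model_add_range(&tlb, 0, UINT64_MAX) || model_has_zero_size_entry(&tlb))
		return -1;
	if (tlb.maps[0].size != (uint64_t)1 << 63 || tlb.maps[1].size != (uint64_t)1 << 63)
		return -2;
	return tlb.nmaps;
}

/* With one free slot left (constructed filler), the split is refused up front. */
static int demo_full_table(void)
{
	struct iotlb_model tlb = { 0 };

	for (uint64_t i = 0; i < MODEL_LIMIT - 1; i++)
		if (model_add_raw(&tlb, i * 4096, i * 4096 + 4095))
			return -1;
	if (model_add_range(&tlb, 0, UINT64_MAX) != -ENOMEM)
		return -2;
	return tlb.nmaps;
}

int main(void)
{
	printf("size-0 message accepted? %d\n", model_validate_msg(0) == 0);
	printf("unfixed table has size-0 entry: %d\n", demo_unfixed());
	printf("fixed table entries: %d\n", demo_fixed());
	printf("entries after refused split: %d\n", demo_full_table());
	return 0;
}
```

The model deliberately omits overlap handling and the VHOST_IOTLB_FLAG_RETIRE path; its point is the size arithmetic and the two-slot reservation, which is what makes the split atomic from the caller's point of view.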