| Message ID | 20220305095525.5145-1-mail@anirudhrb.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [v3] vhost: fix hung thread due to erroneous iotlb entries | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
On Sat, Mar 5, 2022 at 5:56 PM Anirudh Rayabharam <mail@anirudhrb.com> wrote: > > In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when > start is 0 and last is ULONG_MAX. One instance where it can happen > is when userspace sends an IOTLB message with iova=size=uaddr=0 > (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, > last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, > iotlb_access_ok() loops indefinitely due to that erroneous entry. > > Call Trace: > <TASK> > iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 > vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 > vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 > vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 > kthread+0x2e9/0x3a0 kernel/kthread.c:377 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 > </TASK> > > Reported by syzbot at: > https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 > > To fix this, do two things: > > 1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map > a range with size 0. > 2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] > by splitting it into two entries. > > Fixes: 0bbe30668d89e ("vhost: factor out IOTLB") > Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com> > --- > Changes in v3: > 1. Simplify expression since start is always 0 > 2. Fix checkpatch issue > 3. Add Fixes tag > > v2: https://lore.kernel.org/kvm/20220224143320.3751-1-mail@anirudhrb.com/ > Changes in v2: > 1. Don't reject range [0, ULONG_MAX], split it instead. > 2. Validate msg.size in vhost_chr_write_iter(). > > v1: https://lore.kernel.org/lkml/20220221195303.13560-1-mail@anirudhrb.com/ > > --- > drivers/vhost/iotlb.c | 11 +++++++++++ > drivers/vhost/vhost.c | 5 +++++ > 2 files changed, 16 insertions(+) > > diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c > index 670d56c879e5..40b098320b2a 100644 > --- a/drivers/vhost/iotlb.c > +++ b/drivers/vhost/iotlb.c > @@ -57,6 +57,17 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > if (last < start) > return -EFAULT; > > + /* If the range being mapped is [0, ULONG_MAX], split it into two entries > + * otherwise its size would overflow u64. > + */ > + if (start == 0 && last == ULONG_MAX) { > + u64 mid = last / 2; > + > + vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque); Do we need to check the errors and fail? Others look good. Thanks > + addr += mid + 1; > + start = mid + 1; > + } > + > if (iotlb->limit && > iotlb->nmaps == iotlb->limit && > iotlb->flags & VHOST_IOTLB_FLAG_RETIRE) { > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 59edb5a1ffe2..55475fd59fb7 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1170,6 +1170,11 @@ ssize_t vhost_chr_write_iter(struct vhost_dev *dev, > goto done; > } > > + if (msg.size == 0) { > + ret = -EINVAL; > + goto done; > + } > + > if (dev->msg_handler) > ret = dev->msg_handler(dev, &msg); > else > -- > 2.35.1 >
diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c index 670d56c879e5..40b098320b2a 100644 --- a/drivers/vhost/iotlb.c +++ b/drivers/vhost/iotlb.c @@ -57,6 +57,17 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, if (last < start) return -EFAULT; + /* If the range being mapped is [0, ULONG_MAX], split it into two entries + * otherwise its size would overflow u64. + */ + if (start == 0 && last == ULONG_MAX) { + u64 mid = last / 2; + + vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque); + addr += mid + 1; + start = mid + 1; + } + if (iotlb->limit && iotlb->nmaps == iotlb->limit && iotlb->flags & VHOST_IOTLB_FLAG_RETIRE) { diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 59edb5a1ffe2..55475fd59fb7 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1170,6 +1170,11 @@ ssize_t vhost_chr_write_iter(struct vhost_dev *dev, goto done; } + if (msg.size == 0) { + ret = -EINVAL; + goto done; + } + if (dev->msg_handler) ret = dev->msg_handler(dev, &msg); else
In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when start is 0 and last is ULONG_MAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, iotlb_access_ok() loops indefinitely due to that erroneous entry. Call Trace: <TASK> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 To fix this, do two things: 1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0. 2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries. Fixes: 0bbe30668d89e ("vhost: factor out IOTLB") Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com> --- Changes in v3: 1. Simplify expression since start is always 0 2. Fix checkpatch issue 3. Add Fixes tag v2: https://lore.kernel.org/kvm/20220224143320.3751-1-mail@anirudhrb.com/ Changes in v2: 1. Don't reject range [0, ULONG_MAX], split it instead. 2. Validate msg.size in vhost_chr_write_iter(). v1: https://lore.kernel.org/lkml/20220221195303.13560-1-mail@anirudhrb.com/ --- drivers/vhost/iotlb.c | 11 +++++++++++ drivers/vhost/vhost.c | 5 +++++ 2 files changed, 16 insertions(+)