A possible DOS from guest to host via zero length descriptor. This is because currently the vringh_kiov_advance() does something like this:

    while (len && iov->i < iov->used) {
        ...
        if (!iov->iov[iov->i].iov_len) {
            ...
            iov->i++;
        }
    }

When the length of the descriptor is zero, we miss the chance to advance iov->i. The fix is to revert b8c06ad4d67db56ed6bdfb685c134da74e92a2c7 ("vringh: implement vringh_kiov_advance()").
(In reply to Rohit Keshri from comment #0)

> The fix is to revert b8c06ad4d67db56ed6bdfb685c134da74e92a2c7 ("vringh:
> implement vringh_kiov_advance()").

We use vringh_kiov_advance() also in vdpa-sim-blk, so we can't just revert that patch. So I just posted a patch reverting only the changes in vringh_iov_xfer() that should fix the issue reported in this BZ: https://lore.kernel.org/virtualization/20230925103057.104541-1-sgarzare@redhat.com/T/#u
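A user-space model of the two transfer loops discussed in comment #0 and comment #6, added here as an illustration (this is not kernel code and not the posted patch; the struct layout and the names kiov_model, kiov_advance, kiov_consume and kiov_xfer are assumptions that mirror the kernel's vringh_kiov bookkeeping). It builds a constructed descriptor chain with a zero-length element in the middle and runs both the loop that hands bookkeeping to a vringh_kiov_advance()-style helper and the loop that does the bookkeeping inline, showing why only the latter steps past the empty element:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of the kernel's struct vringh_kiov; the
 * field names mirror the kernel struct, but nothing here is kernel code. */
struct kvec_model {
	unsigned char *iov_base;
	size_t iov_len;
};

struct kiov_model {
	struct kvec_model *iov;
	size_t consumed;   /* bytes already consumed in the current element */
	unsigned int i;    /* index of the current element */
	unsigned int used; /* number of elements in the chain */
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Bookkeeping for one element: shrink it by partlen and, once it is
 * exhausted (including the case where it was empty to begin with),
 * restore its original length/base and move on to the next element. */
static void kiov_consume(struct kiov_model *iov, size_t partlen)
{
	iov->consumed += partlen;
	iov->iov[iov->i].iov_len -= partlen;
	iov->iov[iov->i].iov_base += partlen;
	if (!iov->iov[iov->i].iov_len) {
		iov->iov[iov->i].iov_len = iov->consumed;
		iov->iov[iov->i].iov_base -= iov->consumed;
		iov->consumed = 0;
		iov->i++;
	}
}

/* Model of vringh_kiov_advance(): the `len &&` guard means a call with
 * len == 0 does nothing, so a zero-length element is never stepped over. */
static void kiov_advance(struct kiov_model *iov, size_t len)
{
	while (len && iov->i < iov->used) {
		size_t partlen = min_sz(iov->iov[iov->i].iov_len, len);
		kiov_consume(iov, partlen);
		len -= partlen;
	}
}

#define MAX_ITERS 1000 /* demo guard: the buggy loop would otherwise never exit */

/* Copy up to len bytes out of the chain into dst.  With fixed == 0 the loop
 * delegates bookkeeping to kiov_advance(partlen), the pattern the report
 * describes; with fixed != 0 it does the bookkeeping inline so iov->i
 * advances even when partlen is 0.  Returns bytes copied, or -1 if the loop
 * stalled (in the kernel this is a CPU spinning forever in the loop). */
static long kiov_xfer(struct kiov_model *iov, unsigned char *dst, size_t len, int fixed)
{
	long done = 0;
	unsigned int iters = 0;

	while (len && iov->i < iov->used) {
		size_t partlen = min_sz(iov->iov[iov->i].iov_len, len);

		if (++iters > MAX_ITERS)
			return -1;
		memcpy(dst + done, iov->iov[iov->i].iov_base, partlen);
		done += partlen;
		len -= partlen;
		if (fixed)
			kiov_consume(iov, partlen);
		else
			kiov_advance(iov, partlen);
	}
	return done;
}

/* Constructed chain: "AB", an empty element, "CD"; the caller asks for 4 bytes.
 * out must have room for at least 5 bytes. */
long run_scenario(int fixed, unsigned char *out)
{
	unsigned char a[] = "AB", b[1] = {0}, c[] = "CD";
	struct kvec_model chain[3] = { { a, 2 }, { b, 0 }, { c, 2 } };
	struct kiov_model iov = { chain, 0, 0, 3 };

	memset(out, 0, 5);
	return kiov_xfer(&iov, out, 4, fixed);
}

long demo_buggy(void) { unsigned char out[5]; return run_scenario(0, out); }
long demo_fixed(void) { unsigned char out[5]; return run_scenario(1, out); }

int demo_fixed_copies_abcd(void)
{
	unsigned char out[5];
	return run_scenario(1, out) == 4 && memcmp(out, "ABCD", 4) == 0;
}

int main(void)
{
	printf("buggy loop: %ld (-1 = stalled on the empty element)\n", demo_buggy());
	printf("fixed loop: %ld bytes copied\n", demo_fixed());
	return 0;
}
```

The iteration guard exists only so the demonstration terminates; the point is that once the loop reaches the empty element, partlen is 0 on every pass and kiov_advance(iov, 0) leaves iov->i untouched, whereas the inline bookkeeping increments iov->i because the element's length is already 0.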
The Bugzilla entry mentions "Fixed In Version: kernel 5.13-rc1" but that should rather be that this version is introducing the issue.
In reply to comment #7:

> The Bugzilla entry mentions "Fixed In Version: kernel 5.13-rc1" but that
> should rather be that this version is introducing the issue.

Thanks Carnil for the correction.

    $ git describe --contains b8c06ad4d67db56ed6bdfb685c134da74e92a2c7
    v5.13-rc1~42^2~14

This is the patch that possibly introduces the DOS.
Patch mentioned in comment 6 now merged upstream and in stable branches: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7aed44babc7f97e82b38e9a68515e699692cc100