[Devel] [PATCH RHEL10 COMMIT] drivers/vhost/blk: ensure total request size

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 19 19:36:11 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.4.vz10
------>
commit 9f0de39aaf6a639c376943d0a45c4fe385a442a7
Author: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
Date:   Fri Jun 19 16:33:13 2026 +0300

    drivers/vhost/blk: ensure total request size
    
    before calculating payload length, otherwise size->len can
    underflow.
    
    https://virtuozzo.atlassian.net/browse/VSTOR-134034
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
    
    ======
    Patchset description:
    vhost-blk: handling of failing requests
    
    This series mainly addresses the handling of failing requests.
    Previously the driver would always retry all requests that failed at
    processing and would always complete the requests if they were
    past the bio submission point.
    
    Using vhost-net and vhost-scsi as a model, we adopt the following
    approach:
     - requests failed at processing phase with ENOMEM/EAGAIN are re-tried
     - requests failed at processing phase with other errors are not
    reported completed and are not processed further. It is highly likely
    they are just incorrect
     - requests failed at status write after the completion are not
    reported completed
    
    This may sometimes lead to guests stalling, but the alternatives are
    always worse.
    
    Also the patchset improves logging and adds a few sanity checks.
    
    Feature: vhost-blk: in-kernel accelerator for virtio-blk guests
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 drivers/vhost/blk.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/vhost/blk.c b/drivers/vhost/blk.c
index 00101816e7694..fb70b381eae92 100644
--- a/drivers/vhost/blk.c
+++ b/drivers/vhost/blk.c
@@ -458,6 +458,9 @@ static int vhost_blk_req_handle(struct vhost_virtqueue *vq,
 	req->iov	= blk_vq->iov;
 	req->bio_err	= 0;
 
+	if (iov_length(vq->iov, total_iov_nr) < sizeof(status))
+		return -EINVAL;
+
 	req->len	= iov_length(vq->iov, total_iov_nr) - sizeof(status);
 	req->iov_nr	= move_iovec(vq->iov, req->iov, req->len, total_iov_nr,
 				     ARRAY_SIZE(blk_vq->iov));
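
Review bot: the added check and the `req->len` assignment directly below it each call `iov_length(vq->iov, total_iov_nr)`, so the value that is guarded and the value that is subtracted from are computed separately. Take the length once into a local `size_t` and use it for both the `< sizeof(status)` test and the subtraction, so the two cannot drift apart if either line is edited later. The check also still admits a total length exactly equal to `sizeof(status)`, which gives `req->len == 0` as the length passed to `move_iovec()`; if a zero-length payload is not valid for every request type handled here, reject it at this point as well, or add a comment saying why it is accepted. The commit message names `size->len`, while the field this hunk protects is `req->len`.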

