Return early when userspace sends zero regions in the VHOST_SET_MEM_TABLE ioctl. Otherwise, this causes an erroneous entry to be added to the iotlb. This entry has a range size of 0 (due to u64 overflow). This then causes iotlb_access_ok() to loop indefinitely resulting in a hung thread. Syzbot has reported this here: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 Reported-and-tested-by: syzbot+0abd373e2e50d704db87@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Anirudh Rayabharam <mail@xxxxxxxxxxxxx> --- drivers/vhost/vhost.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 59edb5a1ffe2..821aba60eac2 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1428,6 +1428,8 @@ static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m) return -EFAULT; if (mem.padding) return -EOPNOTSUPP; + if (mem.nregions == 0) + return 0; if (mem.nregions > max_mem_regions) return -E2BIG; newmem = kvzalloc(struct_size(newmem, regions, mem.nregions), -- 2.35.1
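Review bot: Returning 0 for `mem.nregions == 0` is inconsistent with the surrounding validation in this hunk, where every other rejected table (`mem.padding`, `mem.nregions > max_mem_regions`) fails with an error (-EOPNOTSUPP, -E2BIG), and it silently turns a zero-region VHOST_SET_MEM_TABLE into a no-op: the ioctl reports success but the previously installed table, if any, stays in place, which a caller that meant to clear its regions will not notice. Either return -EINVAL so userspace learns the table was not applied, or state in the commit message that a zero-region table is intentionally accepted and ignored. Separately, the commit message attributes the hang to an iotlb entry whose range size becomes 0 through u64 overflow, but the region loop this early return skips cannot add any range when there are no regions, so the description should name the code path that actually produces the zero-sized entry and justify why rejecting the empty table, rather than checking the range size where the entry is added, is the right place for the fix. A check at the point of insertion would also protect any other caller that can reach the same overflow.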