From: Jason Wang <jasowang@xxxxxxxxxx> commit 95932ab2ea07b79cdb33121e2f40ccda9e6a73b5 upstream. Commit e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries") tries to reject the IOTLB message whose size is zero. But the size is not necessarily meaningful; one example is the batching hint, so the commit breaks that. Fix this by rejecting a zero size message only if the message is used to update/invalidate the IOTLB. Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries") Reported-by: Eli Cohen <elic@xxxxxxxxxx> Cc: Anirudh Rayabharam <mail@xxxxxxxxxxxxx> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> Link: https://lore.kernel.org/r/20220310075211.4801-1-jasowang@xxxxxxxxxx Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Tested-by: Eli Cohen <elic@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/vhost/vhost.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1170,7 +1170,9 @@ ssize_t vhost_chr_write_iter(struct vhos goto done; } - if (msg.size == 0) { + if ((msg.type == VHOST_IOTLB_UPDATE || + msg.type == VHOST_IOTLB_INVALIDATE) && + msg.size == 0) { ret = -EINVAL; goto done; } Patches currently in stable-queue which might be from jasowang@xxxxxxxxxx are queue-5.15/vduse-fix-returning-wrong-type-in-vduse_domain_alloc.patch queue-5.15/virtio-acknowledge-all-features-before-access.patch queue-5.15/vdpa-mlx5-add-validation-for-virtio_net_ctrl_mq_vq_p.patch queue-5.15/vhost-allow-batching-hint-without-size.patch queue-5.15/virtio-unexport-virtio_finalize_features.patch
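Review bot: The narrowed condition in the vhost_chr_write_iter hunk silently lets every message type other than VHOST_IOTLB_UPDATE and VHOST_IOTLB_INVALIDATE through with msg.size == 0, which is the intended behaviour for the batching hint but becomes an unstated default for any type added later; a one-line comment above the `if`, along the lines of "size is only meaningful for update/invalidate; hints carry no range", would record why the blanket check from e2ae38cf3d91 was relaxed and stop someone from reinstating it the next time a zero-size message causes trouble. It is also worth confirming that the type list here stays aligned with whichever code later consumes msg.iova and msg.size for these two types, since this check is now the only place a zero-length range is rejected before the message reaches the IOTLB handler.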