Patch "scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 15 Jan 2023 18:59:13 -0500

This is a note to let you know that I've just added the patch titled

    scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-storvsc-fix-swiotlb-bounce-buffer-leak-in-confi.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4332ec1394ed16170d756433aa7867f97709eb08
Author: Michael Kelley <mikelley@xxxxxxxxxxxxx>
Date:   Sun Dec 4 11:52:44 2022 -0800

    scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM
    
    [ Upstream commit 67ff3d0a49f3d445c3922e30a54e03c161da561e ]
    
    storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),
    which in a confidential VM allocates swiotlb bounce buffers. If the I/O
    submission fails in storvsc_do_io(), the I/O is typically retried by higher
    level code, but the bounce buffer memory is never freed.  The mostly like
    cause of I/O submission failure is a full VMBus channel ring buffer, which
    is not uncommon under high I/O loads.  Eventually enough bounce buffer
    memory leaks that the confidential VM can't do any I/O. The same problem
    can arise in a non-confidential VM with kernel boot parameter
    swiotlb=force.
    
    Fix this by doing scsi_dma_unmap() in the case of an I/O submission
    error, which frees the bounce buffer memory.
    
    Fixes: 743b237c3a7b ("scsi: storvsc: Add Isolation VM support for storvsc driver")
    Signed-off-by: Michael Kelley <mikelley@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/1670183564-76254-1-git-send-email-mikelley@xxxxxxxxxxxxx
    Tested-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
    Reviewed-by: Dexuan Cui <decui@xxxxxxxxxxxxx>
    Reviewed-by: Tianyu Lan <Tianyu.Lan@xxxxxxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 3c5b7e4227b2..55d6fb452680 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1823,6 +1823,9 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 	ret = storvsc_do_io(dev, cmd_request, get_cpu());
 	put_cpu();
 
+	if (ret)
+		scsi_dma_unmap(scmnd);
+
 	if (ret == -EAGAIN) {
 		/* no more space */
 		ret = SCSI_MLQUEUE_DEVICE_BUSY;






