This Linux kernel change "vhost: scsi: add weight support" is included in the Linux 4.4.191 release. This change is authored by Jason Wang <jasowang [at] redhat.com> on Wed Aug 28 00:10:49 2019 +0100. The commit for this change in Linux stable tree is 6ca2436 (patch) which is from upstream commit c1ea02f. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream c1ea02f.

commit c1ea02f15ab5efb3e93fc3144d895410bf79fcf2 upstream.

This patch will check the weight and exit the loop if we exceeds the
weight. This is useful for preventing scsi kthread from hogging cpu
which is guest triggerable.

This addresses CVE-2019-3900.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: 057cbf49a1f0 ("tcm_vhost: Initial merge for vhost level target fabric driver")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[bwh: Backported to 4.4:
 - Drop changes in vhost_scsi_ctl_handle_vq()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

There are 6 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/vhost/scsi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 47e659e..269cfdd 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -861,7 +861,7 @@ static void vhost_scsi_submission_work(struct work_struct *work)
    u64 tag;
    u32 exp_data_len, data_direction;
    unsigned out, in;
-   int head, ret, prot_bytes;
+   int head, ret, prot_bytes, c = 0;
    size_t req_size, rsp_size = sizeof(struct virtio_scsi_cmd_resp);
    size_t out_size, in_size;
    u16 lun;
@@ -880,7 +880,7 @@ static void vhost_scsi_submission_work(struct work_struct *work)

    vhost_disable_notify(&vs->dev, vq);

-   for (;;) {
+   do {
        head = vhost_get_vq_desc(vq, vq->iov,
                     ARRAY_SIZE(vq->iov), &out, &in,
                     NULL, NULL);
@@ -1096,7 +1096,7 @@ static void vhost_scsi_submission_work(struct work_struct *work)
        INIT_WORK(&cmd->work, vhost_scsi_submission_work);
        queue_work(vhost_scsi_workqueue, &cmd->work);
-   }
+   } while (likely(!vhost_exceeds_weight(vq, ++c, 0)));

