The following changes since commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d: Linux 4.19 (2018-10-22 07:37:37 +0100) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to 79f800b2e76923cd8ce0aa659cb5c019d9643bc9: MAINTAINERS: remove reference to bogus vsock file (2018-10-24 21:16:14 -0400) ---------------------------------------------------------------- virtio, vhost: fixes, tweaks virtio balloon page hinting support vhost scsi control queue misc fixes. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> ---------------------------------------------------------------- Bijan Mottahedeh (3): vhost/scsi: Respond to control queue operations vhost/scsi: Extract common handling code from control queue handler vhost/scsi: Use common handling code in request queue handler Greg Edwards (1): vhost/scsi: truncate T10 PI iov_iter to prot_bytes L?na?c Huard (1): kvm_config: add CONFIG_VIRTIO_MENU Stefan Hajnoczi (1): MAINTAINERS: remove reference to bogus vsock file Wei Wang (3): virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT mm/page_poison: expose page_poisoning_enabled to kernel modules virtio-balloon: VIRTIO_BALLOON_F_PAGE_POISON MAINTAINERS | 1 - drivers/vhost/scsi.c | 426 ++++++++++++++++++++++++++++-------- drivers/virtio/virtio_balloon.c | 380 +++++++++++++++++++++++++++++--- include/uapi/linux/virtio_balloon.h | 8 + kernel/configs/kvm_guest.config | 1 + mm/page_poison.c | 6 + 6 files changed, 688 insertions(+), 134 deletions(-)
On Thu, Nov 1, 2018 at 2:19 PM Michael S. Tsirkin <mst at redhat.com> wrote:> > virtio, vhost: fixes, tweaksPulled. Linus
On Thu, Nov 1, 2018 at 2:19 PM, Michael S. Tsirkin <mst at redhat.com> wrote:> The following changes since commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d: > > Linux 4.19 (2018-10-22 07:37:37 +0100) > > are available in the Git repository at: > > git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus > > for you to fetch changes up to 79f800b2e76923cd8ce0aa659cb5c019d9643bc9: > > MAINTAINERS: remove reference to bogus vsock file (2018-10-24 21:16:14 -0400) > > ---------------------------------------------------------------- > virtio, vhost: fixes, tweaks > > virtio balloon page hinting support > vhost scsi control queue > > misc fixes. > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > > ---------------------------------------------------------------- > Bijan Mottahedeh (3): > vhost/scsi: Respond to control queue operations+static void +vhost_scsi_send_tmf_resp(struct vhost_scsi *vs, + struct vhost_virtqueue *vq, + int head, unsigned int out) +{ + struct virtio_scsi_ctrl_tmf_resp __user *resp; + struct virtio_scsi_ctrl_tmf_resp rsp; + int ret; + + pr_debug("%s\n", __func__); + memset(&rsp, 0, sizeof(rsp)); + rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; + resp = vq->iov[out].iov_base; + ret = __copy_to_user(resp, &rsp, sizeof(rsp)); Is it actually safe to trust that iov_base has passed an earlier access_ok() check here? Why not just use copy_to_user() instead? -Kees> vhost/scsi: Extract common handling code from control queue handler > vhost/scsi: Use common handling code in request queue handler > > Greg Edwards (1): > vhost/scsi: truncate T10 PI iov_iter to prot_bytes > > L?na?c Huard (1): > kvm_config: add CONFIG_VIRTIO_MENU > > Stefan Hajnoczi (1): > MAINTAINERS: remove reference to bogus vsock file > > Wei Wang (3): > virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT > mm/page_poison: expose page_poisoning_enabled to kernel modules > virtio-balloon: VIRTIO_BALLOON_F_PAGE_POISON > > MAINTAINERS | 1 - > drivers/vhost/scsi.c | 426 ++++++++++++++++++++++++++++-------- > drivers/virtio/virtio_balloon.c | 380 +++++++++++++++++++++++++++++--- > include/uapi/linux/virtio_balloon.h | 8 + > kernel/configs/kvm_guest.config | 1 + > mm/page_poison.c | 6 + > 6 files changed, 688 insertions(+), 134 deletions(-)-- Kees Cook
On Thu, Nov 1, 2018 at 4:00 PM Kees Cook <keescook at chromium.org> wrote:> > + memset(&rsp, 0, sizeof(rsp)); > + rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; > + resp = vq->iov[out].iov_base; > + ret = __copy_to_user(resp, &rsp, sizeof(rsp)); > > Is it actually safe to trust that iov_base has passed an earlier > access_ok() check here? Why not just use copy_to_user() instead?Good point. We really should have removed those double-underscore things ages ago. Also, apart from the address, what about the size? Wouldn't it be better to use copy_to_iter() rather than implement it badly by hand? Linus
On Thu, Nov 01, 2018 at 04:00:23PM -0700, Kees Cook wrote:> On Thu, Nov 1, 2018 at 2:19 PM, Michael S. Tsirkin <mst at redhat.com> wrote: > > The following changes since commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d: > > > > Linux 4.19 (2018-10-22 07:37:37 +0100) > > > > are available in the Git repository at: > > > > git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus > > > > for you to fetch changes up to 79f800b2e76923cd8ce0aa659cb5c019d9643bc9: > > > > MAINTAINERS: remove reference to bogus vsock file (2018-10-24 21:16:14 -0400) > > > > ---------------------------------------------------------------- > > virtio, vhost: fixes, tweaks > > > > virtio balloon page hinting support > > vhost scsi control queue > > > > misc fixes. > > > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > > > > ---------------------------------------------------------------- > > Bijan Mottahedeh (3): > > vhost/scsi: Respond to control queue operations > > +static void > +vhost_scsi_send_tmf_resp(struct vhost_scsi *vs, > + struct vhost_virtqueue *vq, > + int head, unsigned int out) > +{ > + struct virtio_scsi_ctrl_tmf_resp __user *resp; > + struct virtio_scsi_ctrl_tmf_resp rsp; > + int ret; > + > + pr_debug("%s\n", __func__); > + memset(&rsp, 0, sizeof(rsp)); > + rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; > + resp = vq->iov[out].iov_base; > + ret = __copy_to_user(resp, &rsp, sizeof(rsp)); > > Is it actually safe to trust that iov_base has passed an earlier > access_ok() check here? Why not just use copy_to_user() instead? > > -KeesI am not sure copy_to_user will do the right thing here, because all this runs in context of a kernel thread. We do need access_ok which takes place way earlier in context of the task. Another reason it is safe is because the address is not coming from userspace at all.> > vhost/scsi: Extract common handling code from control queue handler > > vhost/scsi: Use common handling code in request queue handler > > > > Greg Edwards (1): > > vhost/scsi: truncate T10 PI iov_iter to prot_bytes > > > > L?na?c Huard (1): > > kvm_config: add CONFIG_VIRTIO_MENU > > > > Stefan Hajnoczi (1): > > MAINTAINERS: remove reference to bogus vsock file > > > > Wei Wang (3): > > virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT > > mm/page_poison: expose page_poisoning_enabled to kernel modules > > virtio-balloon: VIRTIO_BALLOON_F_PAGE_POISON > > > > MAINTAINERS | 1 - > > drivers/vhost/scsi.c | 426 ++++++++++++++++++++++++++++-------- > > drivers/virtio/virtio_balloon.c | 380 +++++++++++++++++++++++++++++--- > > include/uapi/linux/virtio_balloon.h | 8 + > > kernel/configs/kvm_guest.config | 1 + > > mm/page_poison.c | 6 + > > 6 files changed, 688 insertions(+), 134 deletions(-) > > > > -- > Kees Cook