search for: 3a4d5c94e9593

...hrough kernel virtual address, this may result alias in virtually tagged caches that require a dcache flush afterwards. Cc: Christoph Hellwig <hch at infradead.org> Cc: James Bottomley <James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 351af88231ad..34a1cedbc5ba 100644 --- a/drivers/vhost/vho...

...hrough kernel virtual address, this may result alias in virtually tagged caches that require a dcache flush afterwards. Cc: Christoph Hellwig <hch at infradead.org> Cc: James Bottomley <James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 351af88231ad..34a1cedbc5ba 100644 --- a/drivers/vhost/vho...

...t owner, this means we could try to serve any virtqueue kick before reset dev->worker. This will result a warn since the work was pending at llist during owner resetting. Fix this by stopping device during owner reset. Reported-by: syzbot+eb17c6162478cc50632c at syzkaller.appspotmail.com Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index c7bdeb6..5636c7c 100644 --- a/drivers/vhost/net.c +++ b/drivers...

...lt;James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Cc: Thomas Gleixner <tglx at linutronix.de> Cc: Ingo Molnar <mingo at redhat.com> Cc: Peter Zijlstra <peterz at infradead.org> Cc: Darren Hart <dvhart at infradead.org> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from RFC V2: - drop GUP and provide get_user()/put_user() fallbacks - round down log_base Changes from RFC V1: - switch to use arch_futex_atomic_op_inuser() --- drivers/vhost/...

...lt;James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Cc: Thomas Gleixner <tglx at linutronix.de> Cc: Ingo Molnar <mingo at redhat.com> Cc: Peter Zijlstra <peterz at infradead.org> Cc: Darren Hart <dvhart at infradead.org> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from RFC V2: - drop GUP and provide get_user()/put_user() fallbacks - round down log_base Changes from RFC V1: - switch to use arch_futex_atomic_op_inuser() --- drivers/vhost/...

...lt;James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Cc: Thomas Gleixner <tglx at linutronix.de> Cc: Ingo Molnar <mingo at redhat.com> Cc: Peter Zijlstra <peterz at infradead.org> Cc: Darren Hart <dvhart at infradead.org> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from V1: - switch to use arch_futex_atomic_op_inuser() --- drivers/vhost/vhost.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) d...

...lt;James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Cc: Thomas Gleixner <tglx at linutronix.de> Cc: Ingo Molnar <mingo at redhat.com> Cc: Peter Zijlstra <peterz at infradead.org> Cc: Darren Hart <dvhart at infradead.org> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from V1: - switch to use arch_futex_atomic_op_inuser() --- drivers/vhost/vhost.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) d...

...plement futex helper, we can't log dirty pages. We can fix them on top or simply disable LOG_ALL features of vhost. Cc: Christoph Hellwig <hch at infradead.org> Cc: James Bottomley <James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 351af88..9c...

...plement futex helper, we can't log dirty pages. We can fix them on top or simply disable LOG_ALL features of vhost. Cc: Christoph Hellwig <hch at infradead.org> Cc: James Bottomley <James.Bottomley at HansenPartnership.com> Cc: Andrea Arcangeli <aarcange at redhat.com> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 351af88..9c...

...onsuming the packets in the meanwhile - theoretical TOCTOU attack if guest moving avail index back and forth to hit the continue after vhost find guest just add new buffers This addresses CVE-2019-3900. Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/net.c | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index df5...

...onsuming the packets in the meanwhile - theoretical TOCTOU attack if guest moving avail index back and forth to hit the continue after vhost find guest just add new buffers This addresses CVE-2019-3900. Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/net.c | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index df5...

...this may result alias in virtually tagged > caches that require a dcache flush afterwards. > > Cc: Christoph Hellwig <hch at infradead.org> > Cc: James Bottomley <James.Bottomley at HansenPartnership.com> > Cc: Andrea Arcangeli <aarcange at redhat.com> > Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") This is like saying "everyone with vhost needs this". In practice only might affect some architectures. Which ones? You want to Cc the relevant maintainers who understand this... > Signed-off-by: Jason Wang <jasowang at redhat....

...rtnership.com> > Cc: Andrea Arcangeli <aarcange at redhat.com> > Cc: Thomas Gleixner <tglx at linutronix.de> > Cc: Ingo Molnar <mingo at redhat.com> > Cc: Peter Zijlstra <peterz at infradead.org> > Cc: Darren Hart <dvhart at infradead.org> > Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") > Signed-off-by: Jason Wang <jasowang at redhat.com> I want to see a review from Michael for this change before applying.

...at getname use sockaddr_ll parameter beyond its size, we add a little bit of security here. It should do not do beyond MAX_ADDR_LEN, but syzbot found that ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25, versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro). Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Reported-by: syzbot+f2a62d07a5198c819c7b at syzkaller.appspotmail.com Signed-off-by: Eugenio P?rez <eperezma at redhat.com> Acked-by: Michael S. Tsirkin <mst at redhat.com> Signed-off-by: David S. Miller <davem at davemloft.net&gt...

...at getname use sockaddr_ll parameter beyond its size, we add a little bit of security here. It should do not do beyond MAX_ADDR_LEN, but syzbot found that ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25, versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro). Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Reported-by: syzbot+f2a62d07a5198c819c7b at syzkaller.appspotmail.com Signed-off-by: Eugenio P?rez <eperezma at redhat.com> Acked-by: Michael S. Tsirkin <mst at redhat.com> Signed-off-by: David S. Miller <davem at davemloft.net&gt...

...at getname use sockaddr_ll parameter beyond its size, we add a little bit of security here. It should do not do beyond MAX_ADDR_LEN, but syzbot found that ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25, versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro). Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Reported-by: syzbot+f2a62d07a5198c819c7b at syzkaller.appspotmail.com Signed-off-by: Eugenio P?rez <eperezma at redhat.com> Acked-by: Michael S. Tsirkin <mst at redhat.com> Signed-off-by: David S. Miller <davem at davemloft.net&gt...

...Or implement futex_atomic_cmpxchg using kmap if they don't have virtually tagged caches. > > Cc: Christoph Hellwig <hch at infradead.org> > Cc: James Bottomley <James.Bottomley at HansenPartnership.com> > Cc: Andrea Arcangeli <aarcange at redhat.com> > Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") > Signed-off-by: Jason Wang <jasowang at redhat.com> > --- > drivers/vhost/vhost.c | 27 +++++++++++++++------------ > 1 file changed, 15 insertions(+), 12 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/v...

...rtnership.com> > Cc: Andrea Arcangeli <aarcange at redhat.com> > Cc: Thomas Gleixner <tglx at linutronix.de> > Cc: Ingo Molnar <mingo at redhat.com> > Cc: Peter Zijlstra <peterz at infradead.org> > Cc: Darren Hart <dvhart at infradead.org> > Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") > Signed-off-by: Jason Wang <jasowang at redhat.com> > --- > Changes from RFC V2: > - drop GUP and provide get_user()/put_user() fallbacks > - round down log_base > Changes from RFC V1: > - switch to use arch_futex_ato...

...ack and forth >> to hit the continue after vhost find guest just add new buffers >> >> This addresses CVE-2019-3900. >> >> Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") > I agree this is the real issue. > >> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") > This is just a red herring imho. We can stick this on any vhost patch :) > >> Signed-off-by: Jason Wang <jasowang at redhat.com> >> --- >> drivers/vhost/net.c | 41 +++++++++++++++++++++-------------------- >&...

...ack and forth >> to hit the continue after vhost find guest just add new buffers >> >> This addresses CVE-2019-3900. >> >> Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") > I agree this is the real issue. > >> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") > This is just a red herring imho. We can stick this on any vhost patch :) > >> Signed-off-by: Jason Wang <jasowang at redhat.com> >> --- >> drivers/vhost/net.c | 41 +++++++++++++++++++++-------------------- >&...