search for: vhost_get_vq_desc

vhost fails to validate negative error code from vhost_get_vq_desc causing a crash: we are using -EFAULT which is 0xfffffff2 as vector size, which exceeds the allocated size. The code in question was introduced in commit 8dd014adfea6f173c1ef6378f7e5e7924866c923 vhost-net: mergeable buffers support CVE-2014-0055 Signed-off-by: Michael S. Tsirkin <mst at r...

vhost fails to validate negative error code from vhost_get_vq_desc causing a crash: we are using -EFAULT which is 0xfffffff2 as vector size, which exceeds the allocated size. The code in question was introduced in commit 8dd014adfea6f173c1ef6378f7e5e7924866c923 vhost-net: mergeable buffers support CVE-2014-0055 Signed-off-by: Michael S. Tsirkin <mst at r...

...of output then some number of input descriptors, it's actually two * iovecs, but we pack them into one and note how many of each there were. * - * This function returns the descriptor number found, or vq->num (which - * is never a valid descriptor number) if none was found. */ -unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq, - struct iovec iov[], unsigned int iov_size, - unsigned int *out_num, unsigned int *in_num, - struct vhost_log *log, unsigned int *log_num) + * This function returns the descriptor number found, or vq->num (which is + * never a va...

...of output then some number of input descriptors, it's actually two * iovecs, but we pack them into one and note how many of each there were. * - * This function returns the descriptor number found, or vq->num (which - * is never a valid descriptor number) if none was found. */ -unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq, - struct iovec iov[], unsigned int iov_size, - unsigned int *out_num, unsigned int *in_num, - struct vhost_log *log, unsigned int *log_num) + * This function returns the descriptor number found, or vq->num (which is + * never a va...

...o > * iovecs, but we pack them into one and note how many of each there were. > * > - * This function returns the descriptor number found, or vq->num (which is > - * never a valid descriptor number) if none was found. A negative code is > - * returned on error. */ > -int vhost_get_vq_desc(struct vhost_virtqueue *vq, > - struct iovec iov[], unsigned int iov_size, > - unsigned int *out_num, unsigned int *in_num, > - struct vhost_log *log, unsigned int *log_num) > + * This function returns a value > 0 if a descriptor was found, or 0 if none were foun...

...o > * iovecs, but we pack them into one and note how many of each there were. > * > - * This function returns the descriptor number found, or vq->num (which is > - * never a valid descriptor number) if none was found. A negative code is > - * returned on error. */ > -int vhost_get_vq_desc(struct vhost_virtqueue *vq, > - struct iovec iov[], unsigned int iov_size, > - unsigned int *out_num, unsigned int *in_num, > - struct vhost_log *log, unsigned int *log_num) > + * This function returns a value > 0 if a descriptor was found, or 0 if none were foun...

...used */ + bool urgent; + /* Log writes to used structure. */ bool log_used; u64 log_addr; @@ -138,20 +141,24 @@ long vhost_vring_ioctl(struct vhost_dev *d, int ioctl, void __user *argp); int vhost_vq_access_ok(struct vhost_virtqueue *vq); int vhost_log_access_ok(struct vhost_dev *); -int vhost_get_vq_desc(struct vhost_virtqueue *, +int vhost_get_vq_desc(struct vhost_virtqueue *, bool *urgent, struct iovec iov[], unsigned int iov_count, unsigned int *out_num, unsigned int *in_num, struct vhost_log *log, unsigned int *log_num); void vhost_discard_vq_desc(struct vhost_virtqu...

A test case which generates memory pressure while performing guest administration fails with vhost triggering "page allocation failure" and guest not starting up. After some analysis we discovered the allocation order of vhost to be rensponsible for this behaviour. Thus we suggest patch 1/1 which dynamically allocates the required memory. Please see its description for details. Thanks,

A test case which generates memory pressure while performing guest administration fails with vhost triggering "page allocation failure" and guest not starting up. After some analysis we discovered the allocation order of vhost to be rensponsible for this behaviour. Thus we suggest patch 1/1 which dynamically allocates the required memory. Please see its description for details. Thanks,

...escriptors, it's actually two * iovecs, but we pack them into one and note how many of each there were. * - * This function returns the descriptor number found, or vq->num (which is - * never a valid descriptor number) if none was found. A negative code is - * returned on error. */ -int vhost_get_vq_desc(struct vhost_virtqueue *vq, - struct iovec iov[], unsigned int iov_size, - unsigned int *out_num, unsigned int *in_num, - struct vhost_log *log, unsigned int *log_num) + * This function returns a value > 0 if a descriptor was found, or 0 if none were found. + * A negative co...

Refactor code to make sure features are only accessed under VQ mutex. This makes everything simpler, no need for RCU here anymore. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- Note: this is on top of my last pull request drivers/vhost/vhost.h | 11 +++-------- drivers/vhost/net.c | 8 +++----- drivers/vhost/scsi.c | 22 +++++++++++++--------- drivers/vhost/test.c | 9

Refactor code to make sure features are only accessed under VQ mutex. This makes everything simpler, no need for RCU here anymore. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- Note: this is on top of my last pull request drivers/vhost/vhost.h | 11 +++-------- drivers/vhost/net.c | 8 +++----- drivers/vhost/scsi.c | 22 +++++++++++++--------- drivers/vhost/test.c | 9

...e pack them into one and note how many of each there were. > > * > > - * This function returns the descriptor number found, or vq->num (which is > > - * never a valid descriptor number) if none was found. A negative code is > > - * returned on error. */ > > -int vhost_get_vq_desc(struct vhost_virtqueue *vq, > > - struct iovec iov[], unsigned int iov_size, > > - unsigned int *out_num, unsigned int *in_num, > > - struct vhost_log *log, unsigned int *log_num) > > + * This function returns a value > 0 if a descriptor was found, or...

From what I know, qemu and vhost backends use some functions in order to access the memory between the guest and the backend. From what I see, vhost does this with vhost_get_vq_desc(). How much do vq->iov mappings remain valid? Does it get unmapped at some time (you could answer me within vhost-net or vhost-scsi as examples)?

...o > + * iovecs, but we pack them into one and note how many of each there were. > + * > + * This function returns the descriptor number found, or vq->num (which is > + * never a valid descriptor number) if none was found. A negative code is > + * returned on error. */ > +int __vhost_get_vq_desc(struct vhost_virtqueue *vq, > + struct iovec iov[], unsigned int iov_size, > + unsigned int *out_num, unsigned int *in_num, > + struct vhost_log *log, unsigned int *log_num, > + __virtio16 head) [...] > +int vhost_get_vq_desc(struct vhost_virtqueue *vq, > + struct i...

From what I know, qemu and vhost backends use some functions in order to access the memory between the guest and the backend. From what I see, vhost does this with vhost_get_vq_desc(). How much do vq->iov mappings remain valid? Does it get unmapped at some time (you could answer me within vhost-net or vhost-scsi as examples)?

...o > + * iovecs, but we pack them into one and note how many of each there were. > + * > + * This function returns the descriptor number found, or vq->num (which is > + * never a valid descriptor number) if none was found. A negative code is > + * returned on error. */ > +int __vhost_get_vq_desc(struct vhost_virtqueue *vq, > + struct iovec iov[], unsigned int iov_size, > + unsigned int *out_num, unsigned int *in_num, > + struct vhost_log *log, unsigned int *log_num, > + __virtio16 head) [...] > +int vhost_get_vq_desc(struct vhost_virtqueue *vq, > + struct i...

...escriptors, it's actually two - * iovecs, but we pack them into one and note how many of each there were. - * - * This function returns the descriptor number found, or vq->num (which is - * never a valid descriptor number) if none was found. A negative code is - * returned on error. */ -int vhost_get_vq_desc(struct vhost_virtqueue *vq, - struct iovec iov[], unsigned int iov_size, - unsigned int *out_num, unsigned int *in_num, - struct vhost_log *log, unsigned int *log_num) +static unsigned int vhost_get_vq_head(struct vhost_virtqueue *vq, int *err) { - struct vring_desc desc; - un...

On 2020/6/10 ??7:05, Michael S. Tsirkin wrote: >>> +EXPORT_SYMBOL_GPL(vhost_get_vq_desc); >>> /* Reverse the effect of vhost_get_vq_desc. Useful for error handling. */ >>> void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int n) >>> { >>> + unfetch_descs(vq); >>> vq->last_avail_idx -= n; >> So unfetch_descs() has...

On 2020/6/10 ??7:05, Michael S. Tsirkin wrote: >>> +EXPORT_SYMBOL_GPL(vhost_get_vq_desc); >>> /* Reverse the effect of vhost_get_vq_desc. Useful for error handling. */ >>> void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int n) >>> { >>> + unfetch_descs(vq); >>> vq->last_avail_idx -= n; >> So unfetch_descs() has...