search for: vhost_msg_node

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com Is this patch going anywhere ? The p...

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com Is this patch going anywhere ? The p...

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com > --- > drivers/vhost/vhost.c |...

On Tue, May 29, 2018 at 03:19:08PM -0700, Guenter Roeck wrote: > On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > > so it should be allocated with kzalloc() to ensure all structure padding > > is zeroed. > > > > Signed-off-by: Kevin Easton <kevin at guarana.org> > > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com > > Is...

...Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); if (!node) return NULL; + + /* Make sure all padding within the structure is initialized. */ + memset(&node->msg, 0, sizeof node->msg); node->vq = vq; node-&...

...Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); if (!node) return NULL; + + /* Make sure all padding within the structure is initialized. */ + memset(&node->msg, 0, sizeof node->msg); node->vq = vq; node-&...

...ff-by: Michael S. Tsirkin <mst at redhat.com> > > --- > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > index f0be5f35ab28..9beefa6ed1ce 100644 > > --- a/drivers/vhost/vhost.c > > +++ b/drivers/vhost/vhost.c > > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > > if (!node) > > return NULL; > > + > > + /* Make sure all padding within the structure is initialized. */ > > + memset(&node-&g...

...ff-by: Michael S. Tsirkin <mst at redhat.com> > > --- > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > index f0be5f35ab28..9beefa6ed1ce 100644 > > --- a/drivers/vhost/vhost.c > > +++ b/drivers/vhost/vhost.c > > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > > if (!node) > > return NULL; > > + > > + /* Make sure all padding within the structure is initialized. */ > > + memset(&node-&g...

...umem_interval_tree_remove(node, &umem->umem_tree); - list_del(&node->link); - kvfree(node); - } + list_for_each_entry_safe(node, tmp, &umem->umem_list, link) + vhost_umem_free(umem, node); + kvfree(umem); } +static void vhost_clear_msg(struct vhost_dev *dev) +{ + struct vhost_msg_node *node, *n; + + spin_lock(&dev->iotlb_lock); + + list_for_each_entry_safe(node, n, &dev->read_list, node) { + list_del(&node->node); + kfree(node); + } + + list_for_each_entry_safe(node, n, &dev->pending_list, node) { + list_del(&node->node); + kfree(node); + }...

...g endianness. Defaults to legacy native endianness. - * Set to true when starting a modern virtio device. */ - bool is_le; -#ifdef CONFIG_VHOST_CROSS_ENDIAN_LEGACY - /* Ring endianness requested by userspace for cross-endian support. */ - bool user_be; -#endif - u32 busyloop_timeout; -}; - -struct vhost_msg_node { - struct vhost_msg msg; - struct vhost_virtqueue *vq; - struct list_head node; -}; - -struct vhost_dev { - struct mm_struct *mm; - struct mutex mutex; - struct vhost_virtqueue **vqs; - int nvqs; - struct file *log_file; - struct eventfd_ctx *log_ctx; - struct llist_head work_list; - struct tas...

...g endianness. Defaults to legacy native endianness. - * Set to true when starting a modern virtio device. */ - bool is_le; -#ifdef CONFIG_VHOST_CROSS_ENDIAN_LEGACY - /* Ring endianness requested by userspace for cross-endian support. */ - bool user_be; -#endif - u32 busyloop_timeout; -}; - -struct vhost_msg_node { - struct vhost_msg msg; - struct vhost_virtqueue *vq; - struct list_head node; -}; - -struct vhost_dev { - struct mm_struct *mm; - struct mutex mutex; - struct vhost_virtqueue **vqs; - int nvqs; - struct file *log_file; - struct eventfd_ctx *log_ctx; - struct llist_head work_list; - struct tas...

...s: CVE-2018-1118 > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > --- > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index f0be5f35ab28..9beefa6ed1ce 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > if (!node) > return NULL; > + > + /* Make sure all padding within the structure is initialized. */ > + memset(&node->msg, 0, sizeof node->msg)...

...mst at redhat.com> > > > --- > > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > > index f0be5f35ab28..9beefa6ed1ce 100644 > > > --- a/drivers/vhost/vhost.c > > > +++ b/drivers/vhost/vhost.c > > > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > > > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > > > if (!node) > > > return NULL; > > > + > > > + /* Make sure all padding within the structure is initialized. */ > &...

...etions(-) > >diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c >index a92af08e7864..579ecb4ee4d2 100644 >--- a/drivers/vhost/vhost.c >+++ b/drivers/vhost/vhost.c >@@ -2575,12 +2575,11 @@ EXPORT_SYMBOL_GPL(vhost_disable_notify); > /* Create a new message. */ > struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > { >- struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); >+ /* Make sure all padding within the structure is initialized. */ >+ struct vhost_msg_node *node = kzalloc(sizeof(*node), GFP_KERNEL); > if (!node) > r...

.... > - * Set to true when starting a modern virtio device. */ > - bool is_le; > -#ifdef CONFIG_VHOST_CROSS_ENDIAN_LEGACY > - /* Ring endianness requested by userspace for cross-endian support. */ > - bool user_be; > -#endif > - u32 busyloop_timeout; > -}; > - > -struct vhost_msg_node { > - struct vhost_msg msg; > - struct vhost_virtqueue *vq; > - struct list_head node; > -}; > - > -struct vhost_dev { > - struct mm_struct *mm; > - struct mutex mutex; > - struct vhost_virtqueue **vqs; > - int nvqs; > - struct file *log_file; > - struct event...

...res = 0; + vq->acked_backend_features = 0; vq->log_base = NULL; vq->error_ctx = NULL; vq->kick = NULL; @@ -1027,28 +1028,40 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev, ssize_t vhost_chr_write_iter(struct vhost_dev *dev, struct iov_iter *from) { - struct vhost_msg_node node; - unsigned size = sizeof(struct vhost_msg); - size_t ret; - int err; + struct vhost_iotlb_msg msg; + size_t offset; + int type, ret; - if (iov_iter_count(from) < size) - return 0; - ret = copy_from_iter(&node.msg, size, from); - if (ret != size) + ret = copy_from_iter(&type, siz...

...res = 0; + vq->acked_backend_features = 0; vq->log_base = NULL; vq->error_ctx = NULL; vq->kick = NULL; @@ -1027,28 +1028,40 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev, ssize_t vhost_chr_write_iter(struct vhost_dev *dev, struct iov_iter *from) { - struct vhost_msg_node node; - unsigned size = sizeof(struct vhost_msg); - size_t ret; - int err; + struct vhost_iotlb_msg msg; + size_t offset; + int type, ret; - if (iov_iter_count(from) < size) - return 0; - ret = copy_from_iter(&node.msg, size, from); - if (ret != size) + ret = copy_from_iter(&type, siz...

This patch tries to implement an device IOTLB for vhost. This could be used with for co-operation with userspace IOMMU implementation (qemu) for a secure DMA environment (DMAR) in guest. The idea is simple. When vhost meets an IOTLB miss, it will request the assistance of userspace to do the translation, this is done through: - when there's a IOTLB miss, it will notify userspace through

This patch tries to implement an device IOTLB for vhost. This could be used with for co-operation with userspace IOMMU implementation (qemu) for a secure DMA environment (DMAR) in guest. The idea is simple. When vhost meets an IOTLB miss, it will request the assistance of userspace to do the translation, this is done through: - when there's a IOTLB miss, it will notify userspace through

This patch tries to implement an device IOTLB for vhost. This could be used with for co-operation with userspace IOMMU implementation (qemu) for a secure DMA environment (DMAR) in guest. The idea is simple. When vhost meets an IOTLB miss, it will request the assistance of userspace to do the translation, this is done through: - when there's a IOTLB miss, it will notify userspace through