Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.2.78 2014-04-30T15:23:17Z 2014-04-30T15:23:17Z Michael S. Tsirkin mst@redhat.com 2014-03-27T10:53:37Z urn:sha1:4334fca3512d179726666ad18459965916a1f189 [ Upstream commit a39ee449f96a2cd44ce056d8a0a112211a9b1a1f ] vhost fails to validate negative error code from vhost_get_vq_desc causing a crash: we are using -EFAULT which is 0xfffffff2 as vector size, which exceeds the allocated size. The code in question was introduced in commit 8dd014adfea6f173c1ef6378f7e5e7924866c923 vhost-net: mergeable buffers support CVE-2014-0055 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2014-04-30T15:23:17Z Michael S. Tsirkin mst@redhat.com 2014-03-27T10:00:26Z urn:sha1:cb505037a28ad1d8c378b40366e17fbbc44d10e6 [ Upstream commit d8316f3991d207fe32881a9ac20241be8fa2bad0 ] When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success. This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it. Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated. Fix this up by detecting this overrun and doing packet drop immediately. CVE-2014-0077 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2013-03-27T02:41:02Z Michael S. Tsirkin mst@redhat.com 2013-03-17T02:46:09Z urn:sha1:984cbc9c6686f399cb4ec5bd8fae5ff8ec2fa9a8 commit 46aa92d1ba162b4b3d6b7102440e459d4e4ee255 upstream. ubuf info allocator uses guest controlled head as an index, so a malicious guest could put the same head entry in the ring twice, and we will get two callbacks on the same value. To fix use upend_idx which is guaranteed to be unique. Reported-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2012-10-30T23:27:00Z Michael S. Tsirkin mst@redhat.com 2012-10-24T18:37:51Z urn:sha1:e18dbfae927d33d746f6bf8b14f2d030c12b3ba7 commit 910a578f7e9400a78a3b13aba0b4d2df16a2cb05 upstream. We copy head count to a 16 bit field, this works by chance on LE but on BE guest gets 0. Fix it up. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Alexander Graf <agraf@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2011-07-21T07:48:27Z Shirley Ma mashirle@us.ibm.com 2011-07-20T17:23:12Z urn:sha1:9e380825ab3f5176f65306c4ac119fd23634ce03 The meth for calculating the # of outstanding buffers gives incorrect results when vq->upend_idx wraps around zero. Fix that. Signed-off-by: Shirley Ma <xma@us.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> 2011-07-21T07:23:31Z Michael S. Tsirkin mst@redhat.com 2011-07-20T10:41:31Z urn:sha1:c047e5f3170c2595e66ed67f87cec01afd717212 On backend change, we flushed out outstanding skbs but forgot to update the used ring, so that done entries were left in the ubuf_info ring. As a result we lose heads or complete incorrect ones, crashing the guest or leaking memory. Fix by updating the used ring. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> 2011-07-19T10:28:34Z Jason Wang jasowang@redhat.com 2011-06-21T10:04:27Z urn:sha1:f59281dafb832b161133743fcf3dc29051e6fdb8 Move the used ring initialization after backend was set. This makes it possible to disable the backend and tweak the used ring, then restart. This will also make it possible to log the used ring write correctly. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> 2011-07-18T17:42:32Z Michael S. Tsirkin mst@redhat.com 2011-07-18T03:48:46Z urn:sha1:bab632d69ee48a106e779b60cc01adfe80a72807 >From: Shirley Ma <mashirle@us.ibm.com> This adds experimental zero copy support in vhost-net, disabled by default. To enable, set experimental_zcopytx module option to 1. This patch maintains the outstanding userspace buffers in the sequence it is delivered to vhost. The outstanding userspace buffers will be marked as done once the lower device buffers DMA has finished. This is monitored through last reference of kfree_skb callback. Two buffer indices are used for this purpose. The vhost-net device passes the userspace buffers info to lower device skb through message control. DMA done status check and guest notification are handled by handle_tx: in the worst case is all buffers in the vq are in pending/done status, so we need to notify guest to release DMA done buffers first before we get any new buffers from the vq. One known problem is that if the guest stops submitting buffers, buffers might never get used until some further action, e.g. device reset. This does not seem to affect linux guests. Signed-off-by: Shirley <xma@us.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-05-30T01:44:15Z Michael S. Tsirkin mst@redhat.com 2011-05-19T23:10:54Z urn:sha1:8ea8cf89e19aeb596b818ee5f2bec8a8b0586b60 Support the new event index feature. When acked, utilize it to reduce the # of interrupts sent to the guest. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2011-03-13T21:08:19Z Michael S. Tsirkin mst@redhat.com 2011-03-13T21:00:52Z urn:sha1:de4d768a428d9de943dd6dc82bcd61742955cb6e Use of skb_queue_empty(&sock->sk->sk_receive_queue) without taking the sk_receive_queue.lock is unsafe or useless. Take it out. Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>