user/sven/linux.git/drivers/vhost, branch v5.4.3

vringh: fix copy direction of vringh_iov_push_kern()

2019-10-28T08:25:04Z

We want to copy from iov to buf, so the direction was wrong. Note: no real user for the helper, but it will be used by future features. Signed-off-by: Jason Wang Signed-off-by: Michael S. Tsirkin

vhost/test: stop device before reset

2019-10-13T13:38:27Z

When device stop was moved out of reset, test device wasn't updated to stop before reset, this resulted in a use after free. Fix by invoking stop appropriately. Fixes: b211616d7125 ("vhost: move -net specific code out") Signed-off-by: Michael S. Tsirkin

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2019-09-15T12:17:27Z

Minor overlapping changes in the btusb and ixgbe drivers. Signed-off-by: David S. Miller

Revert "vhost: block speculation of translated descriptors"

2019-09-14T19:21:51Z

This reverts commit a89db445fbd7f1f8457b03759aa7343fa530ef6b. I was hasty to include this patch, and it breaks the build on 32 bit. Defence in depth is good but let's do it properly. Cc: stable@vger.kernel.org Signed-off-by: Michael S. Tsirkin

vhost: make sure log_num < in_num

2019-09-11T19:15:26Z

The code assumes log_num < in_num everywhere, and that is true as long as in_num is incremented by descriptor iov count, and log_num by 1. However this breaks if there's a zero sized descriptor. As a result, if a malicious guest creates a vring desc with desc.len = 0, it may cause the host kernel to crash by overflowing the log array. This bug can be triggered during the VM migration. There's no need to log when desc.len = 0, so just don't increment log_num in this case. Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server") Cc: stable@vger.kernel.org Reviewed-by: Lidong Chen Signed-off-by: ruippan Signed-off-by: yongduan Acked-by: Michael S. Tsirkin Reviewed-by: Tyler Hicks Signed-off-by: Michael S. Tsirkin

vhost: block speculation of translated descriptors

2019-09-11T19:15:07Z

iovec addresses coming from vhost are assumed to be pre-validated, but in fact can be speculated to a value out of range. Userspace address are later validated with array_index_nospec so we can be sure kernel info does not leak through these addresses, but vhost must also not leak userspace info outside the allowed memory table to guests. Following the defence in depth principle, make sure the address is not validated out of node range. Signed-off-by: Michael S. Tsirkin Cc: stable@vger.kernel.org Acked-by: Jason Wang Tested-by: Jason Wang

Revert "vhost: access vq metadata through kernel virtual address"

2019-09-04T11:39:48Z

This reverts commit 7f466032dc ("vhost: access vq metadata through kernel virtual address"). The commit caused a bunch of issues, and while commit 73f628ec9e ("vhost: disable metadata prefetch optimization") disabled the optimization it's not nice to keep lots of dead code around. Signed-off-by: Michael S. Tsirkin

vhost: Remove unnecessary variable

2019-09-04T10:21:17Z

It is unnecessary to use ret variable to return the error code, just return the error code directly. Signed-off-by: Yunsheng Lin Signed-off-by: Michael S. Tsirkin

vhost/test: fix build for vhost test

2019-09-04T10:21:17Z

Since vhost_exceeds_weight() was introduced, callers need to specify the packet weight and byte weight in vhost_dev_init(). Note that, the packet weight isn't counted in this patch to keep the original behavior unchanged. Fixes: e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()") Cc: stable@vger.kernel.org Signed-off-by: Tiwei Bie Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang

vhost/test: fix build for vhost test

2019-09-04T10:21:17Z

Since below commit, callers need to specify the iov_limit in vhost_dev_init() explicitly. Fixes: b46a0bf78ad7 ("vhost: fix OOB in get_rx_bufs()") Cc: stable@vger.kernel.org Signed-off-by: Tiwei Bie Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang