scripts-decode_stacktrace-match-basepath-using-shell.patch
clk-s2mps11-add-used-attribute-to-s2mps11_dt_match.patch
kernel-module-fix-mem-leak-in-module_add_modinfo_att.patch
-vhost-block-speculation-of-translated-descriptors.patch
vhost-make-sure-log_num-in_num.patch
+++ /dev/null
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin <mst@redhat.com>
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang <jasowang@redhat.com>
-Tested-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1954,8 +1954,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
-@@ -2068,7 +2068,7 @@ static int get_indirect(struct vhost_vir
+@@ -2066,7 +2066,7 @@ static int get_indirect(struct vhost_vir
/* If this is an input descriptor, increment that count. */
if (access == VHOST_ACCESS_WO) {
*in_num += ret;
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
++*log_num;
-@@ -2211,7 +2211,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2209,7 +2209,7 @@ int vhost_get_vq_desc(struct vhost_virtq
/* If this is an input descriptor,
* increment that count. */
*in_num += ret;
pci-reset-both-nvidia-gpu-and-hda-in-thinkpad-p50-wo.patch
powerpc-tm-remove-msr_tm_active.patch
powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly.patch
-vhost-block-speculation-of-translated-descriptors.patch
vhost-make-sure-log_num-in_num.patch
+++ /dev/null
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin <mst@redhat.com>
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang <jasowang@redhat.com>
-Tested-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1966,8 +1966,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
-@@ -2075,7 +2075,7 @@ static int get_indirect(struct vhost_vir
+@@ -2073,7 +2073,7 @@ static int get_indirect(struct vhost_vir
/* If this is an input descriptor, increment that count. */
if (access == VHOST_ACCESS_WO) {
*in_num += ret;
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
++*log_num;
-@@ -2218,7 +2218,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2216,7 +2216,7 @@ int vhost_get_vq_desc(struct vhost_virtq
/* If this is an input descriptor,
* increment that count. */
*in_num += ret;
batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
scripts-decode_stacktrace-match-basepath-using-shell.patch
clk-s2mps11-add-used-attribute-to-s2mps11_dt_match.patch
-vhost-block-speculation-of-translated-descriptors.patch
vhost-make-sure-log_num-in_num.patch
+++ /dev/null
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin <mst@redhat.com>
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang <jasowang@redhat.com>
-Tested-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1874,8 +1874,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
-@@ -1989,7 +1989,7 @@ static int get_indirect(struct vhost_vir
+@@ -1987,7 +1987,7 @@ static int get_indirect(struct vhost_vir
/* If this is an input descriptor, increment that count. */
if (access == VHOST_ACCESS_WO) {
*in_num += ret;
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
++*log_num;
-@@ -2125,7 +2125,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2123,7 +2123,7 @@ int vhost_get_vq_desc(struct vhost_virtq
/* If this is an input descriptor,
* increment that count. */
*in_num += ret;
drm-i915-add-whitelist-workarounds-for-icl.patch
drm-i915-icl-whitelist-ps_-depth-invocation-_count.patch
btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch
-vhost-block-speculation-of-translated-descriptors.patch
vhost-make-sure-log_num-in_num.patch
+++ /dev/null
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin <mst@redhat.com>
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang <jasowang@redhat.com>
-Tested-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1965,8 +1965,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
-@@ -2074,7 +2074,7 @@ static int get_indirect(struct vhost_vir
+@@ -2072,7 +2072,7 @@ static int get_indirect(struct vhost_vir
/* If this is an input descriptor, increment that count. */
if (access == VHOST_ACCESS_WO) {
*in_num += ret;
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
++*log_num;
-@@ -2217,7 +2217,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2215,7 +2215,7 @@ int vhost_get_vq_desc(struct vhost_virtq
/* If this is an input descriptor,
* increment that count. */
*in_num += ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
