virtio: last minute bugfixes

A couple of security things. And an error handling bugfix that is never encountered by most people, but that also makes it kind of safe to push at the last minute, and it helps push the fix to stable a bit sooner. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> -----BEGIN PGP SIGNATURE----- iQEcBAABAgAGBQJdeUfXAAoJECgfDbjSjVRpfFoH/2B58dJasWK9CiHlu1Pm9sGZ 44JOA3M9uqNCev0sXEYXB/ldRW0BK8BgOKv1UJ6Za2bvO0mEz6Go8jr8EUId5kaO YSwSscn7Fp1XJgRzJunhJNo/t70zptsDHpeVU68ObP4ubQgSQWLlVMvA9EQOz8M+ Fq1FCmnLdPpu/8u2dN4bstt5uaUQSCOLOB9Sq0U8qNRuuVnNgwLtDqCw8chZRrfn Wl1XGzDp22wtf/Beey8YFB+IGP2BnPNbxNeuPI33SkLM6ZVjR6511lpihfZyN2AF Fb+yajOfLGnAftff5Lpn0dXxOOfwe+D20ymKa1rGCf6iVI5ZnZYZavrYmVy7X9k= =P20D -----END PGP SIGNATURE----- Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "Last minute bugfixes. A couple of security things. And an error handling bugfix that is never encountered by most people, but that also makes it kind of safe to push at the last minute, and it helps push the fix to stable a bit sooner" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vhost: make sure log_num < in_num vhost: block speculation of translated descriptors virtio_ring: fix unmap of indirect descriptors
2019-09-12 11:07:31 +01:00 · 2019-09-12 11:07:31 +01:00 · ad32b4800c
parent 6dcf6a4eb9 060423bfde
commit ad32b4800c
2 changed files with 12 additions and 6 deletions
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
 		_iov = iov + ret;
 		size = node->size - addr + node->start;
 		_iov->iov_len = min((u64)len - s, size);
-		_iov->iov_base = (void __user *)(unsigned long)
-			(node->userspace_addr + addr - node->start);
+		_iov->iov_base = (void __user *)
+			((unsigned long)node->userspace_addr +
+			 array_index_nospec((unsigned long)(addr - node->start),
+					    node->size));
 		s += size;
 		addr += size;
 		++ret;
@ -2178,7 +2180,7 @@ static int get_indirect(struct vhost_virtqueue *vq,
 		/* If this is an input descriptor, increment that count. */
 		if (access == VHOST_ACCESS_WO) {
 			*in_num += ret;
-			if (unlikely(log)) {
+			if (unlikely(log && ret)) {
 				log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 				log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 				++*log_num;
@ -2319,7 +2321,7 @@ int vhost_get_vq_desc(struct vhost_virtqueue *vq,
 			/* If this is an input descriptor,
 			 * increment that count. */
 			*in_num += ret;
-			if (unlikely(log)) {
+			if (unlikely(log && ret)) {
 				log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 				log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 				++*log_num;
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@ -566,13 +566,17 @@ static inline int virtqueue_add_split(struct virtqueue *_vq,

 unmap_release:
 	err_idx = i;
-	i = head;
+
+	if (indirect)
+		i = 0;
+	else
+		i = head;

 	for (n = 0; n < total_sg; n++) {
 		if (i == err_idx)
 			break;
 		vring_unmap_one_split(vq, &desc[i]);
-		i = virtio16_to_cpu(_vq->vdev, vq->split.vring.desc[i].next);
+		i = virtio16_to_cpu(_vq->vdev, desc[i].next);
 	}

 	if (indirect)