Linux v5.2-rc3-24-g788a024921c4

2019-06-04 11:15:33 -05:00 · 2019-06-04 11:15:33 -05:00 · df15d2b71a
commit df15d2b71a
parent 76165d2da8
4 changed files with 8 additions and 206 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-f2c7c76c5d0a443053e94adb9f0918fa2fb85c3a
+788a024921c48985939f8241c1ff862a7374d8f9
--- a/kernel.spec
+++ b/kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 3
 # The git snapshot level
-%define gitrev 0
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 5.%{upstream_sublevel}.0
 %endif
@ -122,7 +122,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 #  and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0

 # Kernel headers are being split out into a separate package
 %if 0%{?fedora}
@ -572,9 +572,6 @@ Patch507: 0001-Drop-that-for-now.patch
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
 Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch

-# CVE-2019-3900 rhbz 1698757 1702940
-Patch524: net-vhost_net-fix-possible-infinite-loop.patch
-
 # build fix
 Patch527: v2-powerpc-mm-mark-more-tlb-functions-as-__always_inline.patch

@ -1818,6 +1815,10 @@ fi
 #
 #
 %changelog
+* Tue Jun 04 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.0-0.rc3.git1.1
+- Linux v5.2-rc3-24-g788a024921c4
+- Reenable debugging options.
+
 * Mon Jun 03 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.0-0.rc3.git0.1
 - Linux v5.2-rc3

--- a/net-vhost_net-fix-possible-infinite-loop.patch
+++ b/net-vhost_net-fix-possible-infinite-loop.patch
@ -1,200 +0,0 @@
-From patchwork Thu Apr 25 07:33:19 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Jason Wang <jasowang@redhat.com>
-X-Patchwork-Id: 10916185
-Return-Path: <kvm-owner@kernel.org>
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4F501575
-	for <patchwork-kvm@patchwork.kernel.org>;
- Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D276828BD7
-	for <patchwork-kvm@patchwork.kernel.org>;
- Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
-	id C64AC28BE1; Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
-	pdx-wl-mail.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
-	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 590B228BD7
-	for <patchwork-kvm@patchwork.kernel.org>;
- Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1726957AbfDYHd1 (ORCPT
-        <rfc822;patchwork-kvm@patchwork.kernel.org>);
-        Thu, 25 Apr 2019 03:33:27 -0400
-Received: from mx1.redhat.com ([209.132.183.28]:60130 "EHLO mx1.redhat.com"
-        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-        id S1726317AbfDYHd1 (ORCPT <rfc822;kvm@vger.kernel.org>);
-        Thu, 25 Apr 2019 03:33:27 -0400
-Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
- [10.5.11.22])
-        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
-        (No client certificate requested)
-        by mx1.redhat.com (Postfix) with ESMTPS id C2BCE3002619;
-        Thu, 25 Apr 2019 07:33:26 +0000 (UTC)
-Received: from hp-dl380pg8-02.lab.eng.pek2.redhat.com
- (hp-dl380pg8-02.lab.eng.pek2.redhat.com [10.73.8.12])
-        by smtp.corp.redhat.com (Postfix) with ESMTP id 5DA021001DDB;
-        Thu, 25 Apr 2019 07:33:21 +0000 (UTC)
-From: Jason Wang <jasowang@redhat.com>
-To: mst@redhat.com, jasowang@redhat.com, kvm@vger.kernel.org,
-        virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
-        linux-kernel@vger.kernel.org
-Cc: ppandit@redhat.com
-Subject: [PATCH net] vhost_net: fix possible infinite loop
-Date: Thu, 25 Apr 2019 03:33:19 -0400
-Message-Id: <1556177599-56248-1-git-send-email-jasowang@redhat.com>
-X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
-X-Greylist: Sender IP whitelisted,
- not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]);
- Thu, 25 Apr 2019 07:33:26 +0000 (UTC)
-Sender: kvm-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <kvm.vger.kernel.org>
-X-Mailing-List: kvm@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-When the rx buffer is too small for a packet, we will discard the vq
-descriptor and retry it for the next packet:
-
-while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
-					      &busyloop_intr))) {
-...
-	/* On overrun, truncate and discard */
-	if (unlikely(headcount > UIO_MAXIOV)) {
-		iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
-		err = sock->ops->recvmsg(sock, &msg,
-					 1, MSG_DONTWAIT | MSG_TRUNC);
-		pr_debug("Discarded rx packet: len %zd\n", sock_len);
-		continue;
-	}
-...
-}
-
-This makes it possible to trigger a infinite while..continue loop
-through the co-opreation of two VMs like:
-
-1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the
-   vhost process as much as possible e.g using indirect descriptors or
-   other.
-2) Malicious VM2 generate packets to VM1 as fast as possible
-
-Fixing this by checking against weight at the end of RX and TX
-loop. This also eliminate other similar cases when:
-
- userspace is consuming the packets in the meanwhile
- theoretical TOCTOU attack if guest moving avail index back and forth
-  to hit the continue after vhost find guest just add new buffers
-
-This addresses CVE-2019-3900.
-
-Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
-Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
-Signed-off-by: Jason Wang <jasowang@redhat.com>
---
- drivers/vhost/net.c | 41 +++++++++++++++++++++--------------------
- 1 file changed, 21 insertions(+), 20 deletions(-)
-
-diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
-index df51a35..fb46e6b 100644
--- a/drivers/vhost/net.c
-+++ b/drivers/vhost/net.c
-@@ -778,8 +778,9 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
- 	int err;
- 	int sent_pkts = 0;
- 	bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);
-+	bool next_round = false;
- 
-	for (;;) {
-+	do {
- 		bool busyloop_intr = false;
- 
- 		if (nvq->done_idx == VHOST_NET_BATCH)
-@@ -845,11 +846,10 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
- 		vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head);
- 		vq->heads[nvq->done_idx].len = 0;
- 		++nvq->done_idx;
-		if (vhost_exceeds_weight(++sent_pkts, total_len)) {
-			vhost_poll_queue(&vq->poll);
-			break;
-		}
-	}
-+	} while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len)));
-+
-+	if (next_round)
-+		vhost_poll_queue(&vq->poll);
- 
- 	vhost_tx_batch(net, nvq, sock, &msg);
- }
-@@ -873,8 +873,9 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
- 	struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
- 	bool zcopy_used;
- 	int sent_pkts = 0;
-+	bool next_round = false;
- 
-	for (;;) {
-+	do {
- 		bool busyloop_intr;
- 
- 		/* Release DMAs done buffers first */
-@@ -951,11 +952,10 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
- 		else
- 			vhost_zerocopy_signal_used(net, vq);
- 		vhost_net_tx_packet(net);
-		if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) {
-			vhost_poll_queue(&vq->poll);
-			break;
-		}
-	}
-+	} while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len)));
-+
-+	if (next_round)
-+		vhost_poll_queue(&vq->poll);
- }
- 
- /* Expects to be always run from workqueue - which acts as
-@@ -1134,6 +1134,7 @@ static void handle_rx(struct vhost_net *net)
- 	struct iov_iter fixup;
- 	__virtio16 num_buffers;
- 	int recv_pkts = 0;
-+	bool next_round = false;
- 
- 	mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
- 	sock = vq->private_data;
-@@ -1153,8 +1154,11 @@ static void handle_rx(struct vhost_net *net)
- 		vq->log : NULL;
- 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
- 
-	while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
-						      &busyloop_intr))) {
-+	do {
-+		sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
-+						      &busyloop_intr);
-+		if (!sock_len)
-+			break;
- 		sock_len += sock_hlen;
- 		vhost_len = sock_len + vhost_hlen;
- 		headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
-@@ -1239,12 +1243,9 @@ static void handle_rx(struct vhost_net *net)
- 			vhost_log_write(vq, vq_log, log, vhost_len,
- 					vq->iov, in);
- 		total_len += vhost_len;
-		if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) {
-			vhost_poll_queue(&vq->poll);
-			goto out;
-		}
-	}
-	if (unlikely(busyloop_intr))
-+	} while (!(next_round = vhost_exceeds_weight(++recv_pkts, total_len)));
-+
-+	if (unlikely(busyloop_intr || next_round))
- 		vhost_poll_queue(&vq->poll);
- 	else
- 		vhost_net_enable_vq(net, vq);
--- a/1
+++ b/1
@ -1,2 +1,3 @@
 SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
 SHA512 (patch-5.2-rc3.xz) = 0d412178769defc6f4da5bba057a0e4f1330b2d87fd08b8554598d8cd802c1edbc68d58acf5af1c2d4777609feb25aee1963d7154572ec4b2a30ca36b9d07adc
+SHA512 (patch-5.2-rc3-git1.xz) = ebedd563211cc20d7afe3919123580f92af21abaa1c49b5f8c96154bb68ebbec115b107977b7d613e4fb2db04c33b2be029e55730ce81e7dfe4a6707037d720d