tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost

Pull virtio fixes from Michael Tsirkin:
"Last minute bugfixes.

A couple of security things.

And an error handling bugfix that is never encountered by most people,
but that also makes it kind of safe to push at the last minute, and it
helps push the fix to stable a bit sooner"

* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
vhost: make sure log_num < in_num
vhost: block speculation of translated descriptors
virtio_ring: fix unmap of indirect descriptors

Linus Torvalds ad32b480 6dcf6a4e

+12 -6
+6 -4
drivers/vhost/vhost.c
··· 2071 2071 _iov = iov + ret; 2072 2072 size = node->size - addr + node->start; 2073 2073 _iov->iov_len = min((u64)len - s, size); 2074 - _iov->iov_base = (void __user *)(unsigned long) 2075 - (node->userspace_addr + addr - node->start); 2074 + _iov->iov_base = (void __user *) 2075 + ((unsigned long)node->userspace_addr + 2076 + array_index_nospec((unsigned long)(addr - node->start), 2077 + node->size)); 2076 2078 s += size; 2077 2079 addr += size; 2078 2080 ++ret; ··· 2180 2178 /* If this is an input descriptor, increment that count. */ 2181 2179 if (access == VHOST_ACCESS_WO) { 2182 2180 *in_num += ret; 2183 - if (unlikely(log)) { 2181 + if (unlikely(log && ret)) { 2184 2182 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr); 2185 2183 log[*log_num].len = vhost32_to_cpu(vq, desc.len); 2186 2184 ++*log_num; ··· 2321 2319 /* If this is an input descriptor, 2322 2320 * increment that count. */ 2323 2321 *in_num += ret; 2324 - if (unlikely(log)) { 2322 + if (unlikely(log && ret)) { 2325 2323 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr); 2326 2324 log[*log_num].len = vhost32_to_cpu(vq, desc.len); 2327 2325 ++*log_num;
+6 -2
drivers/virtio/virtio_ring.c
··· 566 566 567 567 unmap_release: 568 568 err_idx = i; 569 - i = head; 569 + 570 + if (indirect) 571 + i = 0; 572 + else 573 + i = head; 570 574 571 575 for (n = 0; n < total_sg; n++) { 572 576 if (i == err_idx) 573 577 break; 574 578 vring_unmap_one_split(vq, &desc[i]); 575 - i = virtio16_to_cpu(_vq->vdev, vq->split.vring.desc[i].next); 579 + i = virtio16_to_cpu(_vq->vdev, desc[i].next); 576 580 } 577 581 578 582 if (indirect)