From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zha Bin, Liu Jiang, Stefan Hajnoczi, Jason Wang, "David S. Miller", Shengjing Zhu
Subject: [PATCH 4.14 34/34] vhost/vsock: fix vhost vsock cid hashing inconsistent
Date: Mon, 18 Mar 2019 10:25:58 +0100
Message-Id: <20190318084149.786582053@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190318084144.657740413@linuxfoundation.org>
References: <20190318084144.657740413@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Zha Bin

commit 7fbe078c37aba3088359c9256c1a1d0c3e39ee81 upstream.

The vsock core only supports 32bit CID, but the Virtio-vsock spec defines CID (dst_cid and src_cid) as u64, and the upper 32 bits are reserved as zero. This inconsistency causes one bug in the vhost vsock driver. The scenario is:

1. A hash table (vhost_vsock_hash) is used to map a CID to a vsock object, and hash_min() is used to compute the hash key. hash_min() is defined as:
   (sizeof(val) <= 4 ? hash_32(val, bits) : hash_long(val, bits)).
   That means the hash algorithm has a dependency on the size of the macro argument 'val'.

2. In function vhost_vsock_set_cid(), a 64bit CID is passed to hash_min() to compute the hash key when inserting a vsock object into the hash table.

3. In function vhost_vsock_get(), a 32bit CID is passed to hash_min() to compute the hash key when looking up a vsock for a CID.

Because of the different size of the CID, hash_min() returns different hash keys, thus fails to look up the vsock object for a CID.

To fix this bug, we keep CID as u64 in the IOCTLs and virtio message headers, but explicitly convert u64 to u32 when dealing with the hash table and vsock core.

Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
Link: https://github.com/stefanha/virtio/blob/vsock/trunk/content.tex
Signed-off-by: Zha Bin
Reviewed-by: Liu Jiang
Reviewed-by: Stefan Hajnoczi
Acked-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Shengjing Zhu
Signed-off-by: Greg Kroah-Hartman

---
 drivers/vhost/vsock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -642,7 +642,7 @@ static int vhost_vsock_set_cid(struct vh hash_del_rcu(&vsock->hash); vsock->guest_cid = guest_cid; - hash_add_rcu(vhost_vsock_hash, &vsock->hash, guest_cid); + hash_add_rcu(vhost_vsock_hash, &vsock->hash, vsock->guest_cid); spin_unlock_bh(&vhost_vsock_lock); return 0;
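Review bot: the `+` line is only correct because hash_min() dispatches on sizeof() and vsock->guest_cid is a u32 while the guest_cid parameter is u64, neither of which is visible in this hunk; a one-line comment at the hash_add_rcu() call, such as "hash the u32 field so the key matches vhost_vsock_get(), which hashes a u32", would stop a later cleanup from "simplifying" it back to guest_cid and silently reintroducing the mismatch. Separately, `vsock->guest_cid = guest_cid;` truncates without complaint and the hunk shows no check that the reserved upper 32 bits are zero, so unless something earlier in vhost_vsock_set_cid() rejects such values, a CID with reserved bits set would be registered under its low 32 bits; a range check (or at least a note on why it is unnecessary) belongs with this change.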
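A user-space model of the hash_min() size dependence the commit message describes, added here as an example and not code from the patch or the kernel. The two golden-ratio constants and hash_32()/hash_64() are transcribed from include/linux/hash.h (the BITS_PER_LONG == 64 path, where hash_long() is hash_64(), is assumed), the 8-bit table width is assumed to match vhost_vsock_hash, and CID 0x12345678 is a constructed sample value.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants and hash_32()/hash_64() transcribed from include/linux/hash.h;
 * hash_long() == hash_64() assumes BITS_PER_LONG == 64. */
#define GOLDEN_RATIO_32 0x61C88647u
#define GOLDEN_RATIO_64 0x61C8864680B583EBull
#define VHOST_VSOCK_HASH_BITS 8 /* assumed width of vhost_vsock_hash */

static inline uint32_t hash_32(uint32_t val, unsigned int bits) { return (val * GOLDEN_RATIO_32) >> (32 - bits); }
static inline uint32_t hash_64(uint64_t val, unsigned int bits) { return (uint32_t)((val * GOLDEN_RATIO_64) >> (64 - bits)); }

/* Same shape as the kernel macro: the hash function is chosen by the
 * compile-time size of the argument, so a u64 and a u32 holding the same
 * CID can land in different buckets. */
#define hash_min(val, bits) \
	(sizeof(val) <= 4 ? hash_32((uint32_t)(val), (bits)) : hash_64((val), (bits)))

struct model_vsock { uint32_t guest_cid; }; /* vsock core keeps CIDs as u32 */

/* Old vhost_vsock_set_cid(): hashed the u64 ioctl argument directly. */
uint32_t key_set_cid_before(uint64_t guest_cid)
{
	return hash_min(guest_cid, VHOST_VSOCK_HASH_BITS);
}
/* Fixed vhost_vsock_set_cid(): the u64 is stored in the u32 field (silently
 * truncated if the reserved upper bits were set) and that field is hashed. */
uint32_t key_set_cid_after(uint64_t guest_cid)
{
	struct model_vsock vsock = { .guest_cid = (uint32_t)guest_cid };
	return hash_min(vsock.guest_cid, VHOST_VSOCK_HASH_BITS);
}
/* vhost_vsock_get(): always looks up with a u32 CID. */
uint32_t key_get(uint32_t guest_cid)
{
	return hash_min(guest_cid, VHOST_VSOCK_HASH_BITS);
}

int main(void)
{
	uint64_t cids[] = { 3, 0x12345678 }; /* constructed sample CIDs */
	for (int i = 0; i < 2; i++) /* CID 3 matches by luck; 0x12345678 does not */
		printf("cid %#llx: insert(before)=%u insert(after)=%u lookup=%u\n",
		       (unsigned long long)cids[i], key_set_cid_before(cids[i]),
		       key_set_cid_after(cids[i]), key_get((uint32_t)cids[i]));
	return 0;
}
```

Because only the top 8 bits of the two products are compared, some CIDs (such as 3) hash to the same bucket either way, which is why the lookup failure was intermittent rather than total.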