From patchwork Thu Aug 8 04:45:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tyler Hicks X-Patchwork-Id: 1143817 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 463wm3755gz9s7T; Thu, 8 Aug 2019 14:45:23 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1hvaIi-0008Pv-NC; Thu, 08 Aug 2019 04:45:20 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1hvaIh-0008Pk-Jt for kernel-team@lists.ubuntu.com; Thu, 08 Aug 2019 04:45:19 +0000 Received: from 2.general.tyhicks.us.vpn ([10.172.64.53] helo=sec.ubuntu-ci) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1hvaIg-0004ab-VS; Thu, 08 Aug 2019 04:45:19 +0000 From: Tyler Hicks To: kernel-team@lists.ubuntu.com Subject: [PATCH 0/9][SRU][X] CVE-2019-3900: vhost DoS Date: Thu, 8 Aug 2019 04:45:03 +0000 Message-Id: <1565239512-11188-1-git-send-email-tyhicks@canonical.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3900.html An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. Fairly involved backports. Build logs are clean. I tested with netperf's TCP_RR, TCP_SENDFILE, TCP_STREAM, UDP_RR, and UDP_STREAM tests. The tests were initiated from both the host and the guest to ensure that the vhost-net connection was stable and that performance was similar before and after the patches were applied. Tyler Jason Wang (6): vhost: introduce vhost_vq_avail_empty() vhost_net: tx batching vhost_net: introduce vhost_exceeds_weight() vhost: introduce vhost_exceeds_weight() vhost_net: fix possible infinite loop vhost: scsi: add weight support Paolo Abeni (1): vhost_net: use packet weight for rx handler, too Willem de Bruijn (1): vhost_net: do not stall on zerocopy depletion haibinzhang(张海斌) (1): vhost-net: set packet weight of tx polling to 2 * vq size drivers/vhost/net.c | 60 ++++++++++++++++++++++++++++++++------------------- drivers/vhost/scsi.c | 14 ++++++++---- drivers/vhost/vhost.c | 34 ++++++++++++++++++++++++++++- drivers/vhost/vhost.h | 7 +++++- 4 files changed, 87 insertions(+), 28 deletions(-) Acked-by: Connor Kuehl Acked-by: Stefan Bader