From dfa9b240003cb9158449b5ba0c0ee89bfcb41c9e Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 13 Dec 2018 09:30:49 +0100
Subject: [PATCH] Update to 4.19.9

Drop vhost-vsock-fix-use-after-free-in-network-stack-call.patch

Cleanup debian/changelog file
---
 debian/changelog                              |   6 +-
 ...use-after-free-in-network-stack-call.patch | 193 ------------------
 debian/patches/series                         |   1 -
 3 files changed, 4 insertions(+), 196 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/vhost-vsock-fix-use-after-free-in-network-stack-call.patch

diff --git a/debian/changelog b/debian/changelog
index 144408797..889a9d6f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.19.8-1) UNRELEASED; urgency=medium
+linux (4.19.9-1) UNRELEASED; urgency=medium
 
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.6
@@ -16,6 +16,9 @@ linux (4.19.8-1) UNRELEASED; urgency=medium
     - userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not
       set (CVE-2018-18397)
     - blk-mq: punt failed direct issue to dispatch list
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.9
+    - vhost/vsock: fix use-after-free in network stack callers
+      (CVE-2018-14625)
 
   [ Marcin Juszkiewicz ]
   * [arm64] Enable ACPI IMPI
@@ -50,7 +53,6 @@ linux (4.19.8-1) UNRELEASED; urgency=medium
 
   [ Salvatore Bonaccorso ]
   * Set ABI to 1
-  * vhost/vsock: fix use-after-free in network stack callers (CVE-2018-14625)
 
   [ Nicolas Schier ]
   * ovl: permit overlayfs mounts in user namespaces (Closes: #913880)
diff --git a/debian/patches/bugfix/all/vhost-vsock-fix-use-after-free-in-network-stack-call.patch b/debian/patches/bugfix/all/vhost-vsock-fix-use-after-free-in-network-stack-call.patch
deleted file mode 100644
index 00c2fa96f..000000000
--- a/debian/patches/bugfix/all/vhost-vsock-fix-use-after-free-in-network-stack-call.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Mon, 5 Nov 2018 10:35:47 +0000
-Subject: vhost/vsock: fix use-after-free in network stack callers
-Origin: https://git.kernel.org/linus/834e772c8db0c6a275d75315d90aba4ebbb1e249
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14625
-
-If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
-a struct vhost_vsock use-after-free is possible.  This occurs because
-.release() does not wait for other CPUs to stop using struct
-vhost_vsock.
-
-Switch to an RCU-enabled hashtable (indexed by guest CID) so that
-.release() can wait for other CPUs by calling synchronize_rcu().  This
-also eliminates vhost_vsock_lock acquisition in the data path so it
-could have a positive effect on performance.
-
-This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
-
-Cc: stable@vger.kernel.org
-Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
-Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
-Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
----
- drivers/vhost/vsock.c | 57 +++++++++++++++++++++++++------------------
- 1 file changed, 33 insertions(+), 24 deletions(-)
-
-diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
-index 731e2ea2aeca..98ed5be132c6 100644
---- a/drivers/vhost/vsock.c
-+++ b/drivers/vhost/vsock.c
-@@ -15,6 +15,7 @@
- #include <net/sock.h>
- #include <linux/virtio_vsock.h>
- #include <linux/vhost.h>
-+#include <linux/hashtable.h>
- 
- #include <net/af_vsock.h>
- #include "vhost.h"
-@@ -27,14 +28,14 @@ enum {
- 
- /* Used to track all the vhost_vsock instances on the system. */
- static DEFINE_SPINLOCK(vhost_vsock_lock);
--static LIST_HEAD(vhost_vsock_list);
-+static DEFINE_READ_MOSTLY_HASHTABLE(vhost_vsock_hash, 8);
- 
- struct vhost_vsock {
- 	struct vhost_dev dev;
- 	struct vhost_virtqueue vqs[2];
- 
--	/* Link to global vhost_vsock_list, protected by vhost_vsock_lock */
--	struct list_head list;
-+	/* Link to global vhost_vsock_hash, writes use vhost_vsock_lock */
-+	struct hlist_node hash;
- 
- 	struct vhost_work send_pkt_work;
- 	spinlock_t send_pkt_list_lock;
-@@ -50,11 +51,14 @@ static u32 vhost_transport_get_local_cid(void)
- 	return VHOST_VSOCK_DEFAULT_HOST_CID;
- }
- 
--static struct vhost_vsock *__vhost_vsock_get(u32 guest_cid)
-+/* Callers that dereference the return value must hold vhost_vsock_lock or the
-+ * RCU read lock.
-+ */
-+static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
- {
- 	struct vhost_vsock *vsock;
- 
--	list_for_each_entry(vsock, &vhost_vsock_list, list) {
-+	hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
- 		u32 other_cid = vsock->guest_cid;
- 
- 		/* Skip instances that have no CID yet */
-@@ -69,17 +73,6 @@ static struct vhost_vsock *__vhost_vsock_get(u32 guest_cid)
- 	return NULL;
- }
- 
--static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
--{
--	struct vhost_vsock *vsock;
--
--	spin_lock_bh(&vhost_vsock_lock);
--	vsock = __vhost_vsock_get(guest_cid);
--	spin_unlock_bh(&vhost_vsock_lock);
--
--	return vsock;
--}
--
- static void
- vhost_transport_do_send_pkt(struct vhost_vsock *vsock,
- 			    struct vhost_virtqueue *vq)
-@@ -210,9 +203,12 @@ vhost_transport_send_pkt(struct virtio_vsock_pkt *pkt)
- 	struct vhost_vsock *vsock;
- 	int len = pkt->len;
- 
-+	rcu_read_lock();
-+
- 	/* Find the vhost_vsock according to guest context id  */
- 	vsock = vhost_vsock_get(le64_to_cpu(pkt->hdr.dst_cid));
- 	if (!vsock) {
-+		rcu_read_unlock();
- 		virtio_transport_free_pkt(pkt);
- 		return -ENODEV;
- 	}
-@@ -225,6 +221,8 @@ vhost_transport_send_pkt(struct virtio_vsock_pkt *pkt)
- 	spin_unlock_bh(&vsock->send_pkt_list_lock);
- 
- 	vhost_work_queue(&vsock->dev, &vsock->send_pkt_work);
-+
-+	rcu_read_unlock();
- 	return len;
- }
- 
-@@ -234,12 +232,15 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk)
- 	struct vhost_vsock *vsock;
- 	struct virtio_vsock_pkt *pkt, *n;
- 	int cnt = 0;
-+	int ret = -ENODEV;
- 	LIST_HEAD(freeme);
- 
-+	rcu_read_lock();
-+
- 	/* Find the vhost_vsock according to guest context id  */
- 	vsock = vhost_vsock_get(vsk->remote_addr.svm_cid);
- 	if (!vsock)
--		return -ENODEV;
-+		goto out;
- 
- 	spin_lock_bh(&vsock->send_pkt_list_lock);
- 	list_for_each_entry_safe(pkt, n, &vsock->send_pkt_list, list) {
-@@ -265,7 +266,10 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk)
- 			vhost_poll_queue(&tx_vq->poll);
- 	}
- 
--	return 0;
-+	ret = 0;
-+out:
-+	rcu_read_unlock();
-+	return ret;
- }
- 
- static struct virtio_vsock_pkt *
-@@ -533,10 +537,6 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)
- 	spin_lock_init(&vsock->send_pkt_list_lock);
- 	INIT_LIST_HEAD(&vsock->send_pkt_list);
- 	vhost_work_init(&vsock->send_pkt_work, vhost_transport_send_pkt_work);
--
--	spin_lock_bh(&vhost_vsock_lock);
--	list_add_tail(&vsock->list, &vhost_vsock_list);
--	spin_unlock_bh(&vhost_vsock_lock);
- 	return 0;
- 
- out:
-@@ -585,9 +585,13 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
- 	struct vhost_vsock *vsock = file->private_data;
- 
- 	spin_lock_bh(&vhost_vsock_lock);
--	list_del(&vsock->list);
-+	if (vsock->guest_cid)
-+		hash_del_rcu(&vsock->hash);
- 	spin_unlock_bh(&vhost_vsock_lock);
- 
-+	/* Wait for other CPUs to finish using vsock */
-+	synchronize_rcu();
-+
- 	/* Iterating over all connections for all CIDs to find orphans is
- 	 * inefficient.  Room for improvement here. */
- 	vsock_for_each_connected_socket(vhost_vsock_reset_orphans);
-@@ -628,12 +632,17 @@ static int vhost_vsock_set_cid(struct vhost_vsock *vsock, u64 guest_cid)
- 
- 	/* Refuse if CID is already in use */
- 	spin_lock_bh(&vhost_vsock_lock);
--	other = __vhost_vsock_get(guest_cid);
-+	other = vhost_vsock_get(guest_cid);
- 	if (other && other != vsock) {
- 		spin_unlock_bh(&vhost_vsock_lock);
- 		return -EADDRINUSE;
- 	}
-+
-+	if (vsock->guest_cid)
-+		hash_del_rcu(&vsock->hash);
-+
- 	vsock->guest_cid = guest_cid;
-+	hash_add_rcu(vhost_vsock_hash, &vsock->hash, guest_cid);
- 	spin_unlock_bh(&vhost_vsock_lock);
- 
- 	return 0;
--- 
-2.20.0.rc2
-
diff --git a/debian/patches/series b/debian/patches/series
index 91d6c047b..5d45f6407 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -131,7 +131,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/vhost-vsock-fix-use-after-free-in-network-stack-call.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch