On Wed, 20 Feb 2019 13:44:46 +0100
Cornelia Huck <cohuck@xxxxxxxxxx> wrote:

> On Wed, 20 Feb 2019 06:29:38 -0500
> Eric Farman <farman@xxxxxxxxxxxxx> wrote:
>
> > On 02/20/2019 04:48 AM, Cornelia Huck wrote:
> > > On Tue, 19 Feb 2019 21:49:07 -0500
> > > Eric Farman <farman@xxxxxxxxxxxxx> wrote:
> > >
> > >> Hi Connie, Farhan,
> > >>
> > >> On 02/04/2019 12:06 PM, Cornelia Huck wrote:
> > >>> From: Farhan Ali <alifm@xxxxxxxxxxxxx>
> > >>>
> > >>> When trying to calculate the length of a ccw chain, we assume
> > >>> there are ccws after a TIC. This can lead to overcounting and
> > >>> copying garbage data from guest memory.
> > >>>
> > >>> Signed-off-by: Farhan Ali <alifm@xxxxxxxxxxxxx>
> > >>> Message-Id: <d63748c1f1b03147bcbf401596638627a5e35ef7.1548082107.git.alifm@xxxxxxxxxxxxx>
> > >>> Reviewed-by: Halil Pasic <pasic@xxxxxxxxxxxxx>
> > >>> Signed-off-by: Cornelia Huck <cohuck@xxxxxxxxxx>
> > >>> ---
> > >>> drivers/s390/cio/vfio_ccw_cp.c | 2 +-
> > >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
> > >>> index 70a006ba4d05..ba08fe137c2e 100644
> > >>> --- a/drivers/s390/cio/vfio_ccw_cp.c
> > >>> +++ b/drivers/s390/cio/vfio_ccw_cp.c
> > >>> @@ -392,7 +392,7 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp)
> > >>> return -EOPNOTSUPP;
> > >>> }
> > >>>
> > >>> - if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw)))
> > >>> + if (!ccw_is_chain(ccw))
>
> OK, this function now returns the length of the chain excluding the
> last tic.
>

I'm confused. I read this like the length includes the tic, but not the
ccw? after the tic. Or am I wrong?

> > >>> break;
> > >>>
> > >>> ccw++;
> > >>>
> >
> Now, cp_init will not copy the last tic to the chain. When it then
> looks for tics in that new chain, it won't find any, and stop copying.

Eric also said the TIC is included but the subsequent READ gets
'dropped' from (SEEK + SIDE + TIC + READ).

Regards,
Halil

> >> + READ
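Review bot: The new condition in the hunk (`+ if (!ccw_is_chain(ccw))`) makes the loop stop on a TIC only because a TIC normally carries no chain flags; the old condition stopped on `(!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw))`, so a TIC was never the stopping point. If a guest-supplied TIC has CC or DC set, `ccw_is_chain()` is true and the loop keeps counting past it, which is exactly the overcounting the commit message sets out to remove. Suggest either checking `ccw_is_tic(ccw)` explicitly as a terminator, or documenting in the commit message that chain flags on a TIC are ignored elsewhere, and while at it stating whether the returned length counts the CCW on which the loop breaks, since the two readings in this thread ("excluding the last tic" vs. "includes the tic, but not the ccw after it") differ precisely on that point.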
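To make the termination change under discussion concrete, here is an added model (not kernel code) of the walk in ccwchain_calc_length over the SEEK + SIDE + TIC + READ chain Halil mentions. It assumes a count-then-test convention (the CCW on which the loop breaks is counted), uses constructed command codes for everything except the TIC (0x08) and the CC/DC flag bits, and also shows what the new condition does when a guest sets a chain flag on the TIC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CCW_FLAG_DC   0x80   /* data chaining */
#define CCW_FLAG_CC   0x40   /* command chaining */
#define CCW_CMD_TIC   0x08   /* transfer in channel */
#define CHAIN_LEN_MAX 256    /* same bound the kernel uses for a chain */

struct ccw1 {                /* 8-byte format-1 CCW, modelled as a struct */
    uint8_t  cmd_code;
    uint8_t  flags;
    uint16_t count;
    uint32_t cda;
};

static int ccw_is_chain(const struct ccw1 *c) { return c->flags & (CCW_FLAG_DC | CCW_FLAG_CC); }
static int ccw_is_tic(const struct ccw1 *c)   { return c->cmd_code == CCW_CMD_TIC; }

/* Count CCWs from the start of a chain. new_cond=1 uses the patched test
 * (stop on any non-chained CCW), new_cond=0 the old one (also run past a TIC).
 * 'n' bounds the constructed guest memory; the kernel has no such bound. */
static int calc_length(const struct ccw1 *ccw, size_t n, int new_cond)
{
    int cnt = 0;
    do {
        if ((size_t)cnt >= n)
            return cnt;                      /* ran off the modelled memory */
        cnt++;                               /* assumption: count, then test */
        int stop = new_cond ? !ccw_is_chain(ccw)
                            : (!ccw_is_chain(ccw) && !ccw_is_tic(ccw));
        if (stop)
            break;
        ccw++;
    } while (cnt < CHAIN_LEN_MAX + 1);
    return cnt;
}

/* Constructed chain: the command codes for SEEK/SIDE/READ are placeholders. */
static const struct ccw1 chain[] = {
    { 0x07,        CCW_FLAG_CC, 6,   0x1000 },   /* SEEK, command-chained   */
    { 0x1f,        CCW_FLAG_CC, 1,   0x1010 },   /* SIDE, command-chained   */
    { CCW_CMD_TIC, 0,           0,   0x2000 },   /* TIC, no chain flags     */
    { 0x06,        0,           512, 0x3000 },   /* READ, ends the chain    */
};

int length_old(void) { return calc_length(chain, 4, 0); }   /* counts through READ */
int length_new(void) { return calc_length(chain, 4, 1); }   /* stops at the TIC    */

int length_new_chained_tic(void)                           /* guest sets CC on TIC */
{
    struct ccw1 c[4];
    memcpy(c, chain, sizeof(c));
    c[2].flags = CCW_FLAG_CC;
    return calc_length(c, 4, 1);
}
```

Under this convention the old test returns 4 and the new one 3 (the TIC is the last CCW counted), while a TIC carrying a chain flag makes the new test keep going to 4.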