Re: [PULL 1/1] vfio-ccw: Don't assume there are more ccws after a TIC

[Eric Farman <farman@xxxxxxxxxxxxx>]

On 02/20/2019 10:28 AM, Cornelia Huck wrote:
> On Wed, 20 Feb 2019 14:22:24 +0100
> Halil Pasic <pasic@xxxxxxxxxxxxx> wrote:
>
> > On Wed, 20 Feb 2019 13:44:46 +0100
> > Cornelia Huck <cohuck@xxxxxxxxxx> wrote:
> >
> > > On Wed, 20 Feb 2019 06:29:38 -0500
> > > Eric Farman <farman@xxxxxxxxxxxxx> wrote:
> > >    
> > > > On 02/20/2019 04:48 AM, Cornelia Huck wrote:
> > > > > On Tue, 19 Feb 2019 21:49:07 -0500
> > > > > Eric Farman <farman@xxxxxxxxxxxxx> wrote:
> > > > >        
> > > > > > Hi Connie, Farhan,
> > > > > >
> > > > > > On 02/04/2019 12:06 PM, Cornelia Huck wrote:
> > > > > > > From: Farhan Ali <alifm@xxxxxxxxxxxxx>
> > > > > > >
> > > > > > > When trying to calculate the length of a ccw chain, we assume
> > > > > > > there are ccws after a TIC. This can lead to overcounting and
> > > > > > > copying garbage data from guest memory.
> > > > > > >
> > > > > > > Signed-off-by: Farhan Ali <alifm@xxxxxxxxxxxxx>
> > > > > > > Message-Id: <d63748c1f1b03147bcbf401596638627a5e35ef7.1548082107.git.alifm@xxxxxxxxxxxxx>
> > > > > > > Reviewed-by: Halil Pasic <pasic@xxxxxxxxxxxxx>
> > > > > > > Signed-off-by: Cornelia Huck <cohuck@xxxxxxxxxx>
> > > > > > > ---
> > > > > > >     drivers/s390/cio/vfio_ccw_cp.c | 2 +-
> > > > > > >     1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > > >
> > > > > > > diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
> > > > > > > index 70a006ba4d05..ba08fe137c2e 100644
> > > > > > > --- a/drivers/s390/cio/vfio_ccw_cp.c
> > > > > > > +++ b/drivers/s390/cio/vfio_ccw_cp.c
> > > > > > > @@ -392,7 +392,7 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp)
> > > > > > >     			return -EOPNOTSUPP;
> > > > > > >     		}
> > > > > > >     
> > > > > > > -		if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw)))
> > > > > > > +		if (!ccw_is_chain(ccw))
> > >
> > > OK, this function now returns the length of the chain excluding the
> > > last tic.
> > >    
> >
> > I'm confused. I read this like the length includes the tic, but not the
> > ccw? after the tic. Or am I wrong?
> >
> >
> > > > > > >     			break;
> > > > > > >     
> > > > > > >     		ccw++;
> > > > > > >         
> > >
> > > Now, cp_init will not copy the last tic to the chain. When it then
> > > looks for tics in that new chain, it won't find any, and stop copying.
> >
> > Eric also said the TIC is included but the subsequent READ gets 'dropped'
> > from (SEEK + SIDE + TIC + READ).
>
> Then I'm out of ideas. Are we sure the channel program is correct?

We shouldn't assume that I read things correctly.  :)  I have not looked 
at Jason's patches, and was going by what I saw being referenced in 
ccwchain_fetch_{one|tic} with or without this patch.

Now that I've got the morning meetings out of the way, I'll spend some 
time sorting out whether we're dropping a read or a tic.