Re: [PULL 1/1] vfio-ccw: Don't assume there are more ccws after a TIC

On Wed, 20 Feb 2019 14:22:24 +0100
Halil Pasic <pasic@xxxxxxxxxxxxx> wrote:

> On Wed, 20 Feb 2019 13:44:46 +0100
> Cornelia Huck <cohuck@xxxxxxxxxx> wrote:
> 
> > On Wed, 20 Feb 2019 06:29:38 -0500
> > Eric Farman <farman@xxxxxxxxxxxxx> wrote:
> >   
> > > On 02/20/2019 04:48 AM, Cornelia Huck wrote:    
> > > > On Tue, 19 Feb 2019 21:49:07 -0500
> > > > Eric Farman <farman@xxxxxxxxxxxxx> wrote:
> > > >       
> > > >> Hi Connie, Farhan,
> > > >>
> > > >> On 02/04/2019 12:06 PM, Cornelia Huck wrote:      
> > > >>> From: Farhan Ali <alifm@xxxxxxxxxxxxx>
> > > >>>
> > > >>> When trying to calculate the length of a ccw chain, we assume
> > > >>> there are ccws after a TIC. This can lead to overcounting and
> > > >>> copying garbage data from guest memory.
> > > >>>
> > > >>> Signed-off-by: Farhan Ali <alifm@xxxxxxxxxxxxx>
> > > >>> Message-Id: <d63748c1f1b03147bcbf401596638627a5e35ef7.1548082107.git.alifm@xxxxxxxxxxxxx>
> > > >>> Reviewed-by: Halil Pasic <pasic@xxxxxxxxxxxxx>
> > > >>> Signed-off-by: Cornelia Huck <cohuck@xxxxxxxxxx>
> > > >>> ---
> > > >>>    drivers/s390/cio/vfio_ccw_cp.c | 2 +-
> > > >>>    1 file changed, 1 insertion(+), 1 deletion(-)
> > > >>>
> > > >>> diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
> > > >>> index 70a006ba4d05..ba08fe137c2e 100644
> > > >>> --- a/drivers/s390/cio/vfio_ccw_cp.c
> > > >>> +++ b/drivers/s390/cio/vfio_ccw_cp.c
> > > >>> @@ -392,7 +392,7 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp)
> > > >>>    			return -EOPNOTSUPP;
> > > >>>    		}
> > > >>>    
> > > >>> -		if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw)))
> > > >>> +		if (!ccw_is_chain(ccw))    
> > 
> > OK, this function now returns the length of the chain excluding the
> > last tic.
> >   
> 
> I'm confused. I read this like the length includes the tic, but not the
> ccw? after the tic. Or am I wrong?
> 
> 
> > > >>>    			break;
> > > >>>    
> > > >>>    		ccw++;
> > > >>>        
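Review bot: whether the returned length includes the TIC itself cannot be read off this hunk, because the new `if (!ccw_is_chain(ccw)) break;` only decides where the walk stops and the counter increment sits outside the quoted lines; the commit message ("ccws after a TIC") and a comment at this break should state explicitly that the result counts up to and including the terminating TIC and nothing behind it, since cp_init's later copy and its TIC lookup depend on exactly that boundary. Also worth a sentence: a TIC that arrives with CC or DC set still passes the new test and the walk continues past it, so if such a TIC is not a valid program the check should terminate (or reject) on `ccw_is_tic(ccw)` regardless of its flags rather than rely on the flags being clear.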
> > 
> > Now, cp_init will not copy the last tic to the chain. When it then
> > looks for tics in that new chain, it won't find any, and stop copying.   
> 
> Eric also said the TIC is included but the subsequent READ gets 'dropped'
> from (SEEK + SIDE + TIC + READ).

Then I'm out of ideas. Are we sure the channel program is correct?
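
To make the readings discussed above concrete, here is an added simulation of the break condition from the quoted hunk; it is written for this page and is not code from vfio_ccw_cp.c or from anyone on the thread. It walks a constructed chain (SEEK + SIDE + TIC with a READ behind it in memory, as Eric describes) with both the old and the new test, and a second constructed buffer where stale chained CCWs sit behind the TIC. The counter increment before the test, the command codes other than TIC, the memory contents behind the TIC and the `patched` switch are assumptions of this example; `ccw_is_chain` (CC/DC flag test) and `ccw_is_tic` (TIC command code) follow the helper names used in the hunk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Format-1 channel command word, same layout as the kernel's struct ccw1. */
struct ccw1 {
	uint8_t  cmd_code;
	uint8_t  flags;
	uint16_t count;
	uint32_t cda;		/* data address; not used by the length walk */
};

#define CCW_FLAG_DC	0x80	/* data chaining */
#define CCW_FLAG_CC	0x40	/* command chaining */
#define CCW_CMD_TIC	0x08	/* transfer in channel */

/* Placeholder command codes for the constructed program; only TIC matters here. */
#define CMD_SEEK	0x07
#define CMD_SIDE	0x31
#define CMD_READ	0x06

static int ccw_is_chain(const struct ccw1 *ccw)
{
	return (ccw->flags & (CCW_FLAG_CC | CCW_FLAG_DC)) != 0;
}

static int ccw_is_tic(const struct ccw1 *ccw)
{
	return ccw->cmd_code == CCW_CMD_TIC;
}

/*
 * Count the CCWs of one chain starting at ccw[0].  patched == 0 uses the
 * pre-patch test (keep walking over a TIC), patched == 1 the post-patch
 * test (stop at any CCW without CC/DC).
 * ASSUMPTION: cnt is incremented before the break test, so the CCW that
 * ends the walk is included in the result.  avail bounds the walk to the
 * constructed buffer; the kernel bounds it with CCWCHAIN_LEN_MAX instead.
 */
static int calc_length(const struct ccw1 *ccw, size_t avail, int patched)
{
	int cnt = 0;

	while ((size_t)cnt < avail) {
		cnt++;
		if (patched) {
			if (!ccw_is_chain(ccw))
				break;
		} else {
			if (!ccw_is_chain(ccw) && !ccw_is_tic(ccw))
				break;
		}
		ccw++;
	}
	return cnt;
}

#define N_CCWS 9

static void fill(struct ccw1 *c, uint8_t cmd, uint8_t flags)
{
	c->cmd_code = cmd;
	c->flags = flags;
	c->count = 0;
	c->cda = 0;
}

/* Constructed guest memory: SEEK -> SIDE -> TIC ends chain A.  The READ
 * placed right behind the TIC is the first CCW of the TIC's target chain,
 * not part of chain A.  Returns the length the walk computes for chain A. */
int demo_seek_side_tic_read(int patched)
{
	struct ccw1 mem[N_CCWS];

	memset(mem, 0, sizeof(mem));
	fill(&mem[0], CMD_SEEK, CCW_FLAG_CC);
	fill(&mem[1], CMD_SIDE, CCW_FLAG_CC);
	fill(&mem[2], CCW_CMD_TIC, 0);
	fill(&mem[3], CMD_READ, 0);
	return calc_length(mem, N_CCWS, patched);
}

/* Constructed guest memory: the same chain, but behind the TIC lie five
 * stale CCWs with CC still set (leftovers of an earlier program) and then
 * a zeroed word.  Shows how the old test keeps counting into that data. */
int demo_stale_chain_after_tic(int patched)
{
	struct ccw1 mem[N_CCWS];
	size_t i;

	memset(mem, 0, sizeof(mem));
	fill(&mem[0], CMD_SEEK, CCW_FLAG_CC);
	fill(&mem[1], CMD_SIDE, CCW_FLAG_CC);
	fill(&mem[2], CCW_CMD_TIC, 0);
	for (i = 3; i < N_CCWS - 1; i++)
		fill(&mem[i], CMD_READ, CCW_FLAG_CC);
	/* mem[N_CCWS - 1] stays zero: the first word the old test stops at */
	return calc_length(mem, N_CCWS, patched);
}

int main(void)
{
	printf("SEEK+SIDE+TIC+READ: old=%d new=%d\n",
	       demo_seek_side_tic_read(0), demo_seek_side_tic_read(1));
	printf("stale CCWs after TIC: old=%d new=%d\n",
	       demo_stale_chain_after_tic(0), demo_stale_chain_after_tic(1));
	return 0;
}
```

Under these assumptions the first buffer gives 4 with the old test and 3 with the new one: the old walk passes over the unchained TIC and only stops at the READ, which is how the READ behind the TIC ended up inside chain A, while the new walk stops at the TIC and still counts it. The second buffer gives 9 against 3, which is the overcounting the commit message describes: with the old test every stale word that happens to have CC set extends the chain, and all of it is then copied from guest memory as if it were part of the program.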


