On Wed, 20 Feb 2019 14:22:24 +0100 Halil Pasic <pasic@xxxxxxxxxxxxx> wrote: > On Wed, 20 Feb 2019 13:44:46 +0100 > Cornelia Huck <cohuck@xxxxxxxxxx> wrote: > > > On Wed, 20 Feb 2019 06:29:38 -0500 > > Eric Farman <farman@xxxxxxxxxxxxx> wrote: > > > > > On 02/20/2019 04:48 AM, Cornelia Huck wrote: > > > > On Tue, 19 Feb 2019 21:49:07 -0500 > > > > Eric Farman <farman@xxxxxxxxxxxxx> wrote: > > > > > > > >> Hi Connie, Farhan, > > > >> > > > >> On 02/04/2019 12:06 PM, Cornelia Huck wrote: > > > >>> From: Farhan Ali <alifm@xxxxxxxxxxxxx> > > > >>> > > > >>> When trying to calculate the length of a ccw chain, we assume > > > >>> there are ccws after a TIC. This can lead to overcounting and > > > >>> copying garbage data from guest memory. > > > >>> > > > >>> Signed-off-by: Farhan Ali <alifm@xxxxxxxxxxxxx> > > > >>> Message-Id: <d63748c1f1b03147bcbf401596638627a5e35ef7.1548082107.git.alifm@xxxxxxxxxxxxx> > > > >>> Reviewed-by: Halil Pasic <pasic@xxxxxxxxxxxxx> > > > >>> Signed-off-by: Cornelia Huck <cohuck@xxxxxxxxxx> > > > >>> --- > > > >>> drivers/s390/cio/vfio_ccw_cp.c | 2 +- > > > >>> 1 file changed, 1 insertion(+), 1 deletion(-) > > > >>> > > > >>> diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c > > > >>> index 70a006ba4d05..ba08fe137c2e 100644 > > > >>> --- a/drivers/s390/cio/vfio_ccw_cp.c > > > >>> +++ b/drivers/s390/cio/vfio_ccw_cp.c 
> > > >>> @@ -392,7 +392,7 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp) > > > >>> return -EOPNOTSUPP; > > > >>> } > > > >>> > > > >>> - if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw))) > > > >>> + if (!ccw_is_chain(ccw)) > > > > OK, this function now returns the length of the chain excluding the > > last tic. > > > > I'm confused. I read this like the length includes the tic, but not the > ccw? after the tic. Or am I wrong? > > > > > >>> break; > > > >>> > > > >>> ccw++; > > > >>> > > > > Now, cp_init will not copy the last tic to the chain. When it then > > looks for tics in that new chain, it won't find any, and stop copying. > > Eric also said the TIC is included but the subsequent READ gets 'dropped' > from (SEEK + SIDE + TIC + READ). Then I'm out of ideas. Are we sure the channel program is correct?
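Review bot: the hunk changes the loop's exit condition, but the commit message does not state what the returned length now covers, and the replies in this thread show the two reviewers reading it differently (one reads the length as excluding the last TIC, the other as including the TIC and dropping only the ccws after it). Because the loop breaks before `ccw++` when `!ccw_is_chain(ccw)`, whether the TIC itself is counted depends on how the length is derived from the loop position, which is outside the hunk; please spell out in the commit message whether the TIC is part of the counted chain and how cp_init's copy of the chain (and its later search for TICs in the copied chain) depends on that, so that the overcounting being fixed, a guest-supplied chain causing more guest memory to be copied than the chain actually covers, can be verified from the description alone. Note also that the new condition no longer consults `ccw_is_tic()` at all: a TIC with the chain flag set would be stepped over like any other ccw, so if a TIC must always stop the count, that case needs either a comment or an explicit check.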