Re: [PATCH 1/1] KVM: s390: virtio-ccw: don't overwrite config space values

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 29/06/2015 16:44, Christian Borntraeger wrote:
> From: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
> 
> Eric noticed problems with vhost-scsi and virtio-ccw: vhost-scsi
> complained about overwriting values in the config space, which
> was triggered by a broken implementation of virtio-ccw's config
> get/set routines. It was probably sheer luck that we did not hit
> this before.
> 
> When writing a value to the config space, the WRITE_CONF ccw will
> always write from the beginning of the config space up to and
> including the value to be set. If the config space up to the value
> has not yet been retrieved from the device, however, we'll end up
> overwriting values. Keep track of the known config space and update
> if needed to avoid this.
> 
> Moreover, READ_CONF will only read the number of bytes it has been
> instructed to retrieve, so we must not copy more than that to the
> buffer, or we might overwrite trailing values.
> 
> Reported-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
> Reviewed-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
> Tested-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
>  drivers/s390/kvm/virtio_ccw.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/s390/kvm/virtio_ccw.c b/drivers/s390/kvm/virtio_ccw.c
> index 6f1fa17..f8d8fdb 100644
> --- a/drivers/s390/kvm/virtio_ccw.c
> +++ b/drivers/s390/kvm/virtio_ccw.c
> @@ -65,6 +65,7 @@ struct virtio_ccw_device {
>  	bool is_thinint;
>  	bool going_away;
>  	bool device_lost;
> +	unsigned int config_ready;
>  	void *airq_info;
>  };
>  
> @@ -833,8 +834,11 @@ static void virtio_ccw_get_config(struct virtio_device *vdev,
>  	if (ret)
>  		goto out_free;
>  
> -	memcpy(vcdev->config, config_area, sizeof(vcdev->config));
> -	memcpy(buf, &vcdev->config[offset], len);
> +	memcpy(vcdev->config, config_area, offset + len);
> +	if (buf)
> +		memcpy(buf, &vcdev->config[offset], len);
> +	if (vcdev->config_ready < offset + len)
> +		vcdev->config_ready = offset + len;
>  
>  out_free:
>  	kfree(config_area);
> @@ -857,6 +861,9 @@ static void virtio_ccw_set_config(struct virtio_device *vdev,
>  	if (!config_area)
>  		goto out_free;
>  
> +	/* Make sure we don't overwrite fields. */
> +	if (vcdev->config_ready < offset)
> +		virtio_ccw_get_config(vdev, 0, NULL, offset);
>  	memcpy(&vcdev->config[offset], buf, len);
>  	/* Write the config area to the host. */
>  	memcpy(config_area, vcdev->config, sizeof(vcdev->config));
> 

Applied (but I think in general virtio-ccw patches should go through
mst---the exception is when matching changes to KVM are needed, and of
course the exception was almost always the rule during bringup).

Thanks,

Paolo
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]