[Qemu-devel] [PATCH 21/67] s390x/css: handle cssid 255 correctly
From: Michael Roth
Subject: [Qemu-devel] [PATCH 21/67] s390x/css: handle cssid 255 correctly
Date: Wed, 14 Dec 2016 18:44:15 -0600
From: Cornelia Huck <address@hidden>
The cssid 255 is reserved but still valid from an architectural
point of view. However, feeding a bogus schid of 0xffffffff into
the virtio hypercall will lead to a crash:
Stack trace of thread 138363:
#0 0x00000000100d168c css_find_subch (qemu-system-s390x)
#1 0x00000000100d3290 virtio_ccw_hcall_notify
#2 0x00000000100cbf60 s390_virtio_hypercall
#3 0x000000001010ff7a handle_hypercall
#4 0x0000000010079ed4 kvm_cpu_exec (qemu-system-s390x)
#5 0x00000000100609b4 qemu_kvm_cpu_thread_fn
#6 0x000003ff8b887bb4 start_thread (libpthread.so.0)
#7 0x000003ff8b78df0a thread_start (libc.so.6)
This is because the css array was only allocated for 0..254
instead of 0..255.
Let's fix this by bumping MAX_CSSID to 255 and fencing off the
reserved cssid of 255 during css image allocation.
Reported-by: Christian Borntraeger <address@hidden>
Tested-by: Christian Borntraeger <address@hidden>
Cc: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 882b3b97697affb36ca3d174f42f846232008979)
Signed-off-by: Michael Roth <address@hidden>
---
hw/s390x/css.c | 8 +++-----
include/hw/s390x/css.h | 2 +-
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/s390x/css.c b/hw/s390x/css.c
index bb8e4be..b0e81ef 100644
--- a/hw/s390x/css.c
+++ b/hw/s390x/css.c
@@ -141,7 +141,8 @@ out_err:
int css_create_css_image(uint8_t cssid, bool default_image)
{
trace_css_new_image(cssid, default_image ? "(default)" : "");
- if (cssid > MAX_CSSID) {
+ /* 255 is reserved */
+ if (cssid == 255) {
return -EINVAL;
}
if (channel_subsys.css[cssid]) {
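Review bot: the new guard hard-codes the literal 255 instead of the MAX_CSSID macro the rest of the header uses, so the reserved value is now spelled out in two places (here and in css.h). Since cssid is a uint8_t, `if (cssid == MAX_CSSID)` next to the `/* 255 is reserved */` comment expresses the same check without the magic number. This hunk only refuses to create image 255; the crash in the commit message is actually removed by the array growing to cover 0..255 through the css.h change, and that array sizing is not visible in this hunk, so it is worth confirming the backing array is declared with MAX_CSSID + 1 entries.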
@@ -1267,7 +1268,7 @@ bool css_schid_final(int m, uint8_t cssid, uint8_t ssid,
uint16_t schid)
uint8_t real_cssid;
real_cssid = (!m && (cssid == 0)) ? channel_subsys.default_cssid : cssid;
- if (real_cssid > MAX_CSSID || ssid > MAX_SSID ||
+ if (ssid > MAX_SSID ||
!channel_subsys.css[real_cssid] ||
!channel_subsys.css[real_cssid]->sch_set[ssid]) {
return true;
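Review bot: dropping `real_cssid > MAX_CSSID` is correct only because real_cssid is a uint8_t and MAX_CSSID is now 255, which makes the comparison always false; a one-line comment stating that would protect against a future widening of the type silently losing the bound check. The remaining `!channel_subsys.css[real_cssid]` test now relies on slot 255 staying NULL, which the css_create_css_image hunk guarantees by refusing to allocate it.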
@@ -1282,9 +1283,6 @@ static int css_add_virtual_chpid(uint8_t cssid, uint8_t
chpid, uint8_t type)
CssImage *css;
trace_css_chpid_add(cssid, chpid, type);
- if (cssid > MAX_CSSID) {
- return -EINVAL;
- }
css = channel_subsys.css[cssid];
if (!css) {
return -EINVAL;
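Review bot: same pattern as the css_schid_final hunk: the removed range check is dead once cssid is a uint8_t and MAX_CSSID is 255, and the following `if (!css) { return -EINVAL; }` still rejects the reserved cssid 255 because that slot is never allocated. A short comment noting that the NULL check is the intended guard for the reserved id would make that dependency explicit.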
diff --git a/include/hw/s390x/css.h b/include/hw/s390x/css.h
index 1da63e3..c96c862 100644
--- a/include/hw/s390x/css.h
+++ b/include/hw/s390x/css.h
@@ -20,7 +20,7 @@
#define MAX_DEVNO 65535
#define MAX_SCHID 65535
#define MAX_SSID 3
-#define MAX_CSSID 254 /* 255 is reserved */
+#define MAX_CSSID 255
#define MAX_CHPID 255
#define MAX_CIWS 62
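Review bot: the `/* 255 is reserved */` comment disappears from the header, leaving no hint at the definition site that MAX_CSSID is now an index bound that includes a reserved value rather than the largest usable id; keep it, e.g. `#define MAX_CSSID 255 /* 255 is reserved */`. Since the commit message says the css array was previously allocated for 0..254, any other declaration sized with MAX_CSSID rather than MAX_CSSID + 1 should be checked against this bump.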
--
1.9.1