qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] target/s390x/kvm: Fix problem when running with


From: Christian Borntraeger
Subject: Re: [Qemu-devel] [PATCH] target/s390x/kvm: Fix problem when running with SELinux under z/VM
Date: Fri, 24 Mar 2017 10:39:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 03/24/2017 10:26 AM, Thomas Huth wrote:
> When running QEMU with KVM under z/VM, the memory for the guest
> is allocated via legacy_s390_alloc() since the KVM_CAP_S390_COW
> extension is not supported on z/VM. legacy_s390_alloc() then uses
> mmap(... PROT_EXEC ...) for the guest memory - but this does not
> work when running with SELinux enabled, mmap() fails and QEMU aborts
> with the following error message:
> 
>  cannot set up guest memory 's390.ram': Permission denied
> 
> Looking at the other allocator function qemu_anon_ram_alloc(), it
> seems like PROT_EXEC is normally not needed for allocating the
> guest RAM, and indeed, the guest also starts successfully under
> z/VM when we remove the PROT_EXEC from the legacy_s390_alloc()
> function. So let's get rid of that flag here to be able to run
> with SELinux under z/VM, too.

Older z/VM versions do not provide the enhanced suppression on protection
facility, which would result in guest failures as soon as the kernel
starts dirty pages tracking by write protecting the pages via the page
table. Some kernel release back (last time I checked) the PROT_EXEC was 
necessary to prevent the dirty pages tracking from taking place. So this
patch would break KVM in that case.

Newer z/VMs (e.g. 6.3) do provide ESOP. SO the question is,
why is KVM_CAP_S390_COW not set?


> 
> Signed-off-by: Thomas Huth <address@hidden>
> ---
>  target/s390x/kvm.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index ac47154..5167436 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -678,8 +678,7 @@ static void *legacy_s390_alloc(size_t size, uint64_t 
> *align)
>  {
>      void *mem;
> 
> -    mem = mmap((void *) 0x800000000ULL, size,
> -               PROT_EXEC|PROT_READ|PROT_WRITE,
> +    mem = mmap((void *) 0x800000000ULL, size, PROT_READ | PROT_WRITE,
>                 MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
>      return mem == MAP_FAILED ? NULL : mem;
>  }
> 




reply via email to

[Prev in Thread] Current Thread [Next in Thread]