* [PULL 1/1] vfio: ccw: only free cp on final interrupt
       [not found] <20190311162656.10067-1-cohuck@redhat.com>
@ 2019-03-11 16:26 ` Cornelia Huck
  2019-03-11 17:24 ` [PULL 0/1] vfio-ccw: fix for 5.1 Martin Schwidefsky
  1 sibling, 0 replies; 2+ messages in thread
From: Cornelia Huck @ 2019-03-11 16:26 UTC (permalink / raw)
  To: Martin Schwidefsky, Heiko Carstens
  Cc: Farhan Ali, Eric Farman, Halil Pasic, linux-s390, kvm,
	Cornelia Huck, stable

When we get an interrupt for a channel program, it is not
necessarily the final interrupt; for example, the issuing
guest may request an intermediate interrupt by specifying
the program-controlled-interrupt flag on a ccw.

We must not switch the state to idle if the interrupt is not
yet final; even more importantly, we must not free the translated
channel program if the interrupt is not yet final, or the host
can crash during cp rewind.

Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
Cc: stable@vger.kernel.org # v4.12+
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index a10cec0e86eb..0b3b9de45c60 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -72,20 +72,24 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
 {
 	struct vfio_ccw_private *private;
 	struct irb *irb;
+	bool is_final;
 
 	private = container_of(work, struct vfio_ccw_private, io_work);
 	irb = &private->irb;
 
+	is_final = !(scsw_actl(&irb->scsw) &
+		     (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
 	if (scsw_is_solicited(&irb->scsw)) {
 		cp_update_scsw(&private->cp, &irb->scsw);
-		cp_free(&private->cp);
+		if (is_final)
+			cp_free(&private->cp);
 	}
 	memcpy(private->io_region->irb_area, irb, sizeof(*irb));
 
 	if (private->io_trigger)
 		eventfd_signal(private->io_trigger, 1);
 
-	if (private->mdev)
+	if (private->mdev && is_final)
 		private->state = VFIO_CCW_STATE_IDLE;
 }
 
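Review bot: The is_final computation (the new scsw_actl() test against SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT) has no comment saying why cleared activity-control bits mean the interrupt is final. A one-line comment above it would help, since both the cp_free() call and the switch to VFIO_CCW_STATE_IDLE now depend on it. Two related points from the same lines: cp_update_scsw(), the memcpy into io_region->irb_area and eventfd_signal() still run for a non-final interrupt, which looks intended but is worth stating in the comment; and cp is now freed here only when a final interrupt arrives, so please confirm another path releases it if the final interrupt never comes, as nothing in this hunk shows one.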
-- 
2.17.2


* Re: [PULL 0/1] vfio-ccw: fix for 5.1
       [not found] <20190311162656.10067-1-cohuck@redhat.com>
  2019-03-11 16:26 ` [PULL 1/1] vfio: ccw: only free cp on final interrupt Cornelia Huck
@ 2019-03-11 17:24 ` Martin Schwidefsky
  1 sibling, 0 replies; 2+ messages in thread
From: Martin Schwidefsky @ 2019-03-11 17:24 UTC (permalink / raw)
  To: linux-s390, kvm

On Mon, 11 Mar 2019 17:26:55 +0100
Cornelia Huck <cohuck@redhat.com> wrote:

> The following changes since commit 152e9b8676c6e788c6bff095c1eaae7b86df5003:
> 
>   s390/vtime: steal time exponential moving average (2019-03-06 14:59:50 +0100)
> 
> are available in the Git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/vfio-ccw.git tags/vfio-ccw-20190311
> 
> for you to fetch changes up to 50b7f1b7236bab08ebbbecf90521e84b068d7a17:
> 
>   vfio: ccw: only free cp on final interrupt (2019-03-11 12:06:50 +0100)
> 
> ----------------------------------------------------------------
> Fix a host crash triggerable by the guest via a channel program.
> 
> ----------------------------------------------------------------
> 
> Cornelia Huck (1):
>   vfio: ccw: only free cp on final interrupt
> 
>  drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Pulled & pushed to s390/linux:fixes. Thanks.

-- 
blue skies,
   Martin.

"Reality continues to ruin my life." - Calvin.
