From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
Gleb Natapov <gleb@redhat.com>, KVM <kvm@vger.kernel.org>,
linux-s390 <linux-s390@vger.kernel.org>,
Avi Kivity <avi.kivity@gmail.com>,
Carsten Otte <cotte@de.ibm.com>, Alexander Graf <agraf@suse.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Sebastian Ott <sebott@linux.vnet.ibm.com>
Subject: Re: [PATCH 2/5] KVM: s390: Add support for machine checks.
Date: Wed, 19 Dec 2012 11:20:18 +0100 [thread overview]
Message-ID: <50D194E2.8050102@de.ibm.com> (raw)
In-Reply-To: <20121219094414.GA4996@osiris.de.ibm.com>
On 19/12/12 10:44, Heiko Carstens wrote:
> On Fri, Dec 07, 2012 at 01:30:22PM +0100, Cornelia Huck wrote:
>> + rc = put_guest_u64(vcpu, __LC_MCCK_CODE, inti->mchk.mcic);
>> + if (rc == -EFAULT)
>> + exception = 1;
>> +
>> + rc = copy_to_guest(vcpu, __LC_MCK_OLD_PSW,
>> + &vcpu->arch.sie_block->gpsw, sizeof(psw_t));
>> + if (rc == -EFAULT)
>> + exception = 1;
>
> Please don't add more explicit -EFAULT checks on guest access paths. Just
> make this like normal user space accesses. That is return code != 0 means
> an error occured:
>
> rc = put_guest_u64(vcpu, __LC_MCCK_CODE, inti->mchk.mcic);
> if (rc)
> exception = 1;
>
> In fact, with the current kvm gaccess code it's even broken, since on error
> the guest access functions may return also -ENOMEM instead of -EFAULT, which
> would be ignored by your code.
> I addressed that with a patch when trying to clean up the guest access
> functions. Maybe the patch below should be merged anyway. Christian?
The whole guest memory access of KVM needs to be reworked to work properly
in those corner cases. I have this on my todo list as one of things for next
year with lots of open questions that I dont want to answer before xmas.
what about in kernel intercepts? (shall we then return EFAULT for the KVM_RUN
ioctl, shall we kill the guest?.....)
We actually need to test the address for validity via the memslots (and not
via return value of copy_from/to_user) all across the s390 code.
I really want to avoid mixing this effort with the virtio-ccw patches.
So my proposal is to apply your patch below and keep Conny's patch as is.
Ok?
Christian
> From db05454b6f3f49a7a10f5a1e546917303cf94532 Mon Sep 17 00:00:00 2001
> From: Heiko Carstens <heiko.carstens@de.ibm.com>
> Date: Mon, 10 Sep 2012 16:36:23 +0200
> Subject: s390/kvm,gaccess: fix guest access return code handling
>
> Guest access functions like copy_to/from_guest() call __guestaddr_to_user()
> which in turn call gmap_fault() in order to translate a guest address to a
> user space address.
> In error case __guest_addr_to_user() returns either -EFAULT or -ENOMEM.
> The copy_to/from_guest functions just pass these return values down to the
> callers.
> The -ENOMEM case however is problematic since there are several places
> which access guest memory like:
>
> rc = copy_to_guest(...);
> if (rc == -EFAULT)
> error_handling();
>
> So in case of -ENOMEM the code assumes that the guest memory access
> succeeded even though it failed.
> This can cause guest data or state corruption.
>
> If __guestaddr_to_user() returns -ENOMEM the meaning is that a valid user
> space mapping exists, but there was not enough memory available when trying
> to build the guest mapping. In other words an out-of-memory situation
> occured.
> For normal user space accesses an out-of-memory situation causes the page
> fault handler to map -ENOMEM to -EFAULT (see fixup code in do_no_context()).
> We need to do exactly the same for the kvm gaccess functions.
>
> So __guestaddr_to_user() should just map all error codes to -EFAULT.
>
> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
> ---
> arch/s390/kvm/gaccess.h | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h
> index 4703f12..84d01dd 100644
> --- a/arch/s390/kvm/gaccess.h
> +++ b/arch/s390/kvm/gaccess.h
> @@ -22,13 +22,16 @@ static inline void __user *__guestaddr_to_user(struct kvm_vcpu *vcpu,
> unsigned long guestaddr)
> {
> unsigned long prefix = vcpu->arch.sie_block->prefix;
> + unsigned long uaddress;
>
> if (guestaddr < 2 * PAGE_SIZE)
> guestaddr += prefix;
> else if ((guestaddr >= prefix) && (guestaddr < prefix + 2 * PAGE_SIZE))
> guestaddr -= prefix;
> -
> - return (void __user *) gmap_fault(guestaddr, vcpu->arch.gmap);
> + uaddress = gmap_fault(guestaddr, vcpu->arch.gmap);
> + if (IS_ERR_VALUE(uaddress))
> + uaddress = -EFAULT;
> + return (void __user *)uaddress;
> }
>
> static inline int get_guest_u64(struct kvm_vcpu *vcpu, unsigned long guestaddr,
>
next prev parent reply other threads:[~2012-12-19 10:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-07 12:30 [PATCH v4 0/5] s390: Host support for channel I/O Cornelia Huck
2012-12-07 12:30 ` [PATCH 1/5] KVM: s390: Support for I/O interrupts Cornelia Huck
2012-12-10 7:33 ` Alexander Graf
2012-12-10 10:09 ` Cornelia Huck
2012-12-11 10:22 ` Alexander Graf
2012-12-11 12:46 ` Cornelia Huck
2012-12-12 0:36 ` Alexander Graf
2012-12-07 12:30 ` [PATCH 2/5] KVM: s390: Add support for machine checks Cornelia Huck
2012-12-10 7:51 ` Alexander Graf
2012-12-10 10:12 ` Cornelia Huck
2012-12-19 9:44 ` Heiko Carstens
2012-12-19 9:44 ` Heiko Carstens
2012-12-19 10:20 ` Christian Borntraeger [this message]
2012-12-19 13:07 ` Heiko Carstens
2012-12-07 12:30 ` [PATCH 3/5] KVM: s390: In-kernel handling of I/O instructions Cornelia Huck
2012-12-10 7:53 ` Alexander Graf
2012-12-10 10:14 ` Cornelia Huck
2012-12-07 12:30 ` [PATCH 4/5] KVM: s390: Base infrastructure for enabling capabilities Cornelia Huck
2012-12-10 7:54 ` Alexander Graf
2012-12-10 10:16 ` Cornelia Huck
2012-12-11 10:24 ` Alexander Graf
2012-12-07 12:30 ` [PATCH 5/5] KVM: s390: Add support for channel I/O instructions Cornelia Huck
2012-12-10 8:01 ` Alexander Graf
-- strict thread matches above, loose matches on Subject: below --
2012-10-31 16:24 [RFC PATCH v3 0/5] s390: Host support for channel I/O Cornelia Huck
2012-10-31 16:24 ` [PATCH 2/5] KVM: s390: Add support for machine checks Cornelia Huck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D194E2.8050102@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=agraf@suse.de \
--cc=avi.kivity@gmail.com \
--cc=cornelia.huck@de.ibm.com \
--cc=cotte@de.ibm.com \
--cc=gleb@redhat.com \
--cc=heiko.carstens@de.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=schwidefsky@de.ibm.com \
--cc=sebott@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.