From: Fabiano Rosas <farosas@linux.ibm.com>
To: Nicholas Piggin <npiggin@gmail.com>, kvm-ppc@vger.kernel.org
Cc: aik@ozlabs.ru, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH 3/3] KVM: PPC: Fix mmio length message
Date: Thu, 30 Dec 2021 18:24:10 +0000 [thread overview]
Message-ID: <87k0fmdk8l.fsf@linux.ibm.com> (raw)
In-Reply-To: <1640427230.38pm5r9iop.astroid@bobo.none>
Nicholas Piggin <npiggin@gmail.com> writes:
> Excerpts from Fabiano Rosas's message of December 24, 2021 7:15 am:
>> We check against 'bytes' but print 'run->mmio.len' which at that point
>> has an old value.
>>
>> e.g. 16-byte load:
>>
>> before:
>> __kvmppc_handle_load: bad MMIO length: 8
>>
>> now:
>> __kvmppc_handle_load: bad MMIO length: 16
>>
>> Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
>
> This patch fine, but in the case of overflow we continue anyway here.
> Can that overwrite some other memory in the kvm_run struct?
I tested this and QEMU will indeed overwrite the subsequent fields of
kvm_run. A `lq` on this data:
mmio_test_data:
.long 0xdeadbeef
.long 0x8badf00d
.long 0x1337c0de
.long 0x01abcdef
produces:
__kvmppc_handle_load: bad MMIO length: 16
kvmppc_complete_mmio_load data: 0x8badf00ddeadbeef
bad MMIO length: 322420958 <-- mmio.len got nuked
But then we return from kvmppc_complete_mmio_load without writing to the
registers.
>
> This is familiar, maybe something Alexey has noticed in the past too?
> What was the consensus on fixing it? (at least it should have a comment
> if it's not a problem IMO)
My plan was to just add quadword support. And whatever else might
missing. But I got sidetracked with how to test this so I'm just now
coming back to it.
Perhaps a more immediate fix is needed before that? We could block loads
and stores larger than 8 bytes earlier at kvmppc_emulate_loadstore for
instance.
WARNING: multiple messages have this Message-ID (diff)
From: Fabiano Rosas <farosas@linux.ibm.com>
To: Nicholas Piggin <npiggin@gmail.com>, kvm-ppc@vger.kernel.org
Cc: aik@ozlabs.ru, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH 3/3] KVM: PPC: Fix mmio length message
Date: Thu, 30 Dec 2021 15:24:10 -0300 [thread overview]
Message-ID: <87k0fmdk8l.fsf@linux.ibm.com> (raw)
In-Reply-To: <1640427230.38pm5r9iop.astroid@bobo.none>
Nicholas Piggin <npiggin@gmail.com> writes:
> Excerpts from Fabiano Rosas's message of December 24, 2021 7:15 am:
>> We check against 'bytes' but print 'run->mmio.len' which at that point
>> has an old value.
>>
>> e.g. 16-byte load:
>>
>> before:
>> __kvmppc_handle_load: bad MMIO length: 8
>>
>> now:
>> __kvmppc_handle_load: bad MMIO length: 16
>>
>> Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
>
> This patch fine, but in the case of overflow we continue anyway here.
> Can that overwrite some other memory in the kvm_run struct?
I tested this and QEMU will indeed overwrite the subsequent fields of
kvm_run. A `lq` on this data:
mmio_test_data:
.long 0xdeadbeef
.long 0x8badf00d
.long 0x1337c0de
.long 0x01abcdef
produces:
__kvmppc_handle_load: bad MMIO length: 16
kvmppc_complete_mmio_load data: 0x8badf00ddeadbeef
bad MMIO length: 322420958 <-- mmio.len got nuked
But then we return from kvmppc_complete_mmio_load without writing to the
registers.
>
> This is familiar, maybe something Alexey has noticed in the past too?
> What was the consensus on fixing it? (at least it should have a comment
> if it's not a problem IMO)
My plan was to just add quadword support. And whatever else might
missing. But I got sidetracked with how to test this so I'm just now
coming back to it.
Perhaps a more immediate fix is needed before that? We could block loads
and stores larger than 8 bytes earlier at kvmppc_emulate_loadstore for
instance.
next prev parent reply other threads:[~2021-12-30 18:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-23 21:15 [PATCH 0/3] KVM: PPC: Minor fixes Fabiano Rosas
2021-12-23 21:15 ` Fabiano Rosas
2021-12-23 21:15 ` [PATCH 1/3] KVM: PPC: Book3S HV: Stop returning internal values to userspace Fabiano Rosas
2021-12-23 21:15 ` Fabiano Rosas
2021-12-25 10:11 ` Nicholas Piggin
2021-12-25 10:11 ` Nicholas Piggin
2021-12-23 21:15 ` [PATCH 2/3] KVM: PPC: Fix vmx/vsx mixup in mmio emulation Fabiano Rosas
2021-12-23 21:15 ` Fabiano Rosas
2021-12-25 10:12 ` Nicholas Piggin
2021-12-25 10:12 ` Nicholas Piggin
2021-12-27 17:28 ` Fabiano Rosas
2021-12-27 17:28 ` Fabiano Rosas
2022-01-04 9:01 ` Alexey Kardashevskiy
2022-01-04 9:01 ` Alexey Kardashevskiy
2021-12-23 21:15 ` [PATCH 3/3] KVM: PPC: Fix mmio length message Fabiano Rosas
2021-12-23 21:15 ` Fabiano Rosas
2021-12-25 10:16 ` Nicholas Piggin
2021-12-25 10:16 ` Nicholas Piggin
2021-12-30 18:24 ` Fabiano Rosas [this message]
2021-12-30 18:24 ` Fabiano Rosas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k0fmdk8l.fsf@linux.ibm.com \
--to=farosas@linux.ibm.com \
--cc=aik@ozlabs.ru \
--cc=kvm-ppc@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=npiggin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.