public inbox for kvm@vger.kernel.org
From: Carsten Otte <carsteno@de.ibm.com>
To: Avi Kivity <avi@redhat.com>
Cc: Alexander Graf <agraf@suse.de>,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	KVM list <kvm@vger.kernel.org>,
	stable@kernel.org, Martin Schwidefsky <schwidefsky@de.ibm.com>
Subject: Fix prefix register checking in arch/s390/kvm/sigp.c
Date: Mon, 30 Nov 2009 17:14:41 +0100
Message-ID: <4B13EF71.3080905@de.ibm.com>

This patch corrects the checking of the new address for the prefix register.
On s390, the prefix register is used to address the cpu's lowcore (address
0...8k). This check is supposed to verify that the memory is readable and
present.
copy_from_guest is a helper function that can be used to read from guest
memory. It applies prefixing, adds the start address of the guest memory in
user, and then calls copy_from_user. Previous code was obviously broken for
two reasons:
- prefixing should not be applied here. The current prefix register is
  going to be updated soon, and the address we're looking for will be
  0..8k after we've updated the register
- we're adding the guest origin (gmsor) twice: once in subject code
  and once in copy_from_guest

With kuli, we did not hit this problem because (a) we were lucky with
previous prefix register content, and (b) our guest memory was mmaped
very low into user address space.

This patch should go into 2.6.32; it prevents running smp guests with qemu.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Reported-by: Alexander Graf <agraf@suse.de>
---
 sigp.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
Index: kvm/arch/s390/kvm/sigp.c
===================================================================
--- kvm.orig/arch/s390/kvm/sigp.c	2009-10-13 11:09:04.000000000 +0200
+++ kvm/arch/s390/kvm/sigp.c	2009-11-30 16:46:21.000000000 +0100
@@ -188,9 +188,9 @@
 
 	/* make sure that the new value is valid memory */
 	address = address & 0x7fffe000u;
-	if ((copy_from_guest(vcpu, &tmp,
-		(u64) (address + vcpu->arch.sie_block->gmsor) , 1)) ||
-	   (copy_from_guest(vcpu, &tmp, (u64) (address +
+	if ((copy_from_user(&tmp, (void __user *)
+		(address + vcpu->arch.sie_block->gmsor) , 1)) ||
+	   (copy_from_user(&tmp, (void __user *)(address +
 			vcpu->arch.sie_block->gmsor + PAGE_SIZE), 1))) {
 		*reg |= SIGP_STAT_INVALID_PARAMETER;
 		return 1; /* invalid parameter */
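Review bot: the validity check still has no upper bound, so a prefix value that lies beyond the end of guest memory but whose host address (address + gmsor) happens to be mapped in the user process (for example qemu's own data placed right after the guest RAM) is accepted; now that the code probes raw user addresses with copy_from_user, add an explicit check that address + 2 * PAGE_SIZE does not exceed the guest memory size (whichever vcpu or kvm field records that limit) before the two reads. The two probes at offset 0 and PAGE_SIZE cover the 8k lowcore selected by the 0x7fffe000u mask only because PAGE_SIZE is 4k on s390; a short comment stating that would help the next reader. Style nit carried over from the removed lines: drop the stray space before the comma in `(address + vcpu->arch.sie_block->gmsor) , 1)`.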

Thread overview: 2+ messages
2009-11-30 16:14 Carsten Otte [this message]
2009-12-02 12:55 ` Fix prefix register checking in arch/s390/kvm/sigp.c Avi Kivity