* [Qemu-devel] [PATCH v2] s390x/cpumodel: fix segmentation fault when baselining models
@ 2018-07-18  9:23 David Hildenbrand
  2018-07-18 11:06 ` Christian Borntraeger
  2018-07-18 12:36 ` Cornelia Huck
  0 siblings, 2 replies; 3+ messages in thread
From: David Hildenbrand @ 2018-07-18  9:23 UTC (permalink / raw)
  To: qemu-s390x
  Cc: qemu-devel, Richard Henderson, Alexander Graf, Cornelia Huck,
	Christian Borntraeger, Thomas Huth, Chris Venteicher,
	Collin Walling, David Hildenbrand

Usually, when baselining two CPU models, whereby one of them has base
CPU features disabled (e.g. z14-base,msa=off), we fall back to an older
model that did not have these features in the base model. We always try to
create a "sane" CPU model (as far as possible), and one part of it is that
removing base features is no good and to be avoided.

Now, if we disable base features that were part of a z900, we're out of
luck. We won't find a CPU model and QEMU will segfault. This is a
scenario that should never happen in real life, but it can be used to
crash QEMU.

So let's properly report an error if we baseline e.g.:

{ "execute": "query-cpu-model-baseline",
  "arguments" : { "modela": { "name": "z14-base", "props": {"esan3" : false}},
                  "modelb": { "name": "z14"}} }

Instead of segfaulting.

Signed-off-by: David Hildenbrand <david@redhat.com>
---
 target/s390x/cpu_models.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c
index cfdbccf46d..604898a882 100644
--- a/target/s390x/cpu_models.c
+++ b/target/s390x/cpu_models.c
@@ -716,6 +716,14 @@ CpuModelBaselineInfo *arch_query_cpu_model_baseline(CpuModelInfo *infoa,
 
     model.def = s390_find_cpu_def(cpu_type, max_gen, max_gen_ga,
                                   model.features);
+
+    /* models without early base features (esan3) are bad */
+    if (!model.def) {
+        error_setg(errp, "No compatible CPU model could be created as"
+                   " important base features are disabled");
+        return NULL;
+    }
+
     /* strip off features not part of the max model */
     bitmap_and(model.features, model.features, model.def->full_feat,
                S390_FEAT_MAX);
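Review bot: the NULL check lands before the `model.def->full_feat` read in `bitmap_and()`, which is the dereference that produced the segfault, so the guard covers the crash path; the point I would tighten is the error text, since "important base features are disabled" does not tell the caller which feature (esan3 in the commit message's example) or which input model left `s390_find_cpu_def()` without a candidate. Consider naming the offending feature or model in the `error_setg()` message, and making the comment `/* models without early base features (esan3) are bad */` state explicitly that `s390_find_cpu_def()` returns NULL in that case, which is why the check belongs at this exact spot.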
-- 
2.17.1
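To show the mechanism the commit message describes (fall back to an older generation when base features are disabled, with no candidate left once a z900 base feature such as esan3 is removed), here is an added example that is not QEMU's code: a constructed three-entry generation table, a lookup that returns NULL when nothing fits, and the baseline step guarded the way the patch guards it. The feature bits, the table and the function names are hypothetical stand-ins for QEMU's real definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed feature bits and generation table (hypothetical, not QEMU's
 * real S390_FEAT_* definitions), enough to model the fallback search. */
enum { F_ESAN3 = 1u, F_ZARCH = 2u, F_MSA = 4u, F_MSA4 = 8u, F_VX = 16u };
typedef struct {
    const char *name; unsigned gen;
    uint32_t base_feat, full_feat; /* required by / offered by this generation */
} CpuDef;
static const CpuDef defs[] = {
    { "z900", 9,  F_ESAN3 | F_ZARCH,                  F_ESAN3 | F_ZARCH | F_MSA },
    { "z10",  10, F_ESAN3 | F_ZARCH | F_MSA,          F_ESAN3 | F_ZARCH | F_MSA | F_MSA4 },
    { "z14",  14, F_ESAN3 | F_ZARCH | F_MSA | F_MSA4, 0x1f },
};
/* Newest generation <= max_gen whose base features are all still enabled;
 * NULL when even the oldest entry needs a disabled feature (esan3 here),
 * which is the pointer the unpatched code went on to dereference. */
static const CpuDef *find_cpu_def(unsigned max_gen, uint32_t features)
{
    const CpuDef *best = NULL;
    for (size_t i = 0; i < sizeof(defs) / sizeof(defs[0]); i++) {
        if (defs[i].gen <= max_gen && (defs[i].base_feat & ~features) == 0 &&
            (!best || defs[i].gen > best->gen))
            best = &defs[i];
    }
    return best;
}

/* The step the patch guards: 0 and *out on success, -1 with err filled when
 * no model fits, instead of reading def->full_feat through a NULL def. */
static int baseline(unsigned max_gen, uint32_t features, uint32_t *out,
                    char *err, size_t errlen)
{
    const CpuDef *def = find_cpu_def(max_gen, features);
    if (!def) {
        snprintf(err, errlen, "No compatible CPU model could be created as"
                 " important base features are disabled");
        return -1;
    }
    *out = features & def->full_feat; /* strip what the model can't carry */
    return 0;
}

int main(void)
{
    uint32_t out; char err[96];
    if (baseline(14, 0x1f & ~F_ESAN3, &out, err, sizeof err) < 0) puts(err);
    return 0;
}
```

Disabling msa4 on a z14 request falls back to the z10 entry and strips the features it cannot carry; disabling esan3 leaves no candidate and yields the error instead of a crash.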


* Re: [Qemu-devel] [PATCH v2] s390x/cpumodel: fix segmentation fault when baselining models
  2018-07-18  9:23 [Qemu-devel] [PATCH v2] s390x/cpumodel: fix segmentation fault when baselining models David Hildenbrand
@ 2018-07-18 11:06 ` Christian Borntraeger
  2018-07-18 12:36 ` Cornelia Huck
  1 sibling, 0 replies; 3+ messages in thread
From: Christian Borntraeger @ 2018-07-18 11:06 UTC (permalink / raw)
  To: David Hildenbrand, qemu-s390x
  Cc: qemu-devel, Richard Henderson, Alexander Graf, Cornelia Huck,
	Thomas Huth, Chris Venteicher, Collin Walling



On 07/18/2018 11:23 AM, David Hildenbrand wrote:
> Usually, when baselining two CPU models, whereby one of them has base
> CPU features disabled (e.g. z14-base,msa=off), we fall back to an older
> model that did not have these features in the base model. We always try to
> create a "sane" CPU model (as far as possible), and one part of it is that
> removing base features is no good and to be avoided.
> 
> Now, if we disable base features that were part of a z900, we're out of
> luck. We won't find a CPU model and QEMU will segfault. This is a
> scenario that should never happen in real life, but it can be used to
> crash QEMU.
> 
> So let's properly report an error if we baseline e.g.:
> 
> { "execute": "query-cpu-model-baseline",
>   "arguments" : { "modela": { "name": "z14-base", "props": {"esan3" : false}},
>                   "modelb": { "name": "z14"}} }
> 
> Instead of segfaulting.
> 
> Signed-off-by: David Hildenbrand <david@redhat.com>

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>

> ---
>  target/s390x/cpu_models.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c
> index cfdbccf46d..604898a882 100644
> --- a/target/s390x/cpu_models.c
> +++ b/target/s390x/cpu_models.c
> @@ -716,6 +716,14 @@ CpuModelBaselineInfo *arch_query_cpu_model_baseline(CpuModelInfo *infoa,
>  
>      model.def = s390_find_cpu_def(cpu_type, max_gen, max_gen_ga,
>                                    model.features);
> +
> +    /* models without early base features (esan3) are bad */
> +    if (!model.def) {
> +        error_setg(errp, "No compatible CPU model could be created as"
> +                   " important base features are disabled");
> +        return NULL;
> +    }
> +
>      /* strip off features not part of the max model */
>      bitmap_and(model.features, model.features, model.def->full_feat,
>                 S390_FEAT_MAX);
> 


* Re: [Qemu-devel] [PATCH v2] s390x/cpumodel: fix segmentation fault when baselining models
  2018-07-18  9:23 [Qemu-devel] [PATCH v2] s390x/cpumodel: fix segmentation fault when baselining models David Hildenbrand
  2018-07-18 11:06 ` Christian Borntraeger
@ 2018-07-18 12:36 ` Cornelia Huck
  1 sibling, 0 replies; 3+ messages in thread
From: Cornelia Huck @ 2018-07-18 12:36 UTC (permalink / raw)
  To: David Hildenbrand
  Cc: qemu-s390x, qemu-devel, Richard Henderson, Alexander Graf,
	Christian Borntraeger, Thomas Huth, Chris Venteicher,
	Collin Walling

On Wed, 18 Jul 2018 11:23:30 +0200
David Hildenbrand <david@redhat.com> wrote:

> Usually, when baselining two CPU models, whereby one of them has base
> CPU features disabled (e.g. z14-base,msa=off), we fall back to an older
> model that did not have these features in the base model. We always try to
> create a "sane" CPU model (as far as possible), and one part of it is that
> removing base features is no good and to be avoided.
> 
> Now, if we disable base features that were part of a z900, we're out of
> luck. We won't find a CPU model and QEMU will segfault. This is a
> scenario that should never happen in real life, but it can be used to
> crash QEMU.
> 
> So let's properly report an error if we baseline e.g.:
> 
> { "execute": "query-cpu-model-baseline",
>   "arguments" : { "modela": { "name": "z14-base", "props": {"esan3" : false}},
>                   "modelb": { "name": "z14"}} }
> 
> Instead of segfaulting.
> 
> Signed-off-by: David Hildenbrand <david@redhat.com>
> ---
>  target/s390x/cpu_models.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

Thanks, queued to s390-fixes.

