From: Greg Kroah-Hartman Date: Mon, 1 Apr 2019 13:59:13 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.138~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb217dea4b01e9ae0d4468960a7b92b9f02bfcbc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: vfio-ccw-only-free-cp-on-final-interrupt.patch
---
diff --git a/queue-4.14/series b/queue-4.14/series
index 55edae348de..54dc5ba931b 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -104,3 +104,4 @@ x86-smp-enforce-config_hotplug_cpu-when-smp-y.patch
 kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch
 kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
 revert-usb-core-only-clean-up-what-we-allocated.patch
+vfio-ccw-only-free-cp-on-final-interrupt.patch
diff --git a/queue-4.14/vfio-ccw-only-free-cp-on-final-interrupt.patch b/queue-4.14/vfio-ccw-only-free-cp-on-final-interrupt.patch
new file mode 100644
index 00000000000..34c79cd5b9e
--- /dev/null
+++ b/queue-4.14/vfio-ccw-only-free-cp-on-final-interrupt.patch
@@ -0,0 +1,58 @@
+From 50b7f1b7236bab08ebbbecf90521e84b068d7a17 Mon Sep 17 00:00:00 2001
+From: Cornelia Huck
+Date: Mon, 11 Mar 2019 10:59:53 +0100
+Subject: vfio: ccw: only free cp on final interrupt
+
+From: Cornelia Huck
+
+commit 50b7f1b7236bab08ebbbecf90521e84b068d7a17 upstream.
+
+When we get an interrupt for a channel program, it is not
+necessarily the final interrupt; for example, the issuing
+guest may request an intermediate interrupt by specifying
+the program-controlled-interrupt flag on a ccw.
+
+We must not switch the state to idle if the interrupt is not
+yet final; even more importantly, we must not free the translated
+channel program if the interrupt is not yet final, or the host
+can crash during cp rewind.
+
+Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
+Cc: stable@vger.kernel.org # v4.12+
+Reviewed-by: Eric Farman
+Signed-off-by: Cornelia Huck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/vfio_ccw_drv.c
++++ b/drivers/s390/cio/vfio_ccw_drv.c
+@@ -70,20 +70,24 @@ static void vfio_ccw_sch_io_todo(struct
+ {
+ struct vfio_ccw_private *private;
+ struct irb *irb;
++ bool is_final;
+
+ private = container_of(work, struct vfio_ccw_private, io_work);
+ irb = &private->irb;
+
++ is_final = !(scsw_actl(&irb->scsw) &
++ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
+ if (scsw_is_solicited(&irb->scsw)) {
+ cp_update_scsw(&private->cp, &irb->scsw);
+- cp_free(&private->cp);
++ if (is_final)
++ cp_free(&private->cp);
+ }
+ memcpy(private->io_region.irb_area, irb, sizeof(*irb));
+
+ if (private->io_trigger)
+ eventfd_signal(private->io_trigger, 1);
+
+- if (private->mdev)
++ if (private->mdev && is_final)
+ private->state = VFIO_CCW_STATE_IDLE;
+ }
+
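Review bot: In vfio_ccw_sch_io_todo() the new `is_final` test gates two actions under different conditions: `cp_free()` runs only when the interrupt is both solicited and final, while the switch to `VFIO_CCW_STATE_IDLE` runs for any final interrupt, solicited or not. If an unsolicited final interrupt can arrive while a guest channel program is still outstanding (not determinable from this hunk), the state would return to idle with the translated cp still allocated, the same kind of cp/state mismatch that the commit message says a guest can turn into a host crash. It is worth confirming that case cannot occur, or tying the idle transition to the branch that actually freed the cp. Independently, the activity-control test deserves a comment above the `is_final` assignment, for example `/* not final while the subchannel or device is still active; cp is still in use */`. The function's signature is visible only in the hunk header.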