The cssid 255 is reserved but still valid from an architectural
point of view. However, feeding a bogus schid of 0xffffffff into
the virtio hypercall will lead to a crash:
Stack trace of thread 138363:
#0 0x00000000100d168c css_find_subch (qemu-system-s390x)
#1 0x00000000100d3290 virtio_ccw_hcall_notify
#2 0x00000000100cbf60 s390_virtio_hypercall
#3 0x000000001010ff7a handle_hypercall
#4 0x0000000010079ed4 kvm_cpu_exec (qemu-system-s390x)
#5 0x00000000100609b4 qemu_kvm_cpu_thread_fn
#6 0x000003ff8b887bb4 start_thread (libpthread.so.0)
#7 0x000003ff8b78df0a thread_start (libc.so.6)
This is because the css array was only allocated for 0..254
instead of 0..255.
Let's fix this by bumping MAX_CSSID to 255 and fencing off the
reserved cssid of 255 during css image allocation.
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 882b3b9769
)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
/*
|
|
* Channel subsystem structures and definitions.
|
|
*
|
|
* Copyright 2012 IBM Corp.
|
|
* Author(s): Cornelia Huck <cornelia.huck@de.ibm.com>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or (at
|
|
* your option) any later version. See the COPYING file in the top-level
|
|
* directory.
|
|
*/
|
|
|
|
#ifndef CSS_H
|
|
#define CSS_H
|
|
|
|
#include "hw/s390x/adapter.h"
|
|
#include "hw/s390x/s390_flic.h"
|
|
#include "ioinst.h"
|
|
|
|
/* Channel subsystem constants. */
|
|
#define MAX_SCHID 65535
|
|
#define MAX_SSID 3
|
|
#define MAX_CSSID 255
|
|
#define MAX_CHPID 255
|
|
|
|
#define MAX_CIWS 62
|
|
|
|
typedef struct CIW {
|
|
uint8_t type;
|
|
uint8_t command;
|
|
uint16_t count;
|
|
} QEMU_PACKED CIW;
|
|
|
|
typedef struct SenseId {
|
|
/* common part */
|
|
uint8_t reserved; /* always 0x'FF' */
|
|
uint16_t cu_type; /* control unit type */
|
|
uint8_t cu_model; /* control unit model */
|
|
uint16_t dev_type; /* device type */
|
|
uint8_t dev_model; /* device model */
|
|
uint8_t unused; /* padding byte */
|
|
/* extended part */
|
|
CIW ciw[MAX_CIWS]; /* variable # of CIWs */
|
|
} QEMU_PACKED SenseId;
|
|
|
|
/* Channel measurements, from linux/drivers/s390/cio/cmf.c. */
|
|
typedef struct CMB {
|
|
uint16_t ssch_rsch_count;
|
|
uint16_t sample_count;
|
|
uint32_t device_connect_time;
|
|
uint32_t function_pending_time;
|
|
uint32_t device_disconnect_time;
|
|
uint32_t control_unit_queuing_time;
|
|
uint32_t device_active_only_time;
|
|
uint32_t reserved[2];
|
|
} QEMU_PACKED CMB;
|
|
|
|
typedef struct CMBE {
|
|
uint32_t ssch_rsch_count;
|
|
uint32_t sample_count;
|
|
uint32_t device_connect_time;
|
|
uint32_t function_pending_time;
|
|
uint32_t device_disconnect_time;
|
|
uint32_t control_unit_queuing_time;
|
|
uint32_t device_active_only_time;
|
|
uint32_t device_busy_time;
|
|
uint32_t initial_command_response_time;
|
|
uint32_t reserved[7];
|
|
} QEMU_PACKED CMBE;
|
|
|
|
struct SubchDev {
|
|
/* channel-subsystem related things: */
|
|
uint8_t cssid;
|
|
uint8_t ssid;
|
|
uint16_t schid;
|
|
uint16_t devno;
|
|
SCHIB curr_status;
|
|
uint8_t sense_data[32];
|
|
hwaddr channel_prog;
|
|
CCW1 last_cmd;
|
|
bool last_cmd_valid;
|
|
bool ccw_fmt_1;
|
|
bool thinint_active;
|
|
uint8_t ccw_no_data_cnt;
|
|
/* transport-provided data: */
|
|
int (*ccw_cb) (SubchDev *, CCW1);
|
|
void (*disable_cb)(SubchDev *);
|
|
SenseId id;
|
|
void *driver_data;
|
|
};
|
|
|
|
typedef struct IndAddr {
|
|
hwaddr addr;
|
|
uint64_t map;
|
|
unsigned long refcnt;
|
|
int len;
|
|
QTAILQ_ENTRY(IndAddr) sibling;
|
|
} IndAddr;
|
|
|
|
IndAddr *get_indicator(hwaddr ind_addr, int len);
|
|
void release_indicator(AdapterInfo *adapter, IndAddr *indicator);
|
|
int map_indicator(AdapterInfo *adapter, IndAddr *indicator);
|
|
|
|
typedef SubchDev *(*css_subch_cb_func)(uint8_t m, uint8_t cssid, uint8_t ssid,
|
|
uint16_t schid);
|
|
void subch_device_save(SubchDev *s, QEMUFile *f);
|
|
int subch_device_load(SubchDev *s, QEMUFile *f);
|
|
int css_create_css_image(uint8_t cssid, bool default_image);
|
|
bool css_devno_used(uint8_t cssid, uint8_t ssid, uint16_t devno);
|
|
void css_subch_assign(uint8_t cssid, uint8_t ssid, uint16_t schid,
|
|
uint16_t devno, SubchDev *sch);
|
|
void css_sch_build_virtual_schib(SubchDev *sch, uint8_t chpid, uint8_t type);
|
|
uint16_t css_build_subchannel_id(SubchDev *sch);
|
|
void css_reset(void);
|
|
void css_reset_sch(SubchDev *sch);
|
|
void css_queue_crw(uint8_t rsc, uint8_t erc, int chain, uint16_t rsid);
|
|
void css_generate_sch_crws(uint8_t cssid, uint8_t ssid, uint16_t schid,
|
|
int hotplugged, int add);
|
|
void css_generate_chp_crws(uint8_t cssid, uint8_t chpid);
|
|
void css_generate_css_crws(uint8_t cssid);
|
|
void css_clear_sei_pending(void);
|
|
void css_adapter_interrupt(uint8_t isc);
|
|
|
|
#define CSS_IO_ADAPTER_VIRTIO 1
|
|
int css_register_io_adapter(uint8_t type, uint8_t isc, bool swap,
|
|
bool maskable, uint32_t *id);
|
|
#endif
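Review bot: `#define MAX_CSSID 255` is an inclusive upper bound, and the crash this commit fixes came from an array sized as if it were a count, so the constants block should say so explicitly: `/* MAX_* are inclusive ids: a table indexed by cssid needs MAX_CSSID + 1 entries; cssid MAX_CSSID is architecturally reserved. */`. The fencing of the reserved cssid described in the message lives in css.c rather than in this header, so the `css_create_css_image()` prototype is the natural place to note that a reserved cssid is rejected with a non-zero return — the exact value is not visible here and should be copied from the implementation. Without that note a reader of `css_find_subch()` has no header-level reason to expect a 256-entry table, which is how the off-by-one slipped in.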
|