rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity
af68a7132d
qemu/s390x-protvirt-SCLP-interpretation.patch
Bruce Rogers af68a7132d Accepting request 822154 from home:bfrogers:branches:Virtualization 
- Updating to Sphinx v3.1.2 in Factory is exposing an issue in
  qemu doc sources. Fix it
  docs-fix-trace-docs-build-with-sphinx-3..patch
- Fix DoS possibility in ati-vga emulation (CVE-2020-13800
  bsc#1172495)
  ati-vga-check-mm_index-before-recursive-.patch
- Fix DoS possibility in Network Block Device (nbd) support
  infrastructure (CVE-2020-10761 bsc#1172710)
  nbd-server-Avoid-long-error-message-asse.patch
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS
  8708EM2 emulation (CVE-2020-13659 bsc#1172386)
  exec-set-map-length-to-zero-when-returni.patch
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation
  (CVE-2020-13362 bsc#1172383)
  megasas-use-unsigned-type-for-reply_queu.patch
- Fix legacy IGD passthrough
  hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch
- The latest gcc10 available in Factory has the fix for the
  issue this patch was created to avoid, so drop it
  build-Work-around-gcc10-bug-by-not-using.patch
- Switch to upstream versions of some patches we carry
  add-enum-cast-to-avoid-gcc10-warning.patch
  -> golan-Add-explicit-type-casts-for-nodnic.patch
  Be-explicit-about-fcommon-compiler-direc.patch
  -> build-Be-explicit-about-fcommon-compiler.patch
  Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
  -> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch
  Fix-s-directive-argument-is-null-error.patch
  -> build-Fix-s-directive-argument-is-null-e.patch
  Workaround-compilation-error-with-gcc-9..patch
  -> build-Workaround-compilation-error-with-.patch
  work-around-gcc10-problem-with-zero-leng.patch
  -> intel-Avoid-spurious-compiler-warning-on.patch
- Fix vgabios issue for cirrus graphics emulation, which
  effectively downgraded it to standard VGA behavior
  vga-fix-cirrus-bios.patch
- Fix OOB access possibility in ES1370 audio device emulation
  (CVE-2020-13361 bsc#1172384)
  es1370-check-total-frame-count-against-c.patch

OBS-URL: https://build.opensuse.org/request/show/822154
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=553
2020-07-22 04:19:22 +00:00

157 lines
5.3 KiB
Diff
Raw Blame History

From: Janosch Frank <frankja@linux.ibm.com>
Date: Mon, 3 Jun 2019 16:40:29 +0200
Subject: s390x: protvirt: SCLP interpretation
Git-commit: 32633cf4539341180dbc7a92c2655c711b4a6996
References: bsc#1167075
SCLP for a protected guest is done over the SIDAD, so we need to use
the s390_cpu_pv_mem_* functions to access the SIDAD instead of guest
memory when reading/writing SCBs.
To not confuse the sclp emulation, we set 0x4000 as the SCCB address,
since the function that injects the sclp external interrupt would
reject a zero sccb address.
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/sclp.c | 56 +++++++++++++++++++++++++++++++++--------
include/hw/s390x/sclp.h | 2 ++
target/s390x/kvm.c | 25 ++++++++++++++----
3 files changed, 67 insertions(+), 16 deletions(-)
diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index f0c35aa57afde03f7ec3e5f52f49..ede056b3efd7d92445d00f2e1298 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -33,6 +33,22 @@ static inline SCLPDevice *get_sclp_device(void)
return sclp;
}
+static inline bool sclp_command_code_valid(uint32_t code)
+{
+ switch (code & SCLP_CMD_CODE_MASK) {
+ case SCLP_CMDW_READ_SCP_INFO:
+ case SCLP_CMDW_READ_SCP_INFO_FORCED:
+ case SCLP_CMDW_READ_CPU_INFO:
+ case SCLP_CMDW_CONFIGURE_IOA:
+ case SCLP_CMDW_DECONFIGURE_IOA:
+ case SCLP_CMD_READ_EVENT_DATA:
+ case SCLP_CMD_WRITE_EVENT_DATA:
+ case SCLP_CMD_WRITE_EVENT_MASK:
+ return true;
+ }
+ return false;
+}
+
static void prepare_cpu_entries(SCLPDevice *sclp, CPUEntry *entry, int *count)
{
MachineState *ms = MACHINE(qdev_get_machine());
@@ -193,6 +209,34 @@ static void sclp_execute(SCLPDevice *sclp, SCCB *sccb, uint32_t code)
}
}
+/*
+ * We only need the address to have something valid for the
+ * service_interrupt call.
+ */
+#define SCLP_PV_DUMMY_ADDR 0x4000
+int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb,
+ uint32_t code)
+{
+ SCLPDevice *sclp = get_sclp_device();
+ SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp);
+ SCCB work_sccb;
+ hwaddr sccb_len = sizeof(SCCB);
+
+ s390_cpu_pv_mem_read(env_archcpu(env), 0, &work_sccb, sccb_len);
+
+ if (!sclp_command_code_valid(code)) {
+ work_sccb.h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);
+ goto out_write;
+ }
+
+ sclp_c->execute(sclp, &work_sccb, code);
+out_write:
+ s390_cpu_pv_mem_write(env_archcpu(env), 0, &work_sccb,
+ be16_to_cpu(work_sccb.h.length));
+ sclp_c->service_interrupt(sclp, SCLP_PV_DUMMY_ADDR);
+ return 0;
+}
+
int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code)
{
SCLPDevice *sclp = get_sclp_device();
@@ -225,17 +269,7 @@ int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code)
return -PGM_SPECIFICATION;
}
- switch (code & SCLP_CMD_CODE_MASK) {
- case SCLP_CMDW_READ_SCP_INFO:
- case SCLP_CMDW_READ_SCP_INFO_FORCED:
- case SCLP_CMDW_READ_CPU_INFO:
- case SCLP_CMDW_CONFIGURE_IOA:
- case SCLP_CMDW_DECONFIGURE_IOA:
- case SCLP_CMD_READ_EVENT_DATA:
- case SCLP_CMD_WRITE_EVENT_DATA:
- case SCLP_CMD_WRITE_EVENT_MASK:
- break;
- default:
+ if (!sclp_command_code_valid(code)) {
work_sccb.h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);
goto out_write;
}
diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
index cd7b24359f28deb4b659b1f284f6..822eff4396ff5dded7496e50575d 100644
--- a/include/hw/s390x/sclp.h
+++ b/include/hw/s390x/sclp.h
@@ -217,5 +217,7 @@ void s390_sclp_init(void);
void sclp_service_interrupt(uint32_t sccb);
void raise_irq_cpu_hotplug(void);
int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code);
+int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb,
+ uint32_t code);
#endif
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index e0b61680ab086a5ff5875c42b7e5..870dd1b52b6e424f6cbd751cce0d 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -1233,12 +1233,27 @@ static void kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
sccb = env->regs[ipbh0 & 0xf];
code = env->regs[(ipbh0 & 0xf0) >> 4];
- r = sclp_service_call(env, sccb, code);
- if (r < 0) {
- kvm_s390_program_interrupt(cpu, -r);
- return;
+ switch (run->s390_sieic.icptcode) {
+ case ICPT_PV_INSTR_NOTIFICATION:
+ g_assert(s390_is_pv());
+ /* The notification intercepts are currently handled by KVM */
+ error_report("unexpected SCLP PV notification");
+ exit(1);
+ break;
+ case ICPT_PV_INSTR:
+ g_assert(s390_is_pv());
+ sclp_service_call_protected(env, sccb, code);
+ /* Setting the CC is done by the Ultravisor. */
+ break;
+ case ICPT_INSTRUCTION:
+ g_assert(!s390_is_pv());
+ r = sclp_service_call(env, sccb, code);
+ if (r < 0) {
+ kvm_s390_program_interrupt(cpu, -r);
+ return;
+ }
+ setcc(cpu, r);
}
- setcc(cpu, r);
}
static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1)
View Git Blame Copy Permalink