qemu-cr16/hw
Thomas Huth e5cb62e7b6 hw/s390x: Fix a possible crash with passed-through virtio devices
Consider the following nested setup: An L1 host uses some virtio device
(e.g. virtio-keyboard) for the L2 guest, and this L2 guest passes this
device through to the L3 guest. Since the L3 guest sees a virtio device,
it might send virtio notifications to the QEMU in L2 for that device.
But since the QEMU in L2 defined this device as vfio-ccw, the function
handle_virtio_ccw_notify() cannot handle this and crashes: It calls
virtio_ccw_get_vdev() that casts sch->driver_data into a VirtioCcwDevice,
but since "sch" belongs to a vfio-ccw device, that driver_data rather
points to a CcwDevice instead. So as soon as QEMU tries to use some
VirtioCcwDevice specific data from that device, we've lost.

We must not take virtio notifications for such devices. Thus fix the
issue by adding a check to the handle_virtio_ccw_notify() handler to
refuse all devices that are not our own virtio devices. Like in the
other branches that detect wrong settings, we return -EINVAL from the
function, which will later be placed in GPR2 to inform the guest about
the error.

Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Tested-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20251118174047.73103-1-thuth@redhat.com>
2025-11-21 08:33:15 +01:00
9pfs 9pfs: Stop including gstrfuncs.h 2025-09-18 21:21:29 +02:00
acpi acpi/generic_event_device.c: enable use_hest_addr for QEMU 10.x 2025-10-05 08:06:32 -04:00
adc qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
alpha hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
arm hw/arm: Re-enable xenpvh machine in qemu-system-arm/aarch64 binaries 2025-11-18 19:59:36 +01:00
audio hw/audio/lm4549: Don't try to open a zero-frequency audio voice 2025-11-14 13:20:10 +00:00
avr qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
block block: enable stats-intervals for storage devices 2025-10-29 12:10:09 +01:00
char * char: rename CharBackend->CharFrontend 2025-10-29 10:43:56 +01:00
core virtio-net: Advertise UDP tunnel GSO support by default 2025-11-09 08:25:08 -05:00
cpu qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
cxl cxl: Clean up includes 2025-11-14 13:18:04 +00:00
display hw/display/xlnx_dp: Don't abort for unsupported graphics formats 2025-11-14 13:13:33 +00:00
dma hw/dma/zynq-devcfg: Fix register memory 2025-11-18 19:59:31 +01:00
fsi qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
gpio hw/gpio/pl061: Declare pullups/pulldowns as 8-bit types 2025-10-31 16:26:44 +00:00
hppa hw/hppa: Enable LASI i82596 network on 715 machine 2025-11-04 16:14:51 +01:00
hyperv system/ramblock: Move ram_block_discard_*_range() declarations 2025-10-07 03:37:03 +02:00
i2c hw/i2c/smbus_eeprom: Add minimum write recovery time for DDR2 2025-10-21 20:09:57 +02:00
i386 q35: increase default tseg size 2025-11-09 08:25:18 -05:00
ide hw/ide/ide-internal: Move dma_buf_commit() into ide "namespace" 2025-10-21 20:16:47 +02:00
input hid: fix incorrect return value for hid 2025-10-05 09:46:06 +03:00
intc hw/intc/ioapic: Fix ACCEL_KERNEL_GSI_IRQFD_POSSIBLE typo 2025-11-18 19:56:11 +01:00
ipack qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
ipmi * char: rename CharBackend->CharFrontend 2025-10-29 10:43:56 +01:00
isa x86: ich9: fix default value of 'No Reboot' bit in GCS 2025-10-05 09:01:08 -04:00
loongarch hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
m68k hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
mem cxl: Clean up includes 2025-11-14 13:18:04 +00:00
microblaze hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
mips * char: rename CharBackend->CharFrontend 2025-10-29 10:43:56 +01:00
misc hw/misc/npcm_clk: Don't divide by zero when calculating frequency 2025-11-14 13:19:37 +00:00
net ebpf: Make ebpf_rss_load() return value consistent with @errp 2025-11-18 19:59:36 +01:00
nubus hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
nvme hw/nvme: add atomic boundary support 2025-10-30 07:07:14 +01:00
nvram nw/nvram/ds1225y: Fix nvram MemoryRegion owner 2025-10-28 08:19:18 +01:00
openrisc hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
pci migration: Fix regression of passing error_fatal into vmstate_load_state() 2025-11-03 16:04:10 -05:00
pci-bridge hw/arm/smmu-common: Check SMMU has PCIe Root Complex association 2025-09-16 17:31:54 +01:00
pci-host q35: increase default tseg size 2025-11-09 08:25:18 -05:00
ppc hw/ppc/pegasos: Fix memory leak 2025-11-09 16:54:44 +05:30
remote hw: Remove unnecessary 'system/ram_addr.h' header 2025-10-07 05:03:56 +02:00
riscv hw/riscv: Replace target_ulong uses 2025-10-30 14:48:26 +01:00
rtc hw/rtc/mc146818rtc: Assert correct usage of mc146818rtc_set_cmos_data() 2025-10-21 20:16:47 +02:00
rx hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
s390x hw/s390x: Fix a possible crash with passed-through virtio devices 2025-11-21 08:33:15 +01:00
scsi ncr710: Use address space of device instead of global address space 2025-11-09 16:09:35 +01:00
sd hw/sd/sdcard: Avoid confusing address calculation in rpmb_calc_hmac 2025-11-18 19:59:36 +01:00
sensor qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
sh4 hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
smbios hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
sparc hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
sparc64 hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
ssi hw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030 2025-08-04 09:07:38 +02:00
timer hw/pcspk: use explicitly the required PIT types 2025-10-22 08:55:28 +02:00
tpm qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
tricore qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
uefi hw/uefi/ovmf-log: Fix memory leak in hmp_info_firmware_log 2025-10-23 13:27:27 +02:00
ufs hw/ufs/lu: skip automatic zero-init of large array 2025-06-12 13:40:16 -04:00
usb audio: move audio.h under include/qemu/ 2025-10-30 22:56:51 +04:00
vfio vfio: Clean up includes 2025-11-14 13:18:04 +00:00
vfio-user vfio: Clean up includes 2025-11-14 13:18:04 +00:00
virtio vhost-user: make vhost_set_vring_file() synchronous 2025-11-09 08:24:29 -05:00
vmapple hw/gpio/pl061: Declare pullups/pulldowns as 8-bit types 2025-10-31 16:26:44 +00:00
watchdog wdt_i6300esb: fix incorrect mask for interrupt type 2025-10-05 09:46:06 +03:00
xen hw/xen: Build only once 2025-10-30 14:48:26 +01:00
xenpv hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xtensa hw/core/loader: capture Error from load_image_targphys 2025-10-28 08:19:18 +01:00
Kconfig vfio-user: add vfio-user class and container 2025-06-26 08:55:38 +02:00
meson.build hw/meson: enter target hw first 2025-09-02 17:57:05 +02:00