Bug 1219090 - vfio-pci - post QEMU2.3 fixes, error sign + BAR overflow
Summary: vfio-pci - post QEMU2.3 fixes, error sign + BAR overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Alex Williamson
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-06 14:37 UTC by Alex Williamson
Modified: 2015-12-04 16:41 UTC (History)
6 users (show)

Fixed In Version: qemu-kvm-rhev-2.3.0-6.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-04 16:41:32 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2546 0 normal SHIPPED_LIVE qemu-kvm-rhev bug fix and enhancement update 2015-12-04 21:11:56 UTC

Description Alex Williamson 2015-05-06 14:37:18 UTC
Description of problem:

Include the following post-QEMU-2.3 patches:

commit c6d231e2fd3773ef9a566ca24962f2314cb78f73
Author: Alex Williamson <alex.williamson>
Date:   Tue Apr 28 11:14:02 2015 -0600

    vfio-pci: Fix error path sign
    
    This is an impossible error path due to the fact that we're reading a
    kernel provided, rather than user provided link, which will certainly
    always fit in PATH_MAX.  Currently it returns a fixed 26 char path
    plus %d group number, which typically maxes out at double digits.
    However, the caller of the initfn certainly expects a less-than zero
    return value on error, not just a non-zero value.  Therefore we
    should correct the sign here.
    
    Reported-by: Laszlo Ersek <lersek>
    Reviewed-by: Laszlo Ersek <lersek>
    Signed-off-by: Alex Williamson <alex.williamson>

commit 07ceaf98800519ef9c5dc893af00f1fe1f9144e4
Author: Alex Williamson <alex.williamson>
Date:   Tue Apr 28 11:14:02 2015 -0600

    vfio-pci: Further fix BAR size overflow
    
    In an analysis by Laszlo, the resulting type of our calculation for
    the end of the MSI-X table, and thus the start of memory after the
    table, is uint32_t.  We're therefore not correctly preventing the
    corner case overflow that we intended to fix here where a BAR >=4G
    could place the MSI-X table to end exactly at the 4G boundary.  The
    MSI-X table offset is defined by the hardware spec to 32bits, so we
    simply use a cast rather than changing data structure types.  This
    scenario is purely theoretically, typically the MSI-X table is located
    at the front of the BAR.
    
    Reported-by: Laszlo Ersek <lersek>
    Reviewed-by: Laszlo Ersek <lersek>
    Signed-off-by: Alex Williamson <alex.williamson>

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Neither of these are directly test-able, but are included in qemu-kvm-rhel and should therefore be included in qemu-kvm-rhev.  The error path is unreachable, the overflow requires a very specific, theoretical device.

Comment 2 Miroslav Rezanina 2015-06-26 11:20:50 UTC
Fix included in qemu-kvm-rhev-2.3.0-6.el7

Comment 6 juzhang 2015-08-03 03:51:11 UTC
According to comment4 and comment5, set this issue as verified. QE will continue to track new bzs.

Best Regards,
Junyi

Comment 8 errata-xmlrpc 2015-12-04 16:41:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html


Note You need to log in before you can comment on or make changes to this bug.