Fix a host crash triggerable by the guest via a channel program.
vfio: ccw: only free cp on final interrupt

When we get an interrupt for a channel program, it is not
necessarily the final interrupt; for example, the issuing
guest may request an intermediate interrupt by specifying
the program-controlled-interrupt flag on a ccw.

We must not switch the state to idle if the interrupt is not
yet final; even more importantly, we must not free the translated
channel program if the interrupt is not yet final, or the host
can crash during cp rewind.

Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
Cc: stable@vger.kernel.org # v4.12+
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
1 file changed
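The lifetime bug described in the commit message, as an added model that is not the vfio-ccw driver's own code: the host keeps a translated channel program (cp) per request, and an interrupt handler that frees it on every interrupt leaves the next rewind touching freed memory when the guest requested an intermediate (PCI) interrupt. The `is_final` field, the device struct and the interrupt sequence are constructed for this example; the real driver derives "final" from the subchannel status word.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of the host's translated channel program (cp) for one I/O request. */
struct cp { bool initialized; };           /* true while the translation is alive */

/* Model of the status delivered with an I/O interrupt (constructed field; the
 * real driver derives "final" from the subchannel status word). */
struct irq_status { bool is_final; };      /* false for an intermediate, e.g. PCI, interrupt */

enum state { STATE_BUSY, STATE_IDLE };
struct dev { struct cp cp; enum state state; };

enum result { RUN_OK, RUN_CP_FREED_EARLY, RUN_IDLE_EARLY, RUN_NOT_FINISHED };

static void cp_free(struct cp *cp) { cp->initialized = false; }

/* Before the fix: every interrupt is treated as the final one. */
static void irq_todo_buggy(struct dev *d, const struct irq_status *st)
{
    (void)st;                              /* never looks at whether the I/O is done */
    if (d->cp.initialized)
        cp_free(&d->cp);
    d->state = STATE_IDLE;
}

/* After the fix: free the cp and go idle only on the final interrupt. */
static void irq_todo_fixed(struct dev *d, const struct irq_status *st)
{
    if (!st->is_final)
        return;                            /* the channel program is still running */
    if (d->cp.initialized)
        cp_free(&d->cp);
    d->state = STATE_IDLE;
}

/* Drives a constructed sequence: one intermediate (PCI) interrupt, then the final one.
 * After an intermediate interrupt the cp must still exist, because the next
 * interrupt rewinds it; freeing it there is the host-crash condition. */
static enum result run(void (*handler)(struct dev *, const struct irq_status *))
{
    static const struct irq_status seq[] = { { .is_final = false }, { .is_final = true } };
    struct dev d = { .cp = { .initialized = true }, .state = STATE_BUSY };

    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        handler(&d, &seq[i]);
        if (!seq[i].is_final && !d.cp.initialized)
            return RUN_CP_FREED_EARLY;      /* the next rewind would use freed memory */
        if (!seq[i].is_final && d.state != STATE_BUSY)
            return RUN_IDLE_EARLY;          /* went idle before the I/O completed */
    }
    return (d.state == STATE_IDLE && !d.cp.initialized) ? RUN_OK : RUN_NOT_FINISHED;
}
```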