Commit a1d032a4 authored by David Hildenbrand's avatar David Hildenbrand Committed by Christian Borntraeger

KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks

In case we have a region 1 the following calculation
(31 + ((gmap->asce & _ASCE_TYPE_MASK) >> 2)*11)
results in 64. As shifts beyond the size are undefined the compiler is
free to use instructions like sllg. sllg will only use 6 bits of the
shift value (here 64) resulting in no shift at all. That means that ALL
addresses will be rejected.

The can result in endless loops, e.g. when prefix cannot get mapped.

Fixes: 4be130a0 ("s390/mm: add shadow gmap support")
Tested-by: default avatarJanosch Frank <frankja@linux.ibm.com>
Reported-by: default avatarJanosch Frank <frankja@linux.ibm.com>
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
Link: https://lore.kernel.org/r/20200403153050.20569-2-david@redhat.comReviewed-by: default avatarClaudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
[borntraeger@de.ibm.com: fix patch description, remove WARN_ON_ONCE]
Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
parent 8c1b724d
...@@ -787,14 +787,18 @@ static void gmap_call_notifier(struct gmap *gmap, unsigned long start, ...@@ -787,14 +787,18 @@ static void gmap_call_notifier(struct gmap *gmap, unsigned long start,
static inline unsigned long *gmap_table_walk(struct gmap *gmap, static inline unsigned long *gmap_table_walk(struct gmap *gmap,
unsigned long gaddr, int level) unsigned long gaddr, int level)
{ {
const int asce_type = gmap->asce & _ASCE_TYPE_MASK;
unsigned long *table; unsigned long *table;
if ((gmap->asce & _ASCE_TYPE_MASK) + 4 < (level * 4)) if ((gmap->asce & _ASCE_TYPE_MASK) + 4 < (level * 4))
return NULL; return NULL;
if (gmap_is_shadow(gmap) && gmap->removed) if (gmap_is_shadow(gmap) && gmap->removed)
return NULL; return NULL;
if (gaddr & (-1UL << (31 + ((gmap->asce & _ASCE_TYPE_MASK) >> 2)*11)))
if (asce_type != _ASCE_TYPE_REGION1 &&
gaddr & (-1UL << (31 + (asce_type >> 2) * 11)))
return NULL; return NULL;
table = gmap->table; table = gmap->table;
switch (gmap->asce & _ASCE_TYPE_MASK) { switch (gmap->asce & _ASCE_TYPE_MASK) {
case _ASCE_TYPE_REGION1: case _ASCE_TYPE_REGION1:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment