From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Janosch Frank, David Hildenbrand, Claudio Imbrenda, Christian Borntraeger
Subject: [PATCH 5.4 126/232] KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks
Date: Thu, 16 Apr 2020 15:23:40 +0200
Message-Id: <20200416131330.817189531@linuxfoundation.org>

From: David Hildenbrand

commit a1d032a49522cb5368e5dfb945a85899b4c74f65 upstream.

In case we have a region 1 the following calculation
(31 + ((gmap->asce & _ASCE_TYPE_MASK) >> 2)*11)
results in 64. As shifts beyond the size are undefined the compiler is
free to use instructions like sllg. sllg will only use 6 bits of the
shift value (here 64) resulting in no shift at all. That means that ALL
addresses will be rejected.

This can result in endless loops, e.g. when prefix cannot get mapped.

Fixes: 4be130a08420 ("s390/mm: add shadow gmap support")
Tested-by: Janosch Frank
Reported-by: Janosch Frank
Cc: # v4.8+
Signed-off-by: David Hildenbrand
Link: https://lore.kernel.org/r/20200403153050.20569-2-david@redhat.com
Reviewed-by: Claudio Imbrenda
Reviewed-by: Christian Borntraeger
[borntraeger@de.ibm.com: fix patch description, remove WARN_ON_ONCE]
Signed-off-by: Christian Borntraeger
Signed-off-by: Greg Kroah-Hartman
---
 arch/s390/mm/gmap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c 
@@ -787,14 +787,18 @@ static void gmap_call_notifier(struct gm static inline unsigned long *gmap_table_walk(struct gmap *gmap, unsigned long gaddr, int level) { + const int asce_type = gmap->asce & _ASCE_TYPE_MASK; unsigned long *table; if ((gmap->asce & _ASCE_TYPE_MASK) + 4 < (level * 4)) return NULL; if (gmap_is_shadow(gmap) && gmap->removed) return NULL; - if (gaddr & (-1UL << (31 + ((gmap->asce & _ASCE_TYPE_MASK) >> 2)*11))) + + if (asce_type != _ASCE_TYPE_REGION1 && + gaddr & (-1UL << (31 + (asce_type >> 2) * 11))) return NULL; + table = gmap->table; switch (gmap->asce & _ASCE_TYPE_MASK) { case _ASCE_TYPE_REGION1:
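
Review bot: the new `asce_type != _ASCE_TYPE_REGION1` guard on the address-range check has no comment saying why region 1 is exempt, and the reason is not obvious from the code alone. Per the commit message, the shift count `31 + (asce_type >> 2) * 11` comes out as 64 for region 1, and a shift by that amount is undefined, so the compiled check ended up rejecting every address. A short comment above the condition stating that would keep a later cleanup from folding the two cases back together. Separately, `asce_type` is introduced at the top of the function, but the level check (`(gmap->asce & _ASCE_TYPE_MASK) + 4 < (level * 4)`) and the `switch (gmap->asce & _ASCE_TYPE_MASK)` below still recompute the mask; using the local in all three places would be more consistent. As a style point, parenthesising the `gaddr & (-1UL << ...)` operand on the right of `&&` would make the intended precedence explicit.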