From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Janosch Frank, David Hildenbrand, Claudio Imbrenda, Christian Borntraeger
Subject: [PATCH 4.14 058/199] KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks
Date: Wed, 22 Apr 2020 11:56:24 +0200
Message-Id: <20200422095104.082711515@linuxfoundation.org>
In-Reply-To: <20200422095057.806111593@linuxfoundation.org>
References: <20200422095057.806111593@linuxfoundation.org>

From: David Hildenbrand

commit a1d032a49522cb5368e5dfb945a85899b4c74f65 upstream.

In case we have a region 1 the following calculation
(31 + ((gmap->asce & _ASCE_TYPE_MASK) >> 2)*11)
results in 64. As shifts beyond the size are undefined the compiler is
free to use instructions like sllg. sllg will only use 6 bits of the
shift value (here 64) resulting in no shift at all. That means that ALL
addresses will be rejected.

This can result in endless loops, e.g. when prefix cannot get mapped.

Fixes: 4be130a08420 ("s390/mm: add shadow gmap support")
Tested-by: Janosch Frank
Reported-by: Janosch Frank
Cc: # v4.8+
Signed-off-by: David Hildenbrand
Link: https://lore.kernel.org/r/20200403153050.20569-2-david@redhat.com
Reviewed-by: Claudio Imbrenda
Reviewed-by: Christian Borntraeger
[borntraeger@de.ibm.com: fix patch description, remove WARN_ON_ONCE]
Signed-off-by: Christian Borntraeger
Signed-off-by: Greg Kroah-Hartman
---
 arch/s390/mm/gmap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c 
@@ -762,14 +762,18 @@ static void gmap_call_notifier(struct gm static inline unsigned long *gmap_table_walk(struct gmap *gmap, unsigned long gaddr, int level) { + const int asce_type = gmap->asce & _ASCE_TYPE_MASK; unsigned long *table; if ((gmap->asce & _ASCE_TYPE_MASK) + 4 < (level * 4)) return NULL; if (gmap_is_shadow(gmap) && gmap->removed) return NULL; - if (gaddr & (-1UL << (31 + ((gmap->asce & _ASCE_TYPE_MASK) >> 2)*11))) + + if (asce_type != _ASCE_TYPE_REGION1 && + gaddr & (-1UL << (31 + (asce_type >> 2) * 11))) return NULL; + table = gmap->table; switch (gmap->asce & _ASCE_TYPE_MASK) { case _ASCE_TYPE_REGION1:
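
Review bot: the new condition `asce_type != _ASCE_TYPE_REGION1 && gaddr & (-1UL << (31 + (asce_type >> 2) * 11))` carries no comment saying why region 1 is exempt. The reason (the shift count becomes 64, which is undefined) lives only in the commit message, so a one-line comment above the check would keep a later cleanup from folding the special case back into a single expression. The same condition mixes `&&` and `&` without parentheses around the `gaddr & (...)` operand; it parses as intended, but explicit parentheses would make that obvious to the next reader. The hunk also introduces `asce_type` while the unchanged `(gmap->asce & _ASCE_TYPE_MASK) + 4 < (level * 4)` test and the `switch (gmap->asce & _ASCE_TYPE_MASK)` still recompute the mask; using `asce_type` in all three places would be consistent.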
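
A user-space model of the address check described in the commit message, added here as an illustration; it is not code from the patch or the kernel. The `ASCE_TYPE_*` values are assumed to match the s390 headers, `shl_low6()` is a hypothetical stand-in for the `sllg` behaviour the message describes, and the guard generalises the patch's region 1 test to any shift count of 64 or more.

```c
#include <stdint.h>
#include <stdio.h>

/* ASCE designation types; values assumed to match the s390 headers
 * (the page itself only states that region 1 yields a shift of 64). */
#define ASCE_TYPE_MASK    0x0cULL
#define ASCE_TYPE_SEGMENT 0x00ULL
#define ASCE_TYPE_REGION3 0x04ULL
#define ASCE_TYPE_REGION2 0x08ULL
#define ASCE_TYPE_REGION1 0x0cULL

/* Shift count used by the original check: 31, 42, 53 or 64. */
static unsigned int asce_shift(uint64_t asce)
{
    return 31 + (unsigned int)((asce & ASCE_TYPE_MASK) >> 2) * 11;
}

/* Hypothetical model of sllg as described in the commit message:
 * only the low 6 bits of the count are used, so 64 acts like 0. */
static uint64_t shl_low6(uint64_t v, unsigned int n)
{
    return v << (n & 63);
}

/* Pre-patch behaviour under that model: 1 means gaddr is rejected. */
static int rejected_unguarded(uint64_t asce, uint64_t gaddr)
{
    return (gaddr & shl_low6(~0ULL, asce_shift(asce))) != 0;
}

/* Guarded check: never evaluate a shift by the full type width. */
static int rejected_guarded(uint64_t asce, uint64_t gaddr)
{
    unsigned int shift = asce_shift(asce);

    if (shift >= 64)  /* region 1 covers all 64 address bits */
        return 0;
    return (gaddr & (~0ULL << shift)) != 0;
}

int main(void)
{
    uint64_t gaddr = 0x1000;  /* constructed sample guest address */

    printf("region1 shift=%u unguarded=%d guarded=%d\n",
           asce_shift(ASCE_TYPE_REGION1),
           rejected_unguarded(ASCE_TYPE_REGION1, gaddr),
           rejected_guarded(ASCE_TYPE_REGION1, gaddr));
    return 0;
}
```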