From: sashiko-bot@kernel.org
To: "Heiko Carstens" <hca@linux.ibm.com>
Cc: "Vasily Gorbik" <gor@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
kvm@vger.kernel.org, "Heiko Carstens" <hca@linux.ibm.com>,
linux-s390@vger.kernel.org
Subject: Re: [PATCH v2 2/4] s390/mm: Fix handling of secure storage access exceptions in vmalloc area
Date: Fri, 17 Jul 2026 09:39:04 +0000 [thread overview]
Message-ID: <20260717093904.E4A421F00A3E@smtp.kernel.org> (raw)
In-Reply-To: <20260717092415.3039699-3-hca@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] `do_secure_storage_access` uses `find_vma()` to locate the VMA but fails to verify that the faulting address is within the returned VMA's bounds, allowing an unprivileged user to reliably trigger a `WARN_ON_ONCE` via a race condition.
--
--- Patch [2]: [PATCH v2 2/4] s390/mm: Fix handling of secure storage access exceptions in vmalloc area ---
commit 09ae7bc2c3bf1f10251c33af84acf243e29af836
Author: Heiko Carstens <hca@linux.ibm.com>
s390/mm: Fix handling of secure storage access exceptions in vmalloc area
Secure storage access exceptions in vmalloc area need to be handled
separately since folio_try_get() or virt_to_phys() do not work on such
addresses. Given that there cannot be a valid access let such exceptions
fail immediately. The kernel will either fixup or crash.
> diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> index 028aeb9c48d6f..392e467420392 100644
> --- a/arch/s390/mm/fault.c
> +++ b/arch/s390/mm/fault.c
> @@ -438,6 +438,8 @@ void do_secure_storage_access(struct pt_regs *regs)
> panic("Unexpected PGM 0x3d with TEID bit 61=0");
> }
> if (is_kernel_fault(regs)) {
> + if (is_vmalloc_addr((void *)addr))
> + return handle_fault_error_nolock(regs, 0);
> folio = virt_to_folio((void *)addr);
> if (unlikely(!folio_try_get(folio)))
> return;
[ ... ]
> } else {
> if (faulthandler_disabled())
> return handle_fault_error_nolock(regs, 0);
> mm = current->mm;
> mmap_read_lock(mm);
> vma = find_vma(mm, addr);
> if (!vma)
> return handle_fault_error(regs, SEGV_MAPERR);
> folio = folio_walk_start(&fw, vma, addr, 0);
[Severity: High]
This is a pre-existing issue, but does using find_vma() here allow a race
condition that could trigger a kernel warning in folio_walk_start()?
find_vma() returns the first VMA where vma->vm_end > addr, but it doesn't
guarantee that vma->vm_start <= addr. If a concurrent unmap happens and the
exact VMA is removed before mmap_read_lock() is acquired, find_vma() might
return the next VMA in the address space.
Passing an out-of-bounds VMA to folio_walk_start() violates its API contract
and triggers a WARN_ON_ONCE().
Would using vma_lookup() instead properly validate that the address falls
within the VMA's bounds?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260717092415.3039699-1-hca@linux.ibm.com?part=2
next prev parent reply other threads:[~2026-07-17 9:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-17 9:24 [PATCH v2 0/4] s390: Reintroduce support for DCACHE_WORD_ACCESS Heiko Carstens
2026-07-17 9:24 ` [PATCH v2 1/4] KVM: s390: pv: Use VM_SPARSE area for guest variable storage area Heiko Carstens
2026-07-17 9:40 ` sashiko-bot
2026-07-17 10:32 ` Heiko Carstens
2026-07-17 9:24 ` [PATCH v2 2/4] s390/mm: Fix handling of secure storage access exceptions in vmalloc area Heiko Carstens
2026-07-17 9:39 ` sashiko-bot [this message]
2026-07-17 9:24 ` [PATCH v2 3/4] s390/mm: Remove folio handling for secure storage access exceptions Heiko Carstens
2026-07-17 9:24 ` [PATCH v2 4/4] s390: Add support for DCACHE_WORD_ACCESS (again) Heiko Carstens
2026-07-17 9:36 ` sashiko-bot
2026-07-17 10:20 ` Heiko Carstens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260717093904.E4A421F00A3E@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.