Kernel KVM virtualization development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Heiko Carstens" <hca@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, "Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	kvm@vger.kernel.org, "Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH] s390/mm: Add missing vm_start <= addr check to do_secure_storage_access()
Date: Fri, 17 Jul 2026 13:23:44 +0000	[thread overview]
Message-ID: <20260717132345.539A11F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260717131407.855327-1-hca@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing !mm check in do_secure_storage_access allows kernel threads faulting on user-space accesses to trigger a NULL pointer dereference.
--

--- Patch [1]: [PATCH] s390/mm: Add missing vm_start <= addr check to do_secure_storage_access() ---
commit 925b56344e2c328b11b68034f7f630693a6c6b31
Author: Heiko Carstens <hca@linux.ibm.com>

s390/mm: Add missing vm_start <= addr check to do_secure_storage_access()

This patch converts do_secure_storage_access() to use lock_mm_and_find_vma() 
to ensure the faulting address is properly checked against the VMA boundaries.

Link: https://lore.kernel.org/all/20260717093904.E4A421F00A3E@smtp.kernel.org/

> diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> index 028aeb9c48d6f..d6c58d78edc5a 100644
> --- a/arch/s390/mm/fault.c
> +++ b/arch/s390/mm/fault.c
> @@ -456,10 +456,9 @@ void do_secure_storage_access(struct pt_regs *regs)
>  		if (faulthandler_disabled())
>  			return handle_fault_error_nolock(regs, 0);
>  		mm = current->mm;
> -		mmap_read_lock(mm);
> -		vma = find_vma(mm, addr);
> +		vma = lock_mm_and_find_vma(mm, addr, regs);

[Severity: High]
This is a pre-existing issue, but does this lack of a NULL check on mm lead 
to a crash if a kernel thread faults on a user-space access?

When a kernel thread (which has current->mm == NULL) triggers a secure
storage access exception (for instance, via a copy_from_user() mapped to a
secure page), it enters this branch. The mm pointer is set to NULL and then
passed to lock_mm_and_find_vma():

vma = lock_mm_and_find_vma(mm, addr, regs);

Inside lock_mm_and_find_vma(), it unconditionally calls mmap_read_lock(mm):

mm/mmap_lock.c:lock_mm_and_find_vma() {
        ...
        mmap_read_lock(mm);
        ...
}

Could this result in a NULL pointer dereference? The do_page_fault() path
handles this gracefully with an explicit !mm check and exception fixups, but
do_secure_storage_access() appears to be missing this check.

>  		if (!vma)
> -			return handle_fault_error(regs, SEGV_MAPERR);
> +			return handle_fault_error_nolock(regs, SEGV_MAPERR);

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260717131407.855327-1-hca@linux.ibm.com?part=1

      reply	other threads:[~2026-07-17 13:23 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-17 13:14 [PATCH] s390/mm: Add missing vm_start <= addr check to do_secure_storage_access() Heiko Carstens
2026-07-17 13:23 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260717132345.539A11F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox