From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Carsten Otte
Subject: Fix prefix register checking in arch/s390/kvm/sigp.c
Date: Mon, 30 Nov 2009 17:14:41 +0100
Message-ID: <4B13EF71.3080905@de.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Alexander Graf, Heiko Carstens, KVM list, stable@kernel.org, Martin Schwidefsky
To: Avi Kivity
Received: from mtagate5.de.ibm.com ([195.212.17.165]:34588 "EHLO mtagate5.de.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752426AbZK3QN5 (ORCPT ); Mon, 30 Nov 2009 11:13:57 -0500
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate5.de.ibm.com (8.13.1/8.13.1) with ESMTP id nAUGE3ch028323 for ; Mon, 30 Nov 2009 16:14:03 GMT
Received: from d12av04.megacenter.de.ibm.com (d12av04.megacenter.de.ibm.com [9.149.165.229]) by d12nrmr1607.megacenter.de.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nAUGE3lk1077474 for ; Mon, 30 Nov 2009 17:14:03 +0100
Received: from d12av04.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id nAUGE2M9020747 for ; Mon, 30 Nov 2009 17:14:03 +0100
Sender: kvm-owner@vger.kernel.org

This patch corrects the checking of the new address for the prefix register. On s390, the prefix register is used to address the cpu's lowcore (address 0...8k). This check is supposed to verify that the memory is readable and present.

copy_from_guest is a helper function that can be used to read from guest memory. It applies prefixing, adds the start address of the guest memory in user, and then calls copy_from_user.

Previous code was obviously broken for two reasons:
- prefixing should not be applied here. The current prefix register is going to be updated soon, and the address we're looking for will be 0..8k after we've updated the register
- we're adding the guest origin (gmsor) twice: once in subject code and once in copy_from_guest

With kuli, we did not hit this problem because (a) we were lucky with previous prefix register content, and (b) our guest memory was mmapped very low into user address space.

This patch should go into 2.6.32; it prevents running smp guests with qemu.

Signed-off-by: Carsten Otte
Reported-by: Alexander Graf
---
 sigp.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Index: kvm/arch/s390/kvm/sigp.c
===================================================================
--- kvm.orig/arch/s390/kvm/sigp.c	2009-10-13 11:09:04.000000000 +0200
+++ kvm/arch/s390/kvm/sigp.c	2009-11-30 16:46:21.000000000 +0100
@@ -188,9 +188,9 @@ /* make sure that the new value is valid memory */ address = address & 0x7fffe000u; - if ((copy_from_guest(vcpu, &tmp, (u64) (address + vcpu->arch.sie_block->gmsor) , 1)) || (copy_from_guest(vcpu, &tmp, (u64) (address + + if ((copy_from_user(&tmp, (void __user *) (address + vcpu->arch.sie_block->gmsor) , 1)) || (copy_from_user(&tmp, (void __user *)(address + vcpu->arch.sie_block->gmsor + PAGE_SIZE), 1))) { *reg |= SIGP_STAT_INVALID_PARAMETER; return 1; /* invalid parameter */
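Review bot: nothing in this hunk bounds `address` against the guest's memory size; the only validation is two one-byte copy_from_user probes at address + gmsor and address + gmsor + PAGE_SIZE, so a prefix pointing just past the end of guest memory is accepted whenever the host process happens to have something else mapped at that user address. Unless such a comparison already happens earlier in the function, outside the hunk, consider rejecting address + 2 * PAGE_SIZE beyond the guest memory limit before probing, since a probe into unrelated host memory says nothing about whether the lowcore is backed by guest memory. Minor: the stray space before the comma in `(address + vcpu->arch.sie_block->gmsor) , 1)` is carried over from the removed lines into the new ones and could go while these lines are being rewritten anyway.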
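To make the two reasons in the commit message concrete, here is an added, stand-alone C model of the address arithmetic involved; it is not kernel code and not part of the patch. It implements s390 prefixing (the 8 KiB block at real address 0 is exchanged with the block at the prefix address), the translation the message attributes to copy_from_guest (prefix with the current prefix register, then add gmsor, the guest's origin in host user space), and the host address that the removed check versus the fixed check actually probes. The function names, the constructed gmsor/guest-size values and the guest-memory bounds helper are assumptions made for the illustration; the 0x7fffe000u mask, the 4 KiB PAGE_SIZE and the 8 KiB lowcore follow the patch and the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not kernel code: models the address arithmetic
 * behind the sigp.c prefix check.  Names below are ours. */

#define LOWCORE_SIZE   0x2000u   /* prefix area (lowcore) is 8 KiB: two pages */
#define S390_PAGE_SIZE 0x1000u   /* PAGE_SIZE on s390 */

/* Mask applied to the new prefix value in sigp.c: 8 KiB aligned, below 2 GiB. */
static uint32_t mask_prefix(uint32_t new_prefix)
{
    return new_prefix & 0x7fffe000u;
}

/* z/Architecture prefixing: real address -> absolute address. */
static uint64_t apply_prefix(uint64_t real, uint64_t cur_prefix)
{
    if (real < LOWCORE_SIZE)                                     /* 0..8K -> prefix area */
        return real + cur_prefix;
    if (real >= cur_prefix && real < cur_prefix + LOWCORE_SIZE)  /* prefix area -> 0..8K */
        return real - cur_prefix;
    return real;
}

/* Host user address copy_from_guest() reads, as described in the commit message:
 * prefix with the CURRENT prefix register, then add gmsor. */
static uint64_t copy_from_guest_host_addr(uint64_t guest_addr, uint64_t cur_prefix, uint64_t gmsor)
{
    return apply_prefix(guest_addr, cur_prefix) + gmsor;
}

/* Removed check: address + gmsor was handed to copy_from_guest(), so gmsor is
 * added twice and the current prefix is applied to the wrong address. */
static uint64_t old_probe_host_addr(uint32_t new_prefix, uint64_t cur_prefix, uint64_t gmsor)
{
    uint64_t address = mask_prefix(new_prefix);
    return copy_from_guest_host_addr(address + gmsor, cur_prefix, gmsor);
}

/* Fixed check: copy_from_user() straight at address + gmsor (second probe is +PAGE_SIZE). */
static uint64_t new_probe_host_addr(uint32_t new_prefix, uint64_t gmsor)
{
    return (uint64_t)mask_prefix(new_prefix) + gmsor;
}

/* Assumed helper: 1 if both probed pages lie inside the guest mapping
 * [gmsor, gmsor + guest_size), which is what the check is meant to establish. */
static int probe_pages_in_guest_memory(uint64_t first_probe, uint64_t gmsor, uint64_t guest_size)
{
    uint64_t second_probe = first_probe + S390_PAGE_SIZE;
    return first_probe >= gmsor && second_probe < gmsor + guest_size;
}

int main(void)
{
    /* Constructed scenario (b): 256 MiB of guest memory mapped at 1 GiB in the
     * host process, current prefix 0, guest asks for prefix 0x10000. */
    uint64_t gmsor = 0x40000000ULL, size = 0x10000000ULL;
    uint64_t old   = old_probe_host_addr(0x10000, 0, gmsor);
    uint64_t fixed = new_probe_host_addr(0x10000, gmsor);

    printf("old check probes   0x%llx, inside guest memory: %d\n",
           (unsigned long long)old, probe_pages_in_guest_memory(old, gmsor, size));
    printf("fixed check probes 0x%llx, inside guest memory: %d\n",
           (unsigned long long)fixed, probe_pages_in_guest_memory(fixed, gmsor, size));

    /* Constructed scenario (a): gmsor 0, current prefix 0x20000 and the guest
     * re-requests 0x20000; prefixing folds the probe back to absolute 0. */
    printf("old check with current prefix 0x20000 probes 0x%llx instead of 0x20000\n",
           (unsigned long long)old_probe_host_addr(0x20000, 0x20000, 0));
    return 0;
}
```

Build with `cc -std=c99 -Wall prefix_check.c` (file name assumed). With guest memory mapped high, the old path lands at gmsor added twice, far outside the guest; with a non-zero current prefix it probes absolute 0 rather than the requested block, which is how a low mapping and a friendly prefix could mask the bug under kuli.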