[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200408122138.71493308@p-imbrenda>
Date: Wed, 8 Apr 2020 12:21:38 +0200
From: Claudio Imbrenda <imbrenda@...ux.ibm.com>
To: Sean Christopherson <sean.j.christopherson@...el.com>
Cc: Christian Borntraeger <borntraeger@...ibm.com>,
Janosch Frank <frankja@...ux.ibm.com>,
Paolo Bonzini <pbonzini@...hat.com>,
David Hildenbrand <david@...hat.com>,
Cornelia Huck <cohuck@...hat.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+d889b59b2bb87d4047a2@...kaller.appspotmail.com
Subject: Re: [PATCH 2/2] KVM: s390: Return last valid slot if approx index
is out-of-bounds
On Tue, 7 Apr 2020 23:40:59 -0700
Sean Christopherson <sean.j.christopherson@...el.com> wrote:
> Return the index of the last valid slot from gfn_to_memslot_approx()
> if its binary search loop yielded an out-of-bounds index. The index
> can be out-of-bounds if the specified gfn is less than the base of the
> lowest memslot (which is also the last valid memslot).
>
> Note, the sole caller, kvm_s390_get_cmma(), ensures used_slots is
> non-zero.
>
> Fixes: afdad61615cc3 ("KVM: s390: Fix storage attributes migration
> with memory slots") Signed-off-by: Sean Christopherson
> <sean.j.christopherson@...el.com> ---
> arch/s390/kvm/kvm-s390.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
> index 19a81024fe16..5dcf9ff12828 100644
> --- a/arch/s390/kvm/kvm-s390.c
> +++ b/arch/s390/kvm/kvm-s390.c
> @@ -1939,6 +1939,9 @@ static int gfn_to_memslot_approx(struct
> kvm_memslots *slots, gfn_t gfn) start = slot + 1;
> }
>
> + if (start >= slots->used_slots)
> + return slots->used_slots - 1;
> +
> if (gfn >= memslots[start].base_gfn &&
> gfn < memslots[start].base_gfn + memslots[start].npages)
> { atomic_set(&slots->lru_slot, start);
on s390 memory always starts at 0; you can't even boot a system missing
the first pages of physical memory, so this means this situation would
never happen in practice.
of course, a malicious userspace program could create an (unbootable) VM
and trigger this bug, so the patch itself makes sense.
Reviewed-by: Claudio Imbrenda <imbrenda@...ux.ibm.com>
Powered by blists - more mailing lists