diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2014-08-25 09:37:00 -0400 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-08-25 09:37:00 -0400 |
| commit | 7cd4b90a737e2e6f41be4ac8b1df847fec67f3da (patch) | |
| tree | 920abb10e0c1279eaf256eaec4d6fbd386ab9ac2 | |
| parent | 7b46268d29543e313e731606d845e65c17f232e4 (diff) | |
| parent | ab3f285f227fec62868037e9b1b1fd18294a83b8 (diff) | |
Merge tag 'kvm-s390-20140825' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD
Here are two fixes for s390 KVM code that prevent:
1. a malicious user to trigger a kernel BUG
2. a malicious user to change the storage key of read-only pages
| -rw-r--r-- | arch/s390/kvm/kvm-s390.c | 13 | ||||
| -rw-r--r-- | arch/s390/mm/pgtable.c | 10 |
2 files changed, 10 insertions, 13 deletions
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c index a3c324ec4370..197bec03d919 100644 --- a/arch/s390/kvm/kvm-s390.c +++ b/arch/s390/kvm/kvm-s390.c | |||
| @@ -1321,19 +1321,6 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) | |||
| 1321 | return -EINVAL; | 1321 | return -EINVAL; |
| 1322 | } | 1322 | } |
| 1323 | 1323 | ||
| 1324 | switch (kvm_run->exit_reason) { | ||
| 1325 | case KVM_EXIT_S390_SIEIC: | ||
| 1326 | case KVM_EXIT_UNKNOWN: | ||
| 1327 | case KVM_EXIT_INTR: | ||
| 1328 | case KVM_EXIT_S390_RESET: | ||
| 1329 | case KVM_EXIT_S390_UCONTROL: | ||
| 1330 | case KVM_EXIT_S390_TSCH: | ||
| 1331 | case KVM_EXIT_DEBUG: | ||
| 1332 | break; | ||
| 1333 | default: | ||
| 1334 | BUG(); | ||
| 1335 | } | ||
| 1336 | |||
| 1337 | vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask; | 1324 | vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask; |
| 1338 | vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr; | 1325 | vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr; |
| 1339 | if (kvm_run->kvm_dirty_regs & KVM_SYNC_PREFIX) { | 1326 | if (kvm_run->kvm_dirty_regs & KVM_SYNC_PREFIX) { |
diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c index 19daa53a3da4..5404a6261db9 100644 --- a/arch/s390/mm/pgtable.c +++ b/arch/s390/mm/pgtable.c | |||
| @@ -986,11 +986,21 @@ int set_guest_storage_key(struct mm_struct *mm, unsigned long addr, | |||
| 986 | pte_t *ptep; | 986 | pte_t *ptep; |
| 987 | 987 | ||
| 988 | down_read(&mm->mmap_sem); | 988 | down_read(&mm->mmap_sem); |
| 989 | retry: | ||
| 989 | ptep = get_locked_pte(current->mm, addr, &ptl); | 990 | ptep = get_locked_pte(current->mm, addr, &ptl); |
| 990 | if (unlikely(!ptep)) { | 991 | if (unlikely(!ptep)) { |
| 991 | up_read(&mm->mmap_sem); | 992 | up_read(&mm->mmap_sem); |
| 992 | return -EFAULT; | 993 | return -EFAULT; |
| 993 | } | 994 | } |
| 995 | if (!(pte_val(*ptep) & _PAGE_INVALID) && | ||
| 996 | (pte_val(*ptep) & _PAGE_PROTECT)) { | ||
| 997 | pte_unmap_unlock(*ptep, ptl); | ||
| 998 | if (fixup_user_fault(current, mm, addr, FAULT_FLAG_WRITE)) { | ||
| 999 | up_read(&mm->mmap_sem); | ||
| 1000 | return -EFAULT; | ||
| 1001 | } | ||
| 1002 | goto retry; | ||
| 1003 | } | ||
| 994 | 1004 | ||
| 995 | new = old = pgste_get_lock(ptep); | 1005 | new = old = pgste_get_lock(ptep); |
| 996 | pgste_val(new) &= ~(PGSTE_GR_BIT | PGSTE_GC_BIT | | 1006 | pgste_val(new) &= ~(PGSTE_GR_BIT | PGSTE_GC_BIT | |