On Fri, Jun 17, 2022 at 01:44:30AM -0700, Christoph Hellwig wrote:
On Thu, Jun 16, 2022 at 04:52:11PM -0700, Nicolin Chen wrote:
The pinned PFN list returned from vfio_pin_pages() is simply converted using page_to_pfn() without protection, so direct access via memcpy() will crash on S390 if the PFN is an IO PFN. Instead, the pages should be touched using kmap_local_page().
I don't see how this helps. kmap_local_page only works for either pages in the kernel direct map or highmem, but not for memory that needs to be ioremapped. And there is no highmem on s390.
The remark about io memory is because on s390 memcpy() will crash even on ioremapped memory; you have to use memcpy_to/fromio(), which uses the special s390 io access instructions.
This helps because we now block io memory from ever getting into these call paths. I'm pretty sure this is a serious security bug, but would let the IBM folks remark as I don't know it all that well.
As for the kmap, I thought it was standard practice even if it is a non-highmem? Aren't people trying to use this for other security stuff these days?
Jason
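An added illustration of the policy the thread is arguing about (this is a userspace model written for this page, not kernel code and not from any of the posters or from VFIO): a consumer that gets PFNs back from vfio_pin_pages() must not convert them to kernel pointers and memcpy() through them, because an IO PFN has no direct-map backing and on s390 that access faults. The model keeps a constructed PFN registry that marks each PFN as RAM-backed, IO, or unmapped, and the copy helper checks the kind before "mapping" the page (a stand-in for kmap_local_page()). Every name ending in _model, the page size and the sample page contents are assumptions of this example.

```c
/* Userspace model of "check the PFN before mapping it", not kernel code.
 * Constructed for illustration; all *_model names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define PAGE_SIZE_MODEL 4096
#define NR_PFNS_MODEL   4
#define EFAULT_MODEL    14   /* mirrors -EFAULT as the rejection code */

enum pfn_kind { PFN_RAM, PFN_IO, PFN_UNMAPPED };

/* Constructed backing store for the RAM PFNs only; IO and unmapped PFNs
 * deliberately have no storage, like memory outside the direct map. */
static unsigned char ram_model[NR_PFNS_MODEL][PAGE_SIZE_MODEL];
static enum pfn_kind pfn_kind_model[NR_PFNS_MODEL] = {
    PFN_RAM, PFN_IO, PFN_RAM, PFN_UNMAPPED
};

/* The validity check a consumer needs before page_to_pfn()/kmap_local_page():
 * is this PFN ordinary, direct-mapped RAM? */
static int pfn_is_ram_model(unsigned long pfn)
{
    return pfn < NR_PFNS_MODEL && pfn_kind_model[pfn] == PFN_RAM;
}

/* Stand-in for kmap_local_page(): only RAM pages yield a usable pointer. */
static unsigned char *kmap_local_model(unsigned long pfn)
{
    return pfn_is_ram_model(pfn) ? ram_model[pfn] : NULL;
}

/* Copy len bytes at page offset off from a pinned PFN into dst.
 * Returns the byte count on success, or -EFAULT_MODEL when the PFN is not
 * RAM or the range leaves the page, without ever touching the memory. */
static long copy_from_pinned_model(unsigned long pfn, size_t off,
                                   void *dst, size_t len)
{
    unsigned char *va;

    if (off > PAGE_SIZE_MODEL || len > PAGE_SIZE_MODEL - off)
        return -EFAULT_MODEL;
    if (!pfn_is_ram_model(pfn))
        return -EFAULT_MODEL;      /* IO or unmapped PFN: refuse, do not crash */
    va = kmap_local_model(pfn);
    memcpy(dst, va + off, len);
    return (long)len;
}

/* Fill the two RAM pages with recognisable constructed content. */
static void seed_model(void)
{
    memset(ram_model[0], 'A', PAGE_SIZE_MODEL);
    memset(ram_model[2], 'C', PAGE_SIZE_MODEL);
}

int main(void)
{
    unsigned char buf[8];
    unsigned long pfns[NR_PFNS_MODEL] = { 0, 1, 2, 3 };  /* as if pinned */

    seed_model();
    for (int i = 0; i < NR_PFNS_MODEL; i++) {
        long ret = copy_from_pinned_model(pfns[i], 0, buf, sizeof buf);
        if (ret < 0)
            printf("pfn %lu: kind %d rejected, no access attempted\n",
                   pfns[i], pfn_kind_model[pfns[i]]);
        else
            printf("pfn %lu: copied %ld bytes, first byte '%c'\n",
                   pfns[i], ret, buf[0]);
    }
    return 0;
}
```

The point of the model is the ordering: the kind check happens before any pointer to the page is formed, so an IO PFN handed back by the pinning path is rejected with an error the caller can report, rather than being dereferenced through a memcpy() that the platform cannot service.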
dri-devel@lists.freedesktop.org