On Sun, Jun 19, 2022 at 11:32:07PM -0700, Christoph Hellwig wrote: > On Sun, Jun 19, 2022 at 11:57:26PM -0300, Jason Gunthorpe wrote: > > The remark about io memory is because on s390 memcpy() will crash even > > on ioremapped memory, you have to use the memcpy_to/fromio() which > > uses the special s390 io access instructions. > > Yes. The same is true for various other architectures, inluding arm64 > under the right circumstances. > > > This helps because we now block io memory from ever getting into these > > call paths. I'm pretty sure this is a serious security bug, but would > > let the IBM folks remark as I don't know it all that well.. > > Prevent as in crash when trying to convert it to a page? > > > As for the kmap, I thought it was standard practice even if it is a > > non-highmem? Aren't people trying to use this for other security > > stuff these days? > > Ira has been lookin into the protection keys, although they don't > apply to s390. Either way I don't object to using kmap, but the > commit log doesn't make much sense to me. How about the updated commit log below? Thanks. The pinned PFN list returned from vfio_pin_pages() is converted using page_to_pfn(), so direct access via memcpy() will crash on S390 if the PFN is an IO PFN, as we have to use the memcpy_to/fromio(), which uses the special s390 IO access instructions. As a standard practice for security purpose, add kmap_local_page() to block any IO memory from ever getting into this call path.
