On Tue, Jun 21, 2022 at 02:21:22PM -0700, Nicolin Chen wrote: > On Sun, Jun 19, 2022 at 11:32:07PM -0700, Christoph Hellwig wrote: > > On Sun, Jun 19, 2022 at 11:57:26PM -0300, Jason Gunthorpe wrote: > > > The remark about io memory is because on s390 memcpy() will crash even > > > on ioremapped memory, you have to use the memcpy_to/fromio() which > > > uses the special s390 io access instructions. > > > > Yes. The same is true for various other architectures, inluding arm64 > > under the right circumstances. > > > > > This helps because we now block io memory from ever getting into these > > > call paths. I'm pretty sure this is a serious security bug, but would > > > let the IBM folks remark as I don't know it all that well.. > > > > Prevent as in crash when trying to convert it to a page? > > > > > As for the kmap, I thought it was standard practice even if it is a > > > non-highmem? Aren't people trying to use this for other security > > > stuff these days? > > > > Ira has been lookin into the protection keys, although they don't > > apply to s390. Either way I don't object to using kmap, but the > > commit log doesn't make much sense to me. > > How about the updated commit log below? Thanks. > > The pinned PFN list returned from vfio_pin_pages() is converted using > page_to_pfn(), so direct access via memcpy() will crash on S390 if the > PFN is an IO PFN, as we have to use the memcpy_to/fromio(), which uses > the special s390 IO access instructions. > > As a standard practice for security purpose, add kmap_local_page() to > block any IO memory from ever getting into this call path. The kmap_local_page is not about the IO memory, the switch to struct page is what is protecting against IO memory. Use kmap_local_page() is just the correct way to convert a struct page into a CPU address to use with memcpy and it is a NOP on S390 because it doesn't use highmem/etc. Jason
