s390/mm: fix NULL pointer dereference

hcahca · Vasily Gorbik · commit e6ec07dc6dd4 · 2024-04-03T15:00:19.000+02:00
The recently added check to figure out if a fault happened on gmap ASCE dereferences the gmap pointer in lowcore without checking that it is not NULL. For all non-KVM processes the pointer is NULL, so that some value from lowcore will be read. With the current layouts of struct gmap and struct lowcore the read value (aka ASCE) is zero, so that this doesn't lead to any observable bug; at least currently. Fix this by adding the missing NULL pointer check. Fixes: 64c3431 ("s390/entry: compare gmap asce to determine guest/host fault") Acked-by: Sven Schnelle <svens@linux.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
@@ -75,7 +75,7 @@ static enum fault_type get_fault_type(struct pt_regs *regs)
 		if (!IS_ENABLED(CONFIG_PGSTE))
 			return KERNEL_FAULT;
 		gmap = (struct gmap *)S390_lowcore.gmap;
-		if (regs->cr1 == gmap->asce)
+		if (gmap && gmap->asce == regs->cr1)
 			return GMAP_FAULT;
 		return KERNEL_FAULT;
 	}

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ static enum fault_type get_fault_type(struct pt_regs *regs)`
`75`	`75`	`if (!IS_ENABLED(CONFIG_PGSTE))`
`76`	`76`	`return KERNEL_FAULT;`
`77`	`77`	`gmap = (struct gmap *)S390_lowcore.gmap;`
`78`		`- if (regs->cr1 == gmap->asce)`
	`78`	`+ if (gmap && gmap->asce == regs->cr1)`
`79`	`79`	`return GMAP_FAULT;`
`80`	`80`	`return KERNEL_FAULT;`
`81`	`81`	`}`