
Commit 0a1d0f0

s390/sclp: Fix SCCB present check
jira LE-4311 cve CVE-2025-39694 Rebuild_History Non-Buildable kernel-5.14.0-570.46.1.el9_6 commit-author Peter Oberparleiter <oberpar@linux.ibm.com> commit 430fa71 Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start at address zero, the resulting virtual address is never zero, so that the NULL checks won't work. Subsequently this may result in incorrect accesses to the first page of the identity mapping. Fix this by introducing a function that handles the NULL case before address translation. Fixes: ada1da3 ("s390/sclp: sort out physical vs virtual pointers usage") Cc: stable@vger.kernel.org Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com> Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com> (cherry picked from commit 430fa71) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent 0b2de89 commit 0a1d0f0


1 file changed

+9
-2
lines changed


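--- a/drivers/s390/char/sclp.c
+++ b/drivers/s390/char/sclp.c
@@ -76,6 +76,13 @@ unsigned long sclp_console_full;
 /* The currently active SCLP command word. */
 static sclp_cmdw_t active_cmd;
 
+static inline struct sccb_header *sclpint_to_sccb(u32 sccb_int)
+{
+if (sccb_int)
+return __va(sccb_int);
+return NULL;
+}
+
 static inline void sclp_trace(int prio, char *id, u32 a, u64 b, bool err)
 {
 struct sclp_trace_entry e;
@@ -620,7 +627,7 @@ __sclp_find_req(u32 sccb)
 
 static bool ok_response(u32 sccb_int, sclp_cmdw_t cmd)
 {
-struct sccb_header *sccb = (struct sccb_header *)__va(sccb_int);
+struct sccb_header *sccb = sclpint_to_sccb(sccb_int);
 struct evbuf_header *evbuf;
 u16 response;
 
@@ -659,7 +666,7 @@ static void sclp_interrupt_handler(struct ext_code ext_code,
 
 /* INT: Interrupt received (a=intparm, b=cmd) */
 sclp_trace_sccb(0, "INT", param32, active_cmd, active_cmd,
-(struct sccb_header *)__va(finished_sccb),
+sclpint_to_sccb(finished_sccb),
 !ok_response(finished_sccb, active_cmd));
 
 if (finished_sccb) {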
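Review bot: The new helper `sclpint_to_sccb()` has no comment explaining why zero is special-cased, and the reason is not visible in the code. Per the commit message, `__va(0)` is non-NULL when the identity mapping does not start at address zero, so a later `!sccb` test never fires. I would add above it `/* Convert an SCCB address from an interrupt parameter; 0 means "no SCCB" and must become NULL, not __va(0). */`, which also discourages reintroducing a bare `__va()` cast on these values. In `ok_response()` and in the `sclp_trace_sccb()` call the fix only holds if the consumer tests the pointer for NULL before dereferencing it. Those checks lie outside the hunks shown, so they are worth confirming, as is whether any other `__va()` on an interrupt-supplied SCCB address remains in the file.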
