summaryrefslogtreecommitdiff
path: root/scripts/Makefile.thinlto
diff options
context:
space:
mode:
authorChristian Borntraeger <borntraeger@linux.ibm.com>2026-06-11 13:50:36 +0300
committerClaudio Imbrenda <imbrenda@linux.ibm.com>2026-06-11 16:09:53 +0300
commitc7dda3d0f869dc97223448a06c9a2e5235928e48 (patch)
treeed251d5f0f1a7239ddc2768f2930410553ee92b6 /scripts/Makefile.thinlto
parent9030da050c9fe7d10150c9f93765e464f6c7da3c (diff)
downloadlinux-c7dda3d0f869dc97223448a06c9a2e5235928e48.tar.xz
KVM: s390: Initialize KVM_S390_GET_CMMA_BITS memory
kvm_s390_get_cmma_bits() allocates its output buffer with vmalloc(), which does not zero the returned pages: values = vmalloc(args->count); In the non-peek (migration) path, dat_get_cmma() reports a byte count spanning from the first to the last dirty page, but __dat_get_cmma_pte() writes values[gfn - start] only for pages whose CMMA dirty bit is set. The walk uses DAT_WALK_IGN_HOLES, so clean and unmapped pages that lie between two dirty pages within the reported span are visited but never store their byte. Those gaps (up to KVM_S390_MAX_BIT_DISTANCE pages each) stay uninitialized yet fall inside [0, count) and are copied out by copy_to_user(), disclosing stale kernel memory to user space. Before the switch to the new gmap implementation the buffer was fully populated for every gfn in the span, so no uninitialized bytes were exposed; the dirty-only walk introduced the leak. Use vzalloc() so the gaps read back as zero. Fixes: e38c884df921 ("KVM: s390: Switch to new gmap") Cc: stable@vger.kernel.org Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-ID: <20260611105036.11491-1-borntraeger@linux.ibm.com>
Diffstat (limited to 'scripts/Makefile.thinlto')
0 files changed, 0 insertions, 0 deletions