| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/07/17 17:19 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": [
"KVM"
],
"FocusSymbols": [
"do_secure_storage_access"
],
"Reasoning": "The patch modifies the page fault handling for secure storage access on s390 (do_secure_storage_access). It changes how the mmap lock is acquired and how errors are handled when a VMA is not found. This is a functional change in core architecture code and should be fuzzed. The code is guarded by CONFIG_KVM.",
"WorthFuzzing": true
} |
| 1/1 | 2026/07/17 17:19 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 61854b3360ae5810934c4694dd5856535dbedbbd\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Fri Jul 17 17:19:25 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c\nindex 028aeb9c48d6ff..d6c58d78edc5af 100644\n--- a/arch/s390/mm/fault.c\n+++ b/arch/s390/mm/fault.c\n@@ -456,10 +456,9 @@ void do_secure_storage_access(struct pt_regs *regs)\n \t\tif (faulthandler_disabled())\n \t\t\treturn handle_fault_error_nolock(regs, 0);\n \t\tmm = current-\u003emm;\n-\t\tmmap_read_lock(mm);\n-\t\tvma = find_vma(mm, addr);\n+\t\tvma = lock_mm_and_find_vma(mm, addr, regs);\n \t\tif (!vma)\n-\t\t\treturn handle_fault_error(regs, SEGV_MAPERR);\n+\t\t\treturn handle_fault_error_nolock(regs, SEGV_MAPERR);\n \t\tfolio = folio_walk_start(\u0026fw, vma, addr, 0);\n \t\tif (!folio) {\n \t\t\tmmap_read_unlock(mm);\n"
} |
| 2/1 | 2026/07/17 17:19 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"KVM"
],
"FocusSymbols": [
"do_secure_storage_access"
],
"Reasoning": "The patch modifies the page fault handling for secure storage access on s390 (do_secure_storage_access). It changes how the mmap lock is acquired and how errors are handled when a VMA is not found. This is a functional change in core architecture code and should be fuzzed. The code is guarded by CONFIG_KVM.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 61854b3360ae5810934c4694dd5856535dbedbbd
Author: syz-cluster <triage@syzkaller.com>
Date: Fri Jul 17 17:19:25 2026 +0000
syz-cluster: applied patch under review
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
index 028aeb9c48d6ff..d6c58d78edc5af 100644
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -456,10 +456,9 @@ void do_secure_storage_access(struct pt_regs *regs)
if (faulthandler_disabled())
return handle_fault_error_nolock(regs, 0);
mm = current->mm;
- mmap_read_lock(mm);
- vma = find_vma(mm, addr);
+ vma = lock_mm_and_find_vma(mm, addr, regs);
if (!vma)
- return handle_fault_error(regs, SEGV_MAPERR);
+ return handle_fault_error_nolock(regs, SEGV_MAPERR);
folio = folio_walk_start(&fw, vma, addr, 0);
if (!folio) {
mmap_read_unlock(mm);
|
| 3/2 | 2026/07/17 17:19 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 1931 output: 39 thoughts: 233 Thoughts: **Analyzing a Patch to s390 Memory Management** Okay, so this patch is touching `arch/s390/mm/fault.c`. Right away, I see that it's changing the locking strategy within `do_secure_storage_access`. It's moving from the older `mmap_read_lock` and `find_vma` approach to using `lock_mm_and_find_vma`. That's interesting, and likely means they're aiming for a more fine-grained locking mechanism or trying to avoid some potential contention issues. The error handling change is important too; using `handle_fault_error_nolock` instead of the locked version when `lock_mm_and_find_vma` fails. This is because `lock_mm_and_find_vma` doesn't hold the lock if it returns `NULL`. This error path is the key to understand if there is a race condition. Now, a critical question arises: is this code path even *reachable* in a virtualized environment? `do_secure_storage_access` is, after all, very specific to the s390 architecture. My first thought is that syzkaller probably isn't configured to run on s390 by default, but it *could* be. I need to keep in mind that the "s390" is an architecture. Ultimately, is it worth the effort to consider fuzzing this area? Yes, without question. This is a functional change deep within the architecture-specific memory management code. Even if it requires some extra setup to run syzkaller on s390, the potential for discovering critical memory access bugs related to this locking change is significant. I need to go back and take a closer look at `do_secure_storage_access` itself within `arch/s390/mm/fault.c` to see how it can be affected. |
| 4/2 | 2026/07/17 17:19 | tool | grepper |
0mArgs:{
"Expression": "do_secure_storage_access",
"PathPrefix": "arch/s390/mm/fault.c"
}Results: {
"Output": "arch/s390/mm/fault.c=404=NOKPROBE_SYMBOL(do_dat_exception);\n--\narch/s390/mm/fault.c-407-\narch/s390/mm/fault.c:408:void do_secure_storage_access(struct pt_regs *regs)\narch/s390/mm/fault.c-409-{\n--\narch/s390/mm/fault.c-476-}\narch/s390/mm/fault.c:477:NOKPROBE_SYMBOL(do_secure_storage_access);\narch/s390/mm/fault.c-478-\n"
} |
| 5/2 | 2026/07/17 17:19 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 2801 output: 41 thoughts: 29 Thoughts: Okay, here's my interpretation of that thought process, tailored for an expert audience, and written in the first person: **Diving into `do_secure_storage_access` in s390 Fault Handling** Alright, my internal review has led me to focus on `do_secure_storage_access` within `arch/s390/mm/fault.c`. I know this is a critical spot for handling memory access issues, particularly those related to secure storage on the s390 architecture. Given the context of what I've been investigating, understanding precisely how this function works is going to be key. I need to refresh my understanding of how fault handling interacts with the secure storage mechanisms on the platform. Specifically, I'm going to look at how it deals with page faults related to protected memory regions, potential permission violations, and any related security checks performed. I suspect I need to pay close attention to the interaction with the hardware's storage key facilities as well. My goal is to grasp how these access control mechanisms prevent unauthorized data access and how the kernel handles these situations. This is an essential step in whatever issue or improvement I'm working on right now. |
| 6/2 | 2026/07/17 17:19 | tool | read-file |
0mArgs:{
"File": "arch/s390/mm/fault.c",
"FirstLine": 400,
"LineCount": 100
}Results: {
"Contents": " 400:\tvoid do_dat_exception(struct pt_regs *regs)\n 401:\t{\n 402:\t\tdo_exception(regs, VM_ACCESS_FLAGS);\n 403:\t}\n 404:\tNOKPROBE_SYMBOL(do_dat_exception);\n 405:\t\n 406:\t#if IS_ENABLED(CONFIG_KVM)\n 407:\t\n 408:\tvoid do_secure_storage_access(struct pt_regs *regs)\n 409:\t{\n 410:\t\tunion teid teid = { .val = regs-\u003eint_parm_long };\n 411:\t\tunsigned long addr = get_fault_address(regs);\n 412:\t\tstruct vm_area_struct *vma;\n 413:\t\tstruct folio_walk fw;\n 414:\t\tstruct mm_struct *mm;\n 415:\t\tstruct folio *folio;\n 416:\t\tint rc;\n 417:\t\n 418:\t\t/*\n 419:\t\t * Bit 61 indicates if the address is valid, if it is not the\n 420:\t\t * kernel should be stopped or SIGSEGV should be sent to the\n 421:\t\t * process. Bit 61 is not reliable without the misc UV feature,\n 422:\t\t * therefore this needs to be checked too.\n 423:\t\t */\n 424:\t\tif (uv_has_feature(BIT_UV_FEAT_MISC) \u0026\u0026 !teid.b61) {\n 425:\t\t\t/*\n 426:\t\t\t * When this happens, userspace did something that it\n 427:\t\t\t * was not supposed to do, e.g. branching into secure\n 428:\t\t\t * memory. Trigger a segmentation fault.\n 429:\t\t\t */\n 430:\t\t\tif (user_mode(regs)) {\n 431:\t\t\t\tsend_sig(SIGSEGV, current, 0);\n 432:\t\t\t\treturn;\n 433:\t\t\t}\n 434:\t\t\t/*\n 435:\t\t\t * The kernel should never run into this case and\n 436:\t\t\t * there is no way out of this situation.\n 437:\t\t\t */\n 438:\t\t\tpanic(\"Unexpected PGM 0x3d with TEID bit 61=0\");\n 439:\t\t}\n 440:\t\tif (is_kernel_fault(regs)) {\n 441:\t\t\tfolio = virt_to_folio((void *)addr);\n 442:\t\t\tif (unlikely(!folio_try_get(folio)))\n 443:\t\t\t\treturn;\n 444:\t\t\trc = uv_convert_from_secure(folio_to_phys(folio));\n 445:\t\t\tif (!rc)\n 446:\t\t\t\tclear_bit(PG_arch_1, \u0026folio-\u003eflags.f);\n 447:\t\t\tfolio_put(folio);\n 448:\t\t\t/*\n 449:\t\t\t * There are some valid fixup types for kernel\n 450:\t\t\t * accesses to donated secure memory. zeropad is one\n 451:\t\t\t * of them.\n 452:\t\t\t */\n 453:\t\t\tif (rc)\n 454:\t\t\t\treturn handle_fault_error_nolock(regs, 0);\n 455:\t\t} else {\n 456:\t\t\tif (faulthandler_disabled())\n 457:\t\t\t\treturn handle_fault_error_nolock(regs, 0);\n 458:\t\t\tmm = current-\u003emm;\n 459:\t\t\tvma = lock_mm_and_find_vma(mm, addr, regs);\n 460:\t\t\tif (!vma)\n 461:\t\t\t\treturn handle_fault_error_nolock(regs, SEGV_MAPERR);\n 462:\t\t\tfolio = folio_walk_start(\u0026fw, vma, addr, 0);\n 463:\t\t\tif (!folio) {\n 464:\t\t\t\tmmap_read_unlock(mm);\n 465:\t\t\t\treturn;\n 466:\t\t\t}\n 467:\t\t\t/* arch_make_folio_accessible() needs a raised refcount. */\n 468:\t\t\tfolio_get(folio);\n 469:\t\t\trc = arch_make_folio_accessible(folio);\n 470:\t\t\tfolio_put(folio);\n 471:\t\t\tfolio_walk_end(\u0026fw, vma);\n 472:\t\t\tif (rc)\n 473:\t\t\t\tsend_sig(SIGSEGV, current, 0);\n 474:\t\t\tmmap_read_unlock(mm);\n 475:\t\t}\n 476:\t}\n 477:\tNOKPROBE_SYMBOL(do_secure_storage_access);\n 478:\t\n 479:\t#endif /* CONFIG_KVM */\n"
} |
| 7/2 | 2026/07/17 17:19 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 4355 output: 117 thoughts: 139 Thoughts: **Fuzzing Target Identification** Okay, so I'm looking at this code and immediately see that the `do_secure_storage_access` function has a `#if IS_ENABLED(CONFIG_KVM)` wrapper. That's a pretty clear indicator: this functionality is dependent on the Kernel-based Virtual Machine, or `KVM`. Since it's conditional, that implies a specific execution path when KVM is enabled, and a separate one when it's not. That makes it a good candidate for fuzzing, given that path divergence. Looking into the details of the function, it seems like it modifies lock acquisition and error handling, making it even more interesting from a security perspective. It definitely warrants a closer look under the microscope of fuzzing. Now, let me just quickly double-check for any other potentially relevant configurations. Based on the documentation the `arch/s390/mm/fault.c` file has a similar profile as `do_secure_storage_access`. It's compiled specifically for the s390 architecture, which also is worth fuzzing. Alright, with these two targets identified, I'm going to set these results and proceed with further analysis. |
| 8/2 | 2026/07/17 17:19 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"KVM"
],
"FocusSymbols": [
"do_secure_storage_access"
],
"Reasoning": "The patch modifies the page fault handling for secure storage access on s390 (do_secure_storage_access). It changes how the mmap lock is acquired and how errors are handled when a VMA is not found. This is a functional change in core architecture code and should be fuzzed. The code is guarded by CONFIG_KVM.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"KVM"
],
"FocusSymbols": [
"do_secure_storage_access"
],
"Reasoning": "The patch modifies the page fault handling for secure storage access on s390 (do_secure_storage_access). It changes how the mmap lock is acquired and how errors are handled when a VMA is not found. This is a functional change in core architecture code and should be fuzzed. The code is guarded by CONFIG_KVM.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|