Commit 20701190e0 for qemu.org

commit 20701190e023216d0213a107a491402ce2cc501e
Author: Christian Borntraeger <borntraeger@linux.ibm.com>
Date:   Thu Jul 9 16:29:05 2026 +0200

    s390x/sclp: prevent re-reading the sclp header

    We verify the sccb length and then allocate based on that length. The
    following access re-reads the sccb again. This can race against other
    vCPUs overwriting the length field.

    sclp_service_call_protected does not need a change as the ultravisor
    provides a consistent snapshot.

    Fixes: c1db53a5910f ("s390/sclp: read sccb from mem based on provided length")
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
    Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
    Reviewed-by: Eric Farman <farman@linux.ibm.com>
    Reviewed-by: Collin Walling <walling@linux.ibm.com>
    Message-ID: <20260709142906.197474-2-borntraeger@linux.ibm.com>
    Signed-off-by: Cornelia Huck <cohuck@redhat.com>

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 2d2cde7803..3c8cb16488 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -329,7 +329,8 @@ int sclp_service_call(S390CPU *cpu, uint64_t sccb, uint32_t code)
     /*
      * we want to work on a private copy of the sccb, to prevent guests
      * from playing dirty tricks by modifying the memory content after
-     * the host has checked the values
+     * the host has checked the values.
+     * Reuse the previously fetched header
      */
     work_sccb = g_malloc0(be16_to_cpu(header.length));
     ret = address_space_read(as, sccb, attrs,
@@ -337,6 +338,7 @@ int sclp_service_call(S390CPU *cpu, uint64_t sccb, uint32_t code)
     if (ret != MEMTX_OK) {
         return -PGM_ADDRESSING;
     }
+    work_sccb->h = header;

     if (!sclp_command_code_valid(code)) {
         work_sccb->h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);