Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/s390/mm/gmap.c | 5 +++--
+ arch/s390/mm/gmap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
-index 55cf3ed1d1fae..979e2c53a513a 100644
--- a/arch/s390/mm/gmap.c
+++ b/arch/s390/mm/gmap.c
-@@ -671,9 +671,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
-
+@@ -665,9 +665,10 @@ void __gmap_zap(struct gmap *gmap, unsig
+ vmaddr |= gaddr & ~PMD_MASK;
/* Get pointer to the page table entry */
ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
- if (likely(ptep))
}
}
EXPORT_SYMBOL_GPL(__gmap_zap);
---
-2.33.0
-
+++ /dev/null
-From d20014a393c9a02727204b3789ee45ef732a72c7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 9 Sep 2021 18:22:40 +0200
-Subject: s390/gmap: validate VMA in __gmap_zap()
-
-From: David Hildenbrand <david@redhat.com>
-
-[ Upstream commit 2d8fb8f3914b40e3cc12f8cbb74daefd5245349d ]
-
-We should not walk/touch page tables outside of VMA boundaries when
-holding only the mmap sem in read mode. Evil user space can modify the
-VMA layout just before this function runs and e.g., trigger races with
-page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
-with read mmap_sem in munmap"). The pure prescence in our guest_to_host
-radix tree does not imply that there is a VMA.
-
-Further, we should not allocate page tables (via get_locked_pte()) outside
-of VMA boundaries: if evil user space decides to map hugetlbfs to these
-ranges, bad things will happen because we suddenly have PTE or PMD page
-tables where we shouldn't have them.
-
-Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
-calling get_locked_pte().
-
-Note that gmap_discard() is different:
-zap_page_range()->unmap_single_vma() makes sure to stay within VMA
-boundaries.
-
-Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management")
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Acked-by: Heiko Carstens <hca@linux.ibm.com>
-Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/mm/gmap.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
-index a29d2e88b00ef..55cf3ed1d1fae 100644
---- a/arch/s390/mm/gmap.c
-+++ b/arch/s390/mm/gmap.c
-@@ -654,6 +654,7 @@ EXPORT_SYMBOL_GPL(gmap_fault);
- */
- void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
- {
-+ struct vm_area_struct *vma;
- unsigned long vmaddr;
- spinlock_t *ptl;
- pte_t *ptep;
-@@ -663,6 +664,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
- gaddr >> PMD_SHIFT);
- if (vmaddr) {
- vmaddr |= gaddr & ~PMD_MASK;
-+
-+ vma = vma_lookup(gmap->mm, vmaddr);
-+ if (!vma || is_vm_hugetlb_page(vma))
-+ return;
-+
- /* Get pointer to the page table entry */
- ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
- if (likely(ptep))
---
-2.33.0
-
+++ /dev/null
-From b9eaebec12377e206c0c9ed092464987a81c2dfd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 9 Sep 2021 18:22:42 +0200
-Subject: s390/mm: validate VMA in PGSTE manipulation functions
-
-From: David Hildenbrand <david@redhat.com>
-
-[ Upstream commit fe3d10024073f06f04c74b9674bd71ccc1d787cf ]
-
-We should not walk/touch page tables outside of VMA boundaries when
-holding only the mmap sem in read mode. Evil user space can modify the
-VMA layout just before this function runs and e.g., trigger races with
-page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
-with read mmap_sem in munmap"). gfn_to_hva() will only translate using
-KVM memory regions, but won't validate the VMA.
-
-Further, we should not allocate page tables outside of VMA boundaries: if
-evil user space decides to map hugetlbfs to these ranges, bad things will
-happen because we suddenly have PTE or PMD page tables where we
-shouldn't have them.
-
-Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
-calling get_locked_pte().
-
-Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Acked-by: Heiko Carstens <hca@linux.ibm.com>
-Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/mm/pgtable.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
-index ae677f814bc07..a2182d5a1a105 100644
---- a/arch/s390/mm/pgtable.c
-+++ b/arch/s390/mm/pgtable.c
-@@ -896,6 +896,7 @@ EXPORT_SYMBOL(get_guest_storage_key);
- int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc,
- unsigned long *oldpte, unsigned long *oldpgste)
- {
-+ struct vm_area_struct *vma;
- unsigned long pgstev;
- spinlock_t *ptl;
- pgste_t pgste;
-@@ -905,6 +906,10 @@ int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc,
- WARN_ON_ONCE(orc > ESSA_MAX);
- if (unlikely(orc > ESSA_MAX))
- return -EINVAL;
-+
-+ vma = vma_lookup(mm, hva);
-+ if (!vma || is_vm_hugetlb_page(vma))
-+ return -EFAULT;
- ptep = get_locked_pte(mm, hva, &ptl);
- if (unlikely(!ptep))
- return -EFAULT;
-@@ -997,10 +1002,14 @@ EXPORT_SYMBOL(pgste_perform_essa);
- int set_pgste_bits(struct mm_struct *mm, unsigned long hva,
- unsigned long bits, unsigned long value)
- {
-+ struct vm_area_struct *vma;
- spinlock_t *ptl;
- pgste_t new;
- pte_t *ptep;
-
-+ vma = vma_lookup(mm, hva);
-+ if (!vma || is_vm_hugetlb_page(vma))
-+ return -EFAULT;
- ptep = get_locked_pte(mm, hva, &ptl);
- if (unlikely(!ptep))
- return -EFAULT;
-@@ -1025,9 +1034,13 @@ EXPORT_SYMBOL(set_pgste_bits);
- */
- int get_pgste(struct mm_struct *mm, unsigned long hva, unsigned long *pgstep)
- {
-+ struct vm_area_struct *vma;
- spinlock_t *ptl;
- pte_t *ptep;
-
-+ vma = vma_lookup(mm, hva);
-+ if (!vma || is_vm_hugetlb_page(vma))
-+ return -EFAULT;
- ptep = get_locked_pte(mm, hva, &ptl);
- if (unlikely(!ptep))
- return -EFAULT;
---
-2.33.0
-
phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch
pm-hibernate-fix-sparse-warnings.patch
smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch
-s390-gmap-validate-vma-in-__gmap_zap.patch
s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch
-s390-mm-validate-vma-in-pgste-manipulation-functions.patch
irq-mips-avoid-nested-irq_enter.patch
samples-kretprobes-fix-return-value-if-register_kret.patch
libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/s390/mm/gmap.c | 5 +++--
+ arch/s390/mm/gmap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
-index a8498870bcf49..ffc1372e4c56d 100644
--- a/arch/s390/mm/gmap.c
+++ b/arch/s390/mm/gmap.c
-@@ -668,9 +668,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
-
+@@ -662,9 +662,10 @@ void __gmap_zap(struct gmap *gmap, unsig
+ vmaddr |= gaddr & ~PMD_MASK;
/* Get pointer to the page table entry */
ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
- if (likely(ptep))
}
}
EXPORT_SYMBOL_GPL(__gmap_zap);
---
-2.33.0
-
+++ /dev/null
-From 35177947f8b30a9282dc9149cb936de4c6dd487e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 9 Sep 2021 18:22:40 +0200
-Subject: s390/gmap: validate VMA in __gmap_zap()
-
-From: David Hildenbrand <david@redhat.com>
-
-[ Upstream commit 2d8fb8f3914b40e3cc12f8cbb74daefd5245349d ]
-
-We should not walk/touch page tables outside of VMA boundaries when
-holding only the mmap sem in read mode. Evil user space can modify the
-VMA layout just before this function runs and e.g., trigger races with
-page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
-with read mmap_sem in munmap"). The pure prescence in our guest_to_host
-radix tree does not imply that there is a VMA.
-
-Further, we should not allocate page tables (via get_locked_pte()) outside
-of VMA boundaries: if evil user space decides to map hugetlbfs to these
-ranges, bad things will happen because we suddenly have PTE or PMD page
-tables where we shouldn't have them.
-
-Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
-calling get_locked_pte().
-
-Note that gmap_discard() is different:
-zap_page_range()->unmap_single_vma() makes sure to stay within VMA
-boundaries.
-
-Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management")
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Acked-by: Heiko Carstens <hca@linux.ibm.com>
-Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/mm/gmap.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
-index 0195c3983f540..a8498870bcf49 100644
---- a/arch/s390/mm/gmap.c
-+++ b/arch/s390/mm/gmap.c
-@@ -651,6 +651,7 @@ EXPORT_SYMBOL_GPL(gmap_fault);
- */
- void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
- {
-+ struct vm_area_struct *vma;
- unsigned long vmaddr;
- spinlock_t *ptl;
- pte_t *ptep;
-@@ -660,6 +661,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
- gaddr >> PMD_SHIFT);
- if (vmaddr) {
- vmaddr |= gaddr & ~PMD_MASK;
-+
-+ vma = vma_lookup(gmap->mm, vmaddr);
-+ if (!vma || is_vm_hugetlb_page(vma))
-+ return;
-+
- /* Get pointer to the page table entry */
- ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
- if (likely(ptep))
---
-2.33.0
-
mwifiex-send-delba-requests-according-to-spec.patch
phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch
smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch
-s390-gmap-validate-vma-in-__gmap_zap.patch
s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch
irq-mips-avoid-nested-irq_enter.patch
samples-kretprobes-fix-return-value-if-register_kret.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
