git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	David Hildenbrand <david@redhat.com>
	Thu, 9 Sep 2021 16:22:42 +0000 (18:22 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 1 Dec 2021 08:27:43 +0000 (09:27 +0100)
commit	b2a7e63edf21b3598f1eaec060f971102f735311
tree	5ca39bf647f993931baf75803b68dffade27a0fb	tree
parent	2692931d92d83afaa636703e95203d53629ca7c1	commit \| diff

s390/mm: validate VMA in PGSTE manipulation functions

commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap"). gfn_to_hva() will only translate using
KVM memory regions, but won't validate the VMA.

Further, we should not allocate page tables outside of VMA boundaries: if
evil user space decides to map hugetlbfs to these ranges, bad things will
happen because we suddenly have PTE or PMD page tables where we
shouldn't have them.

Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
calling get_locked_pte().

Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>