From: Martin Schwidefsky Date: Thu, 31 Aug 2017 11:18:22 +0000 (+0200) Subject: s390/mm: fix BUG_ON in crst_table_upgrade X-Git-Tag: v4.12.12~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3b9fb20262fcd0a39a48cf5f0ff1ad7e00f37dc;p=thirdparty%2Fkernel%2Fstable.git s390/mm: fix BUG_ON in crst_table_upgrade commit 8ab867cb0806a8e195de161fd8883a0578d1d050 upstream. A 31-bit compat process can force a BUG_ON in crst_table_upgrade with specific, invalid mmap calls, e.g. mmap((void*) 0x7fff8000, 0x10000, 3, 32, -1, 0) The arch_get_unmapped_area[_topdown] functions miss an if condition in the decision to do a page table upgrade. [ms: Backport to 4.12, minor context change] Fixes: 9b11c7912d00 ("s390/mm: simplify arch_get_unmapped_area[_topdown]") Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman --- diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c index b854b1da281a3..888bee99fe645 100644 --- a/arch/s390/mm/mmap.c +++ b/arch/s390/mm/mmap.c @@ -119,7 +119,8 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, return addr; check_asce_limit: - if (addr + len > current->mm->context.asce_limit) { + if (addr + len > current->mm->context.asce_limit && + addr + len <= TASK_SIZE) { rc = crst_table_upgrade(mm); if (rc) return (unsigned long) rc; @@ -183,7 +184,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, } check_asce_limit: - if (addr + len > current->mm->context.asce_limit) { + if (addr + len > current->mm->context.asce_limit && + addr + len <= TASK_SIZE) { rc = crst_table_upgrade(mm); if (rc) return (unsigned long) rc;
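Review bot: in the new check_asce_limit condition of arch_get_unmapped_area, a request with `addr + len > TASK_SIZE` now skips crst_table_upgrade(), but the hunk shows no error return for that case, so the function appears to fall through and hand back an address that would end beyond the task's address space, relying on a caller to reject it. Either return an error there (`return -ENOMEM;` or similar) or add a comment at the label stating which caller rejects the out-of-range request, so the next reader does not mistake the silent fall-through for a bug. The condition also mixes `current->mm->context.asce_limit` with `crst_table_upgrade(mm)`; using `mm->context.asce_limit` keeps both on the same mm.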
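Review bot: the check_asce_limit block in arch_get_unmapped_area_topdown is now a character-for-character copy of the one in arch_get_unmapped_area, and the bug being fixed here arose from both copies missing the same condition, so the two are likely to drift again. Factoring the check into one static helper (for example `check_asce_limit(mm, addr, len)` returning the error code or zero) and calling it from both functions would keep a future fix from having to be applied twice. The same `current->mm` versus `mm` mix noted for the first hunk applies to this one.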