From: Greg KH <gregkh@linuxfoundation.org>
To: David Hildenbrand <david@redhat.com>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
	borntraeger@de.ibm.com, hca@linux.ibm.com,
	imbrenda@linux.ibm.com
Subject: Re: [PATCH for 4.14-stable] s390/mm: validate VMA in PGSTE manipulation functions
Date: Mon, 29 Nov 2021 13:30:58 +0100	[thread overview]
Message-ID: <YaTIAiR9NVQBPUBE@kroah.com> (raw)
In-Reply-To: <7fdab1f3-abf7-1214-8d74-8cdcc6d96918@redhat.com>

On Mon, Nov 29, 2021 at 09:40:32AM +0100, David Hildenbrand wrote:
> On 28.11.21 12:54, Greg KH wrote:
> > On Fri, Nov 26, 2021 at 06:15:36PM +0100, David Hildenbrand wrote:
> >> commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.
> >>
> >> We should not walk/touch page tables outside of VMA boundaries when
> >> holding only the mmap sem in read mode. Evil user space can modify the
> >> VMA layout just before this function runs and e.g., trigger races with
> >> page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
> >> with read mmap_sem in munmap"). gfn_to_hva() will only translate using
> >> KVM memory regions, but won't validate the VMA.
> >>
> >> Further, we should not allocate page tables outside of VMA boundaries: if
> >> evil user space decides to map hugetlbfs to these ranges, bad things will
> >> happen because we suddenly have PTE or PMD page tables where we
> >> shouldn't have them.
> >>
> >> Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
> >> calling get_locked_pte().
> >>
> >> Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
> >> Signed-off-by: David Hildenbrand <david@redhat.com>
> >> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
> >> Acked-by: Heiko Carstens <hca@linux.ibm.com>
> >> Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
> >> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> >> Signed-off-by: David Hildenbrand <david@redhat.com>
> >> ---
> >>  arch/s390/mm/pgtable.c | 13 +++++++++++++
> >>  1 file changed, 13 insertions(+)
> > 
> > What about for 5.10-stable and 5.4-stable and 4.19-stable?  Will this
> > commit work there as well?
> 
> Good point, I only have "FAILED: patch "[PATCH] s390/mm: validate VMA in
> PGSTE manipulation functions" failed to apply to 4.14-stable tree" in my
> inbox ... but maybe I accidentally deleted the others.

No, odd, I did not send those out, sorry about that.

> This commit can also be used for:
> - 4.19-stable
> - 5.4-stable
> - 5.10-stable

Thanks, will go take this now for all of those.

greg k-h
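As an added illustration (not the patch itself, of which this page only shows the diffstat), here is a user-space C model of the guard the commit message describes: stay inside a VMA and refuse hugetlbfs VMAs before touching page tables. The `mock_vma`, `mock_mm` and `mock_vma_lookup` names are hypothetical stand-ins for the kernel's VMA list and lookup helpers, and the sample layout is constructed.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical user-space stand-in for the kernel's VMA list:
 * each entry covers [vm_start, vm_end) and carries a flag word. */
#define MOCK_VM_HUGETLB (1UL << 0)

struct mock_vma {
	unsigned long vm_start, vm_end, vm_flags;
};

struct mock_mm {
	const struct mock_vma *vmas;
	size_t nr;
};

/* Return the VMA that contains addr, or NULL when addr falls in a hole.
 * A VMA that starts above addr does not count: the address must be
 * inside its boundaries, not merely below some later mapping. */
static const struct mock_vma *mock_vma_lookup(const struct mock_mm *mm,
					      unsigned long addr)
{
	for (size_t i = 0; i < mm->nr; i++) {
		const struct mock_vma *v = &mm->vmas[i];
		if (addr >= v->vm_start && addr < v->vm_end)
			return v;
	}
	return NULL;
}

/* The guard described in the commit message: refuse to walk or allocate
 * page tables for addr unless it lies inside a VMA, and refuse hugetlbfs
 * VMAs, which have no PTE/PMD page tables for get_locked_pte() to use.
 * Returns 0 when the address may be used, -EFAULT otherwise. */
static int pgste_addr_check(const struct mock_mm *mm, unsigned long addr)
{
	const struct mock_vma *vma = mock_vma_lookup(mm, addr);

	if (!vma || (vma->vm_flags & MOCK_VM_HUGETLB))
		return -EFAULT;
	return 0;
}

/* Constructed layout: a normal VMA, a hole, then a hugetlbfs VMA. */
static const struct mock_vma sample_vmas[] = {
	{ 0x10000, 0x20000, 0 },
	{ 0x30000, 0x40000, MOCK_VM_HUGETLB },
};
static const struct mock_mm sample_mm = { sample_vmas, 2 };
```

The real check must be re-evaluated under the mmap lock each time the function runs, because, as the commit message notes, user space can change the VMA layout between calls.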

Thread overview:
2021-11-17 17:52 FAILED: patch "[PATCH] s390/mm: validate VMA in PGSTE manipulation functions" failed to apply to 4.14-stable tree gregkh
2021-11-26 17:15 ` [PATCH for 4.14-stable] s390/mm: validate VMA in PGSTE manipulation functions David Hildenbrand
2021-11-28 11:54   ` Greg KH
2021-11-29  8:40     ` David Hildenbrand
2021-11-29 12:30       ` Greg KH [this message]