From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Niklas Schnelle, "Liam R. Howlett", David Hildenbrand, Vasily Gorbik
Subject: [PATCH 5.4 08/50] s390/pci_mmio: fully validate the VMA before calling follow_pte()
Date: Fri, 24 Sep 2021 14:43:57 +0200
Message-Id: <20210924124332.514704761@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210924124332.229289734@linuxfoundation.org>
References: <20210924124332.229289734@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Hildenbrand

commit a8b92b8c1eac8d655a97b1e90f4d83c25d9b9a18 upstream.

We should not walk/touch page tables outside of VMA boundaries when holding only the mmap sem in read mode. Evil user space can modify the VMA layout just before this function runs and e.g., trigger races with page table removal code since commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address; use vma_lookup() instead.

Reviewed-by: Niklas Schnelle
Reviewed-by: Liam R. Howlett
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Signed-off-by: David Hildenbrand
Signed-off-by: Vasily Gorbik
Signed-off-by: Greg Kroah-Hartman
---
 arch/s390/pci/pci_mmio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/pci/pci_mmio.c +++ b/arch/s390/pci/pci_mmio.c @@ -128,7 +128,7 @@ static long get_pfn(unsigned long user_a down_read(¤t->mm->mmap_sem); ret = -EINVAL; vma = find_vma(current->mm, user_addr); - if (!vma) + if (!vma || user_addr < vma->vm_start) goto out; ret = -EACCES; if (!(vma->vm_flags & access))
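Review bot: the commit message says "use vma_lookup() instead", but the hunk keeps find_vma() and open-codes the range check as `if (!vma || user_addr < vma->vm_start)`, presumably because vma_lookup() is not available in 5.4; that is the right shape for a backport, since the open-coded condition is exactly the extra check vma_lookup() adds over find_vma(), but the deviation from the upstream description should be recorded in the message (for example a bracketed note such as "[ open-coded: vma_lookup() is not available in 5.4 ]") so readers comparing against the upstream commit do not look for a helper that is not there. The check itself is sound: find_vma() returns the first VMA with vm_end > user_addr, which may start above user_addr when the address lies in a hole, and rejecting that case before the vm_flags access check keeps the already-assigned `ret = -EINVAL` for an unmapped address rather than falling through to the -EACCES path.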
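As an added user-space model (not kernel code and not part of this patch) of the two lookup semantics the commit message contrasts: find_vma() returns the first VMA whose vm_end lies above the address, so an address in a hole between mappings yields the next VMA, while vma_lookup(), like the open-coded check in this hunk, rejects that case. The VMA array, the hole and the probe addresses are constructed for the example.

```c
#include <stddef.h>
#include <stdbool.h>

/* Minimal model of a VMA: covers [vm_start, vm_end). The array below is
 * sorted and non-overlapping, like an mm's VMA list (constructed sample). */
struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;
};

/* Mirrors find_vma() semantics: first VMA whose vm_end > addr. When addr
 * falls in a hole between mappings this returns the *next* VMA, whose
 * vm_start is above addr. */
static const struct vma_model *model_find_vma(const struct vma_model *v,
                                              size_t n, unsigned long addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr < v[i].vm_end)
            return &v[i];
    return NULL;
}

/* Mirrors vma_lookup(): find_vma() plus the addr >= vm_start check that the
 * patch open-codes in get_pfn(). Returns NULL for an address in a hole. */
static const struct vma_model *model_vma_lookup(const struct vma_model *v,
                                                size_t n, unsigned long addr)
{
    const struct vma_model *vma = model_find_vma(v, n, addr);
    if (!vma || addr < vma->vm_start)
        return NULL;
    return vma;
}

/* Constructed layout: two mappings with a hole at [0x3000, 0x5000). */
static const struct vma_model sample_vmas[] = {
    { 0x1000, 0x3000 },
    { 0x5000, 0x7000 },
};
#define SAMPLE_N (sizeof(sample_vmas) / sizeof(sample_vmas[0]))

/* True when the unchecked lookup hands back a VMA for an address that no
 * mapping covers, i.e. the case the patch's extra condition guards against. */
bool unchecked_lookup_overshoots(unsigned long addr)
{
    const struct vma_model *a = model_find_vma(sample_vmas, SAMPLE_N, addr);
    const struct vma_model *b = model_vma_lookup(sample_vmas, SAMPLE_N, addr);
    return a != NULL && b == NULL;
}
```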