From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, David Hildenbrand, Claudio Imbrenda, Heiko Carstens, "Liam R. Howlett", Christian Borntraeger, Sasha Levin
Subject: [PATCH 5.15 510/917] s390/uv: fully validate the VMA before calling follow_page()
Date: Mon, 15 Nov 2021 18:00:05 +0100
Message-Id: <20211115165446.053855028@linuxfoundation.org>
In-Reply-To: <20211115165428.722074685@linuxfoundation.org>
References: <20211115165428.722074685@linuxfoundation.org>

From: David Hildenbrand

[ Upstream commit 46c22ffd2772201662350bc7b94b9ea9d3ee5ac2 ]

We should not walk/touch page tables outside of VMA boundaries when holding only the mmap sem in read mode. Evil user space can modify the VMA layout just before this function runs and e.g., trigger races with page table removal code since commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address; use vma_lookup() instead.

Fixes: 214d9bbcd3a6 ("s390/mm: provide memory management functions for protected KVM guests")
Signed-off-by: David Hildenbrand
Reviewed-by: Claudio Imbrenda
Acked-by: Heiko Carstens
Reviewed-by: Liam R. Howlett
Link: https://lore.kernel.org/r/20210909162248.14969-6-david@redhat.com
Signed-off-by: Christian Borntraeger
Signed-off-by: Sasha Levin
---
 arch/s390/kernel/uv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c index 5a656c7b7a67a..f95ccbd396925 100644 --- a/arch/s390/kernel/uv.c +++ b/arch/s390/kernel/uv.c 
@@ -212,7 +212,7 @@ again: uaddr = __gmap_translate(gmap, gaddr); if (IS_ERR_VALUE(uaddr)) goto out; - vma = find_vma(gmap->mm, uaddr); + vma = vma_lookup(gmap->mm, uaddr); if (!vma) goto out; /* -- 2.33.0
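Review bot: with `vma_lookup()` in the `again:` path, `if (!vma) goto out;` is now also taken when `uaddr` falls in an unmapped gap below the next VMA, and the hunk does not show which return value is set at that point; please confirm that the value reaching `out` is the intended error for an unmapped address. A one-line comment above the lookup stating that `find_vma()` does not check `uaddr` against the VMA start address, as the commit message explains, would also keep a later cleanup from switching the call back.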
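The lookup difference the commit message describes, as an added userspace model in C (not kernel code and not part of the patch). The names `model_vma`, `model_find_vma()`, `model_vma_lookup()` and the two-entry layout are constructed for illustration and mirror only the lookup semantics, not locking or the real VMA data structure.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model of a VMA: the half-open range [vm_start, vm_end). */
struct model_vma {
    unsigned long vm_start;
    unsigned long vm_end;
};

/* Constructed sample layout, sorted by address, with an unmapped gap
 * between 0x3000 and 0x8000. */
static const struct model_vma layout[] = {
    { 0x1000, 0x3000 },
    { 0x8000, 0xa000 },
};
#define NR_VMAS (sizeof(layout) / sizeof(layout[0]))

/* find_vma() semantics: first VMA with addr < vm_end; vm_start is not checked. */
static const struct model_vma *model_find_vma(unsigned long addr)
{
    for (size_t i = 0; i < NR_VMAS; i++)
        if (addr < layout[i].vm_end)
            return &layout[i];
    return NULL;
}

/* vma_lookup() semantics: the returned VMA must actually contain addr. */
static const struct model_vma *model_vma_lookup(unsigned long addr)
{
    const struct model_vma *vma = model_find_vma(addr);

    if (vma && addr < vma->vm_start)
        return NULL;
    return vma;
}

int main(void)
{
    unsigned long uaddr = 0x5000; /* constructed: lies in the unmapped gap */
    const struct model_vma *a = model_find_vma(uaddr);
    const struct model_vma *b = model_vma_lookup(uaddr);

    printf("find_vma:   %s\n", a ? "non-NULL (VMA above uaddr)" : "NULL");
    printf("vma_lookup: %s\n", b ? "non-NULL" : "NULL");
    return 0;
}
```

With the `find_vma()` behaviour, a caller that only tests for NULL proceeds with a VMA that does not cover `uaddr`, which is the out-of-bounds page table walk the patch closes.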