From: Janosch Frank
To: stable@vger.kernel.org
Cc: borntraeger@de.ibm.com
Subject: [PATCH 4.4] s390/mm: Check for valid vma before zapping in gmap_discard
Date: Thu, 8 Nov 2018 09:37:32 +0100
Message-Id: <1541666252-18470-1-git-send-email-frankja@linux.ibm.com>
Sender: stable-owner@vger.kernel.org

From: Janosch Frank

Userspace could have munmapped the area before doing unmapping from the gmap. This would leave us with a valid vmaddr, but an invalid vma from which we would try to zap memory.

Let's check before using the vma.

Function was moved with 1e133ab296f3 in v4.6. Is 1843abd upstream.

Fixes: 388186b ("kvm: Handle diagnose 0x10 (release pages)")
Signed-off-by: Janosch Frank
Reviewed-by: David Hildenbrand
Reported-by: Dan Carpenter
CC: # 4.4
--- arch/s390/mm/pgtable.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c index 05ae254..1866b6a 100644 --- a/arch/s390/mm/pgtable.c +++ b/arch/s390/mm/pgtable.c 
@@ -637,6 +637,8 @@ void gmap_discard(struct gmap *gmap, unsigned long from, unsigned long to) vmaddr |= gaddr & ~PMD_MASK; /* Find vma in the parent mm */ vma = find_vma(gmap->mm, vmaddr); + if (!vma) + continue; size = min(to - gaddr, PMD_SIZE - (gaddr & ~PMD_MASK)); zap_page_range(vma, vmaddr, size, NULL); } -- 2.7.4
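Review bot: The added `if (!vma) continue;` after `find_vma(gmap->mm, vmaddr)` only covers the case where no vma ends above vmaddr. find_vma() returns the first vma whose vm_end is greater than the address, so after a munmap it can return a neighbouring vma that starts above vmaddr, and zap_page_range() is then called with a vma that does not contain vmaddr. Consider also skipping the iteration when `vmaddr < vma->vm_start`, or say in the commit message why that case cannot occur here, and check whether `size` can extend past vma->vm_end. For the stable backport, the upstream reference would be easier to verify as a full commit id than as the abbreviated 1843abd.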