diff options
| author | David Hildenbrand <david@redhat.com> | 2021-09-09 19:22:42 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-12-01 11:23:34 +0300 |
| commit | b23c0c4c9e0a988e7248b270daaefb38c1a29fb2 (patch) | |
| tree | d451a77f768e71b2c88f5bbb5bb13b2251eeaab9 /ipc/shm.c | |
| parent | 3c9a213e0edbeb993d2da06ce99588612d433134 (diff) | |
| download | linux-b23c0c4c9e0a988e7248b270daaefb38c1a29fb2.tar.xz | |
s390/mm: validate VMA in PGSTE manipulation functions
commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.
We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap"). gfn_to_hva() will only translate using
KVM memory regions, but won't validate the VMA.
Further, we should not allocate page tables outside of VMA boundaries: if
evil user space decides to map hugetlbfs to these ranges, bad things will
happen because we suddenly have PTE or PMD page tables where we
shouldn't have them.
Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
calling get_locked_pte().
Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'ipc/shm.c')
0 files changed, 0 insertions, 0 deletions