From: David Hildenbrand
To: linux-kernel@vger.kernel.org
Cc: linux-s390@vger.kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org, David Hildenbrand, Christian Borntraeger, Janosch Frank, Cornelia Huck, Claudio Imbrenda, Heiko Carstens, Vasily Gorbik, Niklas Schnelle, Gerald Schaefer, Ulrich Weigand
Subject: [PATCH resend RFC 6/9] s390/pci_mmio: fully validate the VMA before calling follow_pte()
Date: Thu, 9 Sep 2021 18:22:45 +0200
Message-Id: <20210909162248.14969-7-david@redhat.com>
In-Reply-To: <20210909162248.14969-1-david@redhat.com>
References: <20210909162248.14969-1-david@redhat.com>

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address;
use vma_lookup() instead.

Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Signed-off-by: David Hildenbrand
---
 arch/s390/pci/pci_mmio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/pci/pci_mmio.c b/arch/s390/pci/pci_mmio.c
index ae683aa623ac..c5b35ea129cf 100644
--- a/arch/s390/pci/pci_mmio.c
+++ b/arch/s390/pci/pci_mmio.c
@@ -159,7 +159,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, unsigned long, mmio_addr, mmap_read_lock(current->mm); ret = -EINVAL; - vma = find_vma(current->mm, mmio_addr); + vma = vma_lookup(current->mm, mmio_addr); if (!vma) goto out_unlock_mmap; if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) @@ -298,7 +298,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned long, mmio_addr, mmap_read_lock(current->mm); ret = -EINVAL; - vma = find_vma(current->mm, mmio_addr); + vma = vma_lookup(current->mm, mmio_addr); if (!vma) goto out_unlock_mmap; if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) -- 2.31.1
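Review bot: in the s390_pci_mmio_write hunk, the Fixes: tag names dd2283f2605e, so this change will be routed to the stable trees that carry that commit; if vma_lookup() is not available in all of them, the backport needs the open-coded equivalent, `vma = find_vma(current->mm, mmio_addr);` followed by `if (!vma || mmio_addr < vma->vm_start) goto out_unlock_mmap;`. A line below the `---` marker (or a Cc: stable tag) saying so would save the backporter a round trip.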
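Review bot: in the s390_pci_mmio_read hunk, the new lookup validates only mmio_addr itself; nothing in the hunk bounds mmio_addr plus the access length against vma->vm_end. If an earlier check in the function already confines the access to the page containing mmio_addr this is sufficient, since VMAs are page-aligned, but the commit message should say so, because its stated goal is to never touch page tables outside VMA boundaries.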
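The gap the commit message describes, find_vma() returning a VMA for an address that lies below that VMA's vm_start, as an added example that is not part of this patch, of arch/s390/pci/pci_mmio.c, or of the kernel: a user-space C model of the two lookups over a constructed VMA layout, with the VM_IO/VM_PFNMAP check from the hunks applied after each. The names model_find_vma(), model_vma_lookup() and validate_mmio_addr(), and the address layout, are inventions of this example.

```c
/*
 * Added example (not kernel code, not part of this patch): a user-space
 * model of find_vma() vs. vma_lookup() over a constructed VMA list, to show
 * what the extra vm_start check in the patch rules out.  The names
 * model_find_vma(), model_vma_lookup() and validate_mmio_addr() are
 * inventions of this example; the VMA layout below is constructed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define VM_PFNMAP 0x00000400UL
#define VM_IO     0x00004000UL

struct vma {
    unsigned long vm_start;  /* first address covered, inclusive */
    unsigned long vm_end;    /* one past the last address covered */
    unsigned long vm_flags;
};

/* Constructed layout, sorted by address, with an unmapped hole in between. */
static const struct vma vmas[] = {
    { 0x10000UL, 0x20000UL, 0 },                  /* plain anonymous mapping */
    /* unmapped hole: 0x20000 .. 0x2ffff */
    { 0x30000UL, 0x40000UL, VM_IO | VM_PFNMAP },  /* "MMIO" mapping */
};
#define NR_VMAS (sizeof(vmas) / sizeof(vmas[0]))

/*
 * Model of find_vma(): the first VMA whose vm_end lies above addr, or NULL.
 * As in the kernel, addr may be *below* vm_start of the VMA returned, i.e.
 * an address inside a hole still yields the next VMA above it.
 */
const struct vma *model_find_vma(unsigned long addr)
{
    for (size_t i = 0; i < NR_VMAS; i++)
        if (addr < vmas[i].vm_end)
            return &vmas[i];
    return NULL;
}

/* Model of vma_lookup(): the VMA that actually contains addr, or NULL. */
const struct vma *model_vma_lookup(unsigned long addr)
{
    const struct vma *vma = model_find_vma(addr);

    if (vma && addr < vma->vm_start)
        return NULL;
    return vma;
}

/*
 * The checks from the patched syscalls up to the point where the page
 * table walk (follow_pte() in the kernel) would start.  Returns 0 when the
 * walk would proceed, -EINVAL when the syscall would bail out.
 */
int validate_mmio_addr(unsigned long addr, bool use_vma_lookup)
{
    const struct vma *vma = use_vma_lookup ? model_vma_lookup(addr)
                                           : model_find_vma(addr);

    if (!vma)
        return -EINVAL;
    if (!(vma->vm_flags & (VM_IO | VM_PFNMAP)))
        return -EINVAL;
    return 0;  /* the page-table walk at addr would follow here */
}

int main(void)
{
    const unsigned long probes[] = { 0x18000UL, 0x28000UL, 0x38000UL, 0x50000UL };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        unsigned long addr = probes[i];
        const struct vma *fv = model_find_vma(addr);
        const struct vma *lv = model_vma_lookup(addr);

        printf("addr 0x%lx: find_vma -> %s, vma_lookup -> %s; "
               "walk with find_vma: %s, with vma_lookup: %s\n",
               addr,
               fv ? "VMA" : "NULL", lv ? "VMA" : "NULL",
               validate_mmio_addr(addr, false) ? "refused" : "ALLOWED",
               validate_mmio_addr(addr, true) ? "refused" : "ALLOWED");
    }
    return 0;
}
```

Build it with a plain `cc model.c && ./a.out`. For the probe in the hole (0x28000), find_vma() hands back the MMIO VMA and the flag check passes, so the pre-patch code would have gone on to follow_pte() for an address no VMA covers; vma_lookup() returns NULL there and the syscall fails with -EINVAL, which is exactly the difference the two hunks buy.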