From: David Hildenbrand
To: linux-kernel@vger.kernel.org
Cc: linux-s390@vger.kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org, David Hildenbrand, Christian Borntraeger, Janosch Frank, Cornelia Huck, Claudio Imbrenda, Heiko Carstens, Vasily Gorbik, Niklas Schnelle, Gerald Schaefer, Ulrich Weigand
Subject: [PATCH resend RFC 5/9] s390/uv: fully validate the VMA before calling follow_page()
Date: Thu, 9 Sep 2021 18:22:44 +0200
Message-Id: <20210909162248.14969-6-david@redhat.com>
In-Reply-To: <20210909162248.14969-1-david@redhat.com>
References: <20210909162248.14969-1-david@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address;
use vma_lookup() instead.

Fixes: 214d9bbcd3a6 ("s390/mm: provide memory management functions for protected KVM guests")
Signed-off-by: David Hildenbrand
---
 arch/s390/kernel/uv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c
index aeb0a15bcbb7..193205fb2777 100644
--- a/arch/s390/kernel/uv.c
+++ b/arch/s390/kernel/uv.c
@@ -227,7 +227,7 @@ int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb) uaddr = __gmap_translate(gmap, gaddr); if (IS_ERR_VALUE(uaddr)) goto out; - vma = find_vma(gmap->mm, uaddr); + vma = vma_lookup(gmap->mm, uaddr); if (!vma) goto out; /* -- 2.31.1
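Review bot: The existing `if (!vma) goto out;` after the new `vma_lookup()` call already covers the case the commit message describes (an address below `vma->vm_start`, which `find_vma()` would have resolved to the next VMA), so the hunk needs no further check; what is not visible in the context lines is what `rc` holds on the `out:` path, so please confirm that a failed lookup is reported to the caller as an error rather than success. Since the Fixes: tag is present and the race is user-triggerable, also consider adding `Cc: stable@vger.kernel.org`, and a one-line comment above the lookup noting that only the mmap sem in read mode is held, which is why the VMA must be fully validated before follow_page().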
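To make the semantic difference the commit message relies on concrete, here is an added user-space model (not kernel code and not part of this patch) of `find_vma()` versus `vma_lookup()` over a constructed VMA layout with a hole; the struct and function names `vma_model`, `model_find_vma`, `model_vma_lookup`, `find_vma_misattributes` and `vma_lookup_contains` are assumptions of this example.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed user-space model of the kernel's VMA lookup semantics
 * (not kernel code): a sorted array of [vm_start, vm_end) ranges
 * stands in for the mm's VMA tree. */
struct vma_model { unsigned long vm_start, vm_end; };

/* find_vma() semantics: first VMA with vm_end > addr. For an address
 * in a hole this is the *next* VMA, whose vm_start lies above addr. */
static const struct vma_model *
model_find_vma(const struct vma_model *vmas, size_t n, unsigned long addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr < vmas[i].vm_end)
            return &vmas[i];
    return NULL;
}

/* vma_lookup() semantics: additionally require addr >= vm_start,
 * so an address in a hole yields NULL instead of a neighbour. */
static const struct vma_model *
model_vma_lookup(const struct vma_model *vmas, size_t n, unsigned long addr)
{
    const struct vma_model *vma = model_find_vma(vmas, n, addr);
    return (vma && addr >= vma->vm_start) ? vma : NULL;
}

/* Constructed layout: two mappings with a hole [0x20000, 0x30000). */
static const struct vma_model sample_vmas[] = {
    { 0x10000, 0x20000 },
    { 0x30000, 0x40000 },
};
#define SAMPLE_N (sizeof(sample_vmas) / sizeof(sample_vmas[0]))

/* True when find_vma() hands back a VMA that does not contain addr:
 * the case in which the unpatched gmap_make_secure() would go on to
 * walk page tables outside any VMA. */
bool find_vma_misattributes(unsigned long addr)
{
    const struct vma_model *v = model_find_vma(sample_vmas, SAMPLE_N, addr);
    return v != NULL && addr < v->vm_start;
}

/* True only when vma_lookup() finds a VMA that really contains addr. */
bool vma_lookup_contains(unsigned long addr)
{
    return model_vma_lookup(sample_vmas, SAMPLE_N, addr) != NULL;
}
```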