From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Niklas Schnelle, "Liam R. Howlett", David Hildenbrand, Vasily Gorbik
Subject: [PATCH 5.14 073/168] s390/pci_mmio: fully validate the VMA before calling follow_pte()
Date: Mon, 20 Sep 2021 18:43:31 +0200
Message-Id: <20210920163924.041752812@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210920163921.633181900@linuxfoundation.org>
References: <20210920163921.633181900@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Hildenbrand

commit a8b92b8c1eac8d655a97b1e90f4d83c25d9b9a18 upstream.

We should not walk/touch page tables outside of VMA boundaries when holding only the mmap sem in read mode. Evil user space can modify the VMA layout just before this function runs and e.g., trigger races with page table removal code since commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address; use vma_lookup() instead.

Reviewed-by: Niklas Schnelle
Reviewed-by: Liam R. Howlett
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Signed-off-by: David Hildenbrand
Signed-off-by: Vasily Gorbik
Signed-off-by: Greg Kroah-Hartman
---
 arch/s390/pci/pci_mmio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/s390/pci/pci_mmio.c
+++ b/arch/s390/pci/pci_mmio.c
@@ -159,7 +159,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, uns mmap_read_lock(current->mm); ret = -EINVAL; - vma = find_vma(current->mm, mmio_addr); + vma = vma_lookup(current->mm, mmio_addr); if (!vma) goto out_unlock_mmap; if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) 
@@ -298,7 +298,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsi mmap_read_lock(current->mm); ret = -EINVAL; - vma = find_vma(current->mm, mmio_addr); + vma = vma_lookup(current->mm, mmio_addr); if (!vma) goto out_unlock_mmap; if (!(vma->vm_flags & (VM_IO | VM_PFNMAP)))
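Review bot: the same two-line change is applied verbatim in both hunks (s390_pci_mmio_write at line 159 and s390_pci_mmio_read at line 298), so the lookup plus the `if (!vma)` and `VM_IO | VM_PFNMAP` checks are now duplicated across both syscalls; hoisting that sequence into a small shared helper would keep the two paths from drifting apart the next time one of them is fixed. The substitution itself is correct and the important part of the fix: find_vma() returns the first VMA whose end lies above mmio_addr, which may be a VMA that starts above mmio_addr, so the flag check and the follow_pte() that follows it could run against a mapping that does not actually contain the address, while vma_lookup() only succeeds when mmio_addr falls inside [vm_start, vm_end). For a stable backport, confirm that the target tree already provides vma_lookup(); nothing in the diff adds or declares it.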