| From b890d03ba063cf939e9facf029787138c08ce6c2 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 9 Sep 2021 18:22:41 +0200 |
| Subject: s390/gmap: don't unconditionally call pte_unmap_unlock() in |
| __gmap_zap() |
| |
| From: David Hildenbrand <david@redhat.com> |
| |
| [ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ] |
| |
| ... otherwise we will try unlocking a spinlock that was never locked via a |
| garbage pointer. |
| |
| At the time we reach this code path, we usually successfully looked up |
| a PGSTE already; however, evil user space could have manipulated the VMA |
| layout in the meantime and triggered removal of the page table. |
| |
| Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c") |
| Signed-off-by: David Hildenbrand <david@redhat.com> |
| Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com> |
| Acked-by: Heiko Carstens <hca@linux.ibm.com> |
| Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com |
| Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| arch/s390/mm/gmap.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c |
| index 4fa7a562c6fc1..5e5a4e1f0e6cf 100644 |
| --- a/arch/s390/mm/gmap.c |
| +++ b/arch/s390/mm/gmap.c |
| @@ -684,9 +684,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) |
| vmaddr |= gaddr & ~PMD_MASK; |
| /* Get pointer to the page table entry */ |
| ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); |
| - if (likely(ptep)) |
| + if (likely(ptep)) { |
| ptep_zap_unused(gmap->mm, vmaddr, ptep, 0); |
| - pte_unmap_unlock(ptep, ptl); |
| + pte_unmap_unlock(ptep, ptl); |
| + } |
| } |
| } |
| EXPORT_SYMBOL_GPL(__gmap_zap); |
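Review bot: The new `if (likely(ptep)) {` block leaves the NULL case of `get_locked_pte()` undocumented, so a later reader sees only that the zap is silently skipped and not why a lookup can fail after a PGSTE was already found. The reasoning lives only in the commit message; a one-line comment above the check would keep it with the code, e.g. `/* The page table may be gone: user space can change the VMA layout concurrently. */`. Skipping the zap when no PTE exists appears correct, since a removed page table has nothing left to invalidate, but that is inferred from the commit description rather than from the visible lines. `__gmap_zap()` begins before this hunk, so the PGSTE lookup the message refers to is not visible here.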
| -- |
| 2.33.0 |
| |