aboutsummaryrefslogtreecommitdiff
path: root/tools/lib/api
diff options
context:
space:
mode:
authorDavid Hildenbrand <[email protected]>2021-09-09 18:22:40 +0200
committerChristian Borntraeger <[email protected]>2021-10-25 09:20:38 +0200
commit2d8fb8f3914b40e3cc12f8cbb74daefd5245349d (patch)
tree8ab1a00bbe974b7ba1a4080be14d375c3fbb43f2 /tools/lib/api
parent0e9ff65f455dfd0a8aea5e7843678ab6fe097e21 (diff)
s390/gmap: validate VMA in __gmap_zap()
We should not walk/touch page tables outside of VMA boundaries when holding only the mmap sem in read mode. Evil user space can modify the VMA layout just before this function runs and e.g., trigger races with page table removal code since commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"). The pure prescence in our guest_to_host radix tree does not imply that there is a VMA. Further, we should not allocate page tables (via get_locked_pte()) outside of VMA boundaries: if evil user space decides to map hugetlbfs to these ranges, bad things will happen because we suddenly have PTE or PMD page tables where we shouldn't have them. Similarly, we have to check if we suddenly find a hugetlbfs VMA, before calling get_locked_pte(). Note that gmap_discard() is different: zap_page_range()->unmap_single_vma() makes sure to stay within VMA boundaries. Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management") Signed-off-by: David Hildenbrand <[email protected]> Reviewed-by: Claudio Imbrenda <[email protected]> Acked-by: Heiko Carstens <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Christian Borntraeger <[email protected]>
Diffstat (limited to 'tools/lib/api')
0 files changed, 0 insertions, 0 deletions