diff options
| author | David Hildenbrand <david@redhat.com> | 2021-09-09 19:22:41 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-11-26 13:36:10 +0300 |
| commit | 3ad30172906bbbbe00701a2d361a40c2357905e5 (patch) | |
| tree | 3fb281465c8568293f133ac7b8f128063a599d0f /arch/s390 | |
| parent | f85450ca01ee6a4bd9c6fe4f10656661e931d241 (diff) | |
| download | linux-3ad30172906bbbbe00701a2d361a40c2357905e5.tar.xz | |
s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ]
... otherwise we will try unlocking a spinlock that was never locked via a
garbage pointer.
At the time we reach this code path, we usually successfully looked up
a PGSTE already; however, evil user space could have manipulated the VMA
layout in the meantime and triggered removal of the page table.
Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'arch/s390')
| -rw-r--r-- | arch/s390/mm/gmap.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c index 7cde0f2f52e1..65ccb9d79727 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c @@ -684,9 +684,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) vmaddr |= gaddr & ~PMD_MASK; /* Get pointer to the page table entry */ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); - if (likely(ptep)) + if (likely(ptep)) { ptep_zap_unused(gmap->mm, vmaddr, ptep, 0); - pte_unmap_unlock(ptep, ptl); + pte_unmap_unlock(ptep, ptl); + } } } EXPORT_SYMBOL_GPL(__gmap_zap); |