Commit 5b479a4a authored Sep 09, 2021 by David Hildenbrand Committed by Greg Kroah-Hartman Nov 26, 2021

s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()



[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ]

... otherwise we will try unlocking a spinlock that was never locked via a
garbage pointer.

At the time we reach this code path, we usually successfully looked up
a PGSTE already; however, evil user space could have manipulated the VMA
layout in the meantime and triggered removal of the page table.

Fixes: 1e133ab2 ("s390/mm: split arch/s390/mm/pgtable.c")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com


Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent a269586a

arch/s390/mm/gmap.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -662,11 +662,12 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
		vmaddr \|= gaddr & ~PMD_MASK;
		/* Get pointer to the page table entry */
		ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
		if (likely(ptep))
		if (likely(ptep)) {
		ptep_zap_unused(gmap->mm, vmaddr, ptep, 0);
		pte_unmap_unlock(ptep, ptl);
		}
		}
		}
		EXPORT_SYMBOL_GPL(__gmap_zap);

		void gmap_discard(struct gmap *gmap, unsigned long from, unsigned long to)