diff options
| author | David Hildenbrand <david@redhat.com> | 2021-09-09 18:22:41 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-11-26 11:48:35 +0100 |
| commit | 5b479a4af7ff93dcdb33a8acdca9b00cea9a41cf (patch) | |
| tree | 878c2c65c0158abfd752ec72bc50fc1cb47cc864 /arch | |
| parent | a269586a03ab0e37e221f83012db707277bf9143 (diff) | |
| download | linux-5b479a4af7ff93dcdb33a8acdca9b00cea9a41cf.tar.gz linux-5b479a4af7ff93dcdb33a8acdca9b00cea9a41cf.tar.bz2 linux-5b479a4af7ff93dcdb33a8acdca9b00cea9a41cf.zip | |
s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ]
... otherwise we will try unlocking a spinlock that was never locked via a
garbage pointer.
At the time we reach this code path, we usually successfully looked up
a PGSTE already; however, evil user space could have manipulated the VMA
layout in the meantime and triggered removal of the page table.
Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/s390/mm/gmap.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c index 0195c3983f54..65f802f70547 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c @@ -662,9 +662,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) vmaddr |= gaddr & ~PMD_MASK; /* Get pointer to the page table entry */ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); - if (likely(ptep)) + if (likely(ptep)) { ptep_zap_unused(gmap->mm, vmaddr, ptep, 0); - pte_unmap_unlock(ptep, ptl); + pte_unmap_unlock(ptep, ptl); + } } } EXPORT_SYMBOL_GPL(__gmap_zap); |