s390/gup: add missing TASK_SIZE check to get_user_pages_fast()

When walking page tables we need to make sure that everything is within bounds of the ASCE limit of the task's address space. Otherwise we might calculate e.g. a pud pointer which is not within a pud and dereference it. So check against TASK_SIZE (which is the ASCE limit) before walking page tables. Reviewed-by: N Gerald Schaefer <gerald.schaefer@de.ibm.com> Cc: stable@vger.kernel.org Signed-off-by: N Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: N Martin Schwidefsky <schwidefsky@de.ibm.com>

s390/gup: add missing TASK_SIZE check to get_user_pages_fast()
When walking page tables we need to make sure that everything is within bounds of the ASCE limit of the task's address space. Otherwise we might calculate e.g. a pud pointer which is not within a pud and dereference it. So check against TASK_SIZE (which is the ASCE limit) before walking page tables. Reviewed-by: N Gerald Schaefer <gerald.schaefer@de.ibm.com> Cc: stable@vger.kernel.org Signed-off-by: N Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: N Martin Schwidefsky <schwidefsky@de.ibm.com>
d55c4c61 · Heiko Carstens · Martin Schwidefsky · 658e5ce7 · d55c4c61
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

arch/s390/mm/gup.c arch/s390/mm/gup.c +1 -1

未找到文件。
--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -229,7 +229,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
 	addr = start;
 	len = (unsigned long) nr_pages << PAGE_SHIFT;
 	end = start + len;
-	if (end < start)
+	if ((end < start) || (end > TASK_SIZE))
 		goto slow_irqon;

 	/*