Commit 71a86ef0 authored by Heiko Carstens's avatar Heiko Carstens Committed by Martin Schwidefsky

s390/uaccess: add missing page table walk range check

When translating a user space address, the address must be checked against
the ASCE limit of the process. If the address is larger than the maximum
address that is reachable with the ASCE, an ASCE type exception must be
generated.

The current code simply ignored the higher order bits. This resulted in an
address wrap around in user space instead of an exception in user space.

Cc: stable@vger.kernel.org # v3.9+
Reviewed-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent dba6bb60
...@@ -78,11 +78,14 @@ static size_t copy_in_kernel(size_t count, void __user *to, ...@@ -78,11 +78,14 @@ static size_t copy_in_kernel(size_t count, void __user *to,
* contains the (negative) exception code. * contains the (negative) exception code.
*/ */
#ifdef CONFIG_64BIT #ifdef CONFIG_64BIT
static unsigned long follow_table(struct mm_struct *mm, static unsigned long follow_table(struct mm_struct *mm,
unsigned long address, int write) unsigned long address, int write)
{ {
unsigned long *table = (unsigned long *)__pa(mm->pgd); unsigned long *table = (unsigned long *)__pa(mm->pgd);
if (unlikely(address > mm->context.asce_limit - 1))
return -0x38UL;
switch (mm->context.asce_bits & _ASCE_TYPE_MASK) { switch (mm->context.asce_bits & _ASCE_TYPE_MASK) {
case _ASCE_TYPE_REGION1: case _ASCE_TYPE_REGION1:
table = table + ((address >> 53) & 0x7ff); table = table + ((address >> 53) & 0x7ff);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment