summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHeiko Carstens <heiko.carstens@de.ibm.com>2013-11-21 16:22:17 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-12-04 10:57:16 -0800
commit3df594a7ac9a732413ecaad15682945715df4443 (patch)
tree04896e081d84adfaf66683aba22217c485157b5c
parent1a2d670b28befe626d50a39af579da44ecd22245 (diff)
downloadlinux-3.10-3df594a7ac9a732413ecaad15682945715df4443.tar.gz
linux-3.10-3df594a7ac9a732413ecaad15682945715df4443.tar.bz2
linux-3.10-3df594a7ac9a732413ecaad15682945715df4443.zip
s390/uaccess: add missing page table walk range check
commit 71a86ef055f569b93bc6901f007bdf447dbf515f upstream. When translating a user space address, the address must be checked against the ASCE limit of the process. If the address is larger than the maximum address that is reachable with the ASCE, an ASCE type exception must be generated. The current code simply ignored the higher order bits. This resulted in an address wrap around in user space instead of an exception in user space. Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--arch/s390/lib/uaccess_pt.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c
index 50ea137a2d3..1bf40ef57cf 100644
--- a/arch/s390/lib/uaccess_pt.c
+++ b/arch/s390/lib/uaccess_pt.c
@@ -78,11 +78,14 @@ static size_t copy_in_kernel(size_t count, void __user *to,
* contains the (negative) exception code.
*/
#ifdef CONFIG_64BIT
+
static unsigned long follow_table(struct mm_struct *mm,
unsigned long address, int write)
{
unsigned long *table = (unsigned long *)__pa(mm->pgd);
+ if (unlikely(address > mm->context.asce_limit - 1))
+ return -0x38UL;
switch (mm->context.asce_bits & _ASCE_TYPE_MASK) {
case _ASCE_TYPE_REGION1:
table = table + ((address >> 53) & 0x7ff);