Patch "s390/uaccess: add missing page table walk range check" has been added to the 3.10-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    s390/uaccess: add missing page table walk range check

to the 3.10-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     s390-uaccess-add-missing-page-table-walk-range-check.patch
and it can be found in the queue-3.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 71a86ef055f569b93bc6901f007bdf447dbf515f Mon Sep 17 00:00:00 2001
From: Heiko Carstens <heiko.carst...@de.ibm.com>
Date: Thu, 21 Nov 2013 16:22:17 +0100
Subject: s390/uaccess: add missing page table walk range check

From: Heiko Carstens <heiko.carst...@de.ibm.com>

commit 71a86ef055f569b93bc6901f007bdf447dbf515f upstream.

When translating a user space address, the address must be checked against
the ASCE limit of the process. If the address is larger than the maximum
address that is reachable with the ASCE, an ASCE type exception must be
generated.

The current code simply ignored the higher order bits. This resulted in an
address wrap around in user space instead of an exception in user space.

Reviewed-by: Gerald Schaefer <gerald.schae...@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carst...@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidef...@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 arch/s390/lib/uaccess_pt.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/s390/lib/uaccess_pt.c
+++ b/arch/s390/lib/uaccess_pt.c
@@ -78,11 +78,14 @@ static size_t copy_in_kernel(size_t coun
  * contains the (negative) exception code.
  */
 #ifdef CONFIG_64BIT
+
 static unsigned long follow_table(struct mm_struct *mm,
                                  unsigned long address, int write)
 {
        unsigned long *table = (unsigned long *)__pa(mm->pgd);
 
+       if (unlikely(address > mm->context.asce_limit - 1))
+               return -0x38UL;
        switch (mm->context.asce_bits & _ASCE_TYPE_MASK) {
        case _ASCE_TYPE_REGION1:
                table = table + ((address >> 53) & 0x7ff);


Patches currently in stable-queue which might be from heiko.carst...@de.ibm.com 
are

queue-3.10/s390-uaccess-add-missing-page-table-walk-range-check.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html