diff options
| author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2012-10-22 09:49:02 -0400 |
|---|---|---|
| committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2012-11-13 05:02:26 -0500 |
| commit | d55c4c613fc4d4ad2ba0fc6fa2b57176d420f7e4 (patch) | |
| tree | 4e28b1a01016e285876876a1c6eb7ba8127f9072 /arch/s390/mm | |
| parent | 658e5ce705f2a09ab681eb61ca7c8619bb7a783d (diff) | |
s390/gup: add missing TASK_SIZE check to get_user_pages_fast()
When walking page tables we need to make sure that everything
is within bounds of the ASCE limit of the task's address space.
Otherwise we might calculate e.g. a pud pointer which is not
within a pud and dereference it.
So check against TASK_SIZE (which is the ASCE limit) before
walking page tables.
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'arch/s390/mm')
| -rw-r--r-- | arch/s390/mm/gup.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c index 8b8285310b5..16fb3c1615d 100644 --- a/arch/s390/mm/gup.c +++ b/arch/s390/mm/gup.c | |||
| @@ -229,7 +229,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write, | |||
| 229 | addr = start; | 229 | addr = start; |
| 230 | len = (unsigned long) nr_pages << PAGE_SHIFT; | 230 | len = (unsigned long) nr_pages << PAGE_SHIFT; |
| 231 | end = start + len; | 231 | end = start + len; |
| 232 | if (end < start) | 232 | if ((end < start) || (end > TASK_SIZE)) |
| 233 | goto slow_irqon; | 233 | goto slow_irqon; |
| 234 | 234 | ||
| 235 | /* | 235 | /* |