aboutsummaryrefslogtreecommitdiffstats
path: root/arch/s390/lib
diff options
context:
space:
mode:
authorHeiko Carstens <heiko.carstens@de.ibm.com>2013-11-21 10:22:17 -0500
committerMartin Schwidefsky <schwidefsky@de.ibm.com>2013-11-25 03:15:38 -0500
commit71a86ef055f569b93bc6901f007bdf447dbf515f (patch)
tree0d2af2ebb5e82bca6e1121c7777b3e0e8a12ef6d /arch/s390/lib
parentdba6bb60043ed73abca8990f237db63a8cea6c50 (diff)
s390/uaccess: add missing page table walk range check
When translating a user space address, the address must be checked against the ASCE limit of the process. If the address is larger than the maximum address that is reachable with the ASCE, an ASCE type exception must be generated. The current code simply ignored the higher order bits. This resulted in an address wrap around in user space instead of an exception in user space. Cc: stable@vger.kernel.org # v3.9+ Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'arch/s390/lib')
-rw-r--r--arch/s390/lib/uaccess_pt.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c
index 97e03caf7825..dbdab3e7a1a6 100644
--- a/arch/s390/lib/uaccess_pt.c
+++ b/arch/s390/lib/uaccess_pt.c
@@ -78,11 +78,14 @@ static size_t copy_in_kernel(size_t count, void __user *to,
78 * contains the (negative) exception code. 78 * contains the (negative) exception code.
79 */ 79 */
80#ifdef CONFIG_64BIT 80#ifdef CONFIG_64BIT
81
81static unsigned long follow_table(struct mm_struct *mm, 82static unsigned long follow_table(struct mm_struct *mm,
82 unsigned long address, int write) 83 unsigned long address, int write)
83{ 84{
84 unsigned long *table = (unsigned long *)__pa(mm->pgd); 85 unsigned long *table = (unsigned long *)__pa(mm->pgd);
85 86
87 if (unlikely(address > mm->context.asce_limit - 1))
88 return -0x38UL;
86 switch (mm->context.asce_bits & _ASCE_TYPE_MASK) { 89 switch (mm->context.asce_bits & _ASCE_TYPE_MASK) {
87 case _ASCE_TYPE_REGION1: 90 case _ASCE_TYPE_REGION1:
88 table = table + ((address >> 53) & 0x7ff); 91 table = table + ((address >> 53) & 0x7ff);