On Thu, 9 Sep 2021 18:22:45 +0200
David Hildenbrand <david@xxxxxxxxxx> wrote:
> We should not walk/touch page tables outside of VMA boundaries when
> holding only the mmap sem in read mode. Evil user space can modify the
> VMA layout just before this function runs and e.g., trigger races with
> page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
> with read mmap_sem in munmap").
>
> find_vma() does not check if the address is >= the VMA start address;
> use vma_lookup() instead.
>
> Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
> Signed-off-by: David Hildenbrand <david@xxxxxxxxxx>
Reviewed-by: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
> ---
> arch/s390/pci/pci_mmio.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/s390/pci/pci_mmio.c b/arch/s390/pci/pci_mmio.c
> index ae683aa623ac..c5b35ea129cf 100644
> --- a/arch/s390/pci/pci_mmio.c
> +++ b/arch/s390/pci/pci_mmio.c
> @@ -159,7 +159,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, unsigned
> long, mmio_addr,
> mmap_read_lock(current->mm);
> ret = -EINVAL;
> - vma = find_vma(current->mm, mmio_addr);
> + vma = vma_lookup(current->mm, mmio_addr);
> if (!vma)
> goto out_unlock_mmap;
> if (!(vma->vm_flags & (VM_IO | VM_PFNMAP)))
> @@ -298,7 +298,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned
> long, mmio_addr,
> mmap_read_lock(current->mm);
> ret = -EINVAL;
> - vma = find_vma(current->mm, mmio_addr);
> + vma = vma_lookup(current->mm, mmio_addr);
> if (!vma)
> goto out_unlock_mmap;
> if (!(vma->vm_flags & (VM_IO | VM_PFNMAP)))
