[SRU][Xenial][PATCH 0/1] s390/mm: fix write access check in gup_huge_pmd()

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU][Xenial][PATCH 0/1] s390/mm: fix write access check in gup_huge_pmd()

Joseph Salisbury-3
BugLink: http://bugs.launchpad.net/bugs/1730596

== SRU Justification ==
The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
wrong way around. It must not be set for write==1, and not be checked for
write==0. Fix this similar to how it was fixed for ptes long time ago in
commit 25591b0 ("[S390] fix get_user_pages_fast").

One impact of this bug would be unnecessarily using the gup slow path for
write==0 on r/w mappings. A potentially more severe impact would be that
gup_huge_pmd() will succeed for write==1 on r/o mappings.

This bug is fixed by mainline commit ba385c0594, which is in mainline as of
v4.14-rc2.  It was also cc'd to upstream stable.  It has already been accepted
in upstream v4.13.y, so Artful and Bionic have the fix via the 4.13.5 stable
updates.  This SRU for Xenial needed a minor backport, so it is submitted
separate of Zesty.
   
Full testing feedback has not been reported by IBM as of yet.  However, I am
still submitting this SRU since the bug is critical and a re-spin may be needed.
 
== Fix ==
commit ba385c0594e723d41790ecfb12c610e6f90c7785
Author: Gerald Schaefer <[hidden email]>
Date:   Mon Sep 18 16:51:51 2017 +0200

    s390/mm: fix write access check in gup_huge_pmd()


== Regression Potential ==
This patch is specific to s390.  It has also been accepted by upstream stable,
so additional upstream review has been done.

== Test Case ==
Awaiting full testing feedback from IBM.  SRU still submitted due to critical
importance of bug.

Gerald Schaefer (1):
  s390/mm: fix write access check in gup_huge_pmd()

 arch/s390/mm/gup.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[SRU][Xenial][PATCH 1/1] s390/mm: fix write access check in gup_huge_pmd()

Joseph Salisbury-3
From: Gerald Schaefer <[hidden email]>

BugLink: http://bugs.launchpad.net/bugs/1730596

The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
wrong way around. It must not be set for write==1, and not be checked for
write==0. Fix this similar to how it was fixed for ptes long time ago in
commit 25591b070336 ("[S390] fix get_user_pages_fast").

One impact of this bug would be unnecessarily using the gup slow path for
write==0 on r/w mappings. A potentially more severe impact would be that
gup_huge_pmd() will succeed for write==1 on r/o mappings.

Cc: <[hidden email]>
Signed-off-by: Gerald Schaefer <[hidden email]>
Signed-off-by: Martin Schwidefsky <[hidden email]>
(back ported from commit ba385c0594e723d41790ecfb12c610e6f90c7785)
Signed-off-by: Joseph Salisbury <[hidden email]>
---
 arch/s390/mm/gup.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
index 12bbf0e..a14d122 100644
--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -54,13 +54,12 @@ static inline int gup_pte_range(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
 static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
  unsigned long end, int write, struct page **pages, int *nr)
 {
- unsigned long mask, result;
  struct page *head, *page, *tail;
+ unsigned long mask;
  int refs;
 
- result = write ? 0 : _SEGMENT_ENTRY_PROTECT;
- mask = result | _SEGMENT_ENTRY_INVALID;
- if ((pmd_val(pmd) & mask) != result)
+ mask = (write ? _SEGMENT_ENTRY_PROTECT : 0) | _SEGMENT_ENTRY_INVALID;
+ if ((pmd_val(pmd) & mask) != 0)
  return 0;
  VM_BUG_ON(!pfn_valid(pmd_val(pmd) >> PAGE_SHIFT));
 
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][Xenial][PATCH 0/1] s390/mm: fix write access check in gup_huge_pmd()

Kamal Mostafa-2
In reply to this post by Joseph Salisbury-3
ACK, pending positive test feedback.

 -Kamal

On Wed, Nov 08, 2017 at 04:45:11PM -0500, Joseph Salisbury wrote:

> BugLink: http://bugs.launchpad.net/bugs/1730596
>
> == SRU Justification ==
> The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
> wrong way around. It must not be set for write==1, and not be checked for
> write==0. Fix this similar to how it was fixed for ptes long time ago in
> commit 25591b0 ("[S390] fix get_user_pages_fast").
>
> One impact of this bug would be unnecessarily using the gup slow path for
> write==0 on r/w mappings. A potentially more severe impact would be that
> gup_huge_pmd() will succeed for write==1 on r/o mappings.
>
> This bug is fixed by mainline commit ba385c0594, which is in mainline as of
> v4.14-rc2.  It was also cc'd to upstream stable.  It has already been accepted
> in upstream v4.13.y, so Artful and Bionic have the fix via the 4.13.5 stable
> updates.  This SRU for Xenial needed a minor backport, so it is submitted
> separate of Zesty.
>    
> Full testing feedback has not been reported by IBM as of yet.  However, I am
> still submitting this SRU since the bug is critical and a re-spin may be needed.
>  
> == Fix ==
> commit ba385c0594e723d41790ecfb12c610e6f90c7785
> Author: Gerald Schaefer <[hidden email]>
> Date:   Mon Sep 18 16:51:51 2017 +0200
>
>     s390/mm: fix write access check in gup_huge_pmd()
>
>
> == Regression Potential ==
> This patch is specific to s390.  It has also been accepted by upstream stable,
> so additional upstream review has been done.
>
> == Test Case ==
> Awaiting full testing feedback from IBM.  SRU still submitted due to critical
> importance of bug.
>
> Gerald Schaefer (1):
>   s390/mm: fix write access check in gup_huge_pmd()
>
>  arch/s390/mm/gup.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
>
> --
> 2.7.4
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][Xenial][PATCH 0/1] s390/mm: fix write access check in gup_huge_pmd()

Kleber Souza
In reply to this post by Joseph Salisbury-3
On 11/08/17 22:45, Joseph Salisbury wrote:

> BugLink: http://bugs.launchpad.net/bugs/1730596
>
> == SRU Justification ==
> The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
> wrong way around. It must not be set for write==1, and not be checked for
> write==0. Fix this similar to how it was fixed for ptes long time ago in
> commit 25591b0 ("[S390] fix get_user_pages_fast").
>
> One impact of this bug would be unnecessarily using the gup slow path for
> write==0 on r/w mappings. A potentially more severe impact would be that
> gup_huge_pmd() will succeed for write==1 on r/o mappings.
>
> This bug is fixed by mainline commit ba385c0594, which is in mainline as of
> v4.14-rc2.  It was also cc'd to upstream stable.  It has already been accepted
> in upstream v4.13.y, so Artful and Bionic have the fix via the 4.13.5 stable
> updates.  This SRU for Xenial needed a minor backport, so it is submitted
> separate of Zesty.
>    
> Full testing feedback has not been reported by IBM as of yet.  However, I am
> still submitting this SRU since the bug is critical and a re-spin may be needed.
>  
> == Fix ==
> commit ba385c0594e723d41790ecfb12c610e6f90c7785
> Author: Gerald Schaefer <[hidden email]>
> Date:   Mon Sep 18 16:51:51 2017 +0200
>
>     s390/mm: fix write access check in gup_huge_pmd()
>
>
> == Regression Potential ==
> This patch is specific to s390.  It has also been accepted by upstream stable,
> so additional upstream review has been done.
>
> == Test Case ==
> Awaiting full testing feedback from IBM.  SRU still submitted due to critical
> importance of bug.
>
> Gerald Schaefer (1):
>   s390/mm: fix write access check in gup_huge_pmd()
>
>  arch/s390/mm/gup.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
>

Trivial backport, already on the stable kernels.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU][Xenial][PATCH 0/1] s390/mm: fix write access check in gup_huge_pmd()

Thadeu Lima de Souza Cascardo-3
In reply to this post by Joseph Salisbury-3
Applied to xenial master-next branch.

Thanks.
Cascardo.

Applied-to: xenial/master-next

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team