git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit
x86/mm: Fix fault error path using unsafe vma pointer
author Laurent Dufour <ldufour@linux.vnet.ibm.com>
Mon, 4 Sep 2017 08:32:15 +0000 (10:32 +0200)
committer Seth Forshee <seth.forshee@canonical.com>
Thu, 12 Oct 2017 21:20:54 +0000 (16:20 -0500)
commit 297b502ddcfda74051f2ee7bd0c3c136a00d9d5c
tree eec5a7002a41cfca8810549689da47484ea1a437
parent 9a5d5f75b390ed9af31d4476e05941421c8e592b
x86/mm: Fix fault error path using unsafe vma pointer

BugLink: http://bugs.launchpad.net/bugs/1721777
commit a3c4fb7c9c2ebfd50b8c60f6c069932bb319bc37 upstream.

commit 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal
generation code") passes down a vma pointer to the error path, but that is
done once the mmap_sem is released when calling mm_fault_error() from
__do_page_fault().

This is dangerous as the vma structure is no longer safe to use once the
mmap_sem has been released. As only the protection key value is required in
the error processing, we could just pass down this value.

Fix it by passing a pointer to a protection key value down to the fault
signal generation code. The use of a pointer allows keeping the check
generating a warning message in fill_sig_info_pkey() when the vma was not
known. If the pointer is valid, the protection value can be accessed by
dereferencing the pointer.

[ tglx: Made *pkey u32 as that's the type which is passed in siginfo ]

Fixes: 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal generation code")
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Link: http://lkml.kernel.org/r/1504513935-12742-1-git-send-email-ldufour@linux.vnet.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
arch/x86/mm/fault.c
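
A user-space analogue of the pattern the commit message describes, added here as an illustration; it is not the kernel patch or code from this commit. `struct region`, `struct addr_space`, `handle_fault()`, `unmap_region()` and `fill_info_pkey()` are hypothetical stand-ins for the vma, the mm, `__do_page_fault()`, a concurrent unmap and `fill_sig_info_pkey()`, and a pthread mutex stands in for mmap_sem.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins, not kernel types. */
struct region { uint32_t pkey; };                     /* role of the vma */
struct addr_space {                                   /* role of the mm */
    pthread_mutex_t lock;                             /* role of mmap_sem */
    struct region *region;                            /* freed by unmap_region() */
};
struct fault_info { int have_pkey; uint32_t pkey; };  /* role of siginfo */

/* Error path: runs after the lock is dropped, so it receives only a
 * pointer to a copied value. NULL means the region was not known. */
static void fill_info_pkey(struct fault_info *info, const uint32_t *pkey)
{
    info->have_pkey = (pkey != NULL);
    info->pkey = pkey ? *pkey : 0;
}

/* Writer side: the region can disappear whenever the lock is not held. */
static void unmap_region(struct addr_space *as)
{
    pthread_mutex_lock(&as->lock);
    free(as->region);
    as->region = NULL;
    pthread_mutex_unlock(&as->lock);
}

/* Fault path: snapshot the key under the lock, never keep the region. */
static struct fault_info handle_fault(struct addr_space *as)
{
    struct fault_info info = { 0, 0 };
    uint32_t pkey = 0;
    const uint32_t *pkey_ptr = NULL;

    pthread_mutex_lock(&as->lock);
    if (as->region) {
        pkey = as->region->pkey;   /* copy while the region cannot go away */
        pkey_ptr = &pkey;          /* points at our stack, not the region */
    }
    pthread_mutex_unlock(&as->lock);

    /* From here on as->region may already be freed; only pkey is used. */
    fill_info_pkey(&info, pkey_ptr);
    return info;
}
```
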