FAILED: patch "[PATCH] s390/mm: validate VMA in PGSTE manipulation functions" failed to apply to 4.14-stable tree

FAILED: patch "[PATCH] s390/mm: validate VMA in PGSTE manipulation functions" failed to apply to 4.14-stable tree

[gregkh]

The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From fe3d10024073f06f04c74b9674bd71ccc1d787cf Mon Sep 17 00:00:00 2001
From: David Hildenbrand <david@redhat.com>
Date: Thu, 9 Sep 2021 18:22:42 +0200
Subject: [PATCH] s390/mm: validate VMA in PGSTE manipulation functions

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap"). gfn_to_hva() will only translate using
KVM memory regions, but won't validate the VMA.

Further, we should not allocate page tables outside of VMA boundaries: if
evil user space decides to map hugetlbfs to these ranges, bad things will
happen because we suddenly have PTE or PMD page tables where we
shouldn't have them.

Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
calling get_locked_pte().

Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>

diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
index 034721a68d8f..2717a406edeb 100644
--- a/arch/s390/mm/pgtable.c
+++ b/arch/s390/mm/pgtable.c
@@ -988,6 +988,7 @@ EXPORT_SYMBOL(get_guest_storage_key);
 int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc,
 			unsigned long *oldpte, unsigned long *oldpgste)
 {
+	struct vm_area_struct *vma;
 	unsigned long pgstev;
 	spinlock_t *ptl;
 	pgste_t pgste;
@@ -997,6 +998,10 @@ int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc,
 	WARN_ON_ONCE(orc > ESSA_MAX);
 	if (unlikely(orc > ESSA_MAX))
 		return -EINVAL;
+
+	vma = vma_lookup(mm, hva);
+	if (!vma || is_vm_hugetlb_page(vma))
+		return -EFAULT;
 	ptep = get_locked_pte(mm, hva, &ptl);
 	if (unlikely(!ptep))
 		return -EFAULT;
@@ -1089,10 +1094,14 @@ EXPORT_SYMBOL(pgste_perform_essa);
 int set_pgste_bits(struct mm_struct *mm, unsigned long hva,
 			unsigned long bits, unsigned long value)
 {
+	struct vm_area_struct *vma;
 	spinlock_t *ptl;
 	pgste_t new;
 	pte_t *ptep;
 
+	vma = vma_lookup(mm, hva);
+	if (!vma || is_vm_hugetlb_page(vma))
+		return -EFAULT;
 	ptep = get_locked_pte(mm, hva, &ptl);
 	if (unlikely(!ptep))
 		return -EFAULT;
@@ -1117,9 +1126,13 @@ EXPORT_SYMBOL(set_pgste_bits);
  */
 int get_pgste(struct mm_struct *mm, unsigned long hva, unsigned long *pgstep)
 {
+	struct vm_area_struct *vma;
 	spinlock_t *ptl;
 	pte_t *ptep;
 
+	vma = vma_lookup(mm, hva);
+	if (!vma || is_vm_hugetlb_page(vma))
+		return -EFAULT;
 	ptep = get_locked_pte(mm, hva, &ptl);
 	if (unlikely(!ptep))
 		return -EFAULT;

[PATCH for 4.14-stable] s390/mm: validate VMA in PGSTE manipulation functions

[David Hildenbrand]

commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap"). gfn_to_hva() will only translate using
KVM memory regions, but won't validate the VMA.

Further, we should not allocate page tables outside of VMA boundaries: if
evil user space decides to map hugetlbfs to these ranges, bad things will
happen because we suddenly have PTE or PMD page tables where we
shouldn't have them.

Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
calling get_locked_pte().

Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
---
 arch/s390/mm/pgtable.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
index ae677f814bc0..aa6b9487c8bb 100644
--- a/arch/s390/mm/pgtable.c
+++ b/arch/s390/mm/pgtable.c
@@ -896,6 +896,7 @@ EXPORT_SYMBOL(get_guest_storage_key);
 int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc,
 			unsigned long *oldpte, unsigned long *oldpgste)
 {
+	struct vm_area_struct *vma;
 	unsigned long pgstev;
 	spinlock_t *ptl;
 	pgste_t pgste;
@@ -905,6 +906,10 @@ int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc,
 	WARN_ON_ONCE(orc > ESSA_MAX);
 	if (unlikely(orc > ESSA_MAX))
 		return -EINVAL;
+
+	vma = find_vma(mm, hva);
+	if (!vma || hva < vma->vm_start || is_vm_hugetlb_page(vma))
+		return -EFAULT;
 	ptep = get_locked_pte(mm, hva, &ptl);
 	if (unlikely(!ptep))
 		return -EFAULT;
@@ -997,10 +1002,14 @@ EXPORT_SYMBOL(pgste_perform_essa);
 int set_pgste_bits(struct mm_struct *mm, unsigned long hva,
 			unsigned long bits, unsigned long value)
 {
+	struct vm_area_struct *vma;
 	spinlock_t *ptl;
 	pgste_t new;
 	pte_t *ptep;
 
+	vma = find_vma(mm, hva);
+	if (!vma || hva < vma->vm_start || is_vm_hugetlb_page(vma))
+		return -EFAULT;
 	ptep = get_locked_pte(mm, hva, &ptl);
 	if (unlikely(!ptep))
 		return -EFAULT;
@@ -1025,9 +1034,13 @@ EXPORT_SYMBOL(set_pgste_bits);
  */
 int get_pgste(struct mm_struct *mm, unsigned long hva, unsigned long *pgstep)
 {
+	struct vm_area_struct *vma;
 	spinlock_t *ptl;
 	pte_t *ptep;
 
+	vma = find_vma(mm, hva);
+	if (!vma || hva < vma->vm_start || is_vm_hugetlb_page(vma))
+		return -EFAULT;
 	ptep = get_locked_pte(mm, hva, &ptl);
 	if (unlikely(!ptep))
 		return -EFAULT;
-- 
2.31.1

Re: [PATCH for 4.14-stable] s390/mm: validate VMA in PGSTE manipulation functions

[Greg KH]

On Fri, Nov 26, 2021 at 06:15:36PM +0100, David Hildenbrand wrote:
> commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.
> 
> We should not walk/touch page tables outside of VMA boundaries when
> holding only the mmap sem in read mode. Evil user space can modify the
> VMA layout just before this function runs and e.g., trigger races with
> page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
> with read mmap_sem in munmap"). gfn_to_hva() will only translate using
> KVM memory regions, but won't validate the VMA.
> 
> Further, we should not allocate page tables outside of VMA boundaries: if
> evil user space decides to map hugetlbfs to these ranges, bad things will
> happen because we suddenly have PTE or PMD page tables where we
> shouldn't have them.
> 
> Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
> calling get_locked_pte().
> 
> Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
> Signed-off-by: David Hildenbrand <david@redhat.com>
> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
> Acked-by: Heiko Carstens <hca@linux.ibm.com>
> Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: David Hildenbrand <david@redhat.com>
> ---
>  arch/s390/mm/pgtable.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)

What about for 5.10-stable and 5.4-stable and 4.19-stable?  Will this
commit work there as well?

thanks,

greg k-h

Re: [PATCH for 4.14-stable] s390/mm: validate VMA in PGSTE manipulation functions

[David Hildenbrand]

On 28.11.21 12:54, Greg KH wrote:
> On Fri, Nov 26, 2021 at 06:15:36PM +0100, David Hildenbrand wrote:
>> commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.
>>
>> We should not walk/touch page tables outside of VMA boundaries when
>> holding only the mmap sem in read mode. Evil user space can modify the
>> VMA layout just before this function runs and e.g., trigger races with
>> page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
>> with read mmap_sem in munmap"). gfn_to_hva() will only translate using
>> KVM memory regions, but won't validate the VMA.
>>
>> Further, we should not allocate page tables outside of VMA boundaries: if
>> evil user space decides to map hugetlbfs to these ranges, bad things will
>> happen because we suddenly have PTE or PMD page tables where we
>> shouldn't have them.
>>
>> Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
>> calling get_locked_pte().
>>
>> Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
>> Signed-off-by: David Hildenbrand <david@redhat.com>
>> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
>> Acked-by: Heiko Carstens <hca@linux.ibm.com>
>> Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
>> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
>> Signed-off-by: David Hildenbrand <david@redhat.com>
>> ---
>>  arch/s390/mm/pgtable.c | 13 +++++++++++++
>>  1 file changed, 13 insertions(+)
> 
> What about for 5.10-stable and 5.4-stable and 4.19-stable?  Will this
> commit work there as well?

Good point, I only have "FAILED: patch "[PATCH] s390/mm: validate VMA in
PGSTE manipulation functions" failed to apply to 4.14-stable tree" in my
inbox ... but maybe I accidentally deleted the others.


This commit can also be used for:
- 4.19-stable
- 5.4-stable
- 5.10-stable

They all lack vma_lookup() and we have to implement the start address
check manually.

-- 
Thanks,

David / dhildenb

Re: [PATCH for 4.14-stable] s390/mm: validate VMA in PGSTE manipulation functions

[Greg KH]

On Mon, Nov 29, 2021 at 09:40:32AM +0100, David Hildenbrand wrote:
> On 28.11.21 12:54, Greg KH wrote:
> > On Fri, Nov 26, 2021 at 06:15:36PM +0100, David Hildenbrand wrote:
> >> commit fe3d10024073f06f04c74b9674bd71ccc1d787cf upstream.
> >>
> >> We should not walk/touch page tables outside of VMA boundaries when
> >> holding only the mmap sem in read mode. Evil user space can modify the
> >> VMA layout just before this function runs and e.g., trigger races with
> >> page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
> >> with read mmap_sem in munmap"). gfn_to_hva() will only translate using
> >> KVM memory regions, but won't validate the VMA.
> >>
> >> Further, we should not allocate page tables outside of VMA boundaries: if
> >> evil user space decides to map hugetlbfs to these ranges, bad things will
> >> happen because we suddenly have PTE or PMD page tables where we
> >> shouldn't have them.
> >>
> >> Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
> >> calling get_locked_pte().
> >>
> >> Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions")
> >> Signed-off-by: David Hildenbrand <david@redhat.com>
> >> Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
> >> Acked-by: Heiko Carstens <hca@linux.ibm.com>
> >> Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com
> >> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
> >> Signed-off-by: David Hildenbrand <david@redhat.com>
> >> ---
> >>  arch/s390/mm/pgtable.c | 13 +++++++++++++
> >>  1 file changed, 13 insertions(+)
> > 
> > What about for 5.10-stable and 5.4-stable and 4.19-stable?  Will this
> > commit work there as well?
> 
> Good point, I only have "FAILED: patch "[PATCH] s390/mm: validate VMA in
> PGSTE manipulation functions" failed to apply to 4.14-stable tree" in my
> inbox ... but maybe I accidentally deleted the others.

No, odd, I did not send those out, sorry about that.

> This commit can also be used for:
> - 4.19-stable
> - 5.4-stable
> - 5.10-stable

Thanks, will go take this now for all of those.

greg k-h