diff options
| author | Laurent Dufour <ldufour@linux.vnet.ibm.com> | 2017-09-04 08:32:15 (GMT) |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-10-05 07:44:04 (GMT) |
| commit | 54af98f86b925573bfaf5254bab50e4a01df1526 (patch) | |
| tree | 308583fa7807d0be4c155a430f50ab7f7c2b816c /arch/x86/kernel/fpu/regset.c | |
| parent | f11525d7ff5d784270a66c8b888705dd9b96620b (diff) | |
| download | linux-54af98f86b925573bfaf5254bab50e4a01df1526.tar.xz | |
x86/mm: Fix fault error path using unsafe vma pointer
commit a3c4fb7c9c2ebfd50b8c60f6c069932bb319bc37 upstream.
commit 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal
generation code") passes down a vma pointer to the error path, but that is
done once the mmap_sem is released when calling mm_fault_error() from
__do_page_fault().
This is dangerous as the vma structure is no more safe to be used once the
mmap_sem has been released. As only the protection key value is required in
the error processing, we could just pass down this value.
Fix it by passing a pointer to a protection key value down to the fault
signal generation code. The use of a pointer allows to keep the check
generating a warning message in fill_sig_info_pkey() when the vma was not
known. If the pointer is valid, the protection value can be accessed by
deferencing the pointer.
[ tglx: Made *pkey u32 as that's the type which is passed in siginfo ]
Fixes: 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal generation code")
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Link: http://lkml.kernel.org/r/1504513935-12742-1-git-send-email-ldufour@linux.vnet.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch/x86/kernel/fpu/regset.c')
0 files changed, 0 insertions, 0 deletions