From: David Hildenbrand <david@redhat.com>
Date: Thu, 9 Sep 2021 18:22:44 +0200
Subject: s390/uv: fully validate the VMA before calling follow_page()
Git-commit: 46c22ffd2772201662350bc7b94b9ea9d3ee5ac2
Patch-mainline: v5.16-rc1
References: git-fixes

We should not walk/touch page tables outside of VMA boundaries when
holding only the mmap sem in read mode. Evil user space can modify the
VMA layout just before this function runs and e.g., trigger races with
page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
with read mmap_sem in munmap").

find_vma() does not check if the address is >= the VMA start address;
use vma_lookup() instead.

Fixes: 214d9bbcd3a6 ("s390/mm: provide memory management functions for protected KVM guests")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Link: https://lore.kernel.org/r/20210909162248.14969-6-david@redhat.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
[ ptesarik: Since SLE15-SP2 does not contain mainline commit
  ce6d42f2e4a2d98898419743b037a95661e3ac9d, check the VMA start
  address explicitly. ]
Signed-off-by: Petr Tesarik <ptesarik@suse.com>
---
 arch/s390/kernel/uv.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/kernel/uv.c
+++ b/arch/s390/kernel/uv.c
@@ -211,7 +211,7 @@ again:
 	if (IS_ERR_VALUE(uaddr))
 		goto out;
 	vma = find_vma(gmap->mm, uaddr);
-	if (!vma)
+	if (!vma || uaddr < vma->vm_start)
 		goto out;
 	/*
 	 * Secure pages cannot be huge and userspace should not combine both.
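Review bot: The new `uaddr < vma->vm_start` check deserves a one-line comment at the `if (!vma || uaddr < vma->vm_start)` site, because the reason it is needed is not obvious from the code: find_vma() returns the first VMA whose end lies above uaddr, so a non-NULL result only proves uaddr is below vma->vm_end, not that it lies inside the VMA, and without the start check the subsequent page-table walk could run on an address in the gap below that VMA while only the mmap sem is held for read. The backport note explains that this open-coded check stands in for mainline's vma_lookup(); recording that in the code (e.g. "/* open-coded vma_lookup(): ensure uaddr is inside the VMA */") would help whoever later picks up ce6d42f2e4a2d98898419743b037a95661e3ac9d to replace it with the helper rather than keep both.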