summaryrefslogtreecommitdiff
path: root/arch/s390/mm/gup.c
diff options
context:
space:
mode:
authorHeiko Carstens <heiko.carstens@de.ibm.com>2012-10-22 15:49:02 +0200
committerMartin Schwidefsky <schwidefsky@de.ibm.com>2012-11-13 11:02:26 +0100
commitd55c4c613fc4d4ad2ba0fc6fa2b57176d420f7e4 (patch)
tree4e28b1a01016e285876876a1c6eb7ba8127f9072 /arch/s390/mm/gup.c
parent658e5ce705f2a09ab681eb61ca7c8619bb7a783d (diff)
downloadlwn-d55c4c613fc4d4ad2ba0fc6fa2b57176d420f7e4.tar.gz
lwn-d55c4c613fc4d4ad2ba0fc6fa2b57176d420f7e4.zip
s390/gup: add missing TASK_SIZE check to get_user_pages_fast()
When walking page tables we need to make sure that everything is within bounds of the ASCE limit of the task's address space. Otherwise we might calculate e.g. a pud pointer which is not within a pud and dereference it. So check against TASK_SIZE (which is the ASCE limit) before walking page tables. Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com> Cc: stable@vger.kernel.org Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'arch/s390/mm/gup.c')
-rw-r--r--arch/s390/mm/gup.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
index 8b8285310b5a..16fb3c1615dc 100644
--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -229,7 +229,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
addr = start;
len = (unsigned long) nr_pages << PAGE_SHIFT;
end = start + len;
- if (end < start)
+ if ((end < start) || (end > TASK_SIZE))
goto slow_irqon;
/*