linux/arch/s390/include/asm
Martin Schwidefsky 3446c13b26 s390/mm: four page table levels vs. fork
The fork of a process with four page table levels is broken since
git commit 6252d702c5 "[S390] dynamic page tables."

All new mm contexts are created with three page table levels and
an asce limit of 4TB. If the parent has four levels dup_mmap will
add vmas to the new context which are outside of the asce limit.
The subsequent call to copy_page_range will walk the three level
page table structure of the new process with non-zero pgd and pud
indexes. This leads to memory clobbers as the pgd_index *and* the
pud_index are added to the mm->pgd pointer without a pgd_deref
in between.

The init_new_context() function is selecting the number of page
table levels for a new context. The function is used by mm_init()
which in turn is called by dup_mm() and mm_alloc(). These two are
used by fork() and exec(). The init_new_context() function can
distinguish the two cases by looking at mm->context.asce_limit:
for fork() the mm struct has been copied and the number of page
table levels may not change. For exec() the mm_alloc() function
sets the new mm structure to zero; in this case a three-level page
table is created as the temporary stack space is located at
STACK_TOP_MAX = 4TB.

This fixes CVE-2016-2143.

Reported-by: Marcin Kościelnicki <koriakin@0x04.net>
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2016-03-10 09:21:24 +01:00
fpu s390/fpu: signals vs. floating point control register 2016-02-22 09:29:35 +01:00
trace s390/diag: add a s390 prefix to the diagnose trace point 2015-11-09 09:10:47 +01:00
Kbuild Merge branch 'strscpy' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile 2015-10-04 16:31:13 +01:00
airq.h s390/airq: add support for irq ranges 2014-03-04 10:41:04 +01:00
appldata.h s390/diag: add a statistic for diagnose calls 2015-10-14 14:32:06 +02:00
asm-offsets.h
atomic.h s390/barrier: remove unnecessary serialization in atomics and bitops 2015-10-14 14:32:07 +02:00
barrier.h s390: more efficient smp barriers 2016-01-12 20:47:05 +02:00
bitops.h s390/bitops: remove 31 bit related comments 2015-10-14 14:32:15 +02:00
bug.h
bugs.h
cache.h
cacheflush.h mm/debug_pagealloc: fix build failure on ppc and some other archs 2015-02-05 13:35:30 -08:00
ccwdev.h s390/cio: fix multiple structure definitions 2014-05-20 08:58:53 +02:00
ccwgroup.h s390: fix new ccwgroup.h kernel-doc warning 2014-05-20 08:58:45 +02:00
checksum.h s390/checksum: remove memset() within csum_partial_copy_from_user() 2014-02-24 17:14:08 +01:00
chpid.h s390/cio: fix multiple structure definitions 2014-05-20 08:58:53 +02:00
cio.h s390: add support for ipl devices in subchannel sets > 0 2015-11-11 13:56:27 +01:00
clp.h s390/pci: cleanup clp page allocation 2013-02-14 15:55:16 +01:00
cmb.h s390/cio: use device_lock during cmb activation 2015-10-14 14:32:02 +02:00
cmpxchg.h s390/cmpxchg: remove dead code 2015-10-14 14:32:15 +02:00
compat.h s390: remove is_32bit_task() helper 2015-11-27 09:24:17 +01:00
cpcmd.h
cpu.h s390/smp: cleanup core vs. cpu in the SCLP interface 2015-06-25 09:39:24 +02:00
cpu_mf.h s390: remove runtime instrumentation interrupts 2015-11-03 14:40:51 +01:00
cpufeature.h s390/module: enable generic CPU feature modalias using s390 ELF hwcaps 2015-07-22 09:58:02 +02:00
cputime.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
crw.h s390/cio: Consolidate inline assemblies and related data definitions 2015-12-18 14:59:34 +01:00
css_chars.h s390/qdio: bridgeport support - CHSC part 2014-01-15 14:48:01 -08:00
ctl_reg.h s390/fpu: always enable the vector facility if it is available 2015-10-14 14:32:08 +02:00
current.h
debug.h s390/debug: avoid function call for debug_sprintf_* 2014-12-08 09:42:29 +01:00
delay.h
device.h
diag.h s390/diag: add tracepoint for diagnose calls 2015-10-14 14:32:06 +02:00
dis.h s390/disassembler: add vector instructions 2014-10-09 09:14:15 +02:00
div64.h
dma-mapping.h dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
dma.h s390/pci: define isa_dma_bridge_buggy 2013-01-08 10:57:09 +01:00
eadm.h s390/scm_block: do not hide eadm subchannel dependency 2013-11-15 14:08:42 +01:00
ebcdic.h
elf.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2016-01-13 13:16:16 -08:00
emergency-restart.h
etr.h s390/etr,stp: fix possible deadlock on machine check 2015-10-14 14:32:18 +02:00
exec.h
extmem.h
facilities_src.h s390/facilities: add z13 als bit 2015-12-18 14:59:24 +01:00
facility.h s390/facilities: optimize test_facility() 2015-12-18 14:59:23 +01:00
fb.h
fcx.h s390/cio: fix error-prone defines 2013-10-24 17:17:04 +02:00
ftrace.h s390/ftrace: hotpatch support for function tracing 2015-01-29 09:19:25 +01:00
futex.h s390/uaccess: simplify control register updates 2014-05-20 08:58:46 +02:00
hardirq.h hardirq: Make hardirq bits generic 2013-11-13 20:21:46 +01:00
hugetlb.h s390/hugetlb: add hugepages_supported define 2015-07-17 16:39:52 -07:00
hw_irq.h s390: convert interrupt handling to use generic hardirq 2013-08-22 12:20:04 +02:00
idals.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
idle.h s390/udelay: make udelay have busy loop semantics 2015-10-14 14:32:13 +02:00
io.h s390/io: Add pci_iomap_wc() and pci_iomap_wc_range() 2015-08-28 08:04:48 +02:00
ipl.h s390/dump: cleanup CPU save area handling 2015-11-27 09:24:14 +01:00
irq.h s390: remove runtime instrumentation interrupts 2015-11-03 14:40:51 +01:00
irq_regs.h
irqflags.h s390/irqflags: optimize irq restore 2016-01-19 12:14:01 +01:00
isc.h s390/pci: PCI adapter interrupts for MSI/MSI-X 2012-11-30 17:47:21 +01:00
itcw.h
jump_label.h locking/static_keys: Add a new static_key interface 2015-08-03 11:34:15 +02:00
kdebug.h
kexec.h kexec: allocate the kexec control page with KEXEC_CONTROL_MEMORY_GFP 2015-04-23 16:52:01 +02:00
kmap_types.h
kprobes.h s390/ftrace,kprobes: allow to patch first instruction 2014-10-27 13:27:27 +01:00
kvm_host.h KVM: s390: fix memory overwrites when vx is disabled 2016-01-26 15:40:21 +01:00
kvm_para.h s390/diag: add a statistic for diagnose calls 2015-10-14 14:32:06 +02:00
linkage.h s390/kernel: move EX_TABLE macros to linkage.h header file 2015-07-22 09:57:59 +02:00
livepatch.h livepatch: change the error message in asm/livepatch.h header files 2016-01-18 21:35:43 +01:00
local.h
local64.h
lowcore.h s390: rename struct _lowcore to struct lowcore 2016-01-11 12:27:15 +01:00
mathemu.h
mman.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
mmu.h s390/kvm: remove delayed reallocation of page tables for KVM 2015-04-23 16:55:49 +02:00
mmu_context.h s390/mm: four page table levels vs. fork 2016-03-10 09:21:24 +01:00
mmzone.h s390/numa: add core infrastructure 2015-08-03 18:40:25 +02:00
module.h
mutex.h mutex: replace CONFIG_HAVE_ARCH_MUTEX_CPU_RELAX with simple ifdef 2013-09-28 12:46:21 +02:00
nmi.h s390/nmi: remove casts 2015-10-27 09:33:55 +01:00
numa.h s390/numa: use correct type for node_to_cpumask_map 2015-09-23 09:18:56 +02:00
os_info.h s390/dump: streamline oldmem copy functions 2015-11-27 09:24:12 +01:00
page.h revert "s390/mm: make hugepages_supported a boot time decision" 2015-07-17 16:39:52 -07:00
pci.h iommu/s390: Add iommu api for s390 pci devices 2015-10-06 12:20:24 +02:00
pci_clp.h s390/pci: add some new arch specific pci attributes 2014-05-20 08:58:50 +02:00
pci_debug.h s390/pci: remove CONFIG_PCI_DEBUG dependancy 2013-10-24 17:17:16 +02:00
pci_dma.h s390/pci_dma: fix DMA table corruption with > 4 TB main memory 2015-11-27 09:24:15 +01:00
pci_insn.h s390/pci: cleanup function information block 2013-10-24 17:17:17 +02:00
pci_io.h s390/pci: improve ZPCI_* macros 2016-01-26 12:45:49 +01:00
percpu.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
perf_event.h s390/oprofile: fix compile error 2015-07-01 09:34:39 +02:00
pgalloc.h s390/mm: four page table levels vs. fork 2016-03-10 09:21:24 +01:00
pgtable.h s390, thp: remove infrastructure for handling splitting PMDs 2016-01-15 17:56:32 -08:00
processor.h s390: remove all usages of PSW_ADDR_AMODE 2016-01-19 12:14:02 +01:00
ptrace.h s390: remove all usages of PSW_ADDR_INSN 2016-01-19 12:14:03 +01:00
qdio.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
reset.h s390/dump: rework CPU register dump code 2015-11-27 09:24:14 +01:00
runtime_instr.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
rwsem.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
schid.h
sclp.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2016-01-13 13:16:16 -08:00
scsw.h
seccomp.h
sections.h
segment.h
serial.h s390: convert interrupt handling to use generic hardirq 2013-08-22 12:20:04 +02:00
setup.h s390/setup: cleanup machine flags 2015-12-18 14:59:32 +01:00
sfp-machine.h
sfp-util.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
shmparam.h
signal.h s390: switch to generic old sigaction() 2013-02-03 18:16:14 -05:00
sigp.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2015-02-11 17:42:32 -08:00
smp.h s390/dump: rework CPU register dump code 2015-11-27 09:24:14 +01:00
sparsemem.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
spinlock.h s390/spinlock: remove unneeded serializations at unlock 2015-10-14 14:32:25 +02:00
spinlock_types.h s390/rwlock: use directed yield for write-locked rwlocks 2014-09-25 10:52:05 +02:00
string.h lib/string.c: remove strnicmp() 2015-02-12 18:54:14 -08:00
switch_to.h s390/fpu: split fpu-internal.h into fpu internals, api, and type headers 2015-10-16 09:41:12 +02:00
syscall.h s390/syscalls: simplify syscall_get_arch() 2015-03-30 13:26:07 +02:00
sysinfo.h s390/sysinfo: add missing SYSIB 1.2.2 multithreading fields 2016-01-11 12:27:00 +01:00
termios.h
thread_info.h s390: remove is_32bit_task() helper 2015-11-27 09:24:17 +01:00
timex.h s390: time: Provide read_boot_clock64() and read_persistent_clock64() 2015-05-22 10:36:29 -07:00
tlb.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
tlbflush.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
topology.h s390: get rid of CONFIG_SCHED_MC and CONFIG_SCHED_BOOK 2015-12-30 10:34:57 +01:00
types.h s390: remove 31 bit support 2015-03-25 11:49:33 +01:00
uaccess.h mm/uaccess, mm/fault: Clarify that uaccess may only sleep if pagefaults are enabled 2015-05-19 08:39:14 +02:00
unaligned.h
unistd.h s390: wire up separate socketcalls system calls 2015-09-18 11:16:53 +02:00
uprobes.h s390/uprobes: architecture backend for uprobes 2014-09-25 10:52:17 +02:00
user.h
vdso.h s390/vdso: optimize getcpu system call 2016-01-11 13:01:24 +01:00
vga.h vga: compile fix, disable vga for s390 2012-11-30 17:47:28 +01:00
vtime.h vtime: Describe overriden functions in dedicated arch headers 2013-08-14 17:14:53 +02:00
vtimer.h s390/idle: consolidate idle functions and definitions 2014-10-09 09:14:03 +02:00
vx-insn.h s390/vx: add vector instruction support for older binutils versions 2015-07-22 09:58:01 +02:00
xor.h