[SRU][Zesty][PATCH 0/1] s390/mm: fix write access check in gup_huge_pmd()

Joseph Salisbury joseph.salisbury at canonical.com
Wed Nov 8 21:48:55 UTC 2017

BugLink: http://bugs.launchpad.net/bugs/1730596

== SRU Justification ==
The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
wrong way around. It must not be set for write==1, and not be checked for
write==0. Fix this similar to how it was fixed for ptes long time ago in
commit 25591b0 ("[S390] fix get_user_pages_fast").

One impact of this bug would be unnecessarily using the gup slow path for
write==0 on r/w mappings. A potentially more severe impact would be that
gup_huge_pmd() will succeed for write==1 on r/o mappings.

This bug is fixed by mainline commit ba385c0594, which is in mainline as of
v4.14-rc2.  It was also cc'd to upstream stable.  It has already been accepted
in upstream v4.13.y, so Artful and Bionic have the fix via the 4.13.5 stable
updates.  This SRU for Xenial needed a minor backport, so it was submitted
separately from Zesty.  The commit is a clean cherry-pick in Zesty.

Full testing feedback has not been reported by IBM as of yet.  However, I am 
still submitting this SRU since the bug is critical and a re-spin may be needed.

== Fix ==
commit ba385c0594e723d41790ecfb12c610e6f90c7785
Author: Gerald Schaefer <gerald.schaefer at de.ibm.com>
Date:   Mon Sep 18 16:51:51 2017 +0200

    s390/mm: fix write access check in gup_huge_pmd()

== Regression Potential ==
This patch is specific to s390.  It has also been accepted by upstream stable,
so additional upstream review has been done.

== Test Case ==
Awaiting full testing feedback from IBM.  SRU still submitted due to critical
importance of bug.

Gerald Schaefer (1):
  s390/mm: fix write access check in gup_huge_pmd()

 arch/s390/mm/gup.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
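
Added example, not part of the original email and not the kernel's code: a userspace model of the check the SRU justification describes, with the inverted form beside the corrected one, showing both stated impacts. The bit values, function names and the exact shape of the inverted check are assumptions derived from the description above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed bit values for this model; not taken from the kernel headers. */
#define SEG_INVALID 0x1UL /* stands in for the segment-entry invalid bit */
#define SEG_PROTECT 0x2UL /* stands in for _SEGMENT_ENTRY_PROTECT */

/* Inverted check as the description characterises it (assumed form):
 * PROTECT is required for write==0 and not looked at for write==1. */
bool fast_path_ok_inverted(unsigned long pmd, int write)
{
    unsigned long result = write ? 0 : SEG_PROTECT;
    unsigned long mask = result | SEG_INVALID;
    return (pmd & mask) == result;
}

/* Corrected check: PROTECT must be clear for write==1 and is
 * not checked for write==0. */
bool fast_path_ok_fixed(unsigned long pmd, int write)
{
    unsigned long mask = (write ? SEG_PROTECT : 0) | SEG_INVALID;
    return (pmd & mask) == 0;
}

int main(void)
{
    static const struct { const char *name; unsigned long pmd; } maps[] = {
        { "r/w mapping",   0 },
        { "r/o mapping",   SEG_PROTECT },
        { "invalid entry", SEG_INVALID },
    };

    /* true = fast path may proceed, false = fall back to the slow path */
    printf("%-14s %-6s %-9s %s\n", "entry", "write", "inverted", "fixed");
    for (size_t i = 0; i < sizeof(maps) / sizeof(maps[0]); i++) {
        for (int write = 0; write <= 1; write++) {
            printf("%-14s %-6d %-9d %d\n", maps[i].name, write,
                   fast_path_ok_inverted(maps[i].pmd, write),
                   fast_path_ok_fixed(maps[i].pmd, write));
        }
    }
    return 0;
}
```

The rows to look at are write==1 on the r/o mapping (inverted check accepts, fixed check refuses) and write==0 on the r/w mapping (inverted check needlessly falls back to the slow path).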
