s390/mm: fix write access check in gup_huge_pmd()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | Critical | Canonical Kernel Team |
linux (Ubuntu) | Fix Released | Critical | Unassigned |
Xenial | Fix Released | Critical | Unassigned |
Zesty | Fix Released | Critical | Unassigned |
Artful | Fix Released | Critical | Unassigned |
Bionic | Fix Released | Critical | Unassigned |
Bug Description
== SRU Justification ==
The check for the _SEGMENT_
wrong way around. It must not be set for write==1, and not be checked for
write==0. Fix this similar to how it was fixed for ptes long time ago in
commit 25591b0 ("[S390] fix get_user_
One impact of this bug would be unnecessarily using the gup slow path for
write==0 on r/w mappings. A potentially more severe impact would be that
gup_huge_pmd() will succeed for write==1 on r/o mappings.
This bug is fixed by mainline commit ba385c0594, which is in mainline as of v4.14-rc2. It was also cc'd to upstream stable. It has already been accepted in upstream v4.13.y, so Artful and Bionic have the fix via the 4.13.5 stable updates.
== Fix ==
commit ba385c0594e723d
Author: Gerald Schaefer <email address hidden>
Date: Mon Sep 18 16:51:51 2017 +0200
s390/mm: fix write access check in gup_huge_pmd()
== Regression Potential ==
This patch is specific to s390. It has also been accepted by upstream stable, so additional upstream review has been done.
Addl information
Problem: The check for the _SEGMENT_
for write==1, and not be checked for write==0. Allowing
to the slow path, will result in a missing faultin_page()
to clear the protection bit (for valid writable mappings),
and the async I/O write operation will fail to write to
such a mapping.
Solution: Fix it by correctly checking the protection bit like it is
also done in gup_pte_range() and gup_huge_pud().
Reproduction: Async I/O workload on buffers that are mapped as transparent
Upstream-ID: ba385c0594e723d
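
The two impacts described above (slow path for write==0 on r/w mappings, success for write==1 on r/o mappings), as an added userspace example that is not the kernel's code or part of the original report: it models the inverted protection-bit check next to the corrected one. The bit values and the names SEG_PROTECT, SEG_INVALID, fast_gup_ok_buggy and fast_gup_ok_fixed are assumptions made for the illustration.

```c
#include <stdio.h>

/* Constructed bit values for illustration; not the real s390 segment-entry layout. */
#define SEG_PROTECT 0x200UL /* hypothetical: mapping is write-protected (r/o) */
#define SEG_INVALID 0x020UL /* hypothetical: entry is not valid */

/* Model of the inverted check: the protection bit is required for write==0
 * and ignored for write==1. Returns 1 if the fast path would accept the entry. */
static int fast_gup_ok_buggy(unsigned long entry, int write)
{
    unsigned long result = write ? 0 : SEG_PROTECT;
    unsigned long mask = result | SEG_INVALID;

    return (entry & mask) == result;
}

/* Model of the corrected check: the protection bit must be clear for write==1
 * and is not looked at for write==0. An invalid entry is always rejected. */
static int fast_gup_ok_fixed(unsigned long entry, int write)
{
    unsigned long mask = (write ? SEG_PROTECT : 0) | SEG_INVALID;

    return (entry & mask) == 0;
}

int main(void)
{
    /* Constructed sample entries covering the cases the report discusses. */
    const struct { const char *name; unsigned long entry; } maps[] = {
        { "r/w",     0 },
        { "r/o",     SEG_PROTECT },
        { "invalid", SEG_INVALID },
    };

    printf("%-8s %-6s %-6s %-6s\n", "mapping", "write", "buggy", "fixed");
    for (unsigned i = 0; i < sizeof(maps) / sizeof(maps[0]); i++)
        for (int write = 0; write <= 1; write++)
            printf("%-8s %-6d %-6d %-6d\n", maps[i].name, write,
                   fast_gup_ok_buggy(maps[i].entry, write),
                   fast_gup_ok_fixed(maps[i].entry, write));
    return 0;
}
```

A 0 in the table means the fast path declines and the caller falls back to the slow path; the row to look for is r/o with write==1, where only the corrected check declines.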
tags: | added: architecture-s39064 bugnameltc-161009 severity-high targetmilestone-inin1604 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
tags: | added: kernel-da-key |
Changed in linux (Ubuntu): | |
importance: | Undecided → Critical |
status: | New → Triaged |
tags: | added: kernel-key removed: kernel-da-key |
Changed in ubuntu-z-systems: | |
status: | New → Triaged |
Changed in ubuntu-z-systems: | |
status: | Triaged → In Progress |
description: | updated |
Changed in linux (Ubuntu Zesty): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
tags: | added: verification-done-zesty removed: verification-needed-zesty |
tags: | added: verification-done-xenial removed: verification-needed-xenial |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
tags: | added: kernel-da-key removed: kernel-key |
Changed in linux (Ubuntu Artful): | |
status: | Fix Committed → Fix Released |
Changed in linux (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
raising the importance to critical (after discussing with IBM)