| author | Heiko Carstens <hca@linux.ibm.com> | 2025-04-30 09:58:05 +0200 |
|---|---|---|
| committer | Heiko Carstens <hca@linux.ibm.com> | 2025-05-05 15:47:20 +0200 |
| commit | 3919600d32b92e67f1d28376bd63152306e99452 (patch) | |
| tree | 7607b413eb745fd3fa8fe166790ba6559a8d11d7 | |
| parent | f049a4f7ffa50000485a61d5518ffae24b662aaa (diff) | |
s390/mm: Fix potential use-after-free in __crst_table_upgrade()
The pointer to the mm_struct which is passed to __crst_table_upgrade() may
only be dereferenced if it is identical to current->active_mm. Otherwise
the current task has no reference to the mm_struct and it may already be
freed. In such a case this would result in a use-after-free bug.
Make sure this use-after-free scenario does not happen by moving the code,
which dereferences the mm_struct pointer, after the check which verifies
that the pointer is identical to current->active_mm, like it was before
lazy ASCE handling was reimplemented.
Fixes: 8b72f5a97b82 ("s390/mm: Reimplement lazy ASCE handling")
Reviewed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
-rw-r--r-- | arch/s390/mm/pgalloc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c index e33903b419a9..d177bea0bd73 100644 --- a/arch/s390/mm/pgalloc.c +++ b/arch/s390/mm/pgalloc.c @@ -40,9 +40,9 @@ static void __crst_table_upgrade(void *arg) struct mm_struct *mm = arg; struct ctlreg asce; - asce.val = mm->context.asce; /* change all active ASCEs to avoid the creation of new TLBs */ if (current->active_mm == mm) { + asce.val = mm->context.asce; get_lowcore()->user_asce = asce; local_ctl_load(7, &asce); if (!test_thread_flag(TIF_ASCE_PRIMARY)) |
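Review bot: Moving `asce.val = mm->context.asce;` below the `if (current->active_mm == mm)` check is the correct fix for the described use-after-free: `mm` arrives in this function as an opaque `void *arg`, and the equality with the current task's active mm is the only thing in the visible code that proves the object is still alive, so reading `mm->context.asce` before that comparison dereferences memory the caller may not hold a reference to. Two points to raise on the hunk: first, `asce` is now left uninitialized on the path where `current->active_mm != mm`, which is fine only if nothing after the `if` block (beyond the visible context lines) reads it, so that should be confirmed before merging; second, since the Fixes: tag shows this ordering has already regressed once, a one-line comment directly above the check, e.g. `/* mm may only be dereferenced if it is current->active_mm, it may already be freed otherwise */`, would make the invariant explicit and make a future reordering less likely to slip through review.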