s390/gup: add missing TASK_SIZE check to get_user_pages_fast()

When walking page tables we need to make sure that everything
is within bounds of the ASCE limit of the task's address space.
Otherwise we might calculate e.g. a pud pointer which is not
within a pud and dereference it.
So check against TASK_SIZE (which is the ASCE limit) before
walking page tables.

Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
index 8b8285310b5a172a2f1e650b4c52d6c908bc193a..16fb3c1615dcfe1f4a31d71fe3773793ee16ae4a 100644 (file)
--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -229,7 +229,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
        addr = start;
        len = (unsigned long) nr_pages << PAGE_SHIFT;
        end = start + len;
-       if (end < start)
+       if ((end < start) || (end > TASK_SIZE))
                goto slow_irqon;
 
        /*