--- /dev/null
+From 81df022b688d43d2a3667518b2f755d384397910 Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Mon, 27 Nov 2017 23:47:35 +0100
+Subject: scsi: scsi_devinfo: cleanly zero-pad devinfo strings
+
+From: Martin Wilck <mwilck@suse.com>
+
+commit 81df022b688d43d2a3667518b2f755d384397910 upstream.
+
+Cleanly fill memory for "vendor" and "model" with 0-bytes for the
+"compatible" case rather than adding only a single 0 byte. This
+simplifies the devinfo code a a bit, and avoids mistakes in other places
+of the code (not in current upstream, but we had one such mistake in the
+SUSE kernel).
+
+[mkp: applied by hand and added braces]
+
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_devinfo.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -34,7 +34,6 @@ struct scsi_dev_info_list_table {
+ };
+
+
+-static const char spaces[] = " "; /* 16 of them */
+ static unsigned scsi_default_dev_flags;
+ static LIST_HEAD(scsi_dev_info_list);
+ static char scsi_dev_flags[256];
+@@ -296,20 +295,13 @@ static void scsi_strcpy_devinfo(char *na
+ size_t from_length;
+
+ from_length = strlen(from);
+- strncpy(to, from, min(to_length, from_length));
+- if (from_length < to_length) {
+- if (compatible) {
+- /*
+- * NUL terminate the string if it is short.
+- */
+- to[from_length] = '\0';
+- } else {
+- /*
+- * space pad the string if it is short.
+- */
+- strncpy(&to[from_length], spaces,
+- to_length - from_length);
+- }
++ /* this zero-pads the destination */
++ strncpy(to, from, to_length);
++ if (from_length < to_length && !compatible) {
++ /*
++ * space pad the string if it is short.
++ */
++ memset(&to[from_length], ' ', to_length - from_length);
+ }
+ if (from_length > to_length)
+ printk(KERN_WARNING "%s: %s string '%s' is too long\n",
--- /dev/null
+From 29ec90660d68bbdd69507c1c8b4e33aa299278b1 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 30 Nov 2018 14:09:32 -0800
+Subject: userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit 29ec90660d68bbdd69507c1c8b4e33aa299278b1 upstream.
+
+After the VMA to register the uffd onto is found, check that it has
+VM_MAYWRITE set before allowing registration. This way we inherit all
+common code checks before allowing to fill file holes in shmem and
+hugetlbfs with UFFDIO_COPY.
+
+The userfaultfd memory model is not applicable for readonly files unless
+it's a MAP_PRIVATE.
+
+Link: http://lkml.kernel.org/r/20181126173452.26955-4-aarcange@redhat.com
+Fixes: ff62a3421044 ("hugetlb: implement memfd sealing")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Hugh Dickins <hughd@google.com>
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Cc: <stable@vger.kernel.org>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/userfaultfd.c | 15 +++++++++++++++
+ mm/userfaultfd.c | 15 ++++++---------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1362,6 +1362,19 @@ static int userfaultfd_register(struct u
+ ret = -EINVAL;
+ if (!vma_can_userfault(cur))
+ goto out_unlock;
++
++ /*
++ * UFFDIO_COPY will fill file holes even without
++ * PROT_WRITE. This check enforces that if this is a
++ * MAP_SHARED, the process has write permission to the backing
++ * file. If VM_MAYWRITE is set it also enforces that on a
++ * MAP_SHARED vma: there is no F_WRITE_SEAL and no further
++ * F_WRITE_SEAL can be taken until the vma is destroyed.
++ */
++ ret = -EPERM;
++ if (unlikely(!(cur->vm_flags & VM_MAYWRITE)))
++ goto out_unlock;
++
+ /*
+ * If this vma contains ending address, and huge pages
+ * check alignment.
+@@ -1407,6 +1420,7 @@ static int userfaultfd_register(struct u
+ BUG_ON(!vma_can_userfault(vma));
+ BUG_ON(vma->vm_userfaultfd_ctx.ctx &&
+ vma->vm_userfaultfd_ctx.ctx != ctx);
++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
+ /*
+ * Nothing to do: this vma is already registered into this
+@@ -1553,6 +1567,7 @@ static int userfaultfd_unregister(struct
+ cond_resched();
+
+ BUG_ON(!vma_can_userfault(vma));
++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
+ /*
+ * Nothing to do: this vma is already registered into this
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -228,8 +228,9 @@ retry:
+ if (!dst_vma || !is_vm_hugetlb_page(dst_vma))
+ goto out_unlock;
+ /*
+- * Only allow __mcopy_atomic_hugetlb on userfaultfd
+- * registered ranges.
++ * Check the vma is registered in uffd, this is
++ * required to enforce the VM_MAYWRITE check done at
++ * uffd registration time.
+ */
+ if (!dst_vma->vm_userfaultfd_ctx.ctx)
+ goto out_unlock;
+@@ -472,13 +473,9 @@ retry:
+ if (!dst_vma)
+ goto out_unlock;
+ /*
+- * Be strict and only allow __mcopy_atomic on userfaultfd
+- * registered ranges to prevent userland errors going
+- * unnoticed. As far as the VM consistency is concerned, it
+- * would be perfectly safe to remove this check, but there's
+- * no useful usage for __mcopy_atomic ouside of userfaultfd
+- * registered ranges. This is after all why these are ioctls
+- * belonging to the userfaultfd and not syscalls.
++ * Check the vma is registered in uffd, this is required to
++ * enforce the VM_MAYWRITE check done at uffd registration
++ * time.
+ */
+ if (!dst_vma->vm_userfaultfd_ctx.ctx)
+ goto out_unlock;
projects / thirdparty / kernel / stable-queue.git / commitdiff
