From: Greg Kroah-Hartman Date: Thu, 6 Dec 2018 09:47:36 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.8~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d132d225bf0937eed0086f71641d679816b56da4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch userfaultfd-shmem-hugetlbfs-only-allow-to-register-vm_maywrite-vmas.patch
---
diff --git a/queue-4.14/scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch b/queue-4.14/scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch
new file mode 100644
index 00000000000..54c2ec46240
--- /dev/null
+++ b/queue-4.14/scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch
@@ -0,0 +1,64 @@
+From 81df022b688d43d2a3667518b2f755d384397910 Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Mon, 27 Nov 2017 23:47:35 +0100
+Subject: scsi: scsi_devinfo: cleanly zero-pad devinfo strings
+
+From: Martin Wilck
+
+commit 81df022b688d43d2a3667518b2f755d384397910 upstream.
+
+Cleanly fill memory for "vendor" and "model" with 0-bytes for the
+"compatible" case rather than adding only a single 0 byte. This
+simplifies the devinfo code a a bit, and avoids mistakes in other places
+of the code (not in current upstream, but we had one such mistake in the
+SUSE kernel).
+
+[mkp: applied by hand and added braces]
+
+Signed-off-by: Martin Wilck
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_devinfo.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -34,7 +34,6 @@ struct scsi_dev_info_list_table {
+ };
+
+
+-static const char spaces[] = " "; /* 16 of them */
+ static unsigned scsi_default_dev_flags;
+ static LIST_HEAD(scsi_dev_info_list);
+ static char scsi_dev_flags[256];
+@@ -296,20 +295,13 @@ static void scsi_strcpy_devinfo(char *na
+ size_t from_length;
+
+ from_length = strlen(from);
+- strncpy(to, from, min(to_length, from_length));
+- if (from_length < to_length) {
+- if (compatible) {
+- /*
+- * NUL terminate the string if it is short.
+- */
+- to[from_length] = '\0';
+- } else {
+- /*
+- * space pad the string if it is short.
+- */
+- strncpy(&to[from_length], spaces,
+- to_length - from_length);
+- }
++ /* this zero-pads the destination */
++ strncpy(to, from, to_length);
++ if (from_length < to_length && !compatible) {
++ /*
++ * space pad the string if it is short.
++ */
++ memset(&to[from_length], ' ', to_length - from_length);
+ }
+ if (from_length > to_length)
+ printk(KERN_WARNING "%s: %s string '%s' is too long\n",
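Review bot: The new comment `/* this zero-pads the destination */` in scsi_strcpy_devinfo() only holds when `from_length < to_length`; once `from_length >= to_length`, `strncpy(to, from, to_length)` fills the whole field and writes no terminating NUL, and only the strictly longer case reaches the printk below. That looks intended for the fixed-width "vendor" and "model" fields named in the commit message, but it is worth stating, e.g. `/* zero-pads short strings; 'to' is a fixed-width field and gets no NUL when from_length >= to_length */`, so that code reading these fields keeps using length-bounded comparisons. The function starts before and continues past the nested hunk, so how the fields are consumed is not visible here.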
diff --git a/queue-4.14/series b/queue-4.14/series
index e8814347dc8..10833de4520 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -23,3 +23,5 @@ userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch
 userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch
 userfaultfd-shmem-add-i_size-checks.patch
 userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch
+scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch
+userfaultfd-shmem-hugetlbfs-only-allow-to-register-vm_maywrite-vmas.patch
diff --git a/queue-4.14/userfaultfd-shmem-hugetlbfs-only-allow-to-register-vm_maywrite-vmas.patch b/queue-4.14/userfaultfd-shmem-hugetlbfs-only-allow-to-register-vm_maywrite-vmas.patch
new file mode 100644
index 00000000000..5201cbf7a0a
--- /dev/null
+++ b/queue-4.14/userfaultfd-shmem-hugetlbfs-only-allow-to-register-vm_maywrite-vmas.patch
@@ -0,0 +1,107 @@
+From 29ec90660d68bbdd69507c1c8b4e33aa299278b1 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli
+Date: Fri, 30 Nov 2018 14:09:32 -0800
+Subject: userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
+
+From: Andrea Arcangeli
+
+commit 29ec90660d68bbdd69507c1c8b4e33aa299278b1 upstream.
+
+After the VMA to register the uffd onto is found, check that it has
+VM_MAYWRITE set before allowing registration. This way we inherit all
+common code checks before allowing to fill file holes in shmem and
+hugetlbfs with UFFDIO_COPY.
+
+The userfaultfd memory model is not applicable for readonly files unless
+it's a MAP_PRIVATE.
+
+Link: http://lkml.kernel.org/r/20181126173452.26955-4-aarcange@redhat.com
+Fixes: ff62a3421044 ("hugetlb: implement memfd sealing")
+Signed-off-by: Andrea Arcangeli
+Reviewed-by: Mike Rapoport
+Reviewed-by: Hugh Dickins
+Reported-by: Jann Horn
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Cc:
+Cc: "Dr. David Alan Gilbert"
+Cc: Mike Kravetz
+Cc: Peter Xu
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/userfaultfd.c | 15 +++++++++++++++
+ mm/userfaultfd.c | 15 ++++++---------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1362,6 +1362,19 @@ static int userfaultfd_register(struct u
+ ret = -EINVAL;
+ if (!vma_can_userfault(cur))
+ goto out_unlock;
++
++ /*
++ * UFFDIO_COPY will fill file holes even without
++ * PROT_WRITE. This check enforces that if this is a
++ * MAP_SHARED, the process has write permission to the backing
++ * file. If VM_MAYWRITE is set it also enforces that on a
++ * MAP_SHARED vma: there is no F_WRITE_SEAL and no further
++ * F_WRITE_SEAL can be taken until the vma is destroyed.
++ */
++ ret = -EPERM;
++ if (unlikely(!(cur->vm_flags & VM_MAYWRITE)))
++ goto out_unlock;
++
+ /*
+ * If this vma contains ending address, and huge pages
+ * check alignment.
+@@ -1407,6 +1420,7 @@ static int userfaultfd_register(struct u
+ BUG_ON(!vma_can_userfault(vma));
+ BUG_ON(vma->vm_userfaultfd_ctx.ctx &&
+ vma->vm_userfaultfd_ctx.ctx != ctx);
++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
+ /*
+ * Nothing to do: this vma is already registered into this
+@@ -1553,6 +1567,7 @@ static int userfaultfd_unregister(struct
+ cond_resched();
+
+ BUG_ON(!vma_can_userfault(vma));
++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
+ /*
+ * Nothing to do: this vma is already registered into this
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -228,8 +228,9 @@ retry:
+ if (!dst_vma || !is_vm_hugetlb_page(dst_vma))
+ goto out_unlock;
+ /*
+- * Only allow __mcopy_atomic_hugetlb on userfaultfd
+- * registered ranges.
++ * Check the vma is registered in uffd, this is
++ * required to enforce the VM_MAYWRITE check done at
++ * uffd registration time.
+ */
+ if (!dst_vma->vm_userfaultfd_ctx.ctx)
+ goto out_unlock;
+@@ -472,13 +473,9 @@ retry:
+ if (!dst_vma)
+ goto out_unlock;
+ /*
+- * Be strict and only allow __mcopy_atomic on userfaultfd
+- * registered ranges to prevent userland errors going
+- * unnoticed. As far as the VM consistency is concerned, it
+- * would be perfectly safe to remove this check, but there's
+- * no useful usage for __mcopy_atomic ouside of userfaultfd
+- * registered ranges. This is after all why these are ioctls
+- * belonging to the userfaultfd and not syscalls.
++ * Check the vma is registered in uffd, this is required to
++ * enforce the VM_MAYWRITE check done at uffd registration
++ * time.
+ */
+ if (!dst_vma->vm_userfaultfd_ctx.ctx)
+ goto out_unlock;
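Review bot: In the userfaultfd_unregister() hunk the added `WARN_ON(!(vma->vm_flags & VM_MAYWRITE));` sits above the "Nothing to do" comment, so apparently before the loop skips vmas that carry no `vm_userfaultfd_ctx.ctx`. If that is the order, a vma in the requested range that was never registered, and so never passed the new -EPERM check in userfaultfd_register(), can reach the assertion without VM_MAYWRITE and raise a false-positive warning, which matters on systems running with panic_on_warn. I would move the line below that skip so it only asserts on vmas that went through registration; the skip itself lies outside the hunk, so this needs confirming against the full function. The same placement in the second userfaultfd_register() hunk looks fine, presumably because every vma in the range has already gone through the VM_MAYWRITE check added in the first hunk.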