From: Greg Kroah-Hartman
Date: Fri, 8 Sep 2017 07:09:51 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.13.1~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=83743524e6a5c446b043cce28cbc8f68a10b2931;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch
scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch
---
diff --git a/queue-3.18/scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch b/queue-3.18/scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch
new file mode 100644
index 00000000000..dd089a2e1f8
--- /dev/null
+++ b/queue-3.18/scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch
@@ -0,0 +1,61 @@
+From 6a8dadcca81fceff9976e8828cceb072873b7bd5 Mon Sep 17 00:00:00 2001
+From: Todd Poynor
+Date: Tue, 15 Aug 2017 22:41:08 -0700
+Subject: scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
+
+From: Todd Poynor
+
+commit 6a8dadcca81fceff9976e8828cceb072873b7bd5 upstream.
+
+Take f_mutex around mmap() processing to protect against races with the
+SG_SET_RESERVED_SIZE ioctl. Ensure the reserve buffer length remains
+consistent during the mapping operation, and set the "mmap called" flag
+to prevent further changes to the reserved buffer size as an atomic
+operation with the mapping.
+
+[mkp: fixed whitespace]
+
+Signed-off-by: Todd Poynor
+Acked-by: Douglas Gilbert
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1295,6 +1295,7 @@ sg_mmap(struct file *filp, struct vm_are
+ unsigned long req_sz, len, sa;
+ Sg_scatter_hold *rsv_schp;
+ int k, length;
++ int ret = 0;
+
+ if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data)))
+ return -ENXIO;
+@@ -1305,8 +1306,11 @@ sg_mmap(struct file *filp, struct vm_are
+ if (vma->vm_pgoff)
+ return -EINVAL; /* want no offset */
+ rsv_schp = &sfp->reserve;
+- if (req_sz > rsv_schp->bufflen)
+- return -ENOMEM; /* cannot map more than reserved buffer */
++ mutex_lock(&sfp->f_mutex);
++ if (req_sz > rsv_schp->bufflen) {
++ ret = -ENOMEM; /* cannot map more than reserved buffer */
++ goto out;
++ }
+
+ sa = vma->vm_start;
+ length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
+@@ -1320,7 +1324,9 @@ sg_mmap(struct file *filp, struct vm_are
+ vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP;
+ vma->vm_private_data = sfp;
+ vma->vm_ops = &sg_mmap_vm_ops;
+- return 0;
++out:
++ mutex_unlock(&sfp->f_mutex);
++ return ret;
+ }
+
+ static void
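Review bot: The "mmap called" flag that the commit message says is set atomically with the mapping is not visible in the hunk: sg_mmap starts before the first hunk, and the lines between the second and third hunks (the page-walk loop and, presumably, the `sfp->mmap_called` store) are outside it, so confirm that store now sits between `mutex_lock(&sfp->f_mutex)` and the `out:` unlock rather than before the lock, otherwise SG_SET_RESERVED_SIZE can still slip in between the length check and the flag. Nothing in the function says why a plain read of `rsv_schp->bufflen` needs serializing, so a one-line comment at the lock would carry that intent for the next reader: `mutex_lock(&sfp->f_mutex); /* keep reserve.bufflen stable against SG_SET_RESERVED_SIZE until vm_ops is installed */`. The `-ENXIO`/`-EINVAL` returns remain before the lock, so the early exits do not leak it, and the single `out:` label keeps the unlock on both the `-ENOMEM` and success paths.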
diff --git a/queue-3.18/scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch b/queue-3.18/scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch
new file mode 100644
index 00000000000..1fa9cb23181
--- /dev/null
+++ b/queue-3.18/scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch
@@ -0,0 +1,48 @@
+From 8d26f491116feaa0b16de370b6a7ba40a40fa0b4 Mon Sep 17 00:00:00 2001
+From: Todd Poynor
+Date: Tue, 15 Aug 2017 21:48:43 -0700
+Subject: scsi: sg: recheck MMAP_IO request length with lock held
+
+From: Todd Poynor
+
+commit 8d26f491116feaa0b16de370b6a7ba40a40fa0b4 upstream.
+
+Commit 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page
+array") adds needed concurrency protection for the "reserve" buffer.
+Some checks that are initially made outside the lock are replicated once
+the lock is taken to ensure the checks and resulting decisions are made
+using consistent state.
+
+The check that a request with flag SG_FLAG_MMAP_IO set fits in the
+reserve buffer also needs to be performed again under the lock to ensure
+the reserve buffer length compared against matches the value in effect
+when the request is linked to the reserve buffer. An -ENOMEM should be
+returned in this case, instead of switching over to an indirect buffer
+as for non-MMAP_IO requests.
+
+Signed-off-by: Todd Poynor
+Acked-by: Douglas Gilbert
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1798,9 +1798,12 @@ sg_start_req(Sg_request *srp, unsigned c
+ !sfp->res_in_use) {
+ sfp->res_in_use = 1;
+ sg_link_reserve(sfp, srp, dxfer_len);
+- } else if ((hp->flags & SG_FLAG_MMAP_IO) && sfp->res_in_use) {
++ } else if (hp->flags & SG_FLAG_MMAP_IO) {
++ res = -EBUSY; /* sfp->res_in_use == 1 */
++ if (dxfer_len > rsv_schp->bufflen)
++ res = -ENOMEM;
+ mutex_unlock(&sfp->f_mutex);
+- return -EBUSY;
++ return res;
+ } else {
+ res = sg_build_indirect(req_schp, sfp, dxfer_len);
+ if (res) {
diff --git a/queue-3.18/series b/queue-3.18/series
index 585bcc5ad03..18f8d3c50e7 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
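Review bot: The comment `/* sfp->res_in_use == 1 */` on the new `res = -EBUSY;` line is not a precondition of that line: the branch is also entered when the reserve is free but `dxfer_len > rsv_schp->bufflen` (the first branch's condition starts above the hunk), and only the `if` that follows corrects `res` to `-ENOMEM`. Making both causes explicit on one line keeps the comment truthful and removes the overwrite: `res = (dxfer_len > rsv_schp->bufflen) ? -ENOMEM : -EBUSY; /* -EBUSY: reserve already linked to another request */`. The recheck itself is the substance of the fix: the unlocked length check earlier in sg_start_req (outside the hunk) can be invalidated by SG_SET_RESERVED_SIZE shrinking `bufflen` before `f_mutex` is taken, and without re-comparing under the lock an MMAP_IO request could be linked to a reserve buffer smaller than its transfer length. sg_start_req begins and ends outside the hunk.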
@@ -10,3 +10,5 @@ dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch
 cma-fix-calculation-of-aligned-offset.patch
 workqueue-fix-flag-collision.patch
 cs5536-add-support-for-ide-controller-variant.patch
+scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch
+scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch