1 files changed, 0 insertions, 118 deletions
diff --git a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch b/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
deleted file mode 100644
index 0d02d22..0000000
--- a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 82c5a8c0debac552750a00b4fc7551c89c7b34b8 Mon Sep 17 00:00:00 2001
-From: Andrea Arcangeli <aarcange@redhat.com>
-Date: Fri, 30 Nov 2018 14:09:25 -0800
-Subject: [PATCH] userfaultfd: use ENOENT instead of EFAULT if the atomic copy
- user fails
-commit 9e368259ad988356c4c95150fafd1a06af095d98 upstream.
-Patch series "userfaultfd shmem updates".
-Jann found two bugs in the userfaultfd shmem MAP_SHARED backend: the
-lack of the VM_MAYWRITE check and the lack of i_size checks.
-Then looking into the above we also fixed the MAP_PRIVATE case.
-Hugh by source review also found a data loss source if UFFDIO_COPY is
-used on shmem MAP_SHARED PROT_READ mappings (the production usages
-incidentally run with PROT_READ|PROT_WRITE, so the data loss couldn't
-happen in those production usages like with QEMU).
-The whole patchset is marked for stable.
-We verified QEMU postcopy live migration with guest running on shmem
-MAP_PRIVATE run as well as before after the fix of shmem MAP_PRIVATE.
-Regardless if it's shmem or hugetlbfs or MAP_PRIVATE or MAP_SHARED, QEMU
-unconditionally invokes a punch hole if the guest mapping is filebacked
-and a MADV_DONTNEED too (needed to get rid of the MAP_PRIVATE COWs and
-for the anon backend).
-This patch (of 5):
-We internally used EFAULT to communicate with the caller, switch to
-ENOENT, so EFAULT can be used as a non internal retval.
-CVE: CVE-2018-18397
-Upstream-Status: Backport
-Link: http://lkml.kernel.org/r/20181126173452.26955-2-aarcange@redhat.com
-Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
-Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
-Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
-Reviewed-by: Hugh Dickins <hughd@google.com>
-Cc: Mike Kravetz <mike.kravetz@oracle.com>
-Cc: Jann Horn <jannh@google.com>
-Cc: Peter Xu <peterx@redhat.com>
-Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Cc: <stable@vger.kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
---
- mm/hugetlb.c     | 2 +-
- mm/shmem.c       | 2 +-
- mm/userfaultfd.c | 6 +++---
- 3 files changed, 5 insertions(+), 5 deletions(-)
-diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index f46040aed2da..224cdd953a79 100644
--- a/mm/hugetlb.c
-+++ b/mm/hugetlb.c
-@@ -4037,7 +4037,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
- 
-                /* fallback to copy_from_user outside mmap_sem */
-                if (unlikely(ret)) {
-                       ret = -EFAULT;
-+                       ret = -ENOENT;
-                        *pagep = page;
-                        /* don't free the page */
-                        goto out;
-diff --git a/mm/shmem.c b/mm/shmem.c
-index ab7ff0aeae2d..9f856ecda73b 100644
--- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -2266,7 +2266,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
-                                *pagep = page;
-                                shmem_inode_unacct_blocks(inode, 1);
-                                /* don't free the page */
-                               return -EFAULT;
-+                               return -ENOENT;
-                        }
-                } else {                /* mfill_zeropage_atomic */
-                        clear_highpage(page);
-diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
-index 81192701964d..c63c0fc5ecfa 100644
--- a/mm/userfaultfd.c
-+++ b/mm/userfaultfd.c
-@@ -49,7 +49,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
- 
-                /* fallback to copy_from_user outside mmap_sem */
-                if (unlikely(ret)) {
-                       ret = -EFAULT;
-+                       ret = -ENOENT;
-                        *pagep = page;
-                        /* don't free the page */
-                        goto out;
-@@ -275,7 +275,7 @@ static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm,
- 
-                cond_resched();
- 
-               if (unlikely(err == -EFAULT)) {
-+               if (unlikely(err == -ENOENT)) {
-                        up_read(&dst_mm->mmap_sem);
-                        BUG_ON(!page);
- 
-@@ -521,7 +521,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
-                                       src_addr, &page, zeropage);
-                cond_resched();
- 
-               if (unlikely(err == -EFAULT)) {
-+               if (unlikely(err == -ENOENT)) {
-                        void *page_kaddr;
- 
-                        up_read(&dst_mm->mmap_sem);
-- 
-2.19.2

diff --git a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch b/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch deleted file mode 100644 index 0d02d22..0000000 --- a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch +++ /dev/null
@@ -1,118 +0,0 @@
1	From 82c5a8c0debac552750a00b4fc7551c89c7b34b8 Mon Sep 17 00:00:00 2001
2	From: Andrea Arcangeli <aarcange@redhat.com>
3	Date: Fri, 30 Nov 2018 14:09:25 -0800
4	Subject: [PATCH] userfaultfd: use ENOENT instead of EFAULT if the atomic copy
5	user fails
6
7	commit 9e368259ad988356c4c95150fafd1a06af095d98 upstream.
8
9	Patch series "userfaultfd shmem updates".
10
11	Jann found two bugs in the userfaultfd shmem MAP_SHARED backend: the
12	lack of the VM_MAYWRITE check and the lack of i_size checks.
13
14	Then looking into the above we also fixed the MAP_PRIVATE case.
15
16	Hugh by source review also found a data loss source if UFFDIO_COPY is
17	used on shmem MAP_SHARED PROT_READ mappings (the production usages
18	incidentally run with PROT_READ\|PROT_WRITE, so the data loss couldn't
19	happen in those production usages like with QEMU).
20
21	The whole patchset is marked for stable.
22
23	We verified QEMU postcopy live migration with guest running on shmem
24	MAP_PRIVATE run as well as before after the fix of shmem MAP_PRIVATE.
25	Regardless if it's shmem or hugetlbfs or MAP_PRIVATE or MAP_SHARED, QEMU
26	unconditionally invokes a punch hole if the guest mapping is filebacked
27	and a MADV_DONTNEED too (needed to get rid of the MAP_PRIVATE COWs and
28	for the anon backend).
29
30	This patch (of 5):
31
32	We internally used EFAULT to communicate with the caller, switch to
33	ENOENT, so EFAULT can be used as a non internal retval.
34
35	CVE: CVE-2018-18397
36	Upstream-Status: Backport
37
38	Link: http://lkml.kernel.org/r/20181126173452.26955-2-aarcange@redhat.com
39	Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
40	Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
41	Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
42	Reviewed-by: Hugh Dickins <hughd@google.com>
43	Cc: Mike Kravetz <mike.kravetz@oracle.com>
44	Cc: Jann Horn <jannh@google.com>
45	Cc: Peter Xu <peterx@redhat.com>
46	Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
47	Cc: <stable@vger.kernel.org>
48	Cc: stable@vger.kernel.org
49	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
50	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
52	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
53	---
54	mm/hugetlb.c \| 2 +-
55	mm/shmem.c \| 2 +-
56	mm/userfaultfd.c \| 6 +++---
57	3 files changed, 5 insertions(+), 5 deletions(-)
58
59	diff --git a/mm/hugetlb.c b/mm/hugetlb.c
60	index f46040aed2da..224cdd953a79 100644
61	--- a/mm/hugetlb.c
62	+++ b/mm/hugetlb.c
63	@@ -4037,7 +4037,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
64
65	/* fallback to copy_from_user outside mmap_sem */
66	if (unlikely(ret)) {
67	- ret = -EFAULT;
68	+ ret = -ENOENT;
69	*pagep = page;
70	/* don't free the page */
71	goto out;
72	diff --git a/mm/shmem.c b/mm/shmem.c
73	index ab7ff0aeae2d..9f856ecda73b 100644
74	--- a/mm/shmem.c
75	+++ b/mm/shmem.c
76	@@ -2266,7 +2266,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
77	*pagep = page;
78	shmem_inode_unacct_blocks(inode, 1);
79	/* don't free the page */
80	- return -EFAULT;
81	+ return -ENOENT;
82	}
83	} else { /* mfill_zeropage_atomic */
84	clear_highpage(page);
85	diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
86	index 81192701964d..c63c0fc5ecfa 100644
87	--- a/mm/userfaultfd.c
88	+++ b/mm/userfaultfd.c
89	@@ -49,7 +49,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
90
91	/* fallback to copy_from_user outside mmap_sem */
92	if (unlikely(ret)) {
93	- ret = -EFAULT;
94	+ ret = -ENOENT;
95	*pagep = page;
96	/* don't free the page */
97	goto out;
98	@@ -275,7 +275,7 @@ static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm,
99
100	cond_resched();
101
102	- if (unlikely(err == -EFAULT)) {
103	+ if (unlikely(err == -ENOENT)) {
104	up_read(&dst_mm->mmap_sem);
105	BUG_ON(!page);
106
107	@@ -521,7 +521,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
108	src_addr, &page, zeropage);
109	cond_resched();
110
111	- if (unlikely(err == -EFAULT)) {
112	+ if (unlikely(err == -ENOENT)) {
113	void *page_kaddr;
114
115	up_read(&dst_mm->mmap_sem);
116	--
117	2.19.2
118