From d6b4dcf5c580470ed553052206836adfaa2052fc Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 5 Dec 2017 09:41:03 -0500 Subject: fs/file.c: trim includes Signed-off-by: Al Viro --- fs/file.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fs/file.c b/fs/file.c index 3b080834b870..bb2d251e19c1 100644 --- a/fs/file.c +++ b/fs/file.c @@ -11,18 +11,13 @@ #include #include #include -#include -#include #include #include -#include #include #include #include -#include #include #include -#include unsigned int sysctl_nr_open __read_mostly = 1024*1024; unsigned int sysctl_nr_open_min = BITS_PER_LONG; -- cgit v1.2.3 From 9c5650359a1e7fc21e191fdc087f31154ce27ae2 Mon Sep 17 00:00:00 2001 From: Yang Shi Date: Sat, 18 Nov 2017 07:02:17 +0800 Subject: vfs: remove unused hardirq.h Preempt counter APIs have been split out, currently, hardirq.h just includes irq_enter/exit APIs which are not used by vfs at all. So, remove the unused hardirq.h. Signed-off-by: Yang Shi Cc: Alexander Viro Signed-off-by: Al Viro --- fs/dcache.c | 1 - fs/file_table.c | 1 - 2 files changed, 2 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index 5c7df1df81ff..b99a39206930 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -32,7 +32,6 @@ #include #include #include -#include #include #include #include diff --git a/fs/file_table.c b/fs/file_table.c index 2dc9f38bd195..7ec0b3e5f05d 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -23,7 +23,6 @@ #include #include #include -#include #include #include #include -- cgit v1.2.3 From a0e94598e6b6c0d1df6a5fa14eb7c767ca817a20 Mon Sep 17 00:00:00 2001 From: Christophe Leroy Date: Sat, 9 Dec 2017 17:24:24 +0100 Subject: Fix misannotated out-of-line _copy_to_user() Destination is a kernel pointer and source - a userland one in _copy_from_user(); _copy_to_user() is the other way round. Fixes: d597580d37377 ("generic ...copy_..._user primitives") Signed-off-by: Christophe Leroy 
Signed-off-by: Al Viro --- lib/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/usercopy.c b/lib/usercopy.c index 15e2e6fb060e..3744b2a8e591 100644 --- a/lib/usercopy.c +++ b/lib/usercopy.c @@ -20,7 +20,7 @@ EXPORT_SYMBOL(_copy_from_user); #endif #ifndef INLINE_COPY_TO_USER -unsigned long _copy_to_user(void *to, const void __user *from, unsigned long n) +unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n) { might_fault(); if (likely(access_ok(VERIFY_WRITE, to, n))) { -- cgit v1.2.3 From 00b0c9b82663ac42e5a09f58ce960f81f29d64ee Mon Sep 17 00:00:00 2001 
From: Al Viro Date: Thu, 14 Dec 2017 21:27:55 -0500 Subject: Add primitives for manipulating bitfields both in host- and fixed-endian. The following primitives are defined in linux/bitfield.h: * u32 le32_get_bits(__le32 val, u32 field) extracts the contents of the bitfield specified by @field in little-endian 32bit object @val and converts it to host-endian. * void le32p_replace_bits(__le32 *p, u32 v, u32 field) replaces the contents of the bitfield specified by @field in little-endian 32bit object pointed to by @p with the value of @v. New value is given in host-endian and stored as little-endian. * __le32 le32_replace_bits(__le32 old, u32 v, u32 field) is equivalent to ({__le32 tmp = old; le32p_replace_bits(&tmp, v, field); tmp;}) In other words, instead of modifying an object in memory, it takes the initial value and returns the modified one. * __le32 le32_encode_bits(u32 v, u32 field) is equivalent to le32_replace_bits(0, v, field). In other words, it returns a little-endian 32bit object with the bitfield specified by @field containing the value of @v and all bits outside that bitfield being zero. Such set of helpers is defined for each of little-, big- and host-endian types; e.g. u64_get_bits(val, field) will return the contents of the bitfield specified by @field in host-endian 64bit object @val, etc. Of course, for host-endian no conversion is involved. Fields to access are specified as GENMASK() values - an N-bit field starting at bit #M is encoded as GENMASK(M + N - 1, M). Note that bit numbers refer to endianness of the object we are working with - e.g. GENMASK(11, 0) in __be16 refers to the second byte and the lower 4 bits of the first byte. In __le16 it would refer to the first byte and the lower 4 bits of the second byte, etc. Field specification must be a constant; __builtin_constant_p() doesn't have to be true for it, but compiler must be able to evaluate it at build time. 
If it cannot or if the value does not encode any bitfield, the build will fail. If the value being stored in a bitfield is a constant that does not fit into that bitfield, a warning will be generated at compile time. Signed-off-by: Al Viro --- include/linux/bitfield.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h index 1030651f8309..cf2588d81148 100644 --- a/include/linux/bitfield.h +++ b/include/linux/bitfield.h @@ -16,6 +16,7 @@ #define _LINUX_BITFIELD_H #include +#include /* * Bitfield access macros 
@@ -103,4 +104,49 @@ (typeof(_mask))(((_reg) & (_mask)) >> __bf_shf(_mask)); \ }) +extern void __compiletime_warning("value doesn't fit into mask") +__field_overflow(void); +extern void __compiletime_error("bad bitfield mask") +__bad_mask(void); +static __always_inline u64 field_multiplier(u64 field) +{ + if ((field | (field - 1)) & ((field | (field - 1)) + 1)) + __bad_mask(); + return field & -field; +} +static __always_inline u64 field_mask(u64 field) +{ + return field / field_multiplier(field); +} +#define ____MAKE_OP(type,base,to,from) \ +static __always_inline __##type type##_encode_bits(base v, base field) \ +{ \ + if (__builtin_constant_p(v) && (v & ~field_multiplier(field))) \ + __field_overflow(); \ + return to((v & field_mask(field)) * field_multiplier(field)); \ +} \ +static __always_inline __##type type##_replace_bits(__##type old, \ + base val, base field) \ +{ \ + return (old & ~to(field)) | type##_encode_bits(val, field); \ +} \ +static __always_inline void type##p_replace_bits(__##type *p, \ + base val, base field) \ +{ \ + *p = (*p & ~to(field)) | type##_encode_bits(val, field); \ +} \ +static __always_inline base type##_get_bits(__##type v, base field) \ +{ \ + return (from(v) & field)/field_multiplier(field); \ +} +#define __MAKE_OP(size) \ + ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \ + ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \ + ____MAKE_OP(u##size,u##size,,) +__MAKE_OP(16) +__MAKE_OP(32) +__MAKE_OP(64) +#undef __MAKE_OP +#undef ____MAKE_OP + #endif -- cgit v1.2.3 From f1ee616214cb22410e939d963bbb2349c2570f02 Mon Sep 17 00:00:00 2001 
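Review bot: The compile-time overflow check in `type##_encode_bits` tests `v & ~field_multiplier(field)`, but `field_multiplier()` returns only the lowest set bit of the mask (`field & -field`), not the field's width, so the operand is wrong; it should be `if (__builtin_constant_p(v) && (v & ~field_mask(field)))`. As written, storing the constant 2 into GENMASK(7, 4) trips the "value doesn't fit into mask" warning although 2 fits in the 4-bit field, while 0x10 into the same field passes silently and is then truncated to 0 by the `v & field_mask(field)` on the following line. The `__compiletime_warning` plumbing itself is fine; only the mask used in the comparison needs to change.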
From: NeilBrown Date: Thu, 21 Dec 2017 09:45:40 +1100 Subject: VFS: don't keep disconnected dentries on d_anon The original purpose of the per-superblock d_anon list was to keep disconnected dentries in the cache between consecutive requests to the NFS server. Dentries can be disconnected if a client holds a file open and repeatedly performs IO on it, and if the server drops the dentry, whether due to memory pressure, server restart, or "echo 3 > /proc/sys/vm/drop_caches". This purpose was thwarted by commit 75a6f82a0d10 ("freeing unlinked file indefinitely delayed") which caused disconnected dentries to be freed as soon as their refcount reached zero. This means that, when a dentry being used by nfsd gets disconnected, a new one needs to be allocated for every request (unless requests overlap). As the dentry has no name, no parent, and no children, there is little of value to cache. As small memory allocations are typically fast (from per-cpu free lists) this likely has little cost. This means that the original purpose of s_anon is no longer relevant: there is no longer any need to keep disconnected dentries on a list so they appear to be hashed. However, s_anon now has a new use. When you mount an NFS filesystem, the dentry stored in s_root is just a placebo. The "real" root dentry is allocated using d_obtain_root() and so it is kept on the s_anon list. I don't know the reason for this, but suspect it is related to NFSv4 where a mount of "server:/some/path" requires NFS to look up the root filehandle on the server, then walk down "/some" and "/path" to get the filehandle to mount. Whatever the reason, NFS depends on the s_anon list and on shrink_dcache_for_umount() pruning all dentries on this list. So we cannot simply remove s_anon. We could just leave the code unchanged, but apart from that being potentially confusing, the (unfair) bit-spin-lock which protects s_anon can become a bottleneck when lots of disconnected dentries are being created.
So this patch renames s_anon to s_roots, and stops storing disconnected dentries on the list. Only dentries obtained with d_obtain_root() are now stored on this list. There are many fewer of these (only NFS and NILFS2 use the call, and only during filesystem mount) so contention on the bit-lock will not be a problem. Possibly an alternate solution should be found for NFS and NILFS2, but that would require understanding their needs first. Signed-off-by: NeilBrown Signed-off-by: Al Viro --- Documentation/filesystems/nfs/Exporting | 27 +++++++++++++++------- .../staging/lustre/lustre/llite/llite_internal.h | 10 +------- fs/dcache.c | 22 ++++++++++-------- fs/super.c | 2 +- include/linux/fs.h | 2 +- 5 files changed, 34 insertions(+), 29 deletions(-) diff --git a/Documentation/filesystems/nfs/Exporting b/Documentation/filesystems/nfs/Exporting index 520a4becb75c..63889149f532 100644 --- a/Documentation/filesystems/nfs/Exporting +++ b/Documentation/filesystems/nfs/Exporting 
@@ -56,13 +56,25 @@ a/ A dentry flag DCACHE_DISCONNECTED which is set on any dentry that might not be part of the proper prefix. This is set when anonymous dentries are created, and cleared when a dentry is noticed to be a child of a dentry which is in the proper - prefix. - -b/ A per-superblock list "s_anon" of dentries which are the roots of - subtrees that are not in the proper prefix. These dentries, as - well as the proper prefix, need to be released at unmount time. As - these dentries will not be hashed, they are linked together on the - d_hash list_head. + prefix. If the refcount on a dentry with this flag set + becomes zero, the dentry is immediately discarded, rather than being + kept in the dcache. If a dentry that is not already in the dcache + is repeatedly accessed by filehandle (as NFSD might do), an new dentry + will be a allocated for each access, and discarded at the end of + the access. + + Note that such a dentry can acquire children, name, ancestors, etc. + without losing DCACHE_DISCONNECTED - that flag is only cleared when + subtree is successfully reconnected to root. Until then dentries + in such subtree are retained only as long as there are references; + refcount reaching zero means immediate eviction, same as for unhashed + dentries. That guarantees that we won't need to hunt them down upon + umount. + +b/ A primitive for creation of secondary roots - d_obtain_root(inode). + Those do _not_ bear DCACHE_DISCONNECTED. They are placed on the + per-superblock list (->s_roots), so they can be located at umount + time for eviction purposes. c/ Helper routines to allocate anonymous dentries, and to help attach loose directory dentries at lookup time. They are: 
@@ -77,7 +89,6 @@ c/ Helper routines to allocate anonymous dentries, and to help attach (such as an anonymous one created by d_obtain_alias), if appropriate. It returns NULL when the passed-in dentry is used, following the calling convention of ->lookup. - Filesystem Issues ----------------- diff --git a/drivers/staging/lustre/lustre/llite/llite_internal.h b/drivers/staging/lustre/lustre/llite/llite_internal.h index b133fd00c08c..0d62fcf016dc 100644 --- a/drivers/staging/lustre/lustre/llite/llite_internal.h +++ b/drivers/staging/lustre/lustre/llite/llite_internal.h @@ -1296,15 +1296,7 @@ static inline void d_lustre_invalidate(struct dentry *dentry, int nested) spin_lock_nested(&dentry->d_lock, nested ? DENTRY_D_LOCK_NESTED : DENTRY_D_LOCK_NORMAL); ll_d2d(dentry)->lld_invalid = 1; - /* - * We should be careful about dentries created by d_obtain_alias(). - * These dentries are not put in the dentry tree, instead they are - * linked to sb->s_anon through dentry->d_hash. - * shrink_dcache_for_umount() shrinks the tree and sb->s_anon list. - * If we unhashed such a dentry, unmount would not be able to find - * it and busy inodes would be reported. - */ - if (d_count(dentry) == 0 && !(dentry->d_flags & DCACHE_DISCONNECTED)) + if (d_count(dentry) == 0) __d_drop(dentry); spin_unlock(&dentry->d_lock); } diff --git a/fs/dcache.c b/fs/dcache.c index b99a39206930..17e6b84b9656 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -48,8 +48,8 @@ * - i_dentry, d_u.d_alias, d_inode of aliases * dcache_hash_bucket lock protects: * - the dcache hash table - * s_anon bl list spinlock protects: - * - the s_anon list (see __d_drop) + * s_roots bl list spinlock protects: + * - the s_roots list (see __d_drop) * dentry->d_sb->s_dentry_lru_lock protects: * - the dcache lru lists and counters * d_lock protects: 
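Review bot: With the explanatory comment deleted, `d_lustre_invalidate` now calls `__d_drop()` on any zero-refcount dentry, DCACHE_DISCONNECTED ones included, and nothing left in the hunk says why that became safe. A one-line comment would preserve the reasoning for the next reader, e.g. `/* disconnected aliases are no longer kept on a hash chain, so dropping them is harmless; only d_obtain_root() dentries live on ->s_roots */` above the `if (d_count(dentry) == 0)`. This presumes `__d_drop()` is a no-op for an unhashed dentry, which is not visible in this hunk; if that is not the case the old exclusion should stay.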
@@ -67,7 +67,7 @@ * dentry->d_lock * dentry->d_sb->s_dentry_lru_lock * dcache_hash_bucket lock - * s_anon lock + * s_roots lock * * If there is an ancestor relationship: * dentry->d_parent->...->d_parent->d_lock @@ -476,10 +476,10 @@ void __d_drop(struct dentry *dentry) /* * Hashed dentries are normally on the dentry hashtable, * with the exception of those newly allocated by - * d_obtain_alias, which are always IS_ROOT: + * d_obtain_root, which are always IS_ROOT: */ if (unlikely(IS_ROOT(dentry))) - b = &dentry->d_sb->s_anon; + b = &dentry->d_sb->s_roots; else b = d_hash(dentry->d_name.hash); @@ -1499,8 +1499,8 @@ void shrink_dcache_for_umount(struct super_block *sb) sb->s_root = NULL; do_one_tree(dentry); - while (!hlist_bl_empty(&sb->s_anon)) { - dentry = dget(hlist_bl_entry(hlist_bl_first(&sb->s_anon), struct dentry, d_hash)); + while (!hlist_bl_empty(&sb->s_roots)) { + dentry = dget(hlist_bl_entry(hlist_bl_first(&sb->s_roots), struct dentry, d_hash)); do_one_tree(dentry); } } @@ -1964,9 +1964,11 @@ static struct dentry *__d_obtain_alias(struct inode *inode, int disconnected) spin_lock(&tmp->d_lock); __d_set_inode_and_type(tmp, inode, add_flags); hlist_add_head(&tmp->d_u.d_alias, &inode->i_dentry); - hlist_bl_lock(&tmp->d_sb->s_anon); - hlist_bl_add_head(&tmp->d_hash, &tmp->d_sb->s_anon); - hlist_bl_unlock(&tmp->d_sb->s_anon); + if (!disconnected) { + hlist_bl_lock(&tmp->d_sb->s_roots); + hlist_bl_add_head(&tmp->d_hash, &tmp->d_sb->s_roots); + hlist_bl_unlock(&tmp->d_sb->s_roots); + } spin_unlock(&tmp->d_lock); spin_unlock(&inode->i_lock); diff --git a/fs/super.c b/fs/super.c index d4e33e8f1e6f..9ea66601d664 100644 --- a/fs/super.c +++ b/fs/super.c 
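Review bot: The reworded comment in `__d_drop` says the hashed IS_ROOT dentries come from d_obtain_root, but after the `__d_obtain_alias` change in the same file the `disconnected` aliases are IS_ROOT as well and are simply never added to any chain; the `s_roots` branch therefore depends on the `d_unhashed()` bail-out earlier in `__d_drop` (outside this hunk) to keep them away from the wrong list. Suggest extending the comment to `* d_obtain_root, which are always IS_ROOT; disconnected aliases from d_obtain_alias are IS_ROOT too but never hashed, so they never reach this branch.` The new `if (!disconnected)` guard in `__d_obtain_alias` would likewise benefit from a one-liner stating that disconnected aliases are intentionally left unhashed so they are freed on the last dput, which is the behaviour the commit message describes.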
@@ -207,7 +207,7 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags, if (s->s_user_ns != &init_user_ns) s->s_iflags |= SB_I_NODEV; INIT_HLIST_NODE(&s->s_instances); - INIT_HLIST_BL_HEAD(&s->s_anon); + INIT_HLIST_BL_HEAD(&s->s_roots); mutex_init(&s->s_sync_lock); INIT_LIST_HEAD(&s->s_inodes); spin_lock_init(&s->s_inode_list_lock); diff --git a/include/linux/fs.h b/include/linux/fs.h index 2995a271ec46..6276f8315e5b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1359,7 +1359,7 @@ struct super_block { const struct fscrypt_operations *s_cop; - struct hlist_bl_head s_anon; /* anonymous dentries for (nfs) exporting */ + struct hlist_bl_head s_roots; /* alternate root dentries for NFS */ struct list_head s_mounts; /* list of mounts; _not_ for fs use */ struct block_device *s_bdev; struct backing_dev_info *s_bdi; -- cgit v1.2.3 From 3d26759c09da7242db6ae18ce9a0f6b09bfeafcc Mon Sep 17 00:00:00 2001 From: Al Viro Date: Wed, 27 Dec 2017 19:00:09 -0500 Subject: r128: don't open-code memdup_user() Signed-off-by: Al Viro --- drivers/gpu/drm/r128/r128_state.c | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c index 8fdc56c1c953..b9bfa806d346 100644 --- a/drivers/gpu/drm/r128/r128_state.c +++ b/drivers/gpu/drm/r128/r128_state.c 
@@ -982,25 +982,14 @@ static int r128_cce_dispatch_write_pixels(struct drm_device *dev, xbuf_size = count * sizeof(*x); ybuf_size = count * sizeof(*y); - x = kmalloc(xbuf_size, GFP_KERNEL); - if (x == NULL) - return -ENOMEM; - y = kmalloc(ybuf_size, GFP_KERNEL); - if (y == NULL) { - kfree(x); - return -ENOMEM; - } - if (copy_from_user(x, depth->x, xbuf_size)) { - kfree(x); - kfree(y); - return -EFAULT; - } - if (copy_from_user(y, depth->y, xbuf_size)) { + x = memdup_user(depth->x, xbuf_size); + if (IS_ERR(x)) + return PTR_ERR(x); + y = memdup_user(depth->y, ybuf_size); + if (IS_ERR(y)) { kfree(x); - kfree(y); - return -EFAULT; + return PTR_ERR(y); } - buffer_size = depth->n * sizeof(u32); buffer = memdup_user(depth->buffer, buffer_size); if (IS_ERR(buffer)) { -- cgit v1.2.3 From fc1c428eb46af8183be771d2c78b3902acbeffe3 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 28 Dec 2017 14:43:06 -0500 Subject: usx2y: don't bother with access_ok() in ->dsp_load() memdup_user() checks it, so the only effect would be failing with -EINVAL instead of -EFAULT in case when access_ok() is false. However, the caller has already checked access_ok() itself (and would have buggered off with -EFAULT), so the check is completely pointless. Removing it both simplifies the only instance of ->dsp_load() and allows to get rid of the check in caller - its sole effect used to be in preventing a bogus error value from access_ok() in the instance. Let memdup_user() do the right thing instead... Signed-off-by: Al Viro --- sound/usb/usx2y/usX2Yhwdep.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c index f4b3cda412fc..2bbcf4af06dd 100644 --- a/sound/usb/usx2y/usX2Yhwdep.c +++ b/sound/usb/usx2y/usX2Yhwdep.c 
@@ -198,24 +198,22 @@ static int snd_usX2Y_hwdep_dsp_load(struct snd_hwdep *hw, struct snd_hwdep_dsp_image *dsp) { struct usX2Ydev *priv = hw->private_data; - int lret, err = -EINVAL; - snd_printdd( "dsp_load %s\n", dsp->name); + struct usb_device* dev = priv->dev; + int lret, err; + char *buf; - if (access_ok(VERIFY_READ, dsp->image, dsp->length)) { - struct usb_device* dev = priv->dev; - char *buf; + snd_printdd( "dsp_load %s\n", dsp->name); - buf = memdup_user(dsp->image, dsp->length); - if (IS_ERR(buf)) - return PTR_ERR(buf); + buf = memdup_user(dsp->image, dsp->length); + if (IS_ERR(buf)) + return PTR_ERR(buf); - err = usb_set_interface(dev, 0, 1); - if (err) - snd_printk(KERN_ERR "usb_set_interface error \n"); - else - err = usb_bulk_msg(dev, usb_sndbulkpipe(dev, 2), buf, dsp->length, &lret, 6000); - kfree(buf); - } + err = usb_set_interface(dev, 0, 1); + if (err) + snd_printk(KERN_ERR "usb_set_interface error \n"); + else + err = usb_bulk_msg(dev, usb_sndbulkpipe(dev, 2), buf, dsp->length, &lret, 6000); + kfree(buf); if (err) return err; if (dsp->index == 1) { -- cgit v1.2.3 From 446bd647ceee73fbed50404daece9cbcec751f66 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 28 Dec 2017 16:30:22 -0500 Subject: snd_hwdep_dsp_load(): don't bother with access_ok() the only remaining instance of ->dsp_load() doesn't need it. Signed-off-by: Al Viro --- sound/core/hwdep.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c index 8faae3d1455d..25b8f2234fc7 100644 --- a/sound/core/hwdep.c +++ b/sound/core/hwdep.c @@ -233,8 +233,6 @@ static int snd_hwdep_dsp_load(struct snd_hwdep *hw, /* check whether the dsp was already loaded */ if (hw->dsp_loaded & (1 << info.index)) return -EBUSY; - if (!access_ok(VERIFY_READ, info.image, info.length)) - return -EFAULT; err = hw->ops.dsp_load(hw, &info); if (err < 0) return err; -- cgit v1.2.3 From 3d46d7108dd3ff8b1d477bc2b7b061b12690e83c Mon Sep 17 00:00:00 2001 
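Review bot: `dsp->length` is user-supplied and now flows unbounded into `memdup_user()` and then into `usb_bulk_msg()`, so a caller can request an arbitrarily large kernel allocation from `snd_usX2Y_hwdep_dsp_load`; this is not introduced by the commit, but the rewrite is the natural place to add a sanity bound such as `if (dsp->length > <driver image limit>) return -EINVAL;` before the `memdup_user()` call, unless the generic hwdep layer already caps it (not visible here). The rest of the rewrite is behaviour-preserving: `memdup_user()` performs the access_ok()/copy, and `kfree(buf)` still runs on both the `usb_set_interface` failure path and the bulk-transfer path. The function continues past the hunk.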
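Review bot: Dropping the `access_ok(VERIFY_READ, info.image, info.length)` check in `snd_hwdep_dsp_load` turns an implicit guarantee into a contract: every `->dsp_load()` implementation must now copy `image` with a checking primitive (`memdup_user`/`copy_from_user`) and never `__copy_from_user()`. The commit message says the single remaining instance does so, but the call site should state the rule for future implementers, e.g. `/* ->dsp_load() must use checked copy-from-user primitives on info.image; no access_ok() is done here */` above `err = hw->ops.dsp_load(hw, &info);`. The enclosing function starts and ends outside the hunk.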
From: Al Viro Date: Thu, 28 Dec 2017 17:22:51 -0500 Subject: usx2y: don't bother with memdup_user() for 16-byte structure ... when it can bloody well go into a local variable. Signed-off-by: Al Viro --- sound/usb/usx2y/us122l.c | 43 ++++++++++++++++++------------------------- 1 file changed, 18 insertions(+), 25 deletions(-) diff --git a/sound/usb/usx2y/us122l.c b/sound/usb/usx2y/us122l.c index 159da1f3924e..8c394178a385 100644 --- a/sound/usb/usx2y/us122l.c +++ b/sound/usb/usx2y/us122l.c @@ -378,7 +378,7 @@ out: static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigned cmd, unsigned long arg) { - struct usb_stream_config *cfg; + struct usb_stream_config cfg; struct us122l *us122l = hw->private_data; struct usb_stream *s; unsigned min_period_frames; @@ -388,24 +388,21 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, if (cmd != SNDRV_USB_STREAM_IOCTL_SET_PARAMS) return -ENOTTY; - cfg = memdup_user((void *)arg, sizeof(*cfg)); - if (IS_ERR(cfg)) - return PTR_ERR(cfg); + if (copy_from_user(&cfg, (void __user *)arg, sizeof(cfg))) + return -EFAULT; + + if (cfg.version != USB_STREAM_INTERFACE_VERSION) + return -ENXIO; - if (cfg->version != USB_STREAM_INTERFACE_VERSION) { - err = -ENXIO; - goto free; - } high_speed = us122l->dev->speed == USB_SPEED_HIGH; - if ((cfg->sample_rate != 44100 && cfg->sample_rate != 48000 && + if ((cfg.sample_rate != 44100 && cfg.sample_rate != 48000 && (!high_speed || - (cfg->sample_rate != 88200 && cfg->sample_rate != 96000))) || - cfg->frame_size != 6 || - cfg->period_frames > 0x3000) { - err = -EINVAL; - goto free; - } - switch (cfg->sample_rate) { + (cfg.sample_rate != 88200 && cfg.sample_rate != 96000))) || + cfg.frame_size != 6 || + cfg.period_frames > 0x3000) + return -EINVAL; + + switch (cfg.sample_rate) { case 44100: min_period_frames = 48; break; 
@@ -418,10 +415,8 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, } if (!high_speed) min_period_frames <<= 1; - if (cfg->period_frames < min_period_frames) { - err = -EINVAL; - goto free; - } + if (cfg.period_frames < min_period_frames) + return -EINVAL; snd_power_wait(hw->card, SNDRV_CTL_POWER_D0); @@ -430,24 +425,22 @@ static int usb_stream_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, if (!us122l->master) us122l->master = file; else if (us122l->master != file) { - if (!s || memcmp(cfg, &s->cfg, sizeof(*cfg))) { + if (!s || memcmp(&cfg, &s->cfg, sizeof(cfg))) { err = -EIO; goto unlock; } us122l->slave = file; } - if (!s || memcmp(cfg, &s->cfg, sizeof(*cfg)) || + if (!s || memcmp(&cfg, &s->cfg, sizeof(cfg)) || s->state == usb_stream_xrun) { us122l_stop(us122l); - if (!us122l_start(us122l, cfg->sample_rate, cfg->period_frames)) + if (!us122l_start(us122l, cfg.sample_rate, cfg.period_frames)) err = -EIO; else err = 1; } unlock: mutex_unlock(&us122l->mutex); -free: - kfree(cfg); wake_up_all(&us122l->sk.sleep); return err; } -- cgit v1.2.3 From 14544d7690f674ce2b7aa9dc6531c244cc861d19 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 29 Dec 2017 16:12:28 -0500 Subject: vme_user: don't use __copy_..._user() Saving access_ok() is not worth the trouble; yes, the callers of ->read() and ->write() will have done the right checks, but it's much too long (and varied) call chains to rely upon. Signed-off-by: Al Viro --- drivers/staging/vme/devices/vme_user.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/vme/devices/vme_user.c b/drivers/staging/vme/devices/vme_user.c index a3d4610fbdbe..4c8c6fa0a79f 100644 --- a/drivers/staging/vme/devices/vme_user.c +++ b/drivers/staging/vme/devices/vme_user.c 
@@ -134,7 +134,7 @@ static ssize_t resource_to_user(int minor, char __user *buf, size_t count, if (copied < 0) return (int)copied; - if (__copy_to_user(buf, image[minor].kern_buf, (unsigned long)copied)) + if (copy_to_user(buf, image[minor].kern_buf, (unsigned long)copied)) return -EFAULT; return copied; @@ -146,7 +146,7 @@ static ssize_t resource_from_user(unsigned int minor, const char __user *buf, if (count > image[minor].size_buf) count = image[minor].size_buf; - if (__copy_from_user(image[minor].kern_buf, buf, (unsigned long)count)) + if (copy_from_user(image[minor].kern_buf, buf, (unsigned long)count)) return -EFAULT; return vme_master_write(image[minor].resource, image[minor].kern_buf, @@ -159,7 +159,7 @@ static ssize_t buffer_to_user(unsigned int minor, char __user *buf, void *image_ptr; image_ptr = image[minor].kern_buf + *ppos; - if (__copy_to_user(buf, image_ptr, (unsigned long)count)) + if (copy_to_user(buf, image_ptr, (unsigned long)count)) return -EFAULT; return count; @@ -171,7 +171,7 @@ static ssize_t buffer_from_user(unsigned int minor, const char __user *buf, void *image_ptr; image_ptr = image[minor].kern_buf + *ppos; - if (__copy_from_user(image_ptr, buf, (unsigned long)count)) + if (copy_from_user(image_ptr, buf, (unsigned long)count)) return -EFAULT; return count; -- cgit v1.2.3 From 18e2ea5cd00c35f4a3e7ba3ef261c38643ef2af3 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 29 Dec 2017 16:25:30 -0500 Subject: uvc_v4l2: clean copyin/copyout up Signed-off-by: Al Viro --- drivers/media/usb/uvc/uvc_v4l2.c | 55 ++++++++++++++++------------------------ 1 file changed, 22 insertions(+), 33 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index 3e7e283a44a8..329a967382dd 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c 
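Review bot: `buffer_to_user` and `buffer_from_user` copy `count` bytes at `kern_buf + *ppos` with no visible clamp against `image[minor].size_buf`, whereas `resource_from_user` in the same hunk does clamp `count`; presumably the `->read`/`->write` callers bound `*ppos + count` before calling these helpers, but that is exactly the kind of long call chain the commit message says it does not want to rely on. If the clamp lives in the caller, a comment such as `/* caller has bounded *ppos + count by the image size */` on the `image_ptr = image[minor].kern_buf + *ppos;` line would document the dependency; if it does not, the bound belongs here next to the `copy_to_user()`/`copy_from_user()` call. Switching to the checked copy helpers is the right move either way.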
@@ -1284,36 +1284,30 @@ struct uvc_xu_control_mapping32 { static int uvc_v4l2_get_xu_mapping(struct uvc_xu_control_mapping *kp, const struct uvc_xu_control_mapping32 __user *up) { - compat_caddr_t p; + struct uvc_xu_control_mapping32 *p = (void *)kp; + compat_caddr_t info; + u32 count; - if (!access_ok(VERIFY_READ, up, sizeof(*up)) || - __copy_from_user(kp, up, offsetof(typeof(*up), menu_info)) || - __get_user(kp->menu_count, &up->menu_count)) + if (copy_from_user(p, up, sizeof(*p))) return -EFAULT; - memset(kp->reserved, 0, sizeof(kp->reserved)); - - if (kp->menu_count == 0) { - kp->menu_info = NULL; - return 0; - } - - if (__get_user(p, &up->menu_info)) - return -EFAULT; - kp->menu_info = compat_ptr(p); + count = p->menu_count; + info = p->menu_info; + memset(kp->reserved, 0, sizeof(kp->reserved)); + kp->menu_info = count ? compat_ptr(info) : NULL; + kp->menu_count = count; return 0; } static int uvc_v4l2_put_xu_mapping(const struct uvc_xu_control_mapping *kp, struct uvc_xu_control_mapping32 __user *up) { - if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || - __copy_to_user(up, kp, offsetof(typeof(*up), menu_info)) || - __put_user(kp->menu_count, &up->menu_count)) + if (copy_to_user(up, kp, offsetof(typeof(*up), menu_info)) || + put_user(kp->menu_count, &up->menu_count)) return -EFAULT; - if (__clear_user(up->reserved, sizeof(up->reserved))) + if (clear_user(up->reserved, sizeof(up->reserved))) return -EFAULT; return 0; 
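Review bot: `struct uvc_xu_control_mapping32 *p = (void *)kp;` reuses the native struct as the landing buffer for the compat copy, which is only safe if `sizeof(*p) <= sizeof(*kp)` and the layout up to `menu_info` is identical in both structs; neither definition is in this hunk, so the size relation should be pinned with `BUILD_BUG_ON(sizeof(*p) > sizeof(*kp));` at the top of `uvc_v4l2_get_xu_mapping`. The statement order after the copy is load-bearing and deserves a comment: `count` and `info` are read from the compat layout before the `memset(kp->reserved, ...)`, `kp->menu_info` and `kp->menu_count` stores overwrite those bytes, e.g. `/* read the compat tail before the native fields overwrite it */` above `count = p->menu_count;`. Replacing the `access_ok()` + `__copy_*` pairs with `copy_from_user`/`copy_to_user`/`clear_user` is fine as is.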
@@ -1330,31 +1324,26 @@ struct uvc_xu_control_query32 { static int uvc_v4l2_get_xu_query(struct uvc_xu_control_query *kp, const struct uvc_xu_control_query32 __user *up) { - compat_caddr_t p; + struct uvc_xu_control_query32 v; - if (!access_ok(VERIFY_READ, up, sizeof(*up)) || - __copy_from_user(kp, up, offsetof(typeof(*up), data))) + if (copy_from_user(&v, up, sizeof(v))) return -EFAULT; - if (kp->size == 0) { - kp->data = NULL; - return 0; - } - - if (__get_user(p, &up->data)) - return -EFAULT; - kp->data = compat_ptr(p); - + *kp = (struct uvc_xu_control_query){ + .unit = v.unit, + .selector = v.selector, + .query = v.query, + .size = v.size, + .data = v.size ? compat_ptr(v.data) : NULL + }; return 0; } static int uvc_v4l2_put_xu_query(const struct uvc_xu_control_query *kp, struct uvc_xu_control_query32 __user *up) { - if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || - __copy_to_user(up, kp, offsetof(typeof(*up), data))) + if (copy_to_user(up, kp, offsetof(typeof(*up), data))) return -EFAULT; - return 0; } -- cgit v1.2.3 From 6db620012fceea7cf203a9889e311f27dc49a2c7 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 30 Dec 2017 00:03:39 -0500 Subject: nfs4file: get rid of pointless include of btrfs.h should've been killed by "vfs: pull btrfs clone API to vfs layer"... Signed-off-by: Al Viro --- fs/nfs/nfs4file.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c index 626d1382002e..6b3b372b59b9 100644 --- a/fs/nfs/nfs4file.c +++ b/fs/nfs/nfs4file.c @@ -8,7 +8,6 @@ #include #include #include -#include /* BTRFS_IOC_CLONE/BTRFS_IOC_CLONE_RANGE */ #include "delegation.h" #include "internal.h" #include "iostat.h" -- cgit v1.2.3 From 7d815165c1a64da9fd1b0f4ac8d97ba938ff1d71 Mon Sep 17 00:00:00 2001 
From: Eric Biggers Date: Sat, 6 Jan 2018 09:45:42 -0800 Subject: eventfd: convert to use anon_inode_getfd() Nothing actually calls eventfd_file_create() besides the eventfd2() system call itself. So simplify things by folding it into the system call and using anon_inode_getfd() instead of anon_inode_getfile(). This removes over 40 lines with no change in functionality. (eventfd_file_create() was apparently added years ago for KVM irqfd's, but was never used.) Signed-off-by: Eric Biggers Signed-off-by: Al Viro --- fs/eventfd.c | 53 +++++++------------------------------------------ include/linux/eventfd.h | 5 ----- 2 files changed, 7 insertions(+), 51 deletions(-) diff --git a/fs/eventfd.c b/fs/eventfd.c index 2fb4eadaa118..4167e670ed4d 100644 --- a/fs/eventfd.c +++ b/fs/eventfd.c 
@@ -412,72 +412,33 @@ struct eventfd_ctx *eventfd_ctx_fileget(struct file *file) } EXPORT_SYMBOL_GPL(eventfd_ctx_fileget); -/** - * eventfd_file_create - Creates an eventfd file pointer. - * @count: Initial eventfd counter value. - * @flags: Flags for the eventfd file. - * - * This function creates an eventfd file pointer, w/out installing it into - * the fd table. This is useful when the eventfd file is used during the - * initialization of data structures that require extra setup after the eventfd - * creation. So the eventfd creation is split into the file pointer creation - * phase, and the file descriptor installation phase. - * In this way races with userspace closing the newly installed file descriptor - * can be avoided. - * Returns an eventfd file pointer, or a proper error pointer. - */ -struct file *eventfd_file_create(unsigned int count, int flags) +SYSCALL_DEFINE2(eventfd2, unsigned int, count, int, flags) { - struct file *file; struct eventfd_ctx *ctx; + int fd; /* Check the EFD_* constants for consistency. 
*/ BUILD_BUG_ON(EFD_CLOEXEC != O_CLOEXEC); BUILD_BUG_ON(EFD_NONBLOCK != O_NONBLOCK); if (flags & ~EFD_FLAGS_SET) - return ERR_PTR(-EINVAL); + return -EINVAL; ctx = kmalloc(sizeof(*ctx), GFP_KERNEL); if (!ctx) - return ERR_PTR(-ENOMEM); + return -ENOMEM; kref_init(&ctx->kref); init_waitqueue_head(&ctx->wqh); ctx->count = count; ctx->flags = flags; - file = anon_inode_getfile("[eventfd]", &eventfd_fops, ctx, - O_RDWR | (flags & EFD_SHARED_FCNTL_FLAGS)); - if (IS_ERR(file)) + fd = anon_inode_getfd("[eventfd]", &eventfd_fops, ctx, + O_RDWR | (flags & EFD_SHARED_FCNTL_FLAGS)); + if (fd < 0) eventfd_free_ctx(ctx); - return file; -} - -SYSCALL_DEFINE2(eventfd2, unsigned int, count, int, flags) -{ - int fd, error; - struct file *file; - - error = get_unused_fd_flags(flags & EFD_SHARED_FCNTL_FLAGS); - if (error < 0) - return error; - fd = error; - - file = eventfd_file_create(count, flags); - if (IS_ERR(file)) { - error = PTR_ERR(file); - goto err_put_unused_fd; - } - fd_install(fd, file); - return fd; - -err_put_unused_fd: - put_unused_fd(fd); - - return error; } SYSCALL_DEFINE1(eventfd, unsigned int, count) diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h index 60b2985e8a18..15826192cc23 100644 --- a/include/linux/eventfd.h +++ b/include/linux/eventfd.h @@ -30,7 +30,6 @@ struct file; #ifdef CONFIG_EVENTFD -struct file *eventfd_file_create(unsigned int count, int flags); struct eventfd_ctx *eventfd_ctx_get(struct eventfd_ctx *ctx); void eventfd_ctx_put(struct eventfd_ctx *ctx); struct file *eventfd_fget(int fd); @@ -47,10 +46,6 @@ int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *w * Ugly ugly ugly error layer to support modules that uses eventfd but * pretend to work in !CONFIG_EVENTFD configurations. Namely, AIO. */ -static inline struct file *eventfd_file_create(unsigned int count, int flags) -{ - return ERR_PTR(-ENOSYS); -} static inline struct eventfd_ctx *eventfd_ctx_fdget(int fd) { -- cgit v1.2.3 
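Review bot: On the new side of `eventfd2` I cannot see a `return fd;` after `eventfd_free_ctx(ctx);`: the only `return fd;` in this hunk carries a `-` marker and the function then closes. If the old `return fd;` actually survives as a context line and this is a rendering artefact of the collapsed diff, there is nothing to do; otherwise the syscall falls off the end of a non-void function and the descriptor is never returned to userspace. Please confirm the function ends with `return fd;`.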
From b6364572d641c8eba9eab9bcc31d8962f96ddf15 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 6 Jan 2018 09:45:43 -0800 Subject: eventfd: fold eventfd_ctx_read() into eventfd_read() eventfd_ctx_read() is not used outside of eventfd.c, so unexport it and fold it into eventfd_read(). This slightly simplifies the code and makes it more analogous to eventfd_write(). (eventfd_ctx_read() was apparently added years ago for KVM irqfd's, but was never used.) Signed-off-by: Eric Biggers Signed-off-by: Al Viro --- fs/eventfd.c | 53 ++++++++++++++----------------------------------- include/linux/eventfd.h | 7 ------- 2 files changed, 15 insertions(+), 45 deletions(-) diff --git a/fs/eventfd.c b/fs/eventfd.c index 4167e670ed4d..6138d2b5cdeb 100644 --- a/fs/eventfd.c +++ b/fs/eventfd.c 
@@ -207,36 +207,27 @@ int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *w } EXPORT_SYMBOL_GPL(eventfd_ctx_remove_wait_queue); -/** - * eventfd_ctx_read - Reads the eventfd counter or wait if it is zero. - * @ctx: [in] Pointer to eventfd context. - * @no_wait: [in] Different from zero if the operation should not block. - * @cnt: [out] Pointer to the 64-bit counter value. - * - * Returns %0 if successful, or the following error codes: - * - * - -EAGAIN : The operation would have blocked but @no_wait was non-zero. - * - -ERESTARTSYS : A signal interrupted the wait operation. - * - * If @no_wait is zero, the function might sleep until the eventfd internal - * counter becomes greater than zero. - */ -ssize_t eventfd_ctx_read(struct eventfd_ctx *ctx, int no_wait, __u64 *cnt) +static ssize_t eventfd_read(struct file *file, char __user *buf, size_t count, + loff_t *ppos) { + struct eventfd_ctx *ctx = file->private_data; ssize_t res; + __u64 ucnt = 0; DECLARE_WAITQUEUE(wait, current); + if (count < sizeof(ucnt)) + return -EINVAL; + spin_lock_irq(&ctx->wqh.lock); - *cnt = 0; res = -EAGAIN; if (ctx->count > 0) - res = 0; - else if (!no_wait) { + res = sizeof(ucnt); + else if (!(file->f_flags & O_NONBLOCK)) { __add_wait_queue(&ctx->wqh, &wait); for (;;) { set_current_state(TASK_INTERRUPTIBLE); if (ctx->count > 0) { - res = 0; + res = sizeof(ucnt); break; } if (signal_pending(current)) { 
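Review bot: The contract that the deleted eventfd_ctx_read() kerneldoc spelled out (-EAGAIN when the counter is zero and the read is non-blocking, -ERESTARTSYS when a signal interrupts the wait, otherwise the counter is consumed) is not carried over, so the new eventfd_read() has no header comment at all. I would add a short kerneldoc-style comment above `static ssize_t eventfd_read(struct file *file, char __user *buf, size_t count,` stating those three outcomes, that `count` below sizeof(__u64) is rejected with -EINVAL, and that the value is returned as a native-endian __u64. The function body runs past the end of this hunk.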
@@ -250,31 +241,17 @@ ssize_t eventfd_ctx_read(struct eventfd_ctx *ctx, int no_wait, __u64 *cnt) __remove_wait_queue(&ctx->wqh, &wait); __set_current_state(TASK_RUNNING); } - if (likely(res == 0)) { - eventfd_ctx_do_read(ctx, cnt); + if (likely(res > 0)) { + eventfd_ctx_do_read(ctx, &ucnt); if (waitqueue_active(&ctx->wqh)) wake_up_locked_poll(&ctx->wqh, POLLOUT); } spin_unlock_irq(&ctx->wqh.lock); - return res; -} -EXPORT_SYMBOL_GPL(eventfd_ctx_read); - -static ssize_t eventfd_read(struct file *file, char __user *buf, size_t count, - loff_t *ppos) -{ - struct eventfd_ctx *ctx = file->private_data; - ssize_t res; - __u64 cnt; - - if (count < sizeof(cnt)) - return -EINVAL; - res = eventfd_ctx_read(ctx, file->f_flags & O_NONBLOCK, &cnt); - if (res < 0) - return res; + if (res > 0 && put_user(ucnt, (__u64 __user *)buf)) + return -EFAULT; - return put_user(cnt, (__u64 __user *) buf) ? -EFAULT : sizeof(cnt); + return res; } static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t count, diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h index 15826192cc23..566fef14d0a6 100644 --- a/include/linux/eventfd.h +++ b/include/linux/eventfd.h @@ -36,7 +36,6 @@ struct file *eventfd_fget(int fd); struct eventfd_ctx *eventfd_ctx_fdget(int fd); struct eventfd_ctx *eventfd_ctx_fileget(struct file *file); __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n); -ssize_t eventfd_ctx_read(struct eventfd_ctx *ctx, int no_wait, __u64 *cnt); int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *wait, __u64 *cnt); @@ -62,12 +61,6 @@ static inline void eventfd_ctx_put(struct eventfd_ctx *ctx) } -static inline ssize_t eventfd_ctx_read(struct eventfd_ctx *ctx, int no_wait, - __u64 *cnt) -{ - return -ENOSYS; -} - static inline int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *wait, __u64 *cnt) { -- cgit v1.2.3 From 105f2b7096075eacb6d2c83a6e00b652c2951063 Mon Sep 17 00:00:00 2001 
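Review bot: In the new tail of eventfd_read(), eventfd_ctx_do_read() has already consumed the counter under ctx->wqh.lock (and the POLLOUT wakeup has been sent) by the time put_user() runs, so a fault on `buf` returns -EFAULT with the value lost. The old split had the same ordering, so this is not a regression, but now that both halves sit in one function it deserves a comment above the `if (res > 0 && put_user(ucnt, (__u64 __user *)buf))` line: `/* the counter was consumed under the lock; -EFAULT here loses that value */`. The matching eventfd.h hunks only drop the now-unused declarations.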
From: Eric Biggers Date: Sat, 6 Jan 2018 09:45:44 -0800 Subject: eventfd: fold eventfd_ctx_get() into eventfd_ctx_fileget() eventfd_ctx_get() is not used outside of eventfd.c, so unexport it and fold it into eventfd_ctx_fileget(). (eventfd_ctx_get() was apparently added years ago for KVM irqfd's, but was never used.) Signed-off-by: Eric Biggers Signed-off-by: Al Viro --- fs/eventfd.c | 21 ++++++--------------- include/linux/eventfd.h | 2 +- 2 files changed, 7 insertions(+), 16 deletions(-) diff --git a/fs/eventfd.c b/fs/eventfd.c index 6138d2b5cdeb..bc0105ae253f 100644 --- a/fs/eventfd.c +++ b/fs/eventfd.c @@ -79,25 +79,12 @@ static void eventfd_free(struct kref *kref) eventfd_free_ctx(ctx); } -/** - * eventfd_ctx_get - Acquires a reference to the internal eventfd context. - * @ctx: [in] Pointer to the eventfd context. - * - * Returns: In case of success, returns a pointer to the eventfd context. - */ -struct eventfd_ctx *eventfd_ctx_get(struct eventfd_ctx *ctx) -{ - kref_get(&ctx->kref); - return ctx; -} -EXPORT_SYMBOL_GPL(eventfd_ctx_get); - /** * eventfd_ctx_put - Releases a reference to the internal eventfd context. * @ctx: [in] Pointer to eventfd context. * * The eventfd context reference must have been previously acquired either - * with eventfd_ctx_get() or eventfd_ctx_fdget(). + * with eventfd_ctx_fdget() or eventfd_ctx_fileget(). */ void eventfd_ctx_put(struct eventfd_ctx *ctx) { @@ -382,10 +369,14 @@ EXPORT_SYMBOL_GPL(eventfd_ctx_fdget); */ struct eventfd_ctx *eventfd_ctx_fileget(struct file *file) { + struct eventfd_ctx *ctx; + if (file->f_op != &eventfd_fops) return ERR_PTR(-EINVAL); - return eventfd_ctx_get(file->private_data); + ctx = file->private_data; + kref_get(&ctx->kref); + return ctx; } EXPORT_SYMBOL_GPL(eventfd_ctx_fileget); diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h index 566fef14d0a6..7094718b653b 100644 --- a/include/linux/eventfd.h +++ b/include/linux/eventfd.h 
@@ -26,11 +26,11 @@ #define EFD_SHARED_FCNTL_FLAGS (O_CLOEXEC | O_NONBLOCK) #define EFD_FLAGS_SET (EFD_SHARED_FCNTL_FLAGS | EFD_SEMAPHORE) +struct eventfd_ctx; struct file; #ifdef CONFIG_EVENTFD -struct eventfd_ctx *eventfd_ctx_get(struct eventfd_ctx *ctx); void eventfd_ctx_put(struct eventfd_ctx *ctx); struct file *eventfd_fget(int fd); struct eventfd_ctx *eventfd_ctx_fdget(int fd); -- cgit v1.2.3 From 6c2c97a24f096e3239bc54029b808c6bcba4f358 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:00:27 -0500 Subject: memdup_user(): switch to GFP_USER Signed-off-by: Al Viro --- mm/util.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/mm/util.c b/mm/util.c index 34e57fae959d..4b93ffa6df96 100644 --- a/mm/util.c +++ b/mm/util.c @@ -156,12 +156,7 @@ void *memdup_user(const void __user *src, size_t len) { void *p; - /* - * Always use GFP_KERNEL, since copy_from_user() can sleep and - * cause pagefault, which makes it pointless to use GFP_NOFS - * or GFP_ATOMIC. - */ - p = kmalloc_track_caller(len, GFP_KERNEL); + p = kmalloc_track_caller(len, GFP_USER); if (!p) return ERR_PTR(-ENOMEM); -- cgit v1.2.3 From 50fd2f298bef9d1f69ac755f1fdf70cd98746be2 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:06:15 -0500 Subject: new primitive: vmemdup_user() similar to memdup_user(), but does *not* guarantee that result will be physically contiguous; use only in cases where that's not a requirement and free it with kvfree(). Signed-off-by: Al Viro --- include/linux/string.h | 1 + mm/util.c | 29 ++++++++++++++++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/include/linux/string.h b/include/linux/string.h index 410ecf17de3c..12d5429de0c8 100644 --- a/include/linux/string.h +++ b/include/linux/string.h 
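Review bot: The memdup_user() hunk deletes the comment that justified the allocation flags and leaves a bare GFP_USER, with no reason given in the commit message either. A replacement comment keeps the next reader from turning it back: `/* GFP_USER: allocation on behalf of userspace; copy_from_user() below can sleep and fault, so GFP_NOFS/GFP_ATOMIC would be pointless */`. Note that `len` is caller-supplied and unbounded here and GFP_USER carries no __GFP_NOWARN, so callers must cap user-controlled sizes before calling; the kerneldoc above this hunk would be the place to say so.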
@@ -11,6 +11,7 @@ extern char *strndup_user(const char __user *, long); extern void *memdup_user(const void __user *, size_t); +extern void *vmemdup_user(const void __user *, size_t); extern void *memdup_user_nul(const void __user *, size_t); /* diff --git a/mm/util.c b/mm/util.c index 4b93ffa6df96..c1250501364f 100644 --- a/mm/util.c +++ b/mm/util.c @@ -150,7 +150,8 @@ EXPORT_SYMBOL(kmemdup_nul); * @src: source address in user space * @len: number of bytes to copy * - * Returns an ERR_PTR() on failure. + * Returns an ERR_PTR() on failure. Result is physically + * contiguous, to be freed by kfree(). */ void *memdup_user(const void __user *src, size_t len) { @@ -169,6 +170,32 @@ void *memdup_user(const void __user *src, size_t len) } EXPORT_SYMBOL(memdup_user); +/** + * vmemdup_user - duplicate memory region from user space + * + * @src: source address in user space + * @len: number of bytes to copy + * + * Returns an ERR_PTR() on failure. Result may be not + * physically contiguous. Use kvfree() to free. + */ +void *vmemdup_user(const void __user *src, size_t len) +{ + void *p; + + p = kvmalloc(len, GFP_USER); + if (!p) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(p, src, len)) { + kvfree(p); + return ERR_PTR(-EFAULT); + } + + return p; +} +EXPORT_SYMBOL(vmemdup_user); + /* * strndup_user - duplicate an existing string from user space * @s: The string to duplicate -- cgit v1.2.3 From 88a890375fa2fd9b54083979403243ab24a3ca35 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:09:15 -0500 Subject: replace_user_tlv(): switch to vmemdup_user() Signed-off-by: Al Viro --- sound/core/control.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c index 56b3e2d49c82..eaef67bd004b 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include 
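Review bot: vmemdup_user() hands a caller-supplied `len` straight to kvmalloc() with no upper bound, and the vmalloc fallback will satisfy far larger requests than the kmalloc() in memdup_user() ever could, so the size must be validated by every caller. The new kerneldoc should say that explicitly: `* @len is passed unchecked to kvmalloc(); callers must bound user-controlled sizes.` The allocate/copy/free pairing itself (kvmalloc, copy_from_user, kvfree on failure, kvfree by the owner) looks correct and mirrors the memdup_user() pattern just above.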
@@ -1129,7 +1130,7 @@ static int replace_user_tlv(struct snd_kcontrol *kctl, unsigned int __user *buf, if (size > 1024 * 128) /* sane value */ return -EINVAL; - container = memdup_user(buf, size); + container = vmemdup_user(buf, size); if (IS_ERR(container)) return PTR_ERR(container); @@ -1137,7 +1138,7 @@ static int replace_user_tlv(struct snd_kcontrol *kctl, unsigned int __user *buf, if (!change) change = memcmp(ue->tlv_data, container, size) != 0; if (!change) { - kfree(container); + kvfree(container); return 0; } @@ -1148,7 +1149,7 @@ static int replace_user_tlv(struct snd_kcontrol *kctl, unsigned int __user *buf, mask = SNDRV_CTL_EVENT_MASK_INFO; } - kfree(ue->tlv_data); + kvfree(ue->tlv_data); ue->tlv_data = container; ue->tlv_data_size = size; @@ -1225,7 +1226,7 @@ static void snd_ctl_elem_user_free(struct snd_kcontrol *kcontrol) { struct user_element *ue = kcontrol->private_data; - kfree(ue->tlv_data); + kvfree(ue->tlv_data); kfree(ue->priv_data); kfree(ue); } -- cgit v1.2.3 From 59aeaf3fef9dcf59dc595390dd5b89dfedcb8926 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:11:03 -0500 Subject: snd_ctl_elem_init_enum_names(): switch to vmemdup_user() Signed-off-by: Al Viro --- sound/core/control.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c index eaef67bd004b..d16b53d0547c 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1198,7 +1198,7 @@ static int snd_ctl_elem_init_enum_names(struct user_element *ue) if (ue->info.value.enumerated.names_length > 64 * 1024) return -EINVAL; - names = memdup_user((const void __user *)user_ptrval, + names = vmemdup_user((const void __user *)user_ptrval, ue->info.value.enumerated.names_length); if (IS_ERR(names)) return PTR_ERR(names); 
@@ -1209,7 +1209,7 @@ static int snd_ctl_elem_init_enum_names(struct user_element *ue) for (i = 0; i < ue->info.value.enumerated.items; ++i) { name_len = strnlen(p, buf_len); if (name_len == 0 || name_len >= 64 || name_len == buf_len) { - kfree(names); + kvfree(names); return -EINVAL; } p += name_len + 1; @@ -1227,7 +1227,7 @@ static void snd_ctl_elem_user_free(struct snd_kcontrol *kcontrol) struct user_element *ue = kcontrol->private_data; kvfree(ue->tlv_data); - kfree(ue->priv_data); + kvfree(ue->priv_data); kfree(ue); } -- cgit v1.2.3 From c981f254cc82f50f8cb864ce6432097b23195b9c Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 7 Jan 2018 13:19:09 -0500 Subject: sctp: use vmemdup_user() rather than badly open-coding memdup_user() Signed-off-by: Al Viro --- net/sctp/socket.c | 59 +++++++++++-------------------------------------------- 1 file changed, 11 insertions(+), 48 deletions(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 3204a9b29407..c2cccc9902d6 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -970,13 +970,6 @@ int sctp_asconf_mgmt(struct sctp_sock *sp, struct sctp_sockaddr_entry *addrw) * This is used for tunneling the sctp_bindx() request through sctp_setsockopt() * from userspace. * - * We don't use copy_from_user() for optimization: we first do the - * sanity checks (buffer size -fast- and access check-healthy - * pointer); if all of those succeed, then we can alloc the memory - * (expensive operation) needed to copy the data to kernel. Then we do - * the copying without checking the user space area - * (__copy_from_user()). - * * On exit there is no need to do sockfd_put(), sys_setsockopt() does * it. * 
@@ -1006,25 +999,15 @@ static int sctp_setsockopt_bindx(struct sock *sk, if (unlikely(addrs_size <= 0)) return -EINVAL; - /* Check the user passed a healthy pointer. */ - if (unlikely(!access_ok(VERIFY_READ, addrs, addrs_size))) - return -EFAULT; - - /* Alloc space for the address array in kernel memory. */ - kaddrs = kmalloc(addrs_size, GFP_USER | __GFP_NOWARN); - if (unlikely(!kaddrs)) - return -ENOMEM; - - if (__copy_from_user(kaddrs, addrs, addrs_size)) { - kfree(kaddrs); - return -EFAULT; - } + kaddrs = vmemdup_user(addrs, addrs_size); + if (unlikely(IS_ERR(kaddrs))) + return PTR_ERR(kaddrs); /* Walk through the addrs buffer and count the number of addresses. */ addr_buf = kaddrs; while (walk_size < addrs_size) { if (walk_size + sizeof(sa_family_t) > addrs_size) { - kfree(kaddrs); + kvfree(kaddrs); return -EINVAL; } @@ -1035,7 +1018,7 @@ static int sctp_setsockopt_bindx(struct sock *sk, * causes the address buffer to overflow return EINVAL. */ if (!af || (walk_size + af->sockaddr_len) > addrs_size) { - kfree(kaddrs); + kvfree(kaddrs); return -EINVAL; } addrcnt++; @@ -1065,7 +1048,7 @@ static int sctp_setsockopt_bindx(struct sock *sk, } out: - kfree(kaddrs); + kvfree(kaddrs); return err; } @@ -1323,13 +1306,6 @@ out_free: * land and invoking either sctp_connectx(). This is used for tunneling * the sctp_connectx() request through sctp_setsockopt() from userspace. * - * We don't use copy_from_user() for optimization: we first do the - * sanity checks (buffer size -fast- and access check-healthy - * pointer); if all of those succeed, then we can alloc the memory - * (expensive operation) needed to copy the data to kernel. Then we do - * the copying without checking the user space area - * (__copy_from_user()). - * * On exit there is no need to do sockfd_put(), sys_setsockopt() does * it. * 
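Review bot: Replacing kmalloc() with vmemdup_user() in sctp_setsockopt_bindx() raises the largest allocation userspace can request through this path: the only check on `addrs_size` before the copy is `<= 0`, so unless sctp_setsockopt() bounds optlen (outside this hunk) a value up to INT_MAX now reaches kvmalloc() and its vmalloc fallback, where the old kmalloc() would have failed quietly thanks to __GFP_NOWARN. A sanity cap before the copy, sized from the maximum number of addresses a bind can carry and accompanied by a comment giving the rationale, would be the defensive choice, similar to the `size > 1024 * 128` check in sound/core/control.c earlier in this series. The address walk that follows is unchanged and still bounds every sockaddr read against addrs_size.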
@@ -1345,7 +1321,6 @@ static int __sctp_setsockopt_connectx(struct sock *sk, sctp_assoc_t *assoc_id) { struct sockaddr *kaddrs; - gfp_t gfp = GFP_KERNEL; int err = 0; pr_debug("%s: sk:%p addrs:%p addrs_size:%d\n", @@ -1354,24 +1329,12 @@ static int __sctp_setsockopt_connectx(struct sock *sk, if (unlikely(addrs_size <= 0)) return -EINVAL; - /* Check the user passed a healthy pointer. */ - if (unlikely(!access_ok(VERIFY_READ, addrs, addrs_size))) - return -EFAULT; - - /* Alloc space for the address array in kernel memory. */ - if (sk->sk_socket->file) - gfp = GFP_USER | __GFP_NOWARN; - kaddrs = kmalloc(addrs_size, gfp); - if (unlikely(!kaddrs)) - return -ENOMEM; - - if (__copy_from_user(kaddrs, addrs, addrs_size)) { - err = -EFAULT; - } else { - err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id); - } + kaddrs = vmemdup_user(addrs, addrs_size); + if (unlikely(IS_ERR(kaddrs))) + return PTR_ERR(kaddrs); - kfree(kaddrs); + err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id); + kvfree(kaddrs); return err; } -- cgit v1.2.3 From e1fc742e14e01d84d9693c4aca4ab23da65811fb Mon Sep 17 00:00:00 2001 From: Jürg Billeter Date: Fri, 29 Sep 2017 14:07:17 +0200 Subject: fs: add RWF_APPEND MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is the per-I/O equivalent of O_APPEND to support atomic append operations on any open file. If a file is opened with O_APPEND, pwrite() ignores the offset and always appends data to the end of the file. RWF_APPEND enables atomic append and pwrite() with offset on a single file descriptor. Signed-off-by: Jürg Billeter Signed-off-by: Al Viro --- include/linux/fs.h | 2 ++ include/uapi/linux/fs.h | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index 6276f8315e5b..85c8ddc55760 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
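Review bot: The rewrite of __sctp_setsockopt_connectx() drops the `sk->sk_socket->file ? GFP_USER : GFP_KERNEL` choice: vmemdup_user() always allocates with GFP_USER, so __GFP_HARDWALL now applies to kernel-side sockets that have no file as well. That is probably harmless since the buffer is freed before return, but it is a behaviour change the commit message does not mention; a note in the message or `/* always GFP_USER via vmemdup_user(); kernel sockets used to get GFP_KERNEL */` at the call site would record it. As in sctp_setsockopt_bindx(), only `addrs_size <= 0` is rejected before the now-unbounded kvmalloc().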
@@ -3224,6 +3224,8 @@ static inline int kiocb_set_rw_flags(struct kiocb *ki, rwf_t flags) ki->ki_flags |= IOCB_DSYNC; if (flags & RWF_SYNC) ki->ki_flags |= (IOCB_DSYNC | IOCB_SYNC); + if (flags & RWF_APPEND) + ki->ki_flags |= IOCB_APPEND; return 0; } diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h index 4199f8acbce5..d2a8313fabd7 100644 --- a/include/uapi/linux/fs.h +++ b/include/uapi/linux/fs.h @@ -377,7 +377,11 @@ typedef int __bitwise __kernel_rwf_t; /* per-IO, return -EAGAIN if operation would block */ #define RWF_NOWAIT ((__force __kernel_rwf_t)0x00000008) +/* per-IO O_APPEND */ +#define RWF_APPEND ((__force __kernel_rwf_t)0x00000010) + /* mask of flags supported by the kernel */ -#define RWF_SUPPORTED (RWF_HIPRI | RWF_DSYNC | RWF_SYNC | RWF_NOWAIT) +#define RWF_SUPPORTED (RWF_HIPRI | RWF_DSYNC | RWF_SYNC | RWF_NOWAIT |\ + RWF_APPEND) #endif /* _UAPI_LINUX_FS_H */ -- cgit v1.2.3 From 4bfd054ae11ea061685c4a2a6234fdc8e92fad41 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 16 Jan 2018 21:44:24 -0800 Subject: fs: fold __inode_permission() into inode_permission() Since commit 9c630ebefeee ("ovl: simplify permission checking"), overlayfs doesn't call __inode_permission() anymore, which leaves no users other than inode_permission(). So just fold it back into inode_permission(). Signed-off-by: Eric Biggers Signed-off-by: Al Viro --- fs/namei.c | 71 ++++++++++++++++++++---------------------------------- include/linux/fs.h | 1 - 2 files changed, 26 insertions(+), 46 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index f0c7a7b9b6ca..29b044022e9c 100644 --- a/fs/namei.c +++ b/fs/namei.c 
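Review bot: kiocb_set_rw_flags() serves the read path as well as the write path, so RWF_APPEND is now accepted on reads, where IOCB_APPEND has no meaning; nothing in the hunk rejects it and the uapi comment `/* per-IO O_APPEND */` does not say the flag is write-only. Either extend the comment, e.g. `/* per-IO O_APPEND: write at end of file, offset ignored; no effect on reads */`, or have the read entry points mask it out, which I cannot see from here. Userspace should also expect rejection from older kernels, since RWF_SUPPORTED is presumably what gates unknown bits.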
@@ -390,50 +390,6 @@ static inline int do_inode_permission(struct inode *inode, int mask) return generic_permission(inode, mask); } -/** - * __inode_permission - Check for access rights to a given inode - * @inode: Inode to check permission on - * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC) - * - * Check for read/write/execute permissions on an inode. - * - * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask. - * - * This does not check for a read-only file system. You probably want - * inode_permission(). - */ -int __inode_permission(struct inode *inode, int mask) -{ - int retval; - - if (unlikely(mask & MAY_WRITE)) { - /* - * Nobody gets write access to an immutable file. - */ - if (IS_IMMUTABLE(inode)) - return -EPERM; - - /* - * Updating mtime will likely cause i_uid and i_gid to be - * written back improperly if their true value is unknown - * to the vfs. - */ - if (HAS_UNMAPPED_ID(inode)) - return -EACCES; - } - - retval = do_inode_permission(inode, mask); - if (retval) - return retval; - - retval = devcgroup_inode_permission(inode, mask); - if (retval) - return retval; - - return security_inode_permission(inode, mask); -} -EXPORT_SYMBOL(__inode_permission); - /** * sb_permission - Check superblock-level permissions * @sb: Superblock of inode to check permission on 
@@ -472,7 +428,32 @@ int inode_permission(struct inode *inode, int mask) retval = sb_permission(inode->i_sb, inode, mask); if (retval) return retval; - return __inode_permission(inode, mask); + + if (unlikely(mask & MAY_WRITE)) { + /* + * Nobody gets write access to an immutable file. + */ + if (IS_IMMUTABLE(inode)) + return -EPERM; + + /* + * Updating mtime will likely cause i_uid and i_gid to be + * written back improperly if their true value is unknown + * to the vfs. + */ + if (HAS_UNMAPPED_ID(inode)) + return -EACCES; + } + + retval = do_inode_permission(inode, mask); + if (retval) + return retval; + + retval = devcgroup_inode_permission(inode, mask); + if (retval) + return retval; + + return security_inode_permission(inode, mask); } EXPORT_SYMBOL(inode_permission); diff --git a/include/linux/fs.h b/include/linux/fs.h index 85c8ddc55760..b49251112add 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2699,7 +2699,6 @@ extern sector_t bmap(struct inode *, sector_t); #endif extern int notify_change(struct dentry *, struct iattr *, struct inode **); extern int inode_permission(struct inode *, int); -extern int __inode_permission(struct inode *, int); extern int generic_permission(struct inode *, int); extern int __check_sticky(struct inode *dir, struct inode *inode); -- cgit v1.2.3 From 01950a349ec254f28bf9ad06e74a166521d213e1 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 16 Jan 2018 22:25:12 -0800 Subject: fs/buffer.c: fold init_buffer() into init_page_buffers() Since commit e76004093db1 ("fs/buffer.c: remove unnecessary init operation after allocating buffer_head"), there are no callers of init_buffer() outside of init_page_buffers(). So just fold it into init_page_buffers(). Signed-off-by: Eric Biggers Signed-off-by: Al Viro --- fs/buffer.c | 10 ++-------- include/linux/buffer_head.h | 1 - 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/fs/buffer.c b/fs/buffer.c index 0736a6a2e2f0..3091801169ce 100644 --- a/fs/buffer.c 
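Review bot: The folded body keeps the IS_IMMUTABLE and HAS_UNMAPPED_ID checks gated on MAY_WRITE only, so the deleted kerneldoc's rule "When checking for MAY_APPEND, MAY_WRITE must also be set in @mask" is the only thing preventing a MAY_APPEND-only caller from skipping them, and that sentence went away with __inode_permission(). inode_permission()'s own kerneldoc begins above this hunk, so I cannot tell whether it already states the rule; if not, add `* When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.` there, and a short `/* callers must pair MAY_APPEND with MAY_WRITE or these checks are skipped */` above `if (unlikely(mask & MAY_WRITE)) {` would help too. The ordering relative to sb_permission() is unchanged.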
+++ b/fs/buffer.c @@ -53,13 +53,6 @@ static int submit_bh_wbc(int op, int op_flags, struct buffer_head *bh, #define BH_ENTRY(list) list_entry((list), struct buffer_head, b_assoc_buffers) -void init_buffer(struct buffer_head *bh, bh_end_io_t *handler, void *private) -{ - bh->b_end_io = handler; - bh->b_private = private; -} -EXPORT_SYMBOL(init_buffer); - inline void touch_buffer(struct buffer_head *bh) { trace_block_touch_buffer(bh); @@ -922,7 +915,8 @@ init_page_buffers(struct page *page, struct block_device *bdev, do { if (!buffer_mapped(bh)) { - init_buffer(bh, NULL, NULL); + bh->b_end_io = NULL; + bh->b_private = NULL; bh->b_bdev = bdev; bh->b_blocknr = block; if (uptodate) diff --git a/include/linux/buffer_head.h b/include/linux/buffer_head.h index 8b1bf8d3d4a2..58a82f58e44e 100644 --- a/include/linux/buffer_head.h +++ b/include/linux/buffer_head.h @@ -151,7 +151,6 @@ void buffer_check_dirty_writeback(struct page *page, void mark_buffer_dirty(struct buffer_head *bh); void mark_buffer_write_io_error(struct buffer_head *bh); -void init_buffer(struct buffer_head *, bh_end_io_t *, void *); void touch_buffer(struct buffer_head *bh); void set_bh_page(struct buffer_head *bh, struct page *page, unsigned long offset); -- cgit v1.2.3 From 854d3e63438d72cde8296a4c4564898c5f9dd01a Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Mon, 20 Nov 2017 18:05:07 +0300 Subject: dcache: subtract d_hash_shift from 32 in advance Signed-off-by: Alexey Dobriyan Signed-off-by: Al Viro --- fs/dcache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/dcache.c b/fs/dcache.c index 17e6b84b9656..d4f5b52d99be 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -110,7 +110,7 @@ static struct hlist_bl_head *dentry_hashtable __read_mostly; static inline struct hlist_bl_head *d_hash(unsigned int hash) { - return dentry_hashtable + (hash >> (32 - d_hash_shift)); + return dentry_hashtable + (hash >> d_hash_shift); } #define IN_LOOKUP_SHIFT 10 
@@ -3593,6 +3593,7 @@ static void __init dcache_init_early(void) &d_hash_mask, 0, 0); + d_hash_shift = 32 - d_hash_shift; } static void __init dcache_init(void) @@ -3619,6 +3620,7 @@ static void __init dcache_init(void) &d_hash_mask, 0, 0); + d_hash_shift = 32 - d_hash_shift; } /* SLAB cache for __getname() consumers */ -- cgit v1.2.3 From b35d786b674345bb32b5181d48408ec2de147011 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Mon, 20 Nov 2017 18:05:52 +0300 Subject: dcache: delete unused d_hash_mask Signed-off-by: Alexey Dobriyan Signed-off-by: Al Viro --- fs/dcache.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index d4f5b52d99be..f110e9eebb58 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -103,7 +103,6 @@ EXPORT_SYMBOL(slash_name); * information, yet avoid using a prime hash-size or similar. */ -static unsigned int d_hash_mask __read_mostly; static unsigned int d_hash_shift __read_mostly; static struct hlist_bl_head *dentry_hashtable __read_mostly; @@ -3590,7 +3589,7 @@ static void __init dcache_init_early(void) 13, HASH_EARLY | HASH_ZERO, &d_hash_shift, - &d_hash_mask, + NULL, 0, 0); d_hash_shift = 32 - d_hash_shift; @@ -3617,7 +3616,7 @@ static void __init dcache_init(void) 13, HASH_ZERO, &d_hash_shift, - &d_hash_mask, + NULL, 0, 0); d_hash_shift = 32 - d_hash_shift; -- cgit v1.2.3 From 5bdd0c6f89fba430e18d636493398389dadc3b17 Mon Sep 17 00:00:00 2001 
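Review bot: After `d_hash_shift = 32 - d_hash_shift;` the variable no longer holds what alloc_large_system_hash() stored in it (log2 of the bucket count) but its 32-bit complement, yet it keeps the same name and the conversion is repeated in dcache_init_early() and dcache_init() without a comment. Add `/* turn log2(buckets) into the right-shift that maps a 32-bit hash to a bucket */` at both assignments (or on the declaration) so nobody "fixes" d_hash() back to `32 - d_hash_shift`. Any other reader of d_hash_shift outside these hunks, if one exists, would need the same adjustment.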
From: Jake Daryll Obina Date: Fri, 22 Sep 2017 00:00:14 +0800 Subject: jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path If jffs2_iget() fails for a newly-allocated inode, jffs2_do_clear_inode() can get called twice in the error handling path, the first call in jffs2_iget() itself and the second through iget_failed(). This can result to a use-after-free error in the second jffs2_do_clear_inode() call, such as shown by the oops below wherein the second jffs2_do_clear_inode() call was trying to free node fragments that were already freed in the first jffs2_do_clear_inode() call. [ 78.178860] jffs2: error: (1904) jffs2_do_read_inode_internal: CRC failed for read_inode of inode 24 at physical location 0x1fc00c [ 78.178914] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b7b [ 78.185871] pgd = ffffffc03a567000 [ 78.188794] [6b6b6b6b6b6b6b7b] *pgd=0000000000000000, *pud=0000000000000000 [ 78.194968] Internal error: Oops: 96000004 [#1] PREEMPT SMP ... [ 78.513147] PC is at rb_first_postorder+0xc/0x28 [ 78.516503] LR is at jffs2_kill_fragtree+0x28/0x90 [jffs2] [ 78.520672] pc : [] lr : [] pstate: 60000105 [ 78.526757] sp : ffffff800cea38f0 [ 78.528753] x29: ffffff800cea38f0 x28: ffffffc01f3f8e80 [ 78.532754] x27: 0000000000000000 x26: ffffff800cea3c70 [ 78.536756] x25: 00000000dc67c8ae x24: ffffffc033d6945d [ 78.540759] x23: ffffffc036811740 x22: ffffff800891a5b8 [ 78.544760] x21: 0000000000000000 x20: 0000000000000000 [ 78.548762] x19: ffffffc037d48910 x18: ffffff800891a588 [ 78.552764] x17: 0000000000000800 x16: 0000000000000c00 [ 78.556766] x15: 0000000000000010 x14: 6f2065646f6e695f [ 78.560767] x13: 6461657220726f66 x12: 2064656c69616620 [ 78.564769] x11: 435243203a6c616e x10: 7265746e695f6564 [ 78.568771] x9 : 6f6e695f64616572 x8 : ffffffc037974038 [ 78.572774] x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008 [ 78.576775] x5 : 002f91d85bd44a2f x4 : 0000000000000000 [ 78.580777] x3 : 0000000000000000 x2 : 000000403755e000 [ 
78.584779] x1 : 6b6b6b6b6b6b6b6b x0 : 6b6b6b6b6b6b6b6b ... [ 79.038551] [] rb_first_postorder+0xc/0x28 [ 79.042962] [] jffs2_do_clear_inode+0x88/0x100 [jffs2] [ 79.048395] [] jffs2_evict_inode+0x3c/0x48 [jffs2] [ 79.053443] [] evict+0xb0/0x168 [ 79.056835] [] iput+0x1c0/0x200 [ 79.060228] [] iget_failed+0x30/0x3c [ 79.064097] [] jffs2_iget+0x2d8/0x360 [jffs2] [ 79.068740] [] jffs2_lookup+0xe8/0x130 [jffs2] [ 79.073434] [] lookup_slow+0x118/0x190 [ 79.077435] [] walk_component+0xfc/0x28c [ 79.081610] [] path_lookupat+0x84/0x108 [ 79.085699] [] filename_lookup+0x88/0x100 [ 79.089960] [] user_path_at_empty+0x58/0x6c [ 79.094396] [] vfs_statx+0xa4/0x114 [ 79.098138] [] SyS_newfstatat+0x58/0x98 [ 79.102227] [] __sys_trace_return+0x0/0x4 [ 79.106489] Code: d65f03c0 f9400001 b40000e1 aa0103e0 (f9400821) The jffs2_do_clear_inode() call in jffs2_iget() is unnecessary since iget_failed() will eventually call jffs2_do_clear_inode() if needed, so just remove it. Fixes: 5451f79f5f81 ("iget: stop JFFS2 from using iget() and read_inode()") Reviewed-by: Richard Weinberger Signed-off-by: Jake Daryll Obina Signed-off-by: Al Viro --- fs/jffs2/fs.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c index e96c6b05e43e..3c96f4bdc549 100644 --- a/fs/jffs2/fs.c +++ b/fs/jffs2/fs.c @@ -362,7 +362,6 @@ error_io: ret = -EIO; error: mutex_unlock(&f->sem); - jffs2_do_clear_inode(c, f); iget_failed(inode); return ERR_PTR(ret); } -- cgit v1.2.3 From 47669fb6b5951d0e09fc99719653e0ac92b50b99 Mon Sep 17 00:00:00 2001 
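Review bot: The removal is right as far as the hunk shows, but the reason it is safe lives entirely outside jffs2_iget(): iget_failed() → iput() → evict → jffs2_evict_inode() → jffs2_do_clear_inode(), per the trace in the commit message, and nothing at the `error:` label says so. A comment there, `/* iget_failed() evicts the inode and jffs2_evict_inode() clears f; clearing here as well frees the fragtree twice */`, would keep the double free from being reintroduced. Since a CRC failure in on-flash data, i.e. a corrupt or crafted image, reaches this path, a Cc: stable tag next to the Fixes: line seems warranted.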
From: Arnd Bergmann Date: Wed, 8 Nov 2017 16:02:13 +0100 Subject: alpha: osf_sys.c: fix put_tv32 regression There was a typo in the new version of put_tv32() that caused an unguarded access of a user space pointer, and failed to return the correct result in gettimeofday(), wait4(), usleep_thread() and old_adjtimex(). This fixes it to give the correct behavior again. Cc: stable@vger.kernel.org Fixes: 1cc6c4635e9f ("osf_sys.c: switch handling of timeval32/itimerval32 to copy_{to,from}_user()") Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro --- arch/alpha/kernel/osf_sys.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c index ce3a675c0c4b..75a5c35a2067 100644 --- a/arch/alpha/kernel/osf_sys.c +++ b/arch/alpha/kernel/osf_sys.c @@ -964,8 +964,8 @@ static inline long put_tv32(struct timeval32 __user *o, struct timeval *i) { return copy_to_user(o, &(struct timeval32){ - .tv_sec = o->tv_sec, - .tv_usec = o->tv_usec}, + .tv_sec = i->tv_sec, + .tv_usec = i->tv_usec}, sizeof(struct timeval32)); } -- cgit v1.2.3 From ce4c253573ad184603e0fa77876ba155b0cde46d Mon Sep 17 00:00:00 2001 
From: Arnd Bergmann Date: Wed, 8 Nov 2017 16:02:14 +0100 Subject: alpha: osf_sys.c: use timespec64 where appropriate Some of the syscall helper functions (do_utimes, poll_select_set_timeout, core_sys_select) have changed over the past year or two to use 'timespec64' pointers rather than 'timespec'. This was fine on alpha, since 64-bit architectures treat the two as the same type. However, I'd like to change that behavior and make 'timespec64' a proper type of its own even on 64-bit architectures, and that will introduce harmless type mismatch warnings here. Also, I'm trying to kill off the do_gettimeofday() helper in favor of ktime_get() and related interfaces throughout the kernel. This changes the get_tv32/put_tv32 helper functions to also take a timespec64 argument rather than timeval, which allows us to simplify some of the syscall helpers a bit and avoid the type warnings. For the moment, wait4 and adjtimex are still better off with the old behavior, so I'm adding a special put_tv_to_tv32() helper for those. Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro --- arch/alpha/kernel/osf_sys.c | 68 ++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c index 75a5c35a2067..fa1a392ca9a2 100644 --- a/arch/alpha/kernel/osf_sys.c +++ b/arch/alpha/kernel/osf_sys.c 
@@ -950,18 +950,27 @@ struct itimerval32 }; static inline long -get_tv32(struct timeval *o, struct timeval32 __user *i) +get_tv32(struct timespec64 *o, struct timeval32 __user *i) { struct timeval32 tv; if (copy_from_user(&tv, i, sizeof(struct timeval32))) return -EFAULT; o->tv_sec = tv.tv_sec; - o->tv_usec = tv.tv_usec; + o->tv_nsec = tv.tv_usec * NSEC_PER_USEC; return 0; } static inline long -put_tv32(struct timeval32 __user *o, struct timeval *i) +put_tv32(struct timeval32 __user *o, struct timespec64 *i) +{ + return copy_to_user(o, &(struct timeval32){ + .tv_sec = i->tv_sec, + .tv_usec = i->tv_nsec / NSEC_PER_USEC}, + sizeof(struct timeval32)); +} + +static inline long +put_tv_to_tv32(struct timeval32 __user *o, struct timeval *i) { return copy_to_user(o, &(struct timeval32){ .tv_sec = i->tv_sec, @@ -1004,9 +1013,10 @@ SYSCALL_DEFINE2(osf_gettimeofday, struct timeval32 __user *, tv, struct timezone __user *, tz) { if (tv) { - struct timeval ktv; - do_gettimeofday(&ktv); - if (put_tv32(tv, &ktv)) + struct timespec64 kts; + + ktime_get_real_ts64(&kts); + if (put_tv32(tv, &kts)) return -EFAULT; } if (tz) { @@ -1019,22 +1029,19 @@ SYSCALL_DEFINE2(osf_gettimeofday, struct timeval32 __user *, tv, SYSCALL_DEFINE2(osf_settimeofday, struct timeval32 __user *, tv, struct timezone __user *, tz) { - struct timespec64 kts64; - struct timespec kts; + struct timespec64 kts; struct timezone ktz; if (tv) { - if (get_tv32((struct timeval *)&kts, tv)) + if (get_tv32(&kts, tv)) return -EFAULT; - kts.tv_nsec *= 1000; - kts64 = timespec_to_timespec64(kts); } if (tz) { if (copy_from_user(&ktz, tz, sizeof(*tz))) return -EFAULT; } - return do_sys_settimeofday64(tv ? &kts64 : NULL, tz ? &ktz : NULL); + return do_sys_settimeofday64(tv ? &kts : NULL, tz ? &ktz : NULL); } asmlinkage long sys_ni_posix_timers(void); 
@@ -1083,22 +1090,16 @@ SYSCALL_DEFINE3(osf_setitimer, int, which, struct itimerval32 __user *, in,
 SYSCALL_DEFINE2(osf_utimes, const char __user *, filename,
 		struct timeval32 __user *, tvs)
 {
-	struct timespec tv[2];
+	struct timespec64 tv[2];
 	if (tvs) {
-		struct timeval ktvs[2];
-		if (get_tv32(&ktvs[0], &tvs[0]) ||
-		    get_tv32(&ktvs[1], &tvs[1]))
+		if (get_tv32(&tv[0], &tvs[0]) ||
+		    get_tv32(&tv[1], &tvs[1]))
 			return -EFAULT;
-		if (ktvs[0].tv_usec < 0 || ktvs[0].tv_usec >= 1000000 ||
-		    ktvs[1].tv_usec < 0 || ktvs[1].tv_usec >= 1000000)
+		if (tv[0].tv_nsec < 0 || tv[0].tv_nsec >= 1000000000 ||
+		    tv[1].tv_nsec < 0 || tv[1].tv_nsec >= 1000000000)
 			return -EINVAL;
-
-		tv[0].tv_sec = ktvs[0].tv_sec;
-		tv[0].tv_nsec = 1000 * ktvs[0].tv_usec;
-		tv[1].tv_sec = ktvs[1].tv_sec;
-		tv[1].tv_nsec = 1000 * ktvs[1].tv_usec;
 	}
 	return do_utimes(AT_FDCWD, filename, tvs ? tv : NULL, 0);
@@ -1107,19 +1108,18 @@ SYSCALL_DEFINE2(osf_utimes, const char __user *, filename,
 SYSCALL_DEFINE5(osf_select, int, n, fd_set __user *, inp, fd_set __user *, outp,
 		fd_set __user *, exp, struct timeval32 __user *, tvp)
 {
-	struct timespec end_time, *to = NULL;
+	struct timespec64 end_time, *to = NULL;
 	if (tvp) {
-		struct timeval tv;
+		struct timespec64 tv;
 		to = &end_time;
 		if (get_tv32(&tv, tvp))
 			return -EFAULT;
-		if (tv.tv_sec < 0 || tv.tv_usec < 0)
+		if (tv.tv_sec < 0 || tv.tv_nsec < 0)
 			return -EINVAL;
-		if (poll_select_set_timeout(to, tv.tv_sec,
-				    tv.tv_usec * NSEC_PER_USEC))
+		if (poll_select_set_timeout(to, tv.tv_sec, tv.tv_nsec))
 			return -EINVAL;
 	}
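Review bot: The range check in osf_utimes spells the nanosecond bound out as a magic number, `tv[0].tv_nsec >= 1000000000`, while get_tv32() in the same commit already uses the named NSEC_PER_USEC constant; the companion NSEC_PER_SEC reads better and keeps the two in step: `if (tv[0].tv_nsec < 0 || tv[0].tv_nsec >= NSEC_PER_SEC ||` / `    tv[1].tv_nsec < 0 || tv[1].tv_nsec >= NSEC_PER_SEC)`. Behaviour is unchanged either way, since tv_nsec arrives from get_tv32() as tv_usec * NSEC_PER_USEC, so the new check rejects exactly the tv_usec values the removed check rejected.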
@@ -1192,9 +1192,9 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
 			return -EFAULT;
 	if (!ur)
 		return err;
-	if (put_tv32(&ur->ru_utime, &r.ru_utime))
+	if (put_tv_to_tv32(&ur->ru_utime, &r.ru_utime))
 		return -EFAULT;
-	if (put_tv32(&ur->ru_stime, &r.ru_stime))
+	if (put_tv_to_tv32(&ur->ru_stime, &r.ru_stime))
 		return -EFAULT;
 	if (copy_to_user(&ur->ru_maxrss, &r.ru_maxrss,
 			 sizeof(struct rusage32) - offsetof(struct rusage32, ru_maxrss)))
@@ -1210,18 +1210,18 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
 SYSCALL_DEFINE2(osf_usleep_thread, struct timeval32 __user *, sleep,
 		struct timeval32 __user *, remain)
 {
-	struct timeval tmp;
+	struct timespec64 tmp;
 	unsigned long ticks;
 	if (get_tv32(&tmp, sleep))
 		goto fault;
-	ticks = timeval_to_jiffies(&tmp);
+	ticks = timespec64_to_jiffies(&tmp);
 	ticks = schedule_timeout_interruptible(ticks);
 	if (remain) {
-		jiffies_to_timeval(ticks, &tmp);
+		jiffies_to_timespec64(ticks, &tmp);
 		if (put_tv32(remain, &tmp))
 			goto fault;
 	}
@@ -1280,7 +1280,7 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
 	if (copy_to_user(txc_p, &txc, offsetof(struct timex32, time)) ||
 	    (copy_to_user(&txc_p->tick, &txc.tick, sizeof(struct timex32) -
 			      offsetof(struct timex32, tick))) ||
-	    (put_tv32(&txc_p->time, &txc.time)))
+	    (put_tv_to_tv32(&txc_p->time, &txc.time)))
 		return -EFAULT;
 	return ret;
-- 
cgit v1.2.3
