Patch "frv: fix clear_user()" has been added to the 4.7-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    frv: fix clear_user()

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     frv-fix-clear_user.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu, 18 Aug 2016 20:54:02 -0400
Subject: frv: fix clear_user()

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.

It should check access_ok().  Otherwise a bunch of places turn into
trivially exploitable rootholes.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/frv/include/asm/uaccess.h |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do {							\
 extern long __memset_user(void *dst, unsigned long count);
 extern long __memcpy_user(void *dst, const void *src, unsigned long count);
 
-#define clear_user(dst,count)			__memset_user(____force(dst), (count))
+#define __clear_user(dst,count)			__memset_user(____force(dst), (count))
 #define __copy_from_user_inatomic(to, from, n)	__memcpy_user((to), ____force(from), (n))
 #define __copy_to_user_inatomic(to, from, n)	__memcpy_user(____force(to), (from), (n))
 
 #else
 
-#define clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
 #define __copy_from_user_inatomic(to, from, n)	(memcpy((to), ____force(from), (n)), 0)
 #define __copy_to_user_inatomic(to, from, n)	(memcpy(____force(to), (from), (n)), 0)
 
 #endif
 
-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+	if (likely(__access_ok(to, n)))
+		n = __clear_user(to, n);
+	return n;
+}
 
 static inline unsigned long __must_check
 __copy_to_user(void __user *to, const void *from, unsigned long n)


Patches currently in stable-queue which might be from viro@zeniv.linux.org.uk are

queue-4.7/nios2-copy_from_user-should-zero-the-tail-of-destination.patch
queue-4.7/m32r-fix-__get_user.patch
queue-4.7/microblaze-fix-copy_from_user.patch
queue-4.7/cris-buggered-copy_from_user-copy_to_user-clear_user.patch
queue-4.7/asm-generic-make-copy_from_user-zero-the-destination-properly.patch
queue-4.7/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
queue-4.7/score-fix-__get_user-get_user.patch
queue-4.7/parisc-fix-copy_from_user.patch
queue-4.7/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch
queue-4.7/alpha-fix-copy_from_user.patch
queue-4.7/mn10300-failing-__get_user-and-get_user-should-zero.patch
queue-4.7/openrisc-fix-copy_from_user.patch
queue-4.7/avr32-fix-copy_from_user.patch
queue-4.7/score-fix-copy_from_user-and-friends.patch
queue-4.7/sh64-failing-__get_user-should-zero.patch
queue-4.7/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch
queue-4.7/hexagon-fix-strncpy_from_user-error-return.patch
queue-4.7/af_unix-split-u-readlock-into-two-iolock-and-bindlock.patch
queue-4.7/frv-fix-clear_user.patch
queue-4.7/fix-minor-infoleak-in-get_user_ex.patch
queue-4.7/asm-generic-make-get_user-clear-the-destination-on-errors.patch
queue-4.7/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
queue-4.7/s390-get_user-should-zero-on-failure.patch
queue-4.7/microblaze-fix-__get_user.patch
queue-4.7/blackfin-fix-copy_from_user.patch
queue-4.7/fix-iov_iter_fault_in_readable.patch
queue-4.7/nios2-fix-__get_user.patch
queue-4.7/sh-fix-copy_from_user.patch