* [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function
@ 2016-09-29  9:06 Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET Jiri Slaby
                   ` (41 more replies)
  0 siblings, 42 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Chen-Yu Tsai, Daniel Lezcano, Jiri Slaby

From: Chen-Yu Tsai <wens@csie.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e upstream.

The bootloader (U-boot) sometimes uses this timer for various delays.
It uses it as an ongoing counter, and does comparisons on the current
counter value. The timer counter is never stopped.

In some cases when the user interacts with the bootloader, or lets
it idle for some time before loading Linux, the timer may expire,
and an interrupt will be pending. This results in an unexpected
interrupt when the timer interrupt is enabled by the kernel, at
which point the event_handler isn't set yet. This results in a NULL
pointer dereference exception, panic, and no way to reboot.

Clear any pending interrupts after we stop the timer in the probe
function to avoid this.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/clocksource/sun4i_timer.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/clocksource/sun4i_timer.c b/drivers/clocksource/sun4i_timer.c
index 4fe6ac85ea1d..b4b0c6a2a00d 100644
--- a/drivers/clocksource/sun4i_timer.c
+++ b/drivers/clocksource/sun4i_timer.c
@@ -118,12 +118,16 @@ static struct clock_event_device sun4i_clockevent = {
 	.set_next_event = sun4i_clkevt_next_event,
 };
 
+static void sun4i_timer_clear_interrupt(void)
+{
+	writel(TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_ST_REG);
+}
 
 static irqreturn_t sun4i_timer_interrupt(int irq, void *dev_id)
 {
 	struct clock_event_device *evt = (struct clock_event_device *)dev_id;
 
-	writel(0x1, timer_base + TIMER_IRQ_ST_REG);
+	sun4i_timer_clear_interrupt();
 	evt->event_handler(evt);
 
 	return IRQ_HANDLED;
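Review bot: sun4i_timer_interrupt() still calls evt->event_handler(evt) with no NULL check, so the handler remains fatal for any interrupt that arrives before the clockevent is registered; the fix depends entirely on the probe-time clear. In the new helper, writing TIMER_IRQ_EN(0) to TIMER_IRQ_ST_REG reuses the enable-register macro for a status write where the old code wrote 0x1; a dedicated status-bit macro or a one-line comment would make clear that the two bit positions are meant to coincide.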
@@ -177,6 +181,9 @@ static void __init sun4i_timer_init(struct device_node *node)
 	writel(TIMER_CTL_CLK_SRC(TIMER_CTL_CLK_SRC_OSC24M),
 	       timer_base + TIMER_CTL_REG(0));
 
+	/* clear timer0 interrupt */
+	sun4i_timer_clear_interrupt();
+
 	sun4i_clockevent.cpumask = cpumask_of(0);
 
 	clockevents_config_and_register(&sun4i_clockevent, rate, 0x1,
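Review bot: The comment above the new sun4i_timer_clear_interrupt() call in sun4i_timer_init() says what is done but not why. Suggest noting that the bootloader may leave timer0 expired with an interrupt pending, and that this clear has to stay ahead of the point where the timer interrupt is enabled, so a later reordering of the init sequence does not reintroduce the crash.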
-- 
2.10.0



* [patch added to 3.12-stable] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] NFSv4.x: Fix a refcount leak in nfs_callback_up_net Jiri Slaby
                   ` (40 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Paul Mackerras, Michael Ellerman, Jiri Slaby

From: Paul Mackerras <paulus@ozlabs.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream.

In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
we lost a check on the region number (the top four bits of the effective
address) for addresses below PAGE_OFFSET.  That commit replaced a check
that the top 18 bits were all zero with a check that bits 46 - 59 were
zero (performed for all addresses, not just user addresses).

This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
and we will insert a valid SLB entry for it.  The VSID used will be the
same as if the top 4 bits were 0, but the page size will be some random
value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
array in the paca.  If that page size is the same as would be used for
region 0, then userspace just has an alias of the region 0 space.  If the
page size is different, then no HPTE will be found for the access, and
the process will get a SIGSEGV (since hash_page_mm() will refuse to create
a HPTE for the bogus address).

The access beyond the end of the mm_ctx_high_slices_psize can be at most
5.5MB past the array, and so will be in RAM somewhere.  Since the access
is a load performed in real mode, it won't fault or crash the kernel.
At most this bug could perhaps leak a little bit of information about
blocks of 32 bytes of memory located at offsets of i * 512kB past the
paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.

Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/mm/slb_low.S | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S
index 17aa6dfceb34..e507f5e733f3 100644
--- a/arch/powerpc/mm/slb_low.S
+++ b/arch/powerpc/mm/slb_low.S
@@ -110,7 +110,12 @@ BEGIN_FTR_SECTION
 END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
 	b	slb_finish_load_1T
 
-0:
+0:	/*
+	 * For userspace addresses, make sure this is region 0.
+	 */
+	cmpdi	r9, 0
+	bne	8f
+
 	/* when using slices, we extract the psize off the slice bitmaps
 	 * and then we need to get the sllp encoding off the mmu_psize_defs
 	 * array.
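Review bot: The new check at label 0: branches to 8f when r9 is non-zero, but neither the comment nor the hunk says that r9 holds the region number at this point or what the 8: path does with the rejected address. Extend the comment to state both, since the check is only correct while r9 is still live at this label and a reader of the hunk cannot verify either.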
-- 
2.10.0



* [patch added to 3.12-stable] NFSv4.x: Fix a refcount leak in nfs_callback_up_net
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] dm flakey: fix reads to be issued if drop_writes configured Jiri Slaby
                   ` (39 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Trond Myklebust, Jiri Slaby

From: Trond Myklebust <trond.myklebust@primarydata.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream.

On error, the callers expect us to return without bumping
nn->cb_users[].

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/nfs/callback.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
index 50443e6dc033..9c98225e45cd 100644
--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -302,6 +302,7 @@ static int nfs_callback_up_net(int minorversion, struct svc_serv *serv, struct n
 err_socks:
 	svc_rpcb_cleanup(serv, net);
 err_bind:
+	nn->cb_users[minorversion]--;
 	dprintk("NFS: Couldn't create callback socket: err = %d; "
 			"net = %p\n", ret, net);
 	return ret;
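Review bot: The decrement sits under err_bind:, so it runs both for the err_socks fall-through and for any direct jump to err_bind. The hunk does not show where nn->cb_users[minorversion] is incremented; confirm that every goto err_bind comes after that increment, otherwise an early failure would push the counter below zero. A comment pairing the decrement with its increment would help.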
-- 
2.10.0



* [patch added to 3.12-stable] dm flakey: fix reads to be issued if drop_writes configured
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] NFSv4.x: Fix a refcount leak in nfs_callback_up_net Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] x86/paravirt: Do not trace _paravirt_ident_*() functions Jiri Slaby
                   ` (38 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Mike Snitzer, Jiri Slaby

From: Mike Snitzer <snitzer@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream.

v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the
down_interval") overlooked the 'drop_writes' feature, which is meant to
allow reads to be issued rather than errored, during the down_interval.

Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval")
Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/md/dm-flakey.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index 8e36248f729f..c8ac0ed9d206 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -286,15 +286,13 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
 		pb->bio_submitted = true;
 
 		/*
-		 * Map reads as normal only if corrupt_bio_byte set.
+		 * Error reads if neither corrupt_bio_byte or drop_writes are set.
+		 * Otherwise, flakey_end_io() will decide if the reads should be modified.
 		 */
 		if (bio_data_dir(bio) == READ) {
-			/* If flags were specified, only corrupt those that match. */
-			if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
-			    all_corrupt_bio_flags_match(bio, fc))
-				goto map_bio;
-			else
+			if (!fc->corrupt_bio_byte && !test_bit(DROP_WRITES, &fc->flags))
 				return -EIO;
+			goto map_bio;
 		}
 
 		/*
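Review bot: In flakey_map(), the READ branch no longer checks fc->corrupt_bio_rw or all_corrupt_bio_flags_match(), so with corrupt_bio_byte configured for writes and drop_writes unset, a read is now submitted to the underlying device and only failed later in flakey_end_io(), where it used to return -EIO immediately. If that extra I/O is intended, say so in the comment. The comment should also read "neither corrupt_bio_byte nor drop_writes".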
@@ -331,14 +329,21 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, int error)
 	struct flakey_c *fc = ti->private;
 	struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
 
-	/*
-	 * Corrupt successful READs while in down state.
-	 */
 	if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
-		if (fc->corrupt_bio_byte)
+		if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+		    all_corrupt_bio_flags_match(bio, fc)) {
+			/*
+			 * Corrupt successful matching READs while in down state.
+			 */
 			corrupt_bio_data(bio, fc);
-		else
+
+		} else if (!test_bit(DROP_WRITES, &fc->flags)) {
+			/*
+			 * Error read during the down_interval if drop_writes
+			 * wasn't configured.
+			 */
 			return -EIO;
+		}
 	}
 
 	return error;
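Review bot: In flakey_end_io(), a successful READ during the down interval now has three outcomes (corrupted, failed with -EIO, or passed through unmodified when drop_writes is set), and the pass-through case is not documented anywhere now that the summary comment above the outer if has been removed. Restore a short comment there listing all three. There is also a stray blank line between corrupt_bio_data(bio, fc); and the "} else if" that follows.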
-- 
2.10.0



* [patch added to 3.12-stable] x86/paravirt: Do not trace _paravirt_ident_*() functions
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (2 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] dm flakey: fix reads to be issued if drop_writes configured Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] kvm-arm: Unmap shadow pagetables properly Jiri Slaby
                   ` (37 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Steven Rostedt, Linus Torvalds, Jiri Slaby

From: Steven Rostedt <rostedt@goodmis.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.

Łukasz Daniluk reported that on a RHEL kernel his machine would lock up
after enabling function tracer. I asked him to bisect the functions within
available_filter_functions, which he did and it came down to three:

  _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()

It was found that this is only an issue when noreplace-paravirt is added
to the kernel command line.

This means that those functions are most likely called within critical
sections of the function tracer, and must not be traced.

In newer kernels _paravirt_nop() is defined within gcc asm(), and is no
longer an issue.  But both _paravirt_ident_{32,64}() cause the
following splat when they are traced:

 mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
 mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
 mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
 mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
 NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
 Modules linked in: e1000e
 CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
 task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
 RIP: 0010:[<ffffffff81134148>]  [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
 RSP: 0018:ffff8800d4aefb90  EFLAGS: 00000246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
 RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
 RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
 R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
 R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
 FS:  00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
 Call Trace:
   _raw_spin_lock+0x27/0x30
   handle_pte_fault+0x13db/0x16b0
   handle_mm_fault+0x312/0x670
   __do_page_fault+0x1b1/0x4e0
   do_page_fault+0x22/0x30
   page_fault+0x28/0x30
   __vfs_read+0x28/0xe0
   vfs_read+0x86/0x130
   SyS_read+0x46/0xa0
   entry_SYSCALL_64_fastpath+0x1e/0xa8
 Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b

Reported-by: Łukasz Daniluk <lukasz.daniluk@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kernel/paravirt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
index 45c2045692bd..dd77b84fb54f 100644
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -54,12 +54,12 @@ asm (".pushsection .entry.text, \"ax\"\n"
      ".popsection");
 
 /* identity function, which can be inlined */
-u32 _paravirt_ident_32(u32 x)
+u32 notrace _paravirt_ident_32(u32 x)
 {
 	return x;
 }
 
-u64 _paravirt_ident_64(u64 x)
+u64 notrace _paravirt_ident_64(u64 x)
 {
 	return x;
 }
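Review bot: Nothing at the two notrace annotations says why these functions must be excluded from tracing, and the existing comment ("identity function, which can be inlined") gives no hint. Add a short comment that, per the commit message, they are most likely called within critical sections of the function tracer when noreplace-paravirt is on the command line, so the annotation is not dropped in a later cleanup.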
-- 
2.10.0



* [patch added to 3.12-stable] kvm-arm: Unmap shadow pagetables properly
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (3 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] x86/paravirt: Do not trace _paravirt_ident_*() functions Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] iio: accel: kxsd9: Fix raw read return Jiri Slaby
                   ` (36 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable
  Cc: Suzuki K Poulose, Marc Zyngier, Catalin Marinas,
	Christoffer Dall, Jiri Slaby

From: Suzuki K Poulose <suzuki.poulose@arm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 293f293637b55db4f9f522a5a72514e98a541076 upstream.

On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
the userspace buffer gets unmapped. However, when the Hypervisor
process exits without explicit unmap of the guest buffers, the only
notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
) which does nothing on arm. Later this causes us to access pages that
were already released [via exit_mmap() -> unmap_vmas()] when we actually
get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
which unmaps any free'd pages from the linear map.

 [  757.644120] Unable to handle kernel paging request at virtual address
  ffff800661e00000
 [  757.652046] pgd = ffff20000b1a2000
 [  757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
  *pmd=00000047fcc7c003, *pte=00e8004661e00712
 [  757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
 [  757.672041] Modules linked in:
 [  757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G      D
 4.8.0-rc1 #3
 [  757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
  BIOS 3.06.15 Aug 19 2016
 [  757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
 [  757.698840] PC is at __flush_dcache_area+0x1c/0x40
 [  757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
 [  757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
 ...
 [  758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
 [  758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
 [  758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
 [  758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
 [  758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
 [  758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
 [  758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
 [  758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
 [  758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
 [  758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
 [  758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
 [  758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
 [  758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
 [  758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
 [  758.432608] [<ffff200008083624>] work_pending+0x10/0x14
 [  758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)

This patch fixes the issue by moving the kvm_free_stage2_pgd() to
kvm_arch_flush_shadow_all().

Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
Reported-by: James Morse <james.morse@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/kvm/arm.c | 2 --
 arch/arm/kvm/mmu.c | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
index 28b60461936e..25e58d390640 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -163,8 +163,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
 {
 	int i;
 
-	kvm_free_stage2_pgd(kvm);
-
 	for (i = 0; i < KVM_MAX_VCPUS; ++i) {
 		if (kvm->vcpus[i]) {
 			kvm_arch_vcpu_free(kvm->vcpus[i]);
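Review bot: With kvm_free_stage2_pgd() removed from kvm_arch_destroy_vm(), the stage2 tables are freed only if kvm_arch_flush_shadow_all() has already run by the time this function is reached. Document that dependency here, and confirm there is no path into kvm_arch_destroy_vm() that skips the release notifier, since such a path would now leave the pgd allocated.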
diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
index 87a2769898ac..683cac91a7f6 100644
--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -1096,6 +1096,7 @@ void kvm_arch_memslots_updated(struct kvm *kvm)
 
 void kvm_arch_flush_shadow_all(struct kvm *kvm)
 {
+	kvm_free_stage2_pgd(kvm);
 }
 
 void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
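Review bot: kvm_arch_flush_shadow_all() now frees the stage2 pgd with no comment explaining why teardown lives in a flush callback. Note in the function body that this is the only notification received when the hypervisor process exits without unmapping the guest buffers, and confirm that kvm_free_stage2_pgd() is safe if it is reached more than once for the same VM.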
-- 
2.10.0



* [patch added to 3.12-stable] iio: accel: kxsd9: Fix raw read return
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (4 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] kvm-arm: Unmap shadow pagetables properly Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] iio: accel: kxsd9: Fix scaling bug Jiri Slaby
                   ` (35 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Linus Walleij, Jonathan Cameron, Jiri Slaby

From: Linus Walleij <linus.walleij@linaro.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.

Any readings from the raw interface of the KXSD9 driver will
return an empty string, because it does not return
IIO_VAL_INT but rather some random value from the accelerometer
to the caller.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/iio/accel/kxsd9.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
index 61dcbcf73c22..39220a11f530 100644
--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
 		if (ret < 0)
 			goto error_ret;
 		*val = ret;
+		ret = IIO_VAL_INT;
 		break;
 	case IIO_CHAN_INFO_SCALE:
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
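Review bot: In the raw-read case, ret carries the reading, is copied to *val, and is then overwritten with IIO_VAL_INT; using one variable for both data and status is what hid the original bug. A separate local for the reading, or a comment on the "ret = IIO_VAL_INT;" line, would keep the next case added to this switch from repeating it.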
-- 
2.10.0



* [patch added to 3.12-stable] iio: accel: kxsd9: Fix scaling bug
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (5 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] iio: accel: kxsd9: Fix raw read return Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] USB: serial: simple: add support for another Infineon flashloader Jiri Slaby
                   ` (34 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Linus Walleij, Jonathan Cameron, Jiri Slaby

From: Linus Walleij <linus.walleij@linaro.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.

All the scaling of the KXSD9 involves multiplication with a
fraction number < 1.

However the scaling value returned from IIO_INFO_SCALE was
unpredictable as only the micros of the value was assigned, and
not the integer part, resulting in scaling like this:

$cat in_accel_scale
-1057462640.011978

Fix this by assigning zero to the integer part.

Tested-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/iio/accel/kxsd9.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
index 39220a11f530..ed60a8806f01 100644
--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
 		if (ret < 0)
 			goto error_ret;
+		*val = 0;
 		*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
 		ret = IIO_VAL_INT_PLUS_MICRO;
 		break;
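Review bot: The new "*val = 0;" in the IIO_CHAN_INFO_SCALE case has no comment. A one-line note that every KXSD9 scale is a fraction below 1, so the integer part returned with IIO_VAL_INT_PLUS_MICRO is always zero, would explain why a constant is correct here.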
-- 
2.10.0



* [patch added to 3.12-stable] USB: serial: simple: add support for another Infineon flashloader
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (6 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] iio: accel: kxsd9: Fix scaling bug Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Jiri Slaby
                   ` (33 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Daniele Palmas, Johan Hovold, Jiri Slaby

From: Daniele Palmas <dnlplm@gmail.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.

This patch adds support for Infineon flashloader 0x8087/0x0801.

The flashloader is used in Telit LE940B modem family with Telit
flashing application.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/usb-serial-simple.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
index 13630428700e..5e27cd10ad3a 100644
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -49,7 +49,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
 /* Infineon Flashloader driver */
 #define FLASHLOADER_IDS()		\
 	{ USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
-	{ USB_DEVICE(0x8087, 0x0716) }
+	{ USB_DEVICE(0x8087, 0x0716) }, \
+	{ USB_DEVICE(0x8087, 0x0801) }
 DEVICE(flashloader, FLASHLOADER_IDS);
 
 /* Google Serial USB SubClass */
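Review bot: The added { USB_DEVICE(0x8087, 0x0801) } entry carries no comment identifying the device, and unlike the first entry in FLASHLOADER_IDS() it matches on vendor and product ID alone. Add a trailing comment naming the Telit LE940B flashloader, and confirm that binding every interface of this device to the simple serial driver is intended.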
-- 
2.10.0



* [patch added to 3.12-stable] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (7 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] USB: serial: simple: add support for another Infineon flashloader Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] USB: change bInterval default to 10 ms Jiri Slaby
                   ` (32 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Yoshihiro Shimoda, Felipe Balbi, Jiri Slaby

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream.

The previous driver is possible to stop the transfer wrongly.
For example:
 1) An interrupt happens, but not BRDY interruption.
 2) Read INTSTS0. And then state->intsts0 is not set to BRDY.
 3) BRDY is set to 1 here.
 4) Read BRDYSTS.
 5) Clear the BRDYSTS. And then, the BRDY is cleared wrongly.

Remarks:
 - The INTSTS0.BRDY is read only.
  - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
  - If BRDYSTS is 0, the BRDY is set to 0.

So, this patch adds condition to avoid such situation. (And about
NRDYSTS, this is not used for now. But, avoiding any side effects,
this patch doesn't touch it.)

Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/renesas_usbhs/mod.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/renesas_usbhs/mod.c b/drivers/usb/renesas_usbhs/mod.c
index 6a030b931a3b..254194d61915 100644
--- a/drivers/usb/renesas_usbhs/mod.c
+++ b/drivers/usb/renesas_usbhs/mod.c
@@ -272,9 +272,16 @@ static irqreturn_t usbhs_interrupt(int irq, void *data)
 	usbhs_write(priv, INTSTS0, ~irq_state.intsts0 & INTSTS0_MAGIC);
 	usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
 
-	usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+	/*
+	 * The driver should not clear the xxxSTS after the line of
+	 * "call irq callback functions" because each "if" statement is
+	 * possible to call the callback function for avoiding any side effects.
+	 */
+	if (irq_state.intsts0 & BRDY)
+		usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
 	usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
-	usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+	if (irq_state.intsts0 & BEMP)
+		usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
 
 	/*
 	 * call irq callback functions
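Review bot: The comment added above "if (irq_state.intsts0 & BRDY)" does not explain the condition it guards. State the actual reason: a BRDYSTS or BEMPSTS bit can become set after INTSTS0 was sampled, and clearing it without BRDY/BEMP having been seen in intsts0 drops an event that no callback will handle. Also note next to the unconditional NRDYSTS write that it is left unguarded deliberately.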
-- 
2.10.0



* [patch added to 3.12-stable] USB: change bInterval default to 10 ms
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (8 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] ARM: OMAP3: hwmod data: Add sysc information for DSI Jiri Slaby
                   ` (31 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Alan Stern, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.

Some full-speed mceusb infrared transceivers contain invalid endpoint
descriptors for their interrupt endpoints, with bInterval set to 0.
In the past they have worked out okay with the mceusb driver, because
the driver sets the bInterval field in the descriptor to 1,
overwriting whatever value may have been there before.  However, this
approach was never sanctioned by the USB core, and in fact it does not
work with xHCI controllers, because they use the bInterval value that
was present when the configuration was installed.

Currently usbcore uses 32 ms as the default interval if the value in
the endpoint descriptor is invalid.  It turns out that these IR
transceivers don't work properly unless the interval is set to 10 ms
or below.  To work around this mceusb problem, this patch changes the
endpoint-descriptor parsing routine, making the default interval value
be 10 ms rather than 32 ms.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Wade Berrier <wberrier@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/config.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 666cd3641d31..ce6225959f2c 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -213,8 +213,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 	memcpy(&endpoint->desc, d, n);
 	INIT_LIST_HEAD(&endpoint->urb_list);
 
-	/* Fix up bInterval values outside the legal range. Use 32 ms if no
-	 * proper value can be guessed. */
+	/*
+	 * Fix up bInterval values outside the legal range.
+	 * Use 10 or 8 ms if no proper value can be guessed.
+	 */
 	i = 0;		/* i = min, j = max, n = default */
 	j = 255;
 	if (usb_endpoint_xfer_int(d)) {
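Review bot: The rewritten comment above `i = 0;` says "Use 10 or 8 ms" without saying which default applies to which case. Suggest spelling it out, for example 10 ms for full- and low-speed interrupt endpoints and 8 ms for the high-speed and faster cases, so the comment matches the per-speed values set further down in the function.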
@@ -223,13 +225,15 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 		case USB_SPEED_SUPER_PLUS:
 		case USB_SPEED_SUPER:
 		case USB_SPEED_HIGH:
-			/* Many device manufacturers are using full-speed
+			/*
+			 * Many device manufacturers are using full-speed
 			 * bInterval values in high-speed interrupt endpoint
-			 * descriptors. Try to fix those and fall back to a
-			 * 32 ms default value otherwise. */
+			 * descriptors. Try to fix those and fall back to an
+			 * 8-ms default value otherwise.
+			 */
 			n = fls(d->bInterval*8);
 			if (n == 0)
-				n = 9;	/* 32 ms = 2^(9-1) uframes */
+				n = 7;	/* 8 ms = 2^(7-1) uframes */
 			j = 16;
 
 			/*
@@ -244,10 +248,12 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 			}
 			break;
 		default:		/* USB_SPEED_FULL or _LOW */
-			/* For low-speed, 10 ms is the official minimum.
+			/*
+			 * For low-speed, 10 ms is the official minimum.
 			 * But some "overclocked" devices might want faster
-			 * polling so we'll allow it. */
-			n = 32;
+			 * polling so we'll allow it.
+			 */
+			n = 10;
 			break;
 		}
 	} else if (usb_endpoint_xfer_isoc(d)) {
@@ -255,10 +261,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 		j = 16;
 		switch (to_usb_device(ddev)->speed) {
 		case USB_SPEED_HIGH:
-			n = 9;		/* 32 ms = 2^(9-1) uframes */
+			n = 7;		/* 8 ms = 2^(7-1) uframes */
 			break;
 		default:		/* USB_SPEED_FULL */
-			n = 6;		/* 32 ms = 2^(6-1) frames */
+			n = 4;		/* 8 ms = 2^(4-1) frames */
 			break;
 		}
 	}
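Review bot: The isochronous defaults at `n = 7` and `n = 4` move from 32 ms to 8 ms as well, but the changelog only motivates the change for interrupt endpoints on the mceusb transceivers, and the subject "change bInterval default to 10 ms" does not cover these two values. Either explain the isochronous change in the commit message or split it into its own patch.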
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] ARM: OMAP3: hwmod data: Add sysc information for DSI
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (9 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] USB: change bInterval default to 10 ms Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Jiri Slaby
                   ` (30 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Sebastian Reichel, Tony Lindgren, Jiri Slaby

From: Sebastian Reichel <sre@kernel.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.

Add missing sysconfig/sysstatus information
to OMAP3 hwmod. The information has been
checked against OMAP34xx and OMAP36xx TRM.

Without this change DSI block is not reset
during boot, which is required for working
Nokia N950 display.

Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
index 857e76c38a15..3af7680530a6 100644
--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -724,8 +724,20 @@ static struct omap_hwmod omap3xxx_dss_dispc_hwmod = {
  * display serial interface controller
  */
 
+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+	.rev_offs	= 0x0000,
+	.sysc_offs	= 0x0010,
+	.syss_offs	= 0x0014,
+	.sysc_flags	= (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+			   SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+			   SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+	.idlemodes	= (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+	.sysc_fields	= &omap_hwmod_sysc_type1,
+};
+
 static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
 	.name = "dsi",
+	.sysc	= &omap3xxx_dsi_sysc,
 };
 
 static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
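Review bot: In `omap3xxx_dsi_hwmod_class`, the added `.sysc` member is tab-aligned while the neighbouring `.name = "dsi",` uses a single space; pick one style within the initializer. A one-line comment above `omap3xxx_dsi_sysc` noting that the 0x0010 and 0x0014 offsets were checked against the OMAP34xx and OMAP36xx TRM, as the changelog states, would also help later readers.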
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (10 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] ARM: OMAP3: hwmod data: Add sysc information for DSI Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] crypto: cryptd - initialize child shash_desc on import Jiri Slaby
                   ` (29 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Will Deacon, Peter Zijlstra, Catalin Marinas, Jiri Slaby

From: Will Deacon <will.deacon@arm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.

smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
to a full barrier, such that prior stores are ordered with respect to
loads and stores occurring inside the critical section.

Unfortunately, the core code defines the barrier as smp_wmb(), which
is insufficient to provide the required ordering guarantees when used in
conjunction with our load-acquire-based spinlock implementation.

This patch overrides the arm64 definition of smp_mb__before_spinlock()
to map to a full smp_mb().

Cc: Peter Zijlstra <peterz@infradead.org>
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/include/asm/spinlock.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm64/include/asm/spinlock.h b/arch/arm64/include/asm/spinlock.h
index 0defa0728a9b..c3cab6f87de4 100644
--- a/arch/arm64/include/asm/spinlock.h
+++ b/arch/arm64/include/asm/spinlock.h
@@ -200,4 +200,14 @@ static inline int arch_read_trylock(arch_rwlock_t *rw)
 #define arch_read_relax(lock)	cpu_relax()
 #define arch_write_relax(lock)	cpu_relax()
 
+/*
+ * Accesses appearing in program order before a spin_lock() operation
+ * can be reordered with accesses inside the critical section, by virtue
+ * of arch_spin_lock being constructed using acquire semantics.
+ *
+ * In cases where this is problematic (e.g. try_to_wake_up), an
+ * smp_mb__before_spinlock() can restore the required ordering.
+ */
+#define smp_mb__before_spinlock()	smp_mb()
+
 #endif /* __ASM_SPINLOCK_H */
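Review bot: The new `smp_mb__before_spinlock()` define at the end of the header is unconditional, so it only acts as an override if the core definition is wrapped in `#ifndef smp_mb__before_spinlock` and this header is seen first; otherwise the build gets a redefinition or the smp_wmb() version still wins. Neither condition is visible in this hunk, so please confirm the 3.12 core header carries that guard before this is queued.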
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] crypto: cryptd - initialize child shash_desc on import
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (11 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] microblaze: fix __get_user() Jiri Slaby
                   ` (28 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Ard Biesheuvel, Herbert Xu, Jiri Slaby

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.

When calling .import() on a cryptd ahash_request, the structure members
that describe the child transform in the shash_desc need to be initialized
like they are when calling .init()

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 crypto/cryptd.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 75c415d37086..d85fab975514 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct ahash_request *req, void *out)
 
 static int cryptd_hash_import(struct ahash_request *req, const void *in)
 {
-	struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+	struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
+	struct shash_desc *desc = cryptd_shash_desc(req);
+
+	desc->tfm = ctx->child;
+	desc->flags = req->base.flags;
 
-	return crypto_shash_import(&rctx->desc, in);
+	return crypto_shash_import(desc, in);
 }
 
 static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
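Review bot: `cryptd_hash_import()` now depends on `cryptd_shash_desc(req)`, which this hunk does not introduce, so the 3.12 backport only builds if that helper already exists in the tree; worth confirming. The changelog also says the fields are initialized as in .init(), while here `desc->flags` is taken from `req->base.flags`; a short comment stating that this matches what the init path sets would make the equivalence checkable from the code.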
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] microblaze: fix __get_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (12 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] crypto: cryptd - initialize child shash_desc on import Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] avr32: fix copy_from_user() Jiri Slaby
                   ` (27 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/microblaze/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
index 0aa005703a0b..19f8f415c034 100644
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -226,7 +226,7 @@ extern long __user_bad(void);
 
 #define __get_user(x, ptr)						\
 ({									\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	/*unsigned long __gu_ptr = (unsigned long)(ptr);*/		\
 	long __gu_err;							\
 	switch (sizeof(*(ptr))) {					\
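Review bot: The commit message has no body, so nothing explains why `__gu_val` in `__get_user()` gains an `= 0` initializer. Suggest one sentence saying that a failing access must leave zero in `x` rather than whatever was on the stack, and that this relies on the per-size helpers under the `switch` not writing `__gu_val` when they fault.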
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] avr32: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (13 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] microblaze: fix __get_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] microblaze: " Jiri Slaby
                   ` (26 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.

really ugly, but apparently avr32 compilers turn access_ok() into
something so bad that they want it in assembler.  Left that way,
zeroing added in inline wrapper.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
 arch/avr32/kernel/avr32_ksyms.c  |  2 +-
 arch/avr32/lib/copy_user.S       |  4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/arch/avr32/include/asm/uaccess.h b/arch/avr32/include/asm/uaccess.h
index 245b2ee213c9..a0a9b8c31041 100644
--- a/arch/avr32/include/asm/uaccess.h
+++ b/arch/avr32/include/asm/uaccess.h
@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void *to, const void *from,
 
 extern __kernel_size_t copy_to_user(void __user *to, const void *from,
 				    __kernel_size_t n);
-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
+extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
 				      __kernel_size_t n);
 
 static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_from_user(void *to,
 {
 	return __copy_user(to, (const void __force *)from, n);
 }
+static inline __kernel_size_t copy_from_user(void *to,
+					       const void __user *from,
+					       __kernel_size_t n)
+{
+	size_t res = ___copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
+}
 
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
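Review bot: In the new inline `copy_from_user()`, `res` is declared `size_t` while the function itself and `___copy_from_user()` both use `__kernel_size_t`; use the same type for `res`. The wrapper is also placed directly after the closing brace of `__copy_from_user()` with no blank line separating the two functions.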
diff --git a/arch/avr32/kernel/avr32_ksyms.c b/arch/avr32/kernel/avr32_ksyms.c
index d93ead02daed..7c6cf14f0985 100644
--- a/arch/avr32/kernel/avr32_ksyms.c
+++ b/arch/avr32/kernel/avr32_ksyms.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
 /*
  * Userspace access stuff.
  */
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(___copy_from_user);
 EXPORT_SYMBOL(copy_to_user);
 EXPORT_SYMBOL(__copy_user);
 EXPORT_SYMBOL(strncpy_from_user);
diff --git a/arch/avr32/lib/copy_user.S b/arch/avr32/lib/copy_user.S
index ea59c04b07de..96a6de9d578f 100644
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -25,11 +25,11 @@
 	.align	1
 	.global	copy_from_user
 	.type	copy_from_user, @function
-copy_from_user:
+___copy_from_user:
 	branch_if_kernel r8, __copy_user
 	ret_if_privileged r8, r11, r10, r10
 	rjmp	__copy_user
-	.size	copy_from_user, . - copy_from_user
+	.size	___copy_from_user, . - ___copy_from_user
 
 	.global	copy_to_user
 	.type	copy_to_user, @function
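Review bot: Only the label and the `.size` line are renamed to `___copy_from_user`; the unchanged `.global` and `.type` directives just above the label still name `copy_from_user`. As written, `___copy_from_user` is not declared global, so the `extern` declaration in uaccess.h and the `EXPORT_SYMBOL(___copy_from_user)` in avr32_ksyms.c have no global symbol to resolve against. Both directives need the same rename.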
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] microblaze: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (14 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] avr32: fix copy_from_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] fix minor infoleak in get_user_ex() Jiri Slaby
                   ` (25 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/microblaze/include/asm/uaccess.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
index 19f8f415c034..1858887105ba 100644
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -371,10 +371,13 @@ extern long __user_bad(void);
 static inline long copy_from_user(void *to,
 		const void __user *from, unsigned long n)
 {
+	unsigned long res = n;
 	might_fault();
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_from_user(to, from, n);
-	return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 #define __copy_to_user(to, from, n)	\
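Review bot: The commit message is empty, yet `copy_from_user()` changes behaviour in two places: a fault part-way through now zeroes the uncopied tail, and because `res` starts at `n`, a failed `access_ok()` now zeroes the whole destination. Both deserve a sentence in the changelog. Also note `res` is `unsigned long` while the function returns `long`, so `return res;` converts implicitly.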
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] fix minor infoleak in get_user_ex()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (15 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] microblaze: " Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] mn10300: failing __get_user() and get_user() should zero Jiri Slaby
                   ` (24 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Al Viro, Linus Torvalds, Jiri Slaby

From: Al Viro <viro@ZenIV.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.

get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
(at most we are leaking uninitialized 64bit value off the kernel stack,
and in a fairly constrained situation, at that), but the fix is trivial,
so...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ This sat in different branch from the uaccess fixes since mid-August ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/include/asm/uaccess.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 5838fa911aa0..01635e4e187a 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -383,7 +383,11 @@ do {									\
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
 	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
 		     "2:\n"						\
-		     _ASM_EXTABLE_EX(1b, 2b)				\
+		     ".section .fixup,\"ax\"\n"				\
+                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
+		     "  jmp 2b\n"					\
+		     ".previous\n"					\
+		     _ASM_EXTABLE_EX(1b, 3b)				\
 		     : ltype(x) : "m" (__m(addr)))
 
 #define __put_user_nocheck(x, ptr, size)			\
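Review bot: The added fixup line starting `"3:xor"itype"` is indented with spaces only, while every other line of the asm statement in `__get_user_asm_ex()` is indented with tabs; re-indent it to match. A brief comment that label 3 zeroes the output register before jumping back to `2b` would also document why the extable entry now points at `3b` instead of `2b`.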
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] mn10300: failing __get_user() and get_user() should zero
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (16 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] fix minor infoleak in get_user_ex() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] m32r: fix __get_user() Jiri Slaby
                   ` (23 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mn10300/include/asm/uaccess.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/mn10300/include/asm/uaccess.h b/arch/mn10300/include/asm/uaccess.h
index 537278746a15..4af43d9ba495 100644
--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -181,6 +181,7 @@ struct __large_struct { unsigned long buf[100]; };
 		"2:\n"						\
 		"	.section	.fixup,\"ax\"\n"	\
 		"3:\n\t"					\
+		"	mov		0,%1\n"			\
 		"	mov		%3,%0\n"		\
 		"	jmp		2b\n"			\
 		"	.previous\n"				\
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] m32r: fix __get_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (17 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] mn10300: failing __get_user() and get_user() should zero Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] sh64: failing __get_user() should zero Jiri Slaby
                   ` (22 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/m32r/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/m32r/include/asm/uaccess.h b/arch/m32r/include/asm/uaccess.h
index 84fe7ba53035..c393e8f57cf7 100644
--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_regs *regs);
 #define __get_user_nocheck(x,ptr,size)					\
 ({									\
 	long __gu_err = 0;						\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	might_fault();							\
 	__get_user_size(__gu_val,(ptr),(size),__gu_err);		\
 	(x) = (__typeof__(*(ptr)))__gu_val;				\
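Review bot: The subject says __get_user(), but the hunk only touches `__get_user_nocheck()` and the commit message has no body. A line stating that the `= 0` initializer makes a faulting read store 0 into `(x)` through the unchanged `(x) = (__typeof__(*(ptr)))__gu_val;` assignment would make the intent and the scope of the fix clear.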
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] sh64: failing __get_user() should zero
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (18 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] m32r: fix __get_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] score: fix __get_user/get_user Jiri Slaby
                   ` (21 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.

It could be done in exception-handling bits in __get_user_b() et al.,
but the surgery involved would take more knowledge of sh64 details
than I have or _want_ to have.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/sh/include/asm/uaccess_64.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/sh/include/asm/uaccess_64.h b/arch/sh/include/asm/uaccess_64.h
index 2e07e0f40c6a..a2f9d0531328 100644
--- a/arch/sh/include/asm/uaccess_64.h
+++ b/arch/sh/include/asm/uaccess_64.h
@@ -24,6 +24,7 @@
 #define __get_user_size(x,ptr,size,retval)			\
 do {								\
 	retval = 0;						\
+	x = 0;							\
 	switch (size) {						\
 	case 1:							\
 		retval = __get_user_asm_b((void *)&x,		\
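Review bot: The added `x = 0;` in `__get_user_size()` uses the macro argument unparenthesized; write `(x) = 0;` so that an expression argument expands safely. The store also happens on every call, before the `switch`, not only on the failure path the subject line describes; that is harmless but worth a word in a comment.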
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] score: fix __get_user/get_user
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (19 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] sh64: failing __get_user() should zero Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] s390: get_user() should zero on failure Jiri Slaby
                   ` (20 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.

* should zero on any failure
* __get_user() should use __copy_from_user(), not copy_from_user()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/score/include/asm/uaccess.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/score/include/asm/uaccess.h b/arch/score/include/asm/uaccess.h
index ab66ddde777b..c882d961e5b8 100644
--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -158,7 +158,7 @@ do {									\
 		__get_user_asm(val, "lw", ptr);				\
 		 break;							\
 	case 8: 							\
-		if ((copy_from_user((void *)&val, ptr, 8)) == 0)	\
+		if (__copy_from_user((void *)&val, ptr, 8) == 0)	\
 			__gu_err = 0;					\
 		else							\
 			__gu_err = -EFAULT;				\
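Review bot: In the `case 8:` branch, the `else` arm sets `__gu_err = -EFAULT` but nothing in the visible lines clears `val`, so a fault part-way through `__copy_from_user()` can leave it partially filled, which falls short of the changelog's "should zero on any failure". Suggest zeroing `val` in that `else` arm next to `__gu_err = -EFAULT;`, or stating in a comment that `__copy_from_user()` already guarantees it.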
@@ -183,6 +183,8 @@ do {									\
 									\
 	if (likely(access_ok(VERIFY_READ, __gu_ptr, size)))		\
 		__get_user_common((x), size, __gu_ptr);			\
+	else								\
+		(x) = 0;						\
 									\
 	__gu_err;							\
 })
@@ -196,6 +198,7 @@ do {									\
 		"2:\n"							\
 		".section .fixup,\"ax\"\n"				\
 		"3:li	%0, %4\n"					\
+		"li	%1, 0\n"					\
 		"j	2b\n"						\
 		".previous\n"						\
 		".section __ex_table,\"a\"\n"				\
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] s390: get_user() should zero on failure
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (20 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] score: fix __get_user/get_user Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06   ` Jiri Slaby
                   ` (19 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/s390/include/asm/uaccess.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
index 9c33ed4e666f..b6017ace1515 100644
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -164,28 +164,28 @@ extern int __put_user_bad(void) __attribute__((noreturn));
 	__chk_user_ptr(ptr);					\
 	switch (sizeof(*(ptr))) {				\
 	case 1: {						\
-		unsigned char __x;				\
+		unsigned char __x = 0;				\
 		__gu_err = __get_user_fn(sizeof (*(ptr)),	\
 					 ptr, &__x);		\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 2: {						\
-		unsigned short __x;				\
+		unsigned short __x = 0;				\
 		__gu_err = __get_user_fn(sizeof (*(ptr)),	\
 					 ptr, &__x);		\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 4: {						\
-		unsigned int __x;				\
+		unsigned int __x = 0;				\
 		__gu_err = __get_user_fn(sizeof (*(ptr)),	\
 					 ptr, &__x);		\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 8: {						\
-		unsigned long long __x;				\
+		unsigned long long __x = 0;			\
 		__gu_err = __get_user_fn(sizeof (*(ptr)),	\
 					 ptr, &__x);		\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
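Review bot: The `= 0` initializers in cases 1, 2, 4 and 8 only yield a zero result if `__get_user_fn()` leaves `__x` untouched when it fails; that behaviour is outside this hunk and the commit message has no body to state it. Suggest a sentence in the changelog spelling out that assumption, so the four identical changes can be checked against the helper.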
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] ARC: uaccess: get_user to zero out dest in cause of fault
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
@ 2016-09-29  9:06   ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] NFSv4.x: Fix a refcount leak in nfs_callback_up_net Jiri Slaby
                     ` (40 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable
  Cc: Vineet Gupta, Linus Torvalds, linux-snps-arc, linux-kernel,
	Vineet Gupta, Al Viro, Jiri Slaby

From: Vineet Gupta <Vineet.Gupta1@synopsys.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.

Al reported potential issue with ARC get_user() as it wasn't clearing
out destination pointer in case of fault due to bad address etc.

Verified using following

| {
|  	u32 bogus1 = 0xdeadbeef;
|	u64 bogus2 = 0xdead;
|	int rc1, rc2;
|
|  	pr_info("Orig values %x %llx\n", bogus1, bogus2);
|	rc1 = get_user(bogus1, (u32 __user *)0x40000000);
|	rc2 = get_user(bogus2, (u64 __user *)0x50000000);
|	pr_info("access %d %d, new values %x %llx\n",
|		rc1, rc2, bogus1, bogus2);
| }

| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
| Orig values deadbeef dead
| access -14 -14, new values 0 0

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-snps-arc@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arc/include/asm/uaccess.h | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
index 30c9baffa96f..08770c750696 100644
--- a/arch/arc/include/asm/uaccess.h
+++ b/arch/arc/include/asm/uaccess.h
@@ -83,7 +83,10 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\
@@ -101,7 +104,11 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
+	"	mov %R1, 0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\
-- 
2.10.0

^ permalink raw reply related	[flat|nested] 44+ messages in thread

* [patch added to 3.12-stable] ARC: uaccess: get_user to zero out dest in cause of fault
@ 2016-09-29  9:06   ` Jiri Slaby
  0 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: linux-snps-arc

From: Vineet Gupta <Vineet.Gupta1@synopsys.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.

Al reported potential issue with ARC get_user() as it wasn't clearing
out destination pointer in case of fault due to bad address etc.

Verified using following

| {
|  	u32 bogus1 = 0xdeadbeef;
|	u64 bogus2 = 0xdead;
|	int rc1, rc2;
|
|  	pr_info("Orig values %x %llx\n", bogus1, bogus2);
|	rc1 = get_user(bogus1, (u32 __user *)0x40000000);
|	rc2 = get_user(bogus2, (u64 __user *)0x50000000);
|	pr_info("access %d %d, new values %x %llx\n",
|		rc1, rc2, bogus1, bogus2);
| }

| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
| Orig values deadbeef dead
| access -14 -14, new values 0 0

Reported-by: Al Viro <viro at ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: linux-snps-arc at lists.infradead.org
Cc: linux-kernel at vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta at synopsys.com>
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby at suse.cz>
---
 arch/arc/include/asm/uaccess.h | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
index 30c9baffa96f..08770c750696 100644
--- a/arch/arc/include/asm/uaccess.h
+++ b/arch/arc/include/asm/uaccess.h
@@ -83,7 +83,10 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\
@@ -101,7 +104,11 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
+	"	mov %R1, 0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\
-- 
2.10.0
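
Review bot: in the second hunk (the 64-bit fixup at label 3), the added "mov %R1, 0" is not demonstrated by the test quoted in the changelog. bogus2 starts as 0xdead, so its upper 32 bits are already zero and the output "new values 0 0" cannot show that both moves are needed. Re-running the check with a value whose two 32-bit halves are both non-zero would confirm that the whole register pair is cleared. A short comment saying that %R1 is the other register of the 64-bit pair would also help readers of the fixup.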


* [patch added to 3.12-stable] asm-generic: make get_user() clear the destination on errors
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (22 preceding siblings ...)
  2016-09-29  9:06   ` Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] frv: fix clear_user() Jiri Slaby
                   ` (17 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.

both for access_ok() failures and for faults halfway through

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/asm-generic/uaccess.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index dc1269c74a52..a79424155cfe 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -228,14 +228,18 @@ extern int __put_user_bad(void) __attribute__((noreturn));
 	might_fault();						\
 	access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?		\
 		__get_user(x, ptr) :				\
-		-EFAULT;					\
+		((x) = (__typeof__(*(ptr)))0,-EFAULT);		\
 })
 
 #ifndef __get_user_fn
 static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
 {
-	size = __copy_from_user(x, ptr, size);
-	return size ? -EFAULT : size;
+	size_t n = __copy_from_user(x, ptr, size);
+	if (unlikely(n)) {
+		memset(x + (size - n), 0, n);
+		return -EFAULT;
+	}
+	return 0;
 }
 
 #define __get_user_fn(sz, u, k)	__get_user_fn(sz, u, k)
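
Review bot: __get_user_fn() now has a second contract (the uncopied tail of x is zeroed on a fault) that is not documented anywhere in the hunk; a one-line comment above the function stating that it returns 0 or -EFAULT and leaves no stale bytes in x would make that explicit for architectures that override it. Two style points in the same function: kernel style wants a blank line between the declaration "size_t n = ..." and the following if, and "x + (size - n)" does arithmetic on a void pointer, which is a GNU extension and reads more clearly with an explicit byte-pointer cast. In the macro above it, the added "0,-EFAULT" is missing the space after the comma.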
-- 
2.10.0



* [patch added to 3.12-stable] frv: fix clear_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (23 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] asm-generic: make get_user() clear the destination on errors Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] cris: buggered copy_from_user/copy_to_user/clear_user Jiri Slaby
                   ` (16 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.

It should check access_ok().  Otherwise a bunch of places turn into
trivially exploitable rootholes.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/frv/include/asm/uaccess.h | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/arch/frv/include/asm/uaccess.h b/arch/frv/include/asm/uaccess.h
index 3ac9a59d65d4..87d9e34c5df8 100644
--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do {							\
 extern long __memset_user(void *dst, unsigned long count);
 extern long __memcpy_user(void *dst, const void *src, unsigned long count);
 
-#define clear_user(dst,count)			__memset_user(____force(dst), (count))
+#define __clear_user(dst,count)			__memset_user(____force(dst), (count))
 #define __copy_from_user_inatomic(to, from, n)	__memcpy_user((to), ____force(from), (n))
 #define __copy_to_user_inatomic(to, from, n)	__memcpy_user(____force(to), (from), (n))
 
 #else
 
-#define clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
 #define __copy_from_user_inatomic(to, from, n)	(memcpy((to), ____force(from), (n)), 0)
 #define __copy_to_user_inatomic(to, from, n)	(memcpy(____force(to), (from), (n)), 0)
 
 #endif
 
-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+	if (likely(__access_ok(to, n)))
+		n = __clear_user(to, n);
+	return n;
+}
 
 static inline unsigned long __must_check
 __copy_to_user(void __user *to, const void *from, unsigned long n)
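
Review bot: the new inline clear_user() has no comment saying that its return value is the number of bytes not cleared and that n comes back unchanged when __access_ok() fails, which is the only signal a caller gets. After the rename, __clear_user() is the unchecked primitive in both the MMU and the #else branch, so it is worth stating next to those two defines that callers of __clear_user() must have validated the range themselves.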
-- 
2.10.0



* [patch added to 3.12-stable] cris: buggered copy_from_user/copy_to_user/clear_user
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (24 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] frv: fix clear_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] blackfin: fix copy_from_user() Jiri Slaby
                   ` (15 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.

* copy_from_user() on access_ok() failure ought to zero the destination
* none of those primitives should skip the access_ok() check in case of
small constant size.

Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 39 deletions(-)

diff --git a/arch/cris/include/asm/uaccess.h b/arch/cris/include/asm/uaccess.h
index 914540801c5e..93bfa8acc38b 100644
--- a/arch/cris/include/asm/uaccess.h
+++ b/arch/cris/include/asm/uaccess.h
@@ -176,30 +176,6 @@ extern unsigned long __copy_user(void __user *to, const void *from, unsigned lon
 extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
 extern unsigned long __do_clear_user(void __user *to, unsigned long n);
 
-static inline unsigned long
-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
-{
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __copy_user(to,from,n);
-	return n;
-}
-
-static inline unsigned long
-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
-{
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_user_zeroing(to,from,n);
-	return n;
-}
-
-static inline unsigned long
-__generic_clear_user(void __user *to, unsigned long n)
-{
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __do_clear_user(to,n);
-	return n;
-}
-
 static inline long
 __strncpy_from_user(char *dst, const char __user *src, long count)
 {
@@ -262,7 +238,7 @@ __constant_copy_from_user(void *to, const void __user *from, unsigned long n)
 	else if (n == 24)
 		__asm_copy_from_user_24(to, from, ret);
 	else
-		ret = __generic_copy_from_user(to, from, n);
+		ret = __copy_user_zeroing(to, from, n);
 
 	return ret;
 }
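
Review bot: the else branch of __constant_copy_from_user() now calls __copy_user_zeroing() with no access_ok() of its own, so the whole function is an unchecked helper that is only safe when reached through the new copy_from_user(). Nothing in the hunk says so; add a comment on __constant_copy_from_user() (and on the matching to_user and clear helpers changed the same way) that the caller must already have done the range check.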
@@ -312,7 +288,7 @@ __constant_copy_to_user(void __user *to, const void *from, unsigned long n)
 	else if (n == 24)
 		__asm_copy_to_user_24(to, from, ret);
 	else
-		ret = __generic_copy_to_user(to, from, n);
+		ret = __copy_user(to, from, n);
 
 	return ret;
 }
@@ -344,26 +320,43 @@ __constant_clear_user(void __user *to, unsigned long n)
 	else if (n == 24)
 		__asm_clear_24(to, ret);
 	else
-		ret = __generic_clear_user(to, n);
+		ret = __do_clear_user(to, n);
 
 	return ret;
 }
 
 
-#define clear_user(to, n)			\
-(__builtin_constant_p(n) ?			\
- __constant_clear_user(to, n) :			\
- __generic_clear_user(to, n))
+static inline size_t clear_user(void __user *to, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+		return n;
+	if (__builtin_constant_p(n))
+		return __constant_clear_user(to, n);
+	else
+		return __do_clear_user(to, n);
+}
 
-#define copy_from_user(to, from, n)		\
-(__builtin_constant_p(n) ?			\
- __constant_copy_from_user(to, from, n) :	\
- __generic_copy_from_user(to, from, n))
+static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_READ, from, n))) {
+		memset(to, 0, n);
+		return n;
+	}
+	if (__builtin_constant_p(n))
+		return __constant_copy_from_user(to, from, n);
+	else
+		return __copy_user_zeroing(to, from, n);
+}
 
-#define copy_to_user(to, from, n)		\
-(__builtin_constant_p(n) ?			\
- __constant_copy_to_user(to, from, n) :		\
- __generic_copy_to_user(to, from, n))
+static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+		return n;
+	if (__builtin_constant_p(n))
+		return __constant_copy_to_user(to, from, n);
+	else
+		return __copy_user(to, from, n);
+}
 
 /* We let the __ versions of copy_from/to_user inline, because they're often
  * used in fast paths and have only a small space overhead.
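
Review bot: in the three new inline functions, __builtin_constant_p(n) is now evaluated on a function parameter rather than on the macro argument at the call site, so the constant-size fast path is taken only when the compiler inlines the function and propagates the constant. The result is still correct when it does not, because the fallback is the generic routine, but it is worth confirming that the fixed-size paths are still selected, or marking the functions __always_inline. The return type also changes to size_t while the helpers they call return unsigned long, and none of the three carries __must_check.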
-- 
2.10.0



* [patch added to 3.12-stable] blackfin: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (25 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] cris: buggered copy_from_user/copy_to_user/clear_user Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] score: fix copy_from_user() and friends Jiri Slaby
                   ` (14 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/blackfin/include/asm/uaccess.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/arch/blackfin/include/asm/uaccess.h b/arch/blackfin/include/asm/uaccess.h
index 57701c3b8a59..a992a788409c 100644
--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -177,11 +177,12 @@ static inline int bad_user_access_length(void)
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n))) {
 		memcpy(to, (const void __force *)from, n);
-	else
-		return n;
-	return 0;
+		return 0;
+	}
+	memset(to, 0, n);
+	return n;
 }
 
 static inline unsigned long __must_check
-- 
2.10.0



* [patch added to 3.12-stable] score: fix copy_from_user() and friends
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (26 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] blackfin: fix copy_from_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] sh: fix copy_from_user() Jiri Slaby
                   ` (13 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/score/include/asm/uaccess.h | 41 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

diff --git a/arch/score/include/asm/uaccess.h b/arch/score/include/asm/uaccess.h
index c882d961e5b8..69326dfb894d 100644
--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -296,35 +296,34 @@ extern int __copy_tofrom_user(void *to, const void *from, unsigned long len);
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
+	unsigned long res = len;
 
-	if (access_ok(VERIFY_READ, from, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_READ, from, len)))
+		res = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
-	return len;
+	if (unlikely(res))
+		memset(to + (len - res), 0, res);
+
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_WRITE, to, len)))
+		len = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
 	return len;
 }
 
-#define __copy_from_user(to, from, len)	\
-		__copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+	unsigned long left = __copy_tofrom_user(to, from, len);
+	if (unlikely(left))
+		memset(to + (len - left), 0, left);
+	return left;
+}
 
 #define __copy_to_user(to, from, len)		\
 		__copy_tofrom_user((to), (from), (len))
@@ -338,17 +337,17 @@ __copy_to_user_inatomic(void *to, const void *from, unsigned long len)
 static inline unsigned long
 __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
 {
-	return __copy_from_user(to, from, len);
+	return __copy_tofrom_user(to, from, len);
 }
 
-#define __copy_in_user(to, from, len)	__copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len)	__copy_tofrom_user(to, from, len)
 
 static inline unsigned long
 copy_in_user(void *to, const void *from, unsigned long len)
 {
 	if (access_ok(VERIFY_READ, from, len) &&
 		      access_ok(VERFITY_WRITE, to, len))
-		return copy_from_user(to, from, len);
+		return __copy_tofrom_user(to, from, len);
 }
 
 /*
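
Review bot: copy_in_user(), changed at the end of this hunk, still has no return statement for the case where either access_ok() fails, so it falls off the end of a non-void function, and the context line spells the flag VERFITY_WRITE. Add a final "return len;" and correct the flag to VERIFY_WRITE while this function is being touched. A comment on why __copy_from_user_inatomic() and __copy_in_user() now call __copy_tofrom_user() directly (presumably to avoid the tail zeroing that __copy_from_user() gains in the previous hunk) would also help.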
-- 
2.10.0



* [patch added to 3.12-stable] sh: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (27 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] score: fix copy_from_user() and friends Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] hexagon: fix strncpy_from_user() error return Jiri Slaby
                   ` (12 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/sh/include/asm/uaccess.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
index 9486376605f4..c04cc18ae9cd 100644
--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
 	__kernel_size_t __copy_size = (__kernel_size_t) n;
 
 	if (__copy_size && __access_ok(__copy_from, __copy_size))
-		return __copy_user(to, from, __copy_size);
+		__copy_size = __copy_user(to, from, __copy_size);
+
+	if (unlikely(__copy_size))
+		memset(to + (n - __copy_size), 0, __copy_size);
 
 	return __copy_size;
 }
-- 
2.10.0



* [patch added to 3.12-stable] hexagon: fix strncpy_from_user() error return
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (28 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] sh: fix copy_from_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] mips: copy_from_user() must zero the destination on access_ok() failure Jiri Slaby
                   ` (11 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.

It's -EFAULT, not -1 (and contrary to the comment in there,
__strnlen_user() can return 0 - on faults).

Acked-by: Richard Kuo <rkuo@codeaurora.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/hexagon/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/hexagon/include/asm/uaccess.h b/arch/hexagon/include/asm/uaccess.h
index e4127e4d6a5b..25fc9049db8a 100644
--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_user(char *dst, const char __user *src,
 {
 	long res = __strnlen_user(src, n);
 
-	/* return from strnlen can't be zero -- that would be rubbish. */
+	if (unlikely(!res))
+		return -EFAULT;
 
 	if (res > n) {
 		copy_from_user(dst, src, n);
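
Review bot: the context line "copy_from_user(dst, src, n);" in the res > n branch still discards its return value, so a fault that happens after __strnlen_user() succeeded is not reported even with the new -EFAULT check. Test the result there and return -EFAULT when it is non-zero. The removed comment could also be replaced by one stating that __strnlen_user() returns 0 on a fault, since that is the fact the new check relies on.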
-- 
2.10.0



* [patch added to 3.12-stable] mips: copy_from_user() must zero the destination on access_ok() failure
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (29 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] hexagon: fix strncpy_from_user() error return Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] asm-generic: make copy_from_user() zero the destination properly Jiri Slaby
                   ` (10 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mips/include/asm/uaccess.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
index f3fa3750f577..e09339df2232 100644
--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -13,6 +13,7 @@
 #include <linux/kernel.h>
 #include <linux/errno.h>
 #include <linux/thread_info.h>
+#include <linux/string.h>
 
 /*
  * The fs value determines whether argument validity checking should be
@@ -938,6 +939,8 @@ extern size_t __copy_user_inatomic(void *__to, const void *__from, size_t __n);
 		might_fault();						\
 		__cu_len = __invoke_copy_from_user(__cu_to, __cu_from,	\
 						   __cu_len);		\
+	} else {							\
+		memset(__cu_to, 0, __cu_len);				\
 	}								\
 	__cu_len;							\
 })
-- 
2.10.0



* [patch added to 3.12-stable] asm-generic: make copy_from_user() zero the destination properly
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (30 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] mips: copy_from_user() must zero the destination on access_ok() failure Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] alpha: fix copy_from_user() Jiri Slaby
                   ` (9 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.

... in all cases, including the failing access_ok()

Note that some architectures using asm-generic/uaccess.h have
__copy_from_user() not zeroing the tail on failure halfway
through.  This variant works either way.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/asm-generic/uaccess.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index a79424155cfe..4b28210a14ea 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -259,11 +259,13 @@ extern int __get_user_bad(void) __attribute__((noreturn));
 static inline long copy_from_user(void *to,
 		const void __user * from, unsigned long n)
 {
+	unsigned long res = n;
 	might_fault();
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_from_user(to, from, n);
-	else
-		return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline long copy_to_user(void __user *to,
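
Review bot: copy_from_user() is declared to return long but now returns res, an unsigned long holding the count of bytes not copied; the value fits in practice, but the signature should match what is returned (the score and sh versions in this series use unsigned long). Kernel style also wants a blank line between the new declaration "unsigned long res = n;" and might_fault(). The memset offset "to + (n - res)" is arithmetic on a void pointer, which is a GNU extension; a byte-pointer cast would make the intent explicit.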
-- 
2.10.0



* [patch added to 3.12-stable] alpha: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (31 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] asm-generic: make copy_from_user() zero the destination properly Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] metag: copy_from_user() should zero the destination on access_ok() failure Jiri Slaby
                   ` (8 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.

it should clear the destination even when access_ok() fails.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/arch/alpha/include/asm/uaccess.h b/arch/alpha/include/asm/uaccess.h
index 766fdfde2b7a..6e9d27ad5103 100644
--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, const void *from, long len)
 	return __cu_len;
 }
 
-extern inline long
-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
-{
-	if (__access_ok((unsigned long)validate, len, get_fs()))
-		len = __copy_tofrom_user_nocheck(to, from, len);
-	return len;
-}
-
 #define __copy_to_user(to,from,n)					\
 ({									\
 	__chk_user_ptr(to);						\
@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void *from, long len, const void __user *vali
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
-
 extern inline long
 copy_to_user(void __user *to, const void *from, long n)
 {
-	return __copy_tofrom_user((__force void *)to, from, n, to);
+	if (likely(__access_ok((unsigned long)to, n, get_fs())))
+		n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
+	return n;
 }
 
 extern inline long
 copy_from_user(void *to, const void __user *from, long n)
 {
-	return __copy_tofrom_user(to, (__force void *)from, n, from);
+	if (likely(__access_ok((unsigned long)from, n, get_fs())))
+		n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
+	else
+		memset(to, 0, n);
+	return n;
 }
 
 extern void __do_clear_user(void);
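
Review bot: copy_from_user() takes n as a signed long and the new else branch passes it straight to memset(to, 0, n), so a negative n that fails __access_ok() would be converted to a very large size_t there. Make the length unsigned long, as the other architectures in this series do, or skip the memset when n is not positive. Only the __access_ok() failure path is zeroed in this hunk; a short comment saying where the tail is cleared after a fault partway through __copy_tofrom_user_nocheck() would make the contract clear.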
-- 
2.10.0



* [patch added to 3.12-stable] metag: copy_from_user() should zero the destination on access_ok() failure
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (32 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] alpha: fix copy_from_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] parisc: fix copy_from_user() Jiri Slaby
                   ` (7 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream.

Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/metag/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/metag/include/asm/uaccess.h b/arch/metag/include/asm/uaccess.h
index 0748b0a97986..7841f2290385 100644
--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -199,8 +199,9 @@ extern unsigned long __must_check __copy_user_zeroing(void *to,
 static inline unsigned long
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n)))
 		return __copy_user_zeroing(to, from, n);
+	memset(to, 0, n);
 	return n;
 }
 
-- 
2.10.0



* [patch added to 3.12-stable] parisc: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (33 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] metag: copy_from_user() should zero the destination on access_ok() failure Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] openrisc: " Jiri Slaby
                   ` (6 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit aace880feea38875fbc919761b77e5732a3659ef upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/parisc/include/asm/uaccess.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
index e0a82358517e..9bbddafb0da3 100644
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -9,6 +9,8 @@
 #include <asm/errno.h>
 #include <asm-generic/uaccess-unaligned.h>
 
+#include <linux/string.h>
+
 #define VERIFY_READ 0
 #define VERIFY_WRITE 1
 
@@ -246,13 +248,14 @@ static inline unsigned long __must_check copy_from_user(void *to,
                                           unsigned long n)
 {
         int sz = __compiletime_object_size(to);
-        int ret = -EFAULT;
+        unsigned long ret = n;
 
         if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
                 ret = __copy_from_user(to, from, n);
         else
                 copy_from_user_overflow();
-
+	if (unlikely(ret))
+		memset(to + (n - ret), 0, ret);
         return ret;
 }
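
Review bot: the new memset also runs on the copy_from_user_overflow() path. That else branch is reached only when the compile-time size of the destination is known and smaller than the constant n; ret is still n there, so "memset(to + (n - ret), 0, ret)" becomes memset(to, 0, n) and writes n bytes into an object known to be only sz bytes long. Do the zeroing inside the branch that called __copy_from_user(), or bound it by sz on the overflow path. The two added lines are indented with tabs while the rest of the function uses spaces.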
 
-- 
2.10.0



* [patch added to 3.12-stable] openrisc: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (34 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] parisc: fix copy_from_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] mn10300: copy_from_user() should zero on access_ok() failure Jiri Slaby
                   ` (5 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.

... that should zero on faults.  Also remove the <censored> helpful
logics wrt range truncation copied from ppc32.  Where it had ever
been needed only in case of copy_from_user() *and* had not been merged
into the mainline until a month after the need had disappeared.
A decade before openrisc went into mainline, I might add...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/openrisc/include/asm/uaccess.h | 35 +++++++++++------------------------
 1 file changed, 11 insertions(+), 24 deletions(-)

diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
index ab2e7a198a4c..908c0904bdd6 100644
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void *from, unsigned long size);
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_tofrom_user(to, from, n);
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + n - TASK_SIZE;
-		return __copy_tofrom_user(to, from, n - over) + over;
-	}
-	return n;
+	unsigned long res = n;
+
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		n = __copy_tofrom_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __copy_tofrom_user(to, from, n);
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + n - TASK_SIZE;
-		return __copy_tofrom_user(to, from, n - over) + over;
-	}
+	if (likely(access_ok(VERIFY_WRITE, to, n)))
+		n = __copy_tofrom_user(to, from, n);
 	return n;
 }
 
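Review bot: In copy_from_user() the result of __copy_tofrom_user() is assigned to `n`, not `res`, so `res` keeps the requested length. The function then always returns the full length, even after a complete copy. The memset() also runs on every non-empty call, starting at `to + (n - res)`, which lies before `to` whenever any bytes were copied. Assign the return value to `res` (`res = __copy_tofrom_user(to, from, n);`) so that `n - res` is the number of bytes copied and only the uncopied tail is zeroed.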
@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
 static inline __must_check unsigned long
 clear_user(void *addr, unsigned long size)
 {
-
-	if (access_ok(VERIFY_WRITE, addr, size))
-		return __clear_user(addr, size);
-	if ((unsigned long)addr < TASK_SIZE) {
-		unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-		return __clear_user(addr, size - over) + over;
-	}
+	if (likely(access_ok(VERIFY_WRITE, addr, size)))
+		size = __clear_user(addr, size);
 	return size;
 }
 
-- 
2.10.0



* [patch added to 3.12-stable] mn10300: copy_from_user() should zero on access_ok() failure...
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (35 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] openrisc: " Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] sparc32: fix copy_from_user() Jiri Slaby
                   ` (4 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mn10300/lib/usercopy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/mn10300/lib/usercopy.c b/arch/mn10300/lib/usercopy.c
index 7826e6c364e7..ce8899e5e171 100644
--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,7 @@
  * as published by the Free Software Foundation; either version
  * 2 of the Licence, or (at your option) any later version.
  */
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 
 unsigned long
 __generic_copy_to_user(void *to, const void *from, unsigned long n)
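Review bot: The switch from <asm/uaccess.h> to <linux/uaccess.h> is unexplained, and the changelog has no body at all. If the point is to get a declaration for the memset() call added to __generic_copy_from_user() below, please say so in the commit message, or include <linux/string.h> directly rather than relying on an indirect include.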
@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const void *from, unsigned long n)
 {
 	if (access_ok(VERIFY_READ, from, n))
 		__copy_user_zeroing(to, from, n);
+	else
+		memset(to, 0, n);
 	return n;
 }
 
-- 
2.10.0



* [patch added to 3.12-stable] sparc32: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (36 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] mn10300: copy_from_user() should zero on access_ok() failure Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] ppc32: " Jiri Slaby
                   ` (3 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.

Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/sparc/include/asm/uaccess_32.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index 53a28dd59f59..01f602858de1 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -265,8 +265,10 @@ static inline unsigned long copy_from_user(void *to, const void __user *from, un
 {
 	if (n && __access_ok((unsigned long) from, n))
 		return __copy_user((__force void __user *) to, from, n);
-	else
+	else {
+		memset(to, 0, n);
 		return n;
+	}
 }
 
 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
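Review bot: Only the access_ok() failure branch zeroes the destination; the success branch still does `return __copy_user(...)` directly, so zeroing the uncopied tail after a fault partway through depends entirely on __copy_user(), which this hunk does not show. The changelog has no body, so please state there whether __copy_user() already clears the tail. Style: now that the `else` branch has braces the `if` branch should have them too, or the `else` can go, since the first branch returns.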
-- 
2.10.0



* [patch added to 3.12-stable] ppc32: fix copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (37 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] sparc32: fix copy_from_user() Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] ia64: copy_from_user() should zero the destination on access_ok() failure Jiri Slaby
                   ` (2 subsequent siblings)
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.

should clear on access_ok() failures.  Also remove the useless
range truncation logics.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/include/asm/uaccess.h | 21 ++-------------------
 1 file changed, 2 insertions(+), 19 deletions(-)

diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 9485b43a7c00..46c486599645 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -323,30 +323,17 @@ extern unsigned long __copy_tofrom_user(void __user *to,
 static inline unsigned long copy_from_user(void *to,
 		const void __user *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n)))
 		return __copy_tofrom_user((__force void __user *)to, from, n);
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + n - TASK_SIZE;
-		return __copy_tofrom_user((__force void __user *)to, from,
-				n - over) + over;
-	}
+	memset(to, 0, n);
 	return n;
 }
 
 static inline unsigned long copy_to_user(void __user *to,
 		const void *from, unsigned long n)
 {
-	unsigned long over;
-
 	if (access_ok(VERIFY_WRITE, to, n))
 		return __copy_tofrom_user(to, (__force void __user *)from, n);
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + n - TASK_SIZE;
-		return __copy_tofrom_user(to, (__force void __user *)from,
-				n - over) + over;
-	}
 	return n;
 }
 
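Review bot: copy_from_user() gains likely() around access_ok(), but copy_to_user() in the same hunk keeps the bare `if (access_ok(VERIFY_WRITE, to, n))`, while clear_user() further down already uses likely(). Either annotate copy_to_user() the same way or leave the branch hint out of this fix, so the three helpers read consistently. The changelog should also say that the likely() is an incidental change and not part of the zeroing fix.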
@@ -437,10 +424,6 @@ static inline unsigned long clear_user(void __user *addr, unsigned long size)
 	might_fault();
 	if (likely(access_ok(VERIFY_WRITE, addr, size)))
 		return __clear_user(addr, size);
-	if ((unsigned long)addr < TASK_SIZE) {
-		unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-		return __clear_user(addr, size - over) + over;
-	}
 	return size;
 }
 
-- 
2.10.0



* [patch added to 3.12-stable] ia64: copy_from_user() should zero the destination on access_ok() failure
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (38 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] ppc32: " Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] avr32: fix 'undefined reference to `___copy_from_user' Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] openrisc: fix the fix of copy_from_user() Jiri Slaby
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/ia64/include/asm/uaccess.h | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
index 449c8c0fa2bd..810926c56e31 100644
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
 	__cu_len;									\
 })
 
-#define copy_from_user(to, from, n)							\
-({											\
-	void *__cu_to = (to);								\
-	const void __user *__cu_from = (from);						\
-	long __cu_len = (n);								\
-											\
-	__chk_user_ptr(__cu_from);							\
-	if (__access_ok(__cu_from, __cu_len, get_fs()))					\
-		__cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);	\
-	__cu_len;									\
-})
+static inline unsigned long
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+	if (likely(__access_ok(from, n, get_fs())))
+		n = __copy_user((__force void __user *) to, from, n);
+	else
+		memset(to, 0, n);
+	return n;
+}
 
 #define __copy_in_user(to, from, size)	__copy_user((to), (from), (size))
 
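Review bot: Converting copy_from_user() from a macro to a static inline drops the explicit `__chk_user_ptr(__cu_from)` call and changes the length and result type from `long __cu_len` to `unsigned long`. Neither is mentioned, because the changelog has no body. The typed `const void __user *from` parameter should give sparse the same address-space check, but please state that in the commit message, along with the signedness change, so callers comparing the result against a signed value can be audited.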
-- 
2.10.0



* [patch added to 3.12-stable] avr32: fix 'undefined reference to `___copy_from_user'
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (39 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] ia64: copy_from_user() should zero the destination on access_ok() failure Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  2016-09-29  9:06 ` [patch added to 3.12-stable] openrisc: fix the fix of copy_from_user() Jiri Slaby
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Guenter Roeck, Al Viro, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 upstream.

avr32 builds fail with:

arch/avr32/kernel/built-in.o: In function `arch_ptrace':
(.text+0x650): undefined reference to `___copy_from_user'
arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
reference to `___copy_from_user'
kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
(.text+0x5dd8): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `ptrace_has_cap':
ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
`___copy_from_user' follow

Fixes: 8630c32275ba ("avr32: fix copy_from_user()")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Havard Skinnemoen <hskinnemoen@gmail.com>
Acked-by: Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/avr32/lib/copy_user.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/avr32/lib/copy_user.S b/arch/avr32/lib/copy_user.S
index 96a6de9d578f..075373471da1 100644
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -23,8 +23,8 @@
 	 */
 	.text
 	.align	1
-	.global	copy_from_user
-	.type	copy_from_user, @function
+	.global	___copy_from_user
+	.type	___copy_from_user, @function
 ___copy_from_user:
 	branch_if_kernel r8, __copy_user
 	ret_if_privileged r8, r11, r10, r10
-- 
2.10.0



* [patch added to 3.12-stable] openrisc: fix the fix of copy_from_user()
  2016-09-29  9:06 [patch added to 3.12-stable] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Jiri Slaby
                   ` (40 preceding siblings ...)
  2016-09-29  9:06 ` [patch added to 3.12-stable] avr32: fix 'undefined reference to `___copy_from_user' Jiri Slaby
@ 2016-09-29  9:06 ` Jiri Slaby
  41 siblings, 0 replies; 44+ messages in thread
From: Jiri Slaby @ 2016-09-29  9:06 UTC (permalink / raw)
  To: stable; +Cc: Guenter Roeck, Al Viro, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8e4b72054f554967827e18be1de0e8122e6efc04 upstream.

Since commit acb2505d0119 ("openrisc: fix copy_from_user()"),
copy_from_user() returns the number of bytes requested, not the
number of bytes not copied.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: acb2505d0119 ("openrisc: fix copy_from_user()")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/openrisc/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
index 908c0904bdd6..d441480a4af4 100644
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -276,7 +276,7 @@ copy_from_user(void *to, const void *from, unsigned long n)
 	unsigned long res = n;
 
 	if (likely(access_ok(VERIFY_READ, from, n)))
-		n = __copy_tofrom_user(to, from, n);
+		res = __copy_tofrom_user(to, from, n);
 	if (unlikely(res))
 		memset(to + (n - res), 0, res);
 	return res;
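Review bot: The changelog mentions only the wrong return value, but the same one-line change also corrects the memset() in the context lines below it. With the count stored in `n`, `to + (n - res)` was computed from the leftover count minus the requested length, so the zeroing started before `to` instead of at the uncopied tail. Please record that in the commit message so anyone carrying acb2505d0119 without this follow-up knows the impact is more than a bad return code.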
-- 
2.10.0

