
Commit a307d0a0 authored by Linus Torvalds
Pull final vfs updates from Al Viro:
 "Assorted cleanups and fixes all over the place"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  sg_write()/bsg_write() is not fit to be called under KERNEL_DS
  ufs: fix function declaration for ufs_truncate_blocks
  fs: exec: apply CLOEXEC before changing dumpable task flags
  seq_file: reset iterator to first record for zero offset
  vfs: fix isize/pos/len checks for reflink & dedupe
  [iov_iter] fix iterate_all_kinds() on empty iterators
  move aio compat to fs/aio.c
  reorganize do_make_slave()
  clone_private_mount() doesn't need to touch namespace_sem
  remove a bogus claim about namespace_sem being held by callers of mnt_alloc_id()
parents fc26901b faf0dceb
+3 −0
@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)

	dprintk("%s: write %Zd bytes\n", bd->name, count);

	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
		return -EINVAL;

	bsg_set_block(bd, file);

	bytes_written = 0;
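Review bot: The new `segment_eq(get_fs(), KERNEL_DS)` guard in bsg_write() carries no comment, so the reason a write is refused with -EINVAL cannot be recovered from the code; the same applies to the identical guard added to sg_write(). Presumably the written payload is a request header whose embedded pointers are later treated as user addresses, which is unsafe once the address limit has been lifted; that should be stated at the check, e.g. `/* payload holds user pointers that are dereferenced later; never valid under KERNEL_DS */`. The rejection is also silent, and a one-time warning at this point would make an in-kernel caller reaching this path visible in the logs. bsg_write() starts and continues outside the hunk.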
+3 −0
@@ -581,6 +581,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
	sg_io_hdr_t *hp;
	unsigned char cmnd[SG_MAX_CDB_SIZE];

	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
		return -EINVAL;

	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
		return -ENXIO;
	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
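Review bot: The guard at the top of sg_write() keys only on the address limit, so it does not distinguish the task that opened the descriptor from the task that issues the write. If the written header is interpreted as a command with its own data pointers (the `sg_io_hdr_t *hp` local suggests so, but the parsing is outside the hunk), a follow-up check such as `if (filp->f_cred != current_real_cred()) return -EPERM;` would cover that remaining case. The read side should be reviewed for the same condition. The function body continues outside the hunk.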
+95 −2
@@ -1367,6 +1367,39 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
	return ret;
}

#ifdef CONFIG_COMPAT
COMPAT_SYSCALL_DEFINE2(io_setup, unsigned, nr_events, u32 __user *, ctx32p)
{
	struct kioctx *ioctx = NULL;
	unsigned long ctx;
	long ret;

	ret = get_user(ctx, ctx32p);
	if (unlikely(ret))
		goto out;

	ret = -EINVAL;
	if (unlikely(ctx || nr_events == 0)) {
		pr_debug("EINVAL: ctx %lu nr_events %u\n",
		         ctx, nr_events);
		goto out;
	}

	ioctx = ioctx_alloc(nr_events);
	ret = PTR_ERR(ioctx);
	if (!IS_ERR(ioctx)) {
		/* truncating is ok because it's a user address */
		ret = put_user((u32)ioctx->user_id, ctx32p);
		if (ret)
			kill_ioctx(current->mm, ioctx, NULL);
		percpu_ref_put(&ioctx->users);
	}

out:
	return ret;
}
#endif

/* sys_io_destroy:
 *	Destroy the aio_context specified.  May cancel any outstanding 
 *	AIOs and block on completion.  Will fail with -ENOSYS if not
@@ -1591,7 +1624,7 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
	return ret;
}

long do_io_submit(aio_context_t ctx_id, long nr,
static long do_io_submit(aio_context_t ctx_id, long nr,
			  struct iocb __user *__user *iocbpp, bool compat)
{
	struct kioctx *ctx;
@@ -1662,6 +1695,44 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
	return do_io_submit(ctx_id, nr, iocbpp, 0);
}

#ifdef CONFIG_COMPAT
static inline long
copy_iocb(long nr, u32 __user *ptr32, struct iocb __user * __user *ptr64)
{
	compat_uptr_t uptr;
	int i;

	for (i = 0; i < nr; ++i) {
		if (get_user(uptr, ptr32 + i))
			return -EFAULT;
		if (put_user(compat_ptr(uptr), ptr64 + i))
			return -EFAULT;
	}
	return 0;
}

#define MAX_AIO_SUBMITS 	(PAGE_SIZE/sizeof(struct iocb *))

COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
		       int, nr, u32 __user *, iocb)
{
	struct iocb __user * __user *iocb64;
	long ret;

	if (unlikely(nr < 0))
		return -EINVAL;

	if (nr > MAX_AIO_SUBMITS)
		nr = MAX_AIO_SUBMITS;

	iocb64 = compat_alloc_user_space(nr * sizeof(*iocb64));
	ret = copy_iocb(nr, iocb, iocb64);
	if (!ret)
		ret = do_io_submit(ctx_id, nr, iocb64, 1);
	return ret;
}
#endif

/* lookup_kiocb
 *	Finds a given iocb for cancellation.
 */
@@ -1761,3 +1832,25 @@ SYSCALL_DEFINE5(io_getevents, aio_context_t, ctx_id,
	}
	return ret;
}

#ifdef CONFIG_COMPAT
COMPAT_SYSCALL_DEFINE5(io_getevents, compat_aio_context_t, ctx_id,
		       compat_long_t, min_nr,
		       compat_long_t, nr,
		       struct io_event __user *, events,
		       struct compat_timespec __user *, timeout)
{
	struct timespec t;
	struct timespec __user *ut = NULL;

	if (timeout) {
		if (compat_get_timespec(&t, timeout))
			return -EFAULT;

		ut = compat_alloc_user_space(sizeof(*ut));
		if (copy_to_user(ut, &t, sizeof(t)))
			return -EFAULT;
	}
	return sys_io_getevents(ctx_id, min_nr, nr, events, ut);
}
#endif
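Review bot: In the compat io_submit added to this file, the result of `compat_alloc_user_space(nr * sizeof(*iocb64))` is passed to copy_iocb() unchecked; the helper can return NULL, and the code then relies on `put_user()` faulting on the bad address. An explicit `if (!iocb64) return -EFAULT;` right after the allocation states the failure path instead of inheriting it; the compat io_getevents at the end of the section has the same pattern with `ut`, where `copy_to_user()` catches it. Separately, copy_iocb() counts with `int i` against a `long nr`, which is safe only because the caller clamps `nr` to MAX_AIO_SUBMITS; `long i;` or a comment naming that precondition would keep the helper correct on its own.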
+0 −75
@@ -487,45 +487,6 @@ COMPAT_SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd,
	return compat_sys_fcntl64(fd, cmd, arg);
}

COMPAT_SYSCALL_DEFINE2(io_setup, unsigned, nr_reqs, u32 __user *, ctx32p)
{
	long ret;
	aio_context_t ctx64;

	mm_segment_t oldfs = get_fs();
	if (unlikely(get_user(ctx64, ctx32p)))
		return -EFAULT;

	set_fs(KERNEL_DS);
	/* The __user pointer cast is valid because of the set_fs() */
	ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
	set_fs(oldfs);
	/* truncating is ok because it's a user address */
	if (!ret)
		ret = put_user((u32) ctx64, ctx32p);
	return ret;
}

COMPAT_SYSCALL_DEFINE5(io_getevents, compat_aio_context_t, ctx_id,
		       compat_long_t, min_nr,
		       compat_long_t, nr,
		       struct io_event __user *, events,
		       struct compat_timespec __user *, timeout)
{
	struct timespec t;
	struct timespec __user *ut = NULL;

	if (timeout) {
		if (compat_get_timespec(&t, timeout))
			return -EFAULT;

		ut = compat_alloc_user_space(sizeof(*ut));
		if (copy_to_user(ut, &t, sizeof(t)) )
			return -EFAULT;
	} 
	return sys_io_getevents(ctx_id, min_nr, nr, events, ut);
}

/* A write operation does a read from user space and vice versa */
#define vrfy_dir(type) ((type) == READ ? VERIFY_WRITE : VERIFY_READ)

@@ -602,42 +563,6 @@ ssize_t compat_rw_copy_check_uvector(int type,
	return ret;
}

static inline long
copy_iocb(long nr, u32 __user *ptr32, struct iocb __user * __user *ptr64)
{
	compat_uptr_t uptr;
	int i;

	for (i = 0; i < nr; ++i) {
		if (get_user(uptr, ptr32 + i))
			return -EFAULT;
		if (put_user(compat_ptr(uptr), ptr64 + i))
			return -EFAULT;
	}
	return 0;
}

#define MAX_AIO_SUBMITS 	(PAGE_SIZE/sizeof(struct iocb *))

COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
		       int, nr, u32 __user *, iocb)
{
	struct iocb __user * __user *iocb64; 
	long ret;

	if (unlikely(nr < 0))
		return -EINVAL;

	if (nr > MAX_AIO_SUBMITS)
		nr = MAX_AIO_SUBMITS;
	
	iocb64 = compat_alloc_user_space(nr * sizeof(*iocb64));
	ret = copy_iocb(nr, iocb, iocb64);
	if (!ret)
		ret = do_io_submit(ctx_id, nr, iocb64, 1);
	return ret;
}

struct compat_ncp_mount_data {
	compat_int_t version;
	compat_uint_t ncp_fd;
+8 −2
@@ -1268,6 +1268,13 @@ int flush_old_exec(struct linux_binprm * bprm)
	flush_thread();
	current->personality &= ~bprm->per_clear;

	/*
	 * We have to apply CLOEXEC before we change whether the process is
	 * dumpable (in setup_new_exec) to avoid a race with a process in userspace
	 * trying to access the should-be-closed file descriptors of a process
	 * undergoing exec(2).
	 */
	do_close_on_exec(current->files);
	return 0;

out:
@@ -1330,7 +1337,6 @@ void setup_new_exec(struct linux_binprm * bprm)
	   group */
	current->self_exec_id++;
	flush_signal_handlers(current, 0);
	do_close_on_exec(current->files);
}
EXPORT_SYMBOL(setup_new_exec);
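Review bot: setup_new_exec() now depends on flush_old_exec() having already closed the close-on-exec descriptors, but nothing at the removal site records that. The comment added in flush_old_exec() explains the ordering there; a matching line where the call used to be, e.g. `/* CLOEXEC fds were closed in flush_old_exec(), before dumpability changes */`, would stop a later cleanup from moving the call back. Both functions start outside their hunks.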
