Merge branch 'akpm' (patches from Andrew)
authorLinus Torvalds <torvalds@linux-foundation.org>
Sat, 5 Jan 2019 17:16:18 +0000 (09:16 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sat, 5 Jan 2019 17:16:18 +0000 (09:16 -0800)
Merge more updates from Andrew Morton:

 - procfs updates

 - various misc bits

 - lib/ updates

 - epoll updates

 - autofs

 - fatfs

 - a few more MM bits

* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (58 commits)
  mm/page_io.c: fix polled swap page in
  checkpatch: add Co-developed-by to signature tags
  docs: fix Co-Developed-by docs
  drivers/base/platform.c: kmemleak ignore a known leak
  fs: don't open code lru_to_page()
  fs/: remove caller signal_pending branch predictions
  mm/: remove caller signal_pending branch predictions
  arch/arc/mm/fault.c: remove caller signal_pending_branch predictions
  kernel/sched/: remove caller signal_pending branch predictions
  kernel/locking/mutex.c: remove caller signal_pending branch predictions
  mm: select HAVE_MOVE_PMD on x86 for faster mremap
  mm: speed up mremap by 20x on large regions
  mm: treewide: remove unused address argument from pte_alloc functions
  initramfs: cleanup incomplete rootfs
  scripts/gdb: fix lx-version string output
  kernel/kcov.c: mark write_comp_data() as notrace
  kernel/sysctl: add panic_print into sysctl
  panic: add options to print system info when panic happens
  bfs: extra sanity checking and static inode bitmap
  exec: separate MM_ANONPAGES and RLIMIT_STACK accounting
  ...

295 files changed:
Documentation/networking/snmp_counter.rst
arch/alpha/include/asm/futex.h
arch/alpha/include/asm/uaccess.h
arch/alpha/kernel/signal.c
arch/alpha/lib/csum_partial_copy.c
arch/arc/include/asm/futex.h
arch/arc/kernel/process.c
arch/arc/kernel/signal.c
arch/arm/include/asm/futex.h
arch/arm/include/asm/uaccess.h
arch/arm/kernel/perf_callchain.c
arch/arm/kernel/signal.c
arch/arm/kernel/swp_emulate.c
arch/arm/kernel/sys_oabi-compat.c
arch/arm/kernel/traps.c
arch/arm/oprofile/common.c
arch/arm64/include/asm/futex.h
arch/arm64/include/asm/uaccess.h
arch/arm64/kernel/armv8_deprecated.c
arch/arm64/kernel/perf_callchain.c
arch/arm64/kernel/signal.c
arch/arm64/kernel/signal32.c
arch/arm64/kernel/sys_compat.c
arch/c6x/kernel/signal.c
arch/csky/abiv1/alignment.c
arch/csky/include/asm/uaccess.h
arch/csky/kernel/signal.c
arch/csky/lib/usercopy.c
arch/h8300/kernel/signal.c
arch/hexagon/include/asm/futex.h
arch/hexagon/include/asm/uaccess.h
arch/hexagon/kernel/signal.c
arch/hexagon/mm/uaccess.c
arch/ia64/Kconfig
arch/ia64/include/asm/futex.h
arch/ia64/include/asm/uaccess.h
arch/ia64/kernel/ptrace.c
arch/ia64/kernel/signal.c
arch/ia64/mm/init.c
arch/m68k/include/asm/uaccess_mm.h
arch/m68k/include/asm/uaccess_no.h
arch/m68k/kernel/signal.c
arch/microblaze/include/asm/futex.h
arch/microblaze/include/asm/uaccess.h
arch/microblaze/kernel/signal.c
arch/mips/include/asm/checksum.h
arch/mips/include/asm/futex.h
arch/mips/include/asm/termios.h
arch/mips/include/asm/uaccess.h
arch/mips/kernel/mips-r2-to-r6-emul.c
arch/mips/kernel/ptrace.c
arch/mips/kernel/signal.c
arch/mips/kernel/signal32.c
arch/mips/kernel/signal_n32.c
arch/mips/kernel/signal_o32.c
arch/mips/kernel/syscall.c
arch/mips/kernel/unaligned.c
arch/mips/math-emu/cp1emu.c
arch/mips/mm/cache.c
arch/mips/mm/gup.c
arch/mips/oprofile/backtrace.c
arch/mips/sibyte/common/sb_tbprof.c
arch/nds32/include/asm/futex.h
arch/nds32/include/asm/uaccess.h
arch/nds32/kernel/perf_event_cpu.c
arch/nds32/kernel/signal.c
arch/nds32/mm/alignment.c
arch/nios2/include/asm/uaccess.h
arch/nios2/kernel/signal.c
arch/openrisc/include/asm/futex.h
arch/openrisc/include/asm/uaccess.h
arch/openrisc/kernel/signal.c
arch/parisc/include/asm/futex.h
arch/parisc/include/asm/uaccess.h
arch/powerpc/include/asm/futex.h
arch/powerpc/include/asm/uaccess.h
arch/powerpc/kernel/align.c
arch/powerpc/kernel/rtas_flash.c
arch/powerpc/kernel/rtasd.c
arch/powerpc/kernel/signal.c
arch/powerpc/kernel/signal_32.c
arch/powerpc/kernel/signal_64.c
arch/powerpc/kernel/syscalls.c
arch/powerpc/kernel/traps.c
arch/powerpc/kvm/book3s_64_mmu_hv.c
arch/powerpc/lib/checksum_wrappers.c
arch/powerpc/mm/fault.c
arch/powerpc/mm/subpage-prot.c
arch/powerpc/oprofile/backtrace.c
arch/powerpc/platforms/cell/spufs/file.c
arch/powerpc/platforms/powernv/opal-lpc.c
arch/powerpc/platforms/pseries/scanlog.c
arch/riscv/include/asm/futex.h
arch/riscv/include/asm/uaccess.h
arch/riscv/kernel/signal.c
arch/s390/include/asm/uaccess.h
arch/sh/include/asm/checksum_32.h
arch/sh/include/asm/futex.h
arch/sh/include/asm/uaccess.h
arch/sh/kernel/signal_32.c
arch/sh/kernel/signal_64.c
arch/sh/kernel/traps_64.c
arch/sh/mm/gup.c
arch/sh/oprofile/backtrace.c
arch/sparc/include/asm/checksum_32.h
arch/sparc/include/asm/uaccess_32.h
arch/sparc/include/asm/uaccess_64.h
arch/sparc/kernel/sigutil_32.c
arch/sparc/kernel/unaligned_32.c
arch/um/kernel/ptrace.c
arch/unicore32/kernel/signal.c
arch/x86/entry/vsyscall/vsyscall_64.c
arch/x86/ia32/ia32_aout.c
arch/x86/ia32/ia32_signal.c
arch/x86/ia32/sys_ia32.c
arch/x86/include/asm/checksum_32.h
arch/x86/include/asm/io.h
arch/x86/include/asm/pgtable_32.h
arch/x86/include/asm/string_64.h
arch/x86/include/asm/uaccess.h
arch/x86/kernel/fpu/signal.c
arch/x86/kernel/signal.c
arch/x86/kernel/stacktrace.c
arch/x86/kernel/vm86_32.c
arch/x86/lib/Makefile
arch/x86/lib/csum-wrappers_64.c
arch/x86/lib/iomem.c [new file with mode: 0644]
arch/x86/lib/usercopy_32.c
arch/x86/lib/usercopy_64.c
arch/x86/math-emu/fpu_system.h
arch/x86/math-emu/load_store.c
arch/x86/math-emu/reg_ld_str.c
arch/x86/mm/mpx.c
arch/x86/um/asm/checksum_32.h
arch/x86/um/signal.c
arch/xtensa/include/asm/checksum.h
arch/xtensa/include/asm/futex.h
arch/xtensa/include/asm/uaccess.h
arch/xtensa/kernel/signal.c
arch/xtensa/kernel/stacktrace.c
drivers/acpi/acpi_dbg.c
drivers/char/generic_nvram.c
drivers/char/mem.c
drivers/char/nwflash.c
drivers/char/pcmcia/cm4000_cs.c
drivers/crypto/ccp/psp-dev.c
drivers/firewire/core-cdev.c
drivers/firmware/efi/test/efi_test.c
drivers/fpga/dfl-afu-dma-region.c
drivers/fpga/dfl-fme-pr.c
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
drivers/gpu/drm/armada/armada_gem.c
drivers/gpu/drm/drm_file.c
drivers/gpu/drm/etnaviv/etnaviv_drv.c
drivers/gpu/drm/i915/i915_gem.c
drivers/gpu/drm/i915/i915_gem_execbuffer.c
drivers/gpu/drm/i915/i915_gem_userptr.c
drivers/gpu/drm/i915/i915_ioc32.c
drivers/gpu/drm/i915/i915_perf.c
drivers/gpu/drm/i915/i915_query.c
drivers/gpu/drm/msm/msm_gem_submit.c
drivers/gpu/drm/qxl/qxl_ioctl.c
drivers/infiniband/core/uverbs_main.c
drivers/infiniband/hw/hfi1/user_exp_rcv.c
drivers/infiniband/hw/qib/qib_file_ops.c
drivers/isdn/capi/kcapi.c
drivers/isdn/hisax/hfc_pci.c
drivers/macintosh/ans-lcd.c
drivers/macintosh/via-pmu.c
drivers/media/pci/ivtv/ivtvfb.c
drivers/media/v4l2-core/v4l2-compat-ioctl32.c
drivers/misc/vmw_vmci/vmci_host.c
drivers/net/dsa/bcm_sf2.c
drivers/net/ethernet/atheros/atl1e/atl1e_main.c
drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
drivers/net/ethernet/freescale/fman/fman_memac.c
drivers/net/ethernet/freescale/fman/fman_tgec.c
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
drivers/net/ethernet/huawei/hinic/hinic_main.c
drivers/net/ethernet/ibm/ibmveth.c
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
drivers/net/ethernet/realtek/r8169.c
drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
drivers/net/ethernet/sun/niu.c
drivers/net/ethernet/ti/cpts.c
drivers/net/hamradio/6pack.c
drivers/net/tap.c
drivers/net/wan/fsl_ucc_hdlc.c
drivers/net/wan/x25_asy.c
drivers/pci/proc.c
drivers/platform/goldfish/goldfish_pipe.c
drivers/pnp/isapnp/proc.c
drivers/scsi/pmcraid.c
drivers/scsi/scsi_ioctl.c
drivers/scsi/sg.c
drivers/staging/comedi/comedi_compat32.c
drivers/tty/n_hdlc.c
drivers/usb/core/devices.c
drivers/usb/core/devio.c
drivers/usb/gadget/function/f_hid.c
drivers/usb/gadget/udc/atmel_usba_udc.c
drivers/vhost/vhost.c
drivers/video/fbdev/amifb.c
drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
drivers/xen/privcmd.c
fs/binfmt_aout.c
fs/btrfs/send.c
fs/eventpoll.c
fs/fat/dir.c
fs/ioctl.c
fs/locks.c
fs/namespace.c
fs/ocfs2/dlmfs/dlmfs.c
fs/pstore/pmsg.c
fs/pstore/ram_core.c
fs/read_write.c
fs/readdir.c
fs/select.c
include/asm-generic/uaccess.h
include/linux/bpf_verifier.h
include/linux/filter.h
include/linux/phy.h
include/linux/phy/phy.h
include/linux/ptr_ring.h
include/linux/regset.h
include/linux/uaccess.h
include/net/checksum.h
include/net/ip_tunnels.h
include/net/netfilter/nf_conntrack_count.h
include/net/sock.h
kernel/bpf/core.c
kernel/bpf/syscall.c
kernel/bpf/verifier.c
kernel/compat.c
kernel/events/core.c
kernel/exit.c
kernel/futex.c
kernel/printk/printk.c
kernel/ptrace.c
kernel/rseq.c
kernel/sched/core.c
kernel/signal.c
kernel/sys.c
kernel/trace/bpf_trace.c
lib/bitmap.c
lib/iov_iter.c
lib/strncpy_from_user.c
lib/strnlen_user.c
lib/usercopy.c
mm/gup.c
mm/mincore.c
net/ax25/af_ax25.c
net/ax25/ax25_dev.c
net/batman-adv/icmp_socket.c
net/batman-adv/log.c
net/compat.c
net/core/ethtool.c
net/core/rtnetlink.c
net/core/sock.c
net/ipv4/fib_rules.c
net/ipv4/ip_gre.c
net/ipv4/ip_tunnel.c
net/ipv4/ip_vti.c
net/ipv6/addrconf.c
net/ipv6/af_inet6.c
net/ipv6/ip6_fib.c
net/ipv6/ip6_gre.c
net/ipv6/ip6_tunnel.c
net/ipv6/ip6_vti.c
net/ipv6/ip6mr.c
net/ipv6/reassembly.c
net/ipv6/route.c
net/ipv6/sit.c
net/netfilter/nf_conncount.c
net/netfilter/nf_tables_api.c
net/netfilter/nft_connlimit.c
net/netrom/af_netrom.c
net/rds/tcp.c
net/sunrpc/svcsock.c
net/sunrpc/sysctl.c
net/tipc/bearer.c
net/tipc/netlink_compat.c
security/tomoyo/common.c
sound/core/seq/seq_clientmgr.c
sound/isa/sb/emu8000_patch.c
sound/pci/hda/Kconfig
sound/pci/hda/hda_controller.h
sound/pci/hda/hda_intel.c
sound/pci/hda/hda_tegra.c
sound/pci/hda/patch_realtek.c
sound/soc/intel/Kconfig
tools/perf/util/include/asm/uaccess.h
tools/testing/selftests/bpf/test_maps.c
tools/testing/selftests/bpf/test_verifier.c
virt/kvm/kvm_main.c

index f8eb77ddbd4403d60513bff5c232d6297b305b79..b0dfdaaca512b38bc1b5a940ce52d55011618279 100644 (file)
@@ -571,7 +571,97 @@ duplicate packet is received.
 
 * TcpExtTCPDSACKOfoRecv
 The TCP stack receives a DSACK, which indicate an out of order
-duplciate packet is received.
+duplicate packet is received.
+
+TCP out of order
+===============
+* TcpExtTCPOFOQueue
+The TCP layer receives an out of order packet and has enough memory
+to queue it.
+
+* TcpExtTCPOFODrop
+The TCP layer receives an out of order packet but doesn't have enough
+memory, so drops it. Such packets won't be counted into
+TcpExtTCPOFOQueue.
+
+* TcpExtTCPOFOMerge
+The received out of order packet has an overlay with the previous
+packet. the overlay part will be dropped. All of TcpExtTCPOFOMerge
+packets will also be counted into TcpExtTCPOFOQueue.
+
+TCP PAWS
+=======
+PAWS (Protection Against Wrapped Sequence numbers) is an algorithm
+which is used to drop old packets. It depends on the TCP
+timestamps. For detail information, please refer the `timestamp wiki`_
+and the `RFC of PAWS`_.
+
+.. _RFC of PAWS: https://tools.ietf.org/html/rfc1323#page-17
+.. _timestamp wiki: https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_timestamps
+
+* TcpExtPAWSActive
+Packets are dropped by PAWS in Syn-Sent status.
+
+* TcpExtPAWSEstab
+Packets are dropped by PAWS in any status other than Syn-Sent.
+
+TCP ACK skip
+===========
+In some scenarios, kernel would avoid sending duplicate ACKs too
+frequently. Please find more details in the tcp_invalid_ratelimit
+section of the `sysctl document`_. When kernel decides to skip an ACK
+due to tcp_invalid_ratelimit, kernel would update one of below
+counters to indicate the ACK is skipped in which scenario. The ACK
+would only be skipped if the received packet is either a SYN packet or
+it has no data.
+
+.. _sysctl document: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+* TcpExtTCPACKSkippedSynRecv
+The ACK is skipped in Syn-Recv status. The Syn-Recv status means the
+TCP stack receives a SYN and replies SYN+ACK. Now the TCP stack is
+waiting for an ACK. Generally, the TCP stack doesn't need to send ACK
+in the Syn-Recv status. But in several scenarios, the TCP stack need
+to send an ACK. E.g., the TCP stack receives the same SYN packet
+repeately, the received packet does not pass the PAWS check, or the
+received packet sequence number is out of window. In these scenarios,
+the TCP stack needs to send ACK. If the ACk sending frequency is higher than
+tcp_invalid_ratelimit allows, the TCP stack will skip sending ACK and
+increase TcpExtTCPACKSkippedSynRecv.
+
+
+* TcpExtTCPACKSkippedPAWS
+The ACK is skipped due to PAWS (Protect Against Wrapped Sequence
+numbers) check fails. If the PAWS check fails in Syn-Recv, Fin-Wait-2
+or Time-Wait statuses, the skipped ACK would be counted to
+TcpExtTCPACKSkippedSynRecv, TcpExtTCPACKSkippedFinWait2 or
+TcpExtTCPACKSkippedTimeWait. In all other statuses, the skipped ACK
+would be counted to TcpExtTCPACKSkippedPAWS.
+
+* TcpExtTCPACKSkippedSeq
+The sequence number is out of window and the timestamp passes the PAWS
+check and the TCP status is not Syn-Recv, Fin-Wait-2, and Time-Wait.
+
+* TcpExtTCPACKSkippedFinWait2
+The ACK is skipped in Fin-Wait-2 status, the reason would be either
+PAWS check fails or the received sequence number is out of window.
+
+* TcpExtTCPACKSkippedTimeWait
+Tha ACK is skipped in Time-Wait status, the reason would be either
+PAWS check failed or the received sequence number is out of window.
+
+* TcpExtTCPACKSkippedChallenge
+The ACK is skipped if the ACK is a challenge ACK. The RFC 5961 defines
+3 kind of challenge ACK, please refer `RFC 5961 section 3.2`_,
+`RFC 5961 section 4.2`_ and `RFC 5961 section 5.2`_. Besides these
+three scenarios, In some TCP status, the linux TCP stack would also
+send challenge ACKs if the ACK number is before the first
+unacknowledged number (more strict than `RFC 5961 section 5.2`_).
+
+.. _RFC 5961 section 3.2: https://tools.ietf.org/html/rfc5961#page-7
+.. _RFC 5961 section 4.2: https://tools.ietf.org/html/rfc5961#page-9
+.. _RFC 5961 section 5.2: https://tools.ietf.org/html/rfc5961#page-11
+
 
 examples
 =======
@@ -1188,3 +1278,151 @@ Run nstat on server B::
 We have deleted the default route on server B. Server B couldn't find
 a route for the 8.8.8.8 IP address, so server B increased
 IpOutNoRoutes.
+
+TcpExtTCPACKSkippedSynRecv
+------------------------
+In this test, we send 3 same SYN packets from client to server. The
+first SYN will let server create a socket, set it to Syn-Recv status,
+and reply a SYN/ACK. The second SYN will let server reply the SYN/ACK
+again, and record the reply time (the duplicate ACK reply time). The
+third SYN will let server check the previous duplicate ACK reply time,
+and decide to skip the duplicate ACK, then increase the
+TcpExtTCPACKSkippedSynRecv counter.
+
+Run tcpdump to capture a SYN packet::
+
+  nstatuser@nstat-a:~$ sudo tcpdump -c 1 -w /tmp/syn.pcap port 9000
+  tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
+
+Open another terminal, run nc command::
+
+  nstatuser@nstat-a:~$ nc nstat-b 9000
+
+As the nstat-b didn't listen on port 9000, it should reply a RST, and
+the nc command exited immediately. It was enough for the tcpdump
+command to capture a SYN packet. A linux server might use hardware
+offload for the TCP checksum, so the checksum in the /tmp/syn.pcap
+might be not correct. We call tcprewrite to fix it::
+
+  nstatuser@nstat-a:~$ tcprewrite --infile=/tmp/syn.pcap --outfile=/tmp/syn_fixcsum.pcap --fixcsum
+
+On nstat-b, we run nc to listen on port 9000::
+
+  nstatuser@nstat-b:~$ nc -lkv 9000
+  Listening on [0.0.0.0] (family 0, port 9000)
+
+On nstat-a, we blocked the packet from port 9000, or nstat-a would send
+RST to nstat-b::
+
+  nstatuser@nstat-a:~$ sudo iptables -A INPUT -p tcp --sport 9000 -j DROP
+
+Send 3 SYN repeatly to nstat-b::
+
+  nstatuser@nstat-a:~$ for i in {1..3}; do sudo tcpreplay -i ens3 /tmp/syn_fixcsum.pcap; done
+
+Check snmp cunter on nstat-b::
+
+  nstatuser@nstat-b:~$ nstat | grep -i skip
+  TcpExtTCPACKSkippedSynRecv      1                  0.0
+
+As we expected, TcpExtTCPACKSkippedSynRecv is 1.
+
+TcpExtTCPACKSkippedPAWS
+----------------------
+To trigger PAWS, we could send an old SYN.
+
+On nstat-b, let nc listen on port 9000::
+
+  nstatuser@nstat-b:~$ nc -lkv 9000
+  Listening on [0.0.0.0] (family 0, port 9000)
+
+On nstat-a, run tcpdump to capture a SYN::
+
+  nstatuser@nstat-a:~$ sudo tcpdump -w /tmp/paws_pre.pcap -c 1 port 9000
+  tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
+
+On nstat-a, run nc as a client to connect nstat-b::
+
+  nstatuser@nstat-a:~$ nc -v nstat-b 9000
+  Connection to nstat-b 9000 port [tcp/*] succeeded!
+
+Now the tcpdump has captured the SYN and exit. We should fix the
+checksum::
+
+  nstatuser@nstat-a:~$ tcprewrite --infile /tmp/paws_pre.pcap --outfile /tmp/paws.pcap --fixcsum
+
+Send the SYN packet twice::
+
+  nstatuser@nstat-a:~$ for i in {1..2}; do sudo tcpreplay -i ens3 /tmp/paws.pcap; done
+
+On nstat-b, check the snmp counter::
+
+  nstatuser@nstat-b:~$ nstat | grep -i skip
+  TcpExtTCPACKSkippedPAWS         1                  0.0
+
+We sent two SYN via tcpreplay, both of them would let PAWS check
+failed, the nstat-b replied an ACK for the first SYN, skipped the ACK
+for the second SYN, and updated TcpExtTCPACKSkippedPAWS.
+
+TcpExtTCPACKSkippedSeq
+--------------------
+To trigger TcpExtTCPACKSkippedSeq, we send packets which have valid
+timestamp (to pass PAWS check) but the sequence number is out of
+window. The linux TCP stack would avoid to skip if the packet has
+data, so we need a pure ACK packet. To generate such a packet, we
+could create two sockets: one on port 9000, another on port 9001. Then
+we capture an ACK on port 9001, change the source/destination port
+numbers to match the port 9000 socket. Then we could trigger
+TcpExtTCPACKSkippedSeq via this packet.
+
+On nstat-b, open two terminals, run two nc commands to listen on both
+port 9000 and port 9001::
+
+  nstatuser@nstat-b:~$ nc -lkv 9000
+  Listening on [0.0.0.0] (family 0, port 9000)
+
+  nstatuser@nstat-b:~$ nc -lkv 9001
+  Listening on [0.0.0.0] (family 0, port 9001)
+
+On nstat-a, run two nc clients::
+
+  nstatuser@nstat-a:~$ nc -v nstat-b 9000
+  Connection to nstat-b 9000 port [tcp/*] succeeded!
+
+  nstatuser@nstat-a:~$ nc -v nstat-b 9001
+  Connection to nstat-b 9001 port [tcp/*] succeeded!
+
+On nstat-a, run tcpdump to capture an ACK::
+
+  nstatuser@nstat-a:~$ sudo tcpdump -w /tmp/seq_pre.pcap -c 1 dst port 9001
+  tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
+
+On nstat-b, send a packet via the port 9001 socket. E.g. we sent a
+string 'foo' in our example::
+
+  nstatuser@nstat-b:~$ nc -lkv 9001
+  Listening on [0.0.0.0] (family 0, port 9001)
+  Connection from nstat-a 42132 received!
+  foo
+
+On nstat-a, the tcpdump should have caputred the ACK. We should check
+the source port numbers of the two nc clients::
+
+  nstatuser@nstat-a:~$ ss -ta '( dport = :9000 || dport = :9001 )' | tee
+  State  Recv-Q   Send-Q         Local Address:Port           Peer Address:Port
+  ESTAB  0        0            192.168.122.250:50208       192.168.122.251:9000
+  ESTAB  0        0            192.168.122.250:42132       192.168.122.251:9001
+
+Run tcprewrite, change port 9001 to port 9000, chagne port 42132 to
+port 50208::
+
+  nstatuser@nstat-a:~$ tcprewrite --infile /tmp/seq_pre.pcap --outfile /tmp/seq.pcap -r 9001:9000 -r 42132:50208 --fixcsum
+
+Now the /tmp/seq.pcap is the packet we need. Send it to nstat-b::
+
+  nstatuser@nstat-a:~$ for i in {1..2}; do sudo tcpreplay -i ens3 /tmp/seq.pcap; done
+
+Check TcpExtTCPACKSkippedSeq on nstat-b::
+
+  nstatuser@nstat-b:~$ nstat | grep -i skip
+  TcpExtTCPACKSkippedSeq          1                  0.0
index ca3322536f7247d706bd70d7b7f044f3c3807bea..bfd3c01038f83bac87462029595c7d502bb123d3 100644 (file)
@@ -68,7 +68,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret = 0, cmp;
        u32 prev;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        __asm__ __volatile__ (
index 87d8c4f0307d11539c15df2aa8dace09656a6560..e69c4e13c3283577579e21239653a01bef64fd26 100644 (file)
@@ -36,7 +36,7 @@
 #define __access_ok(addr, size) \
        ((get_fs().seg & (addr | size | (addr+size))) == 0)
 
-#define access_ok(type, addr, size)                    \
+#define access_ok(addr, size)                          \
 ({                                                     \
        __chk_user_ptr(addr);                           \
        __access_ok(((unsigned long)(addr)), (size));   \
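Review bot: The `#define access_ok(addr, size)` line has no comment saying what the macro checks, and with the `type` argument gone a call site no longer shows whether a read or a write was intended. From the `__access_ok()` definition visible just above, it only tests the address, the size and their sum against the `get_fs().seg` mask, which is a range test and not a permission test. I would add above the define `/* Range check only: non-zero if addr, size and addr+size all pass the current segment mask; says nothing about read/write permission. */`. The macro body continues past the end of this hunk.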
index 8c0c4ee0be6edb62d90be4ccbffdb4210a09b89c..33e904a05881797481c1d95b68e56332040bf809 100644 (file)
@@ -65,7 +65,7 @@ SYSCALL_DEFINE3(osf_sigaction, int, sig,
 
        if (act) {
                old_sigset_t mask;
-               if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
+               if (!access_ok(act, sizeof(*act)) ||
                    __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
                    __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
                    __get_user(mask, &act->sa_mask))
@@ -77,7 +77,7 @@ SYSCALL_DEFINE3(osf_sigaction, int, sig,
        ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
        if (!ret && oact) {
-               if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
+               if (!access_ok(oact, sizeof(*oact)) ||
                    __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
                    __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
                    __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
@@ -207,7 +207,7 @@ do_sigreturn(struct sigcontext __user *sc)
        sigset_t set;
 
        /* Verify that it's a good sigcontext before using it */
-       if (!access_ok(VERIFY_READ, sc, sizeof(*sc)))
+       if (!access_ok(sc, sizeof(*sc)))
                goto give_sigsegv;
        if (__get_user(set.sig[0], &sc->sc_mask))
                goto give_sigsegv;
@@ -235,7 +235,7 @@ do_rt_sigreturn(struct rt_sigframe __user *frame)
        sigset_t set;
 
        /* Verify that it's a good ucontext_t before using it */
-       if (!access_ok(VERIFY_READ, &frame->uc, sizeof(frame->uc)))
+       if (!access_ok(&frame->uc, sizeof(frame->uc)))
                goto give_sigsegv;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto give_sigsegv;
@@ -332,7 +332,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
 
        oldsp = rdusp();
        frame = get_sigframe(ksig, oldsp, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= setup_sigcontext(&frame->sc, regs, set->sig[0], oldsp);
@@ -377,7 +377,7 @@ setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
 
        oldsp = rdusp();
        frame = get_sigframe(ksig, oldsp, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= copy_siginfo_to_user(&frame->info, &ksig->info);
index ddb9c2f376fa2965035311f48b77e049581ed982..e53f96e8aa6d2bbe60bed40d0d549f3b428cdbc5 100644 (file)
@@ -333,7 +333,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len,
        unsigned long doff = 7 & (unsigned long) dst;
 
        if (len) {
-               if (!access_ok(VERIFY_READ, src, len)) {
+               if (!access_ok(src, len)) {
                        if (errp) *errp = -EFAULT;
                        memset(dst, 0, len);
                        return sum;
index eb887dd13e74862b9bfbba21c2d2d9f09e3b113c..c29c3fae68549b5d84a230a17094698db3037994 100644 (file)
@@ -126,7 +126,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, u32 expval,
        int ret = 0;
        u32 existval;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
 #ifndef CONFIG_ARC_HAS_LLSC
index 8ce6e723591556fc12765a19e08090632bb9d0ba..641c364fc232f01fe0763423894130047286dd35 100644 (file)
@@ -61,7 +61,7 @@ SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
        /* Z indicates to userspace if operation succeded */
        regs->status32 &= ~STATUS_Z_MASK;
 
-       ret = access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr));
+       ret = access_ok(uaddr, sizeof(*uaddr));
        if (!ret)
                 goto fail;
 
index 48685445002e77ee55a2fe24c40a9c63319b4489..1bfb7de696bd67361a098be6a705df21d3c0ff00 100644 (file)
@@ -169,7 +169,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
        sf = (struct rt_sigframe __force __user *)(regs->sp);
 
-       if (!access_ok(VERIFY_READ, sf, sizeof(*sf)))
+       if (!access_ok(sf, sizeof(*sf)))
                goto badframe;
 
        if (__get_user(magic, &sf->sigret_magic))
@@ -219,7 +219,7 @@ static inline void __user *get_sigframe(struct ksignal *ksig,
        frame = (void __user *)((sp - framesize) & ~7);
 
        /* Check that we can actually write to the signal frame */
-       if (!access_ok(VERIFY_WRITE, frame, framesize))
+       if (!access_ok(frame, framesize))
                frame = NULL;
 
        return frame;
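Review bot: The comment `/* Check that we can actually write to the signal frame */` above the changed `access_ok(frame, framesize)` call now overstates the check. With `VERIFY_WRITE` removed the call carries no direction at all, and nothing visible here suggests it validates more than the address range. I would reword it to `/* Check that the signal frame lies within the user address range */`, so a non-NULL return is not read as proof that the frame is writable; the later stores still depend on the fault-handling user accessors. The ARM `get_sigframe()` hunk further down carries a similar comment above the same call and deserves the same rewording. The start of `get_sigframe()` is outside this hunk.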
index ffebe7b7a5b743682c071fc14a7dd30f75ebfac9..0a46676b4245b3d15292eac1c03f5915033d8cae 100644 (file)
@@ -50,7 +50,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret;
        u32 val;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        smp_mb();
@@ -104,7 +104,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret = 0;
        u32 val;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        preempt_disable();
index c136eef8f690be60bba14f6a871dff286a5942f0..27ed17ec45fe2a5728f8cec106baf3a8596afb2f 100644 (file)
@@ -279,7 +279,7 @@ static inline void set_fs(mm_segment_t fs)
 
 #endif /* CONFIG_MMU */
 
-#define access_ok(type, addr, size)    (__range_ok(addr, size) == 0)
+#define access_ok(addr, size)  (__range_ok(addr, size) == 0)
 
 #define user_addr_max() \
        (uaccess_kernel() ? ~0UL : get_fs())
@@ -560,7 +560,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
 
 static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
 {
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                n = __clear_user(to, n);
        return n;
 }
index 08e43a32a693bd810f98d366e19c03e1e3767d63..3b69a76d341e784075a1f8ef053f0d308177feee 100644 (file)
@@ -37,7 +37,7 @@ user_backtrace(struct frame_tail __user *tail,
        struct frame_tail buftail;
        unsigned long err;
 
-       if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+       if (!access_ok(tail, sizeof(buftail)))
                return NULL;
 
        pagefault_disable();
index b908382b69ff55a4036fc03208e327df6bc3fbd0..76bb8de6bf6b6983bf5a231ae66b8a162bd9e3ba 100644 (file)
@@ -241,7 +241,7 @@ asmlinkage int sys_sigreturn(struct pt_regs *regs)
 
        frame = (struct sigframe __user *)regs->ARM_sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                goto badframe;
 
        if (restore_sigframe(regs, frame))
@@ -271,7 +271,7 @@ asmlinkage int sys_rt_sigreturn(struct pt_regs *regs)
 
        frame = (struct rt_sigframe __user *)regs->ARM_sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                goto badframe;
 
        if (restore_sigframe(regs, &frame->sig))
@@ -355,7 +355,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, int framesize)
        /*
         * Check that we can actually write to the signal frame.
         */
-       if (!access_ok(VERIFY_WRITE, frame, framesize))
+       if (!access_ok(frame, framesize))
                frame = NULL;
 
        return frame;
index a188d5e8ab7fa1c32f42a22d612a69603ea7629a..76f6e6a9736cd45f9c14a3165d2c9fb553c3bdf8 100644 (file)
@@ -198,7 +198,7 @@ static int swp_handler(struct pt_regs *regs, unsigned int instr)
                 destreg, EXTRACT_REG_NUM(instr, RT2_OFFSET), data);
 
        /* Check access in reasonable access range for both SWP and SWPB */
-       if (!access_ok(VERIFY_WRITE, (address & ~3), 4)) {
+       if (!access_ok((address & ~3), 4)) {
                pr_debug("SWP{B} emulation: access to %p not allowed!\n",
                         (void *)address);
                res = -EFAULT;
index 40da0872170fca836d734b12257c63906d1e6b8f..92ab36f3879512979c4b0ba558b92599d3df89ab 100644 (file)
@@ -285,7 +285,7 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
                        maxevents > (INT_MAX/sizeof(*kbuf)) ||
                        maxevents > (INT_MAX/sizeof(*events)))
                return -EINVAL;
-       if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+       if (!access_ok(events, sizeof(*events) * maxevents))
                return -EFAULT;
        kbuf = kmalloc_array(maxevents, sizeof(*kbuf), GFP_KERNEL);
        if (!kbuf)
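Review bot: The size passed in `access_ok(events, sizeof(*events) * maxevents)` is only overflow-free because of the `maxevents > (INT_MAX/sizeof(*events))` rejection directly above it, and nothing at the call says so. A one-line comment such as `/* cannot overflow: maxevents is bounded by INT_MAX/sizeof(*events) above */` would stop a later edit from moving or relaxing that bound without revisiting the multiplication. The same pattern appears in the `sys_oabi_semtimedop` hunk below, where `nsops` is bounded by `SEMOPM`. The bounds condition starts outside this hunk, so any lower-bound check on `maxevents` is not visible here.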
@@ -326,7 +326,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
 
        if (nsops < 1 || nsops > SEMOPM)
                return -EINVAL;
-       if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+       if (!access_ok(tsops, sizeof(*tsops) * nsops))
                return -EFAULT;
        sops = kmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
        if (!sops)
index 2d668cff8ef431dd00cde262fa7118fc846a2964..33af097c454bd53f6beea7419b76953e3228616d 100644 (file)
@@ -582,7 +582,7 @@ do_cache_op(unsigned long start, unsigned long end, int flags)
        if (end < start || flags)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_READ, start, end - start))
+       if (!access_ok(start, end - start))
                return -EFAULT;
 
        return __do_cache_op(start, end);
index cc649a1e46da27ae45488d743597edcc251430ff..7cb3e0453fcd928eb48bbd80dec6b98f38179820 100644 (file)
@@ -88,7 +88,7 @@ static struct frame_tail* user_backtrace(struct frame_tail *tail)
        struct frame_tail buftail[2];
 
        /* Also check accessibility of one struct frame_tail beyond */
-       if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+       if (!access_ok(tail, sizeof(buftail)))
                return NULL;
        if (__copy_from_user_inatomic(buftail, tail, sizeof(buftail)))
                return NULL;
index 07fe2479d3105da29feafcb57a209d3942e6dca3..cccb83ad7fa8ea2e1f4251dd724edc62c754771b 100644 (file)
@@ -96,7 +96,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr,
        u32 val, tmp;
        u32 __user *uaddr;
 
-       if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32)))
+       if (!access_ok(_uaddr, sizeof(u32)))
                return -EFAULT;
 
        uaddr = __uaccess_mask_ptr(_uaddr);
index ed252435fd92484cde9d0c04a36ba27b35605948..547d7a0c9d05bdfa30cc102acbc4a7c403d5bfc6 100644 (file)
@@ -95,7 +95,7 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si
        return ret;
 }
 
-#define access_ok(type, addr, size)    __range_ok(addr, size)
+#define access_ok(addr, size)  __range_ok(addr, size)
 #define user_addr_max                  get_fs
 
 #define _ASM_EXTABLE(from, to)                                         \
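Review bot: `#define access_ok(addr, size)  __range_ok(addr, size)` uses the helper's return value directly, while the 32-bit ARM header changed in this same commit defines it as `(__range_ok(addr, size) == 0)`. The two `__range_ok()` helpers therefore have opposite success conventions, and the define does not say so. A short comment on the arm64 line, e.g. `/* arm64 __range_ok() returns non-zero when the range is valid (opposite of 32-bit ARM) */`, would keep someone moving code between the two trees from inverting a user-pointer check. Only the tail of `__range_ok()` is visible in this hunk, so the convention is inferred from the two defines.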
@@ -301,7 +301,7 @@ do {                                                                        \
 ({                                                                     \
        __typeof__(*(ptr)) __user *__p = (ptr);                         \
        might_fault();                                                  \
-       if (access_ok(VERIFY_READ, __p, sizeof(*__p))) {                \
+       if (access_ok(__p, sizeof(*__p))) {                             \
                __p = uaccess_mask_ptr(__p);                            \
                __get_user_err((x), __p, (err));                        \
        } else {                                                        \
@@ -370,7 +370,7 @@ do {                                                                        \
 ({                                                                     \
        __typeof__(*(ptr)) __user *__p = (ptr);                         \
        might_fault();                                                  \
-       if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) {               \
+       if (access_ok(__p, sizeof(*__p))) {                             \
                __p = uaccess_mask_ptr(__p);                            \
                __put_user_err((x), __p, (err));                        \
        } else  {                                                       \
@@ -418,7 +418,7 @@ extern unsigned long __must_check __arch_copy_in_user(void __user *to, const voi
 extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
 static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
 {
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                n = __arch_clear_user(__uaccess_mask_ptr(to), n);
        return n;
 }
index 92be1d12d59080d06472e05e2f292f812a38d224..e52e7280884a850a033b9d91e495dd9e2cb82efc 100644 (file)
@@ -402,7 +402,7 @@ static int swp_handler(struct pt_regs *regs, u32 instr)
 
        /* Check access in reasonable access range for both SWP and SWPB */
        user_ptr = (const void __user *)(unsigned long)(address & ~3);
-       if (!access_ok(VERIFY_WRITE, user_ptr, 4)) {
+       if (!access_ok(user_ptr, 4)) {
                pr_debug("SWP{B} emulation: access to 0x%08x not allowed!\n",
                        address);
                goto fault;
index a34c26afacb0eaf38bebe89ea3dd13d19972c4a9..61d983f5756f8a94ff449cb53bb99534bbf4ac6b 100644 (file)
@@ -39,7 +39,7 @@ user_backtrace(struct frame_tail __user *tail,
        unsigned long lr;
 
        /* Also check accessibility of one struct frame_tail beyond */
-       if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+       if (!access_ok(tail, sizeof(buftail)))
                return NULL;
 
        pagefault_disable();
@@ -86,7 +86,7 @@ compat_user_backtrace(struct compat_frame_tail __user *tail,
        unsigned long err;
 
        /* Also check accessibility of one struct frame_tail beyond */
-       if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+       if (!access_ok(tail, sizeof(buftail)))
                return NULL;
 
        pagefault_disable();
index 5dcc942906db3afe34cc9972a3eaaa6b72b0848c..867a7cea70e52efe753cc7e40b8815fa2b76e6d5 100644 (file)
@@ -470,7 +470,7 @@ static int parse_user_sigframe(struct user_ctxs *user,
                        offset = 0;
                        limit = extra_size;
 
-                       if (!access_ok(VERIFY_READ, base, limit))
+                       if (!access_ok(base, limit))
                                goto invalid;
 
                        continue;
@@ -556,7 +556,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
        frame = (struct rt_sigframe __user *)regs->sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                goto badframe;
 
        if (restore_sigframe(regs, frame))
@@ -730,7 +730,7 @@ static int get_sigframe(struct rt_sigframe_user_layout *user,
        /*
         * Check that we can actually write to the signal frame.
         */
-       if (!access_ok(VERIFY_WRITE, user->sigframe, sp_top - sp))
+       if (!access_ok(user->sigframe, sp_top - sp))
                return -EFAULT;
 
        return 0;
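Review bot: The comment above this check, "Check that we can actually write to the signal frame", overstates what the new call does. `access_ok(user->sigframe, sp_top - sp)` no longer names an access type and, as far as the hunks on this page show, only validates that the range lies within the user address range. I would reword it to `/* Check that the signal frame lies within the user address range; this does not prove the pages are writable. */`. The same comment sits above `access_ok(frame, framesize)` in the compat_get_sigframe hunk further down. get_sigframe starts outside this hunk.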
index 24b09003f8214ce0df5a222a112e6cf10d2161e9..cb7800acd19fbd4554b1d25adab62c908421a0cf 100644 (file)
@@ -303,7 +303,7 @@ COMPAT_SYSCALL_DEFINE0(sigreturn)
 
        frame = (struct compat_sigframe __user *)regs->compat_sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                goto badframe;
 
        if (compat_restore_sigframe(regs, frame))
@@ -334,7 +334,7 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
 
        frame = (struct compat_rt_sigframe __user *)regs->compat_sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                goto badframe;
 
        if (compat_restore_sigframe(regs, &frame->sig))
@@ -365,7 +365,7 @@ static void __user *compat_get_sigframe(struct ksignal *ksig,
        /*
         * Check that we can actually write to the signal frame.
         */
-       if (!access_ok(VERIFY_WRITE, frame, framesize))
+       if (!access_ok(frame, framesize))
                frame = NULL;
 
        return frame;
index 32653d156747e7d8c23ce34ec72ba17341be43a3..21005dfe8406cc390fd34594d017853709d79858 100644 (file)
@@ -58,7 +58,7 @@ do_compat_cache_op(unsigned long start, unsigned long end, int flags)
        if (end < start || flags)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_READ, (const void __user *)start, end - start))
+       if (!access_ok((const void __user *)start, end - start))
                return -EFAULT;
 
        return __do_compat_cache_op(start, end);
index 3c4bb5a5c3820a1d3ad7b7a1ffef55f6206ff838..33b9f69c38f7ba8f95aa5e07e259c3d343bd0c97 100644 (file)
@@ -80,7 +80,7 @@ asmlinkage int do_rt_sigreturn(struct pt_regs *regs)
 
        frame = (struct rt_sigframe __user *) ((unsigned long) regs->sp + 8);
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
@@ -149,7 +149,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= __put_user(&frame->info, &frame->pinfo);
index 60205e98fb87a50b54b9cc55d34e8f87e9fe7569..d789be36eb4f092b992d77967dec5ad11ff7865d 100644 (file)
@@ -32,7 +32,7 @@ static int ldb_asm(uint32_t addr, uint32_t *valp)
        uint32_t val;
        int err;
 
-       if (!access_ok(VERIFY_READ, (void *)addr, 1))
+       if (!access_ok((void *)addr, 1))
                return 1;
 
        asm volatile (
@@ -67,7 +67,7 @@ static int stb_asm(uint32_t addr, uint32_t val)
 {
        int err;
 
-       if (!access_ok(VERIFY_WRITE, (void *)addr, 1))
+       if (!access_ok((void *)addr, 1))
                return 1;
 
        asm volatile (
index acaf0e210d81cfd32f4c394c1b895b601aa7ddb5..eaa1c3403a42458bec78a0a1cbf9678ec7a45b84 100644 (file)
 #include <linux/version.h>
 #include <asm/segment.h>
 
-#define VERIFY_READ    0
-#define VERIFY_WRITE   1
-
-static inline int access_ok(int type, const void *addr, unsigned long size)
+static inline int access_ok(const void *addr, unsigned long size)
 {
        unsigned long limit = current_thread_info()->addr_limit.seg;
 
@@ -27,12 +24,7 @@ static inline int access_ok(int type, const void *addr, unsigned long size)
                ((unsigned long)(addr + size) < limit));
 }
 
-static inline int verify_area(int type, const void *addr, unsigned long size)
-{
-       return access_ok(type, addr, size) ? 0 : -EFAULT;
-}
-
-#define __addr_ok(addr) (access_ok(VERIFY_READ, addr, 0))
+#define __addr_ok(addr) (access_ok(addr, 0))
 
 extern int __put_user_bad(void);
 
@@ -91,7 +83,7 @@ extern int __put_user_bad(void);
        long __pu_err = -EFAULT;                                        \
        typeof(*(ptr)) *__pu_addr = (ptr);                              \
        typeof(*(ptr)) __pu_val = (typeof(*(ptr)))(x);                  \
-       if (access_ok(VERIFY_WRITE, __pu_addr, size) && __pu_addr)      \
+       if (access_ok(__pu_addr, size) && __pu_addr)    \
                __put_user_size(__pu_val, __pu_addr, (size), __pu_err); \
        __pu_err;                                                       \
 })
@@ -217,7 +209,7 @@ do {                                                                \
 ({                                                             \
        int __gu_err = -EFAULT;                                 \
        const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);      \
-       if (access_ok(VERIFY_READ, __gu_ptr, size) && __gu_ptr) \
+       if (access_ok(__gu_ptr, size) && __gu_ptr)      \
                __get_user_size(x, __gu_ptr, size, __gu_err);   \
        __gu_err;                                               \
 })
index 66e1b729b10b741d63cf841c0fa0bd733a3e4f3f..9967c10eee2bff00f7bab79ef4ab3fd1b6023430 100644 (file)
@@ -88,7 +88,7 @@ do_rt_sigreturn(void)
        struct pt_regs *regs = current_pt_regs();
        struct rt_sigframe *frame = (struct rt_sigframe *)(regs->usp);
 
-       if (verify_area(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
index ac9170e2cbb8fff9bd01450ab3c6c69d91ec9b97..647a23986fb502bb7fad776cb05bce854ef956f3 100644 (file)
@@ -7,7 +7,7 @@
 unsigned long raw_copy_from_user(void *to, const void *from,
                        unsigned long n)
 {
-       if (access_ok(VERIFY_READ, from, n))
+       if (access_ok(from, n))
                __copy_user_zeroing(to, from, n);
        else
                memset(to, 0, n);
@@ -18,7 +18,7 @@ EXPORT_SYMBOL(raw_copy_from_user);
 unsigned long raw_copy_to_user(void *to, const void *from,
                        unsigned long n)
 {
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                __copy_user(to, from, n);
        return n;
 }
@@ -113,7 +113,7 @@ long strncpy_from_user(char *dst, const char *src, long count)
 {
        long res = -EFAULT;
 
-       if (access_ok(VERIFY_READ, src, 1))
+       if (access_ok(src, 1))
                __do_strncpy_from_user(dst, src, count, res);
        return res;
 }
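Review bot: The range check in strncpy_from_user covers a single byte, `access_ok(src, 1)`, while the copy that follows is bounded by `count`, so nothing past the first byte of the source is range-checked here. Whether `__do_strncpy_from_user` stops at the address limit through its fault handling is not visible in this hunk. If it does, that reliance deserves a comment such as `/* only the first byte is range-checked; later bytes rely on the fault fixup in __do_strncpy_from_user */`. If it does not, `count` should be clamped to the space left below the address limit before the copy. The later strncpy_from_user and strnlen_user hunks on this page use the same `access_ok(src, 1)` pattern.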
@@ -236,7 +236,7 @@ do {                                                        \
 unsigned long
 clear_user(void __user *to, unsigned long n)
 {
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                __do_clear_user(to, n);
        return n;
 }
index 1e8070d08770a0cfaa0a4c05c48148ece129de0b..e0f2b708e5d9dbb6dd92cc7ac59c1f0a24411c96 100644 (file)
@@ -110,7 +110,7 @@ asmlinkage int sys_rt_sigreturn(void)
        sigset_t set;
        int er0;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
@@ -165,7 +165,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        if (ksig->ka.sa.sa_flags & SA_SIGINFO)
index c889f5993ecd35f1646e06fa1fab846860655ac6..cb635216a732c98c2d05e965762696543d7ec3e4 100644 (file)
@@ -77,7 +77,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, u32 oldval,
        int prev;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        __asm__ __volatile__ (
index 458b69886b3452fc66d3a33957285645db1c70e0..a30e58d5f3516cce39fd35caec420603e508a45b 100644 (file)
@@ -29,9 +29,6 @@
 
 /*
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
index 78aa7304a5c9f4ac6ddf97343e2a37f29df67a8d..31e2cf95f189c303cc4039753fb26fdd4db7505a 100644 (file)
@@ -115,7 +115,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(ksig, regs, sizeof(struct rt_sigframe));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(struct rt_sigframe)))
+       if (!access_ok(frame, sizeof(struct rt_sigframe)))
                return -EFAULT;
 
        if (copy_siginfo_to_user(&frame->info, &ksig->info))
@@ -244,7 +244,7 @@ asmlinkage int sys_rt_sigreturn(void)
        current->restart_block.fn = do_no_restart_syscall;
 
        frame = (struct rt_sigframe __user *)pt_psp(regs);
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&blocked, &frame->uc.uc_sigmask, sizeof(blocked)))
                goto badframe;
index c599eb126c9e7be9a3324744297f562ad743e97a..6f9c4697552cc302ab09a564175c4ffdead5830d 100644 (file)
@@ -51,7 +51,7 @@ __kernel_size_t __clear_user_hexagon(void __user *dest, unsigned long count)
 
 unsigned long clear_user_hexagon(void __user *dest, unsigned long count)
 {
-       if (!access_ok(VERIFY_WRITE, dest, count))
+       if (!access_ok(dest, count))
                return count;
        else
                return __clear_user_hexagon(dest, count);
index ccd56f5df8cdd827703a7df7591076819230310f..8d7396bd1790319eb7fa9a10b671d2b922081b36 100644 (file)
@@ -31,7 +31,7 @@ config IA64
        select HAVE_MEMBLOCK_NODE_MAP
        select HAVE_VIRT_CPU_ACCOUNTING
        select ARCH_HAS_DMA_COHERENT_TO_PFN if SWIOTLB
-       select ARCH_HAS_SYNC_DMA_FOR_CPU
+       select ARCH_HAS_SYNC_DMA_FOR_CPU if SWIOTLB
        select VIRT_TO_BUS
        select ARCH_DISCARD_MEMBLOCK
        select GENERIC_IRQ_PROBE
index db2dd85918c2923ce2877e76eed8d7d693885b2a..2e106d46219650bd8093c1100279aff3a73c7e2a 100644 (file)
@@ -86,7 +86,7 @@ static inline int
 futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
                              u32 oldval, u32 newval)
 {
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        {
index a74524f2d625f2f6669fafc9f9eead31b78a15ec..306d469e43da6d45e5b7bb2b5aac58f387fd9955 100644 (file)
@@ -67,7 +67,7 @@ static inline int __access_ok(const void __user *p, unsigned long size)
        return likely(addr <= seg) &&
         (seg == KERNEL_DS.seg || likely(REGION_OFFSET(addr) < RGN_MAP_LIMIT));
 }
-#define access_ok(type, addr, size)    __access_ok((addr), (size))
+#define access_ok(addr, size)  __access_ok((addr), (size))
 
 /*
  * These are the main single-value transfer routines.  They automatically
index 427cd565fd61d38429c9ed66cb9b2534a21ee7c3..6d50ede0ed691ca1899540722e65edb3cf896510 100644 (file)
@@ -836,7 +836,7 @@ ptrace_getregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
        char nat = 0;
        int i;
 
-       if (!access_ok(VERIFY_WRITE, ppr, sizeof(struct pt_all_user_regs)))
+       if (!access_ok(ppr, sizeof(struct pt_all_user_regs)))
                return -EIO;
 
        pt = task_pt_regs(child);
@@ -981,7 +981,7 @@ ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
 
        memset(&fpval, 0, sizeof(fpval));
 
-       if (!access_ok(VERIFY_READ, ppr, sizeof(struct pt_all_user_regs)))
+       if (!access_ok(ppr, sizeof(struct pt_all_user_regs)))
                return -EIO;
 
        pt = task_pt_regs(child);
index 99099f73b2072e7972c15aa61d57c5186d346141..6062fd14e34eb0312a310698d56c85283f453b3e 100644 (file)
@@ -132,7 +132,7 @@ ia64_rt_sigreturn (struct sigscratch *scr)
                 */
                retval = (long) &ia64_strace_leave_kernel;
 
-       if (!access_ok(VERIFY_READ, sc, sizeof(*sc)))
+       if (!access_ok(sc, sizeof(*sc)))
                goto give_sigsegv;
 
        if (GET_SIGSET(&set, &sc->sc_mask))
@@ -264,7 +264,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct sigscratch *scr)
        }
        frame = (void __user *) ((new_sp - sizeof(*frame)) & -STACK_ALIGN);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) {
+       if (!access_ok(frame, sizeof(*frame))) {
                force_sigsegv(ksig->sig, current);
                return 1;
        }
index 055382622f07c8d7706f7e244b341586ecec6d25..29d841525ca1fef5adf33247fa3e9ebebbda4fa0 100644 (file)
@@ -67,6 +67,7 @@ __ia64_sync_icache_dcache (pte_t pte)
        set_bit(PG_arch_1, &page->flags);       /* mark page as clean */
 }
 
+#ifdef CONFIG_SWIOTLB
 /*
  * Since DMA is i-cache coherent, any (complete) pages that were written via
  * DMA can be marked as "clean" so that lazy_mmu_prot_update() doesn't have to
@@ -81,6 +82,7 @@ void arch_sync_dma_for_cpu(struct device *dev, phys_addr_t paddr,
                set_bit(PG_arch_1, &pfn_to_page(pfn)->flags);
        } while (++pfn <= PHYS_PFN(paddr + size - 1));
 }
+#endif
 
 inline void
 ia64_set_rbs_bot (void)
index c4cb889660aa0c3582d59f0f40428fec718d92a3..7e85de984df197aebb6c56debfe56dbf1f3fc7fe 100644 (file)
@@ -10,7 +10,7 @@
 #include <asm/segment.h>
 
 /* We let the MMU do all checking */
-static inline int access_ok(int type, const void __user *addr,
+static inline int access_ok(const void __user *addr,
                            unsigned long size)
 {
        return 1;
index 892efb56beef81b184a8cf6e21f9cd998d613eb4..0134008bf539b8fc8f0c1a46b20052eca638b7be 100644 (file)
@@ -10,7 +10,7 @@
 
 #include <asm/segment.h>
 
-#define access_ok(type,addr,size)      _access_ok((unsigned long)(addr),(size))
+#define access_ok(addr,size)   _access_ok((unsigned long)(addr),(size))
 
 /*
  * It is not enough to just have access_ok check for a real RAM address.
index 72850b85ecf859a94bdc97b0043df7ccf42b5848..e2a9421c57975034e55695dd273cb42228723773 100644 (file)
@@ -787,7 +787,7 @@ asmlinkage int do_sigreturn(struct pt_regs *regs, struct switch_stack *sw)
        struct sigframe __user *frame = (struct sigframe __user *)(usp - 4);
        sigset_t set;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__get_user(set.sig[0], &frame->sc.sc_mask) ||
            (_NSIG_WORDS > 1 &&
@@ -812,7 +812,7 @@ asmlinkage int do_rt_sigreturn(struct pt_regs *regs, struct switch_stack *sw)
        struct rt_sigframe __user *frame = (struct rt_sigframe __user *)(usp - 4);
        sigset_t set;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
index 2572077b04eaa48db06861d63a4322e4922dbd7f..8c90357e59831230afd31893ee7afe792fc1f832 100644 (file)
@@ -71,7 +71,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret = 0, cmp;
        u32 prev;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        __asm__ __volatile__ ("1:       lwx     %1, %3, r0;             \
index 81f16aadbf9ea8fd61df1c91df7bfd64ccf843c3..dbfea093a7c7db596bd2e108a0a47220b7698457 100644 (file)
@@ -60,26 +60,25 @@ static inline int ___range_ok(unsigned long addr, unsigned long size)
 #define __range_ok(addr, size) \
                ___range_ok((unsigned long)(addr), (unsigned long)(size))
 
-#define access_ok(type, addr, size) (__range_ok((addr), (size)) == 0)
+#define access_ok(addr, size) (__range_ok((addr), (size)) == 0)
 
 #else
 
-static inline int access_ok(int type, const void __user *addr,
-                                                       unsigned long size)
+static inline int access_ok(const void __user *addr, unsigned long size)
 {
        if (!size)
                goto ok;
 
        if ((get_fs().seg < ((unsigned long)addr)) ||
                        (get_fs().seg < ((unsigned long)addr + size - 1))) {
-               pr_devel("ACCESS fail: %s at 0x%08x (size 0x%x), seg 0x%08x\n",
-                       type ? "WRITE" : "READ ", (__force u32)addr, (u32)size,
+               pr_devel("ACCESS fail at 0x%08x (size 0x%x), seg 0x%08x\n",
+                       (__force u32)addr, (u32)size,
                        (u32)get_fs().seg);
                return 0;
        }
 ok:
-       pr_devel("ACCESS OK: %s at 0x%08x (size 0x%x), seg 0x%08x\n",
-                       type ? "WRITE" : "READ ", (__force u32)addr, (u32)size,
+       pr_devel("ACCESS OK at 0x%08x (size 0x%x), seg 0x%08x\n",
+                       (__force u32)addr, (u32)size,
                        (u32)get_fs().seg);
        return 1;
 }
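Review bot: The upper-bound test in this access_ok, `get_fs().seg < ((unsigned long)addr + size - 1)`, is an `unsigned long` addition that can wrap for a large `size`. When it wraps, the sum is small and the range is accepted even though it runs past the segment limit. Comparing the size against the remaining space avoids the addition: `unsigned long a = (unsigned long)addr, seg = get_fs().seg;` followed by `if (a > seg || size - 1 > seg - a) {`, which is safe because `size` is already known to be non-zero at that point. The context line `((unsigned long)(addr + size) < limit)` in the earlier access_ok hunk on this page looks open to the same wrap and is worth checking alongside.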
@@ -120,7 +119,7 @@ static inline unsigned long __must_check clear_user(void __user *to,
                                                        unsigned long n)
 {
        might_fault();
-       if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+       if (unlikely(!access_ok(to, n)))
                return n;
 
        return __clear_user(to, n);
@@ -174,7 +173,7 @@ extern long __user_bad(void);
        const typeof(*(ptr)) __user *__gu_addr = (ptr);                 \
        int __gu_err = 0;                                               \
                                                                        \
-       if (access_ok(VERIFY_READ, __gu_addr, size)) {                  \
+       if (access_ok(__gu_addr, size)) {                       \
                switch (size) {                                         \
                case 1:                                                 \
                        __get_user_asm("lbu", __gu_addr, __gu_val,      \
@@ -286,7 +285,7 @@ extern long __user_bad(void);
        typeof(*(ptr)) __user *__pu_addr = (ptr);                       \
        int __pu_err = 0;                                               \
                                                                        \
-       if (access_ok(VERIFY_WRITE, __pu_addr, size)) {                 \
+       if (access_ok(__pu_addr, size)) {                       \
                switch (size) {                                         \
                case 1:                                                 \
                        __put_user_asm("sb", __pu_addr, __pu_val,       \
@@ -358,7 +357,7 @@ extern int __strncpy_user(char *to, const char __user *from, int len);
 static inline long
 strncpy_from_user(char *dst, const char __user *src, long count)
 {
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return -EFAULT;
        return __strncpy_user(dst, src, count);
 }
@@ -372,7 +371,7 @@ extern int __strnlen_user(const char __user *sstr, int len);
 
 static inline long strnlen_user(const char __user *src, long n)
 {
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return 0;
        return __strnlen_user(src, n);
 }
index 97001524ca2d8e3062a51e4a536ad4d1d18a702f..0685696349bb4415a4c4f1c6d9d3249c54be501f 100644 (file)
@@ -91,7 +91,7 @@ asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
        /* Always make any pending restarted system calls return -EINTR */
        current->restart_block.fn = do_no_restart_syscall;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -166,7 +166,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        if (ksig->ka.sa.sa_flags & SA_SIGINFO)
index e8161e4dfde7039a80cb3875bba7b9415520c67b..dcebaaf8c862497342631d469163b39fea9c41b9 100644 (file)
@@ -63,7 +63,7 @@ static inline
 __wsum csum_and_copy_from_user(const void __user *src, void *dst,
                               int len, __wsum sum, int *err_ptr)
 {
-       if (access_ok(VERIFY_READ, src, len))
+       if (access_ok(src, len))
                return csum_partial_copy_from_user(src, dst, len, sum,
                                                   err_ptr);
        if (len)
@@ -81,7 +81,7 @@ __wsum csum_and_copy_to_user(const void *src, void __user *dst, int len,
                             __wsum sum, int *err_ptr)
 {
        might_fault();
-       if (access_ok(VERIFY_WRITE, dst, len)) {
+       if (access_ok(dst, len)) {
                if (uaccess_kernel())
                        return __csum_partial_copy_kernel(src,
                                                          (__force void *)dst,
index 8eff134b3a4314382180e5e56e33b0e94b3c517f..c14d798f38886c15b0f8d8adfbcf7008ad863d74 100644 (file)
@@ -129,7 +129,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret = 0;
        u32 val;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        if (cpu_has_llsc && R10000_LLSC_WAR) {
index ce2d72e34274c0f2d2e217277aa6706ab5f4cb93..bc29eeacc55adb17ac7b95759d62222636619c9e 100644 (file)
@@ -32,7 +32,7 @@ static inline int user_termio_to_kernel_termios(struct ktermios *termios,
        unsigned short iflag, oflag, cflag, lflag;
        unsigned int err;
 
-       if (!access_ok(VERIFY_READ, termio, sizeof(struct termio)))
+       if (!access_ok(termio, sizeof(struct termio)))
                return -EFAULT;
 
        err = __get_user(iflag, &termio->c_iflag);
@@ -61,7 +61,7 @@ static inline int kernel_termios_to_user_termio(struct termio __user *termio,
 {
        int err;
 
-       if (!access_ok(VERIFY_WRITE, termio, sizeof(struct termio)))
+       if (!access_ok(termio, sizeof(struct termio)))
                return -EFAULT;
 
        err = __put_user(termios->c_iflag, &termio->c_iflag);
index 06629011a4342f490bf4bcabd9e4fe06ed0952ac..d43c1dc6ef157a59c4b96d456aacc9d69ce077ed 100644 (file)
@@ -109,9 +109,6 @@ static inline bool eva_kernel_access(void)
 
 /*
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *       %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *       to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
@@ -134,7 +131,7 @@ static inline int __access_ok(const void __user *p, unsigned long size)
        return (get_fs().seg & (addr | (addr + size) | __ua_size(size))) == 0;
 }
 
-#define access_ok(type, addr, size)                                    \
+#define access_ok(addr, size)                                  \
        likely(__access_ok((addr), (size)))
 
 /*
@@ -304,7 +301,7 @@ do {                                                                        \
        const __typeof__(*(ptr)) __user * __gu_ptr = (ptr);             \
                                                                        \
        might_fault();                                                  \
-       if (likely(access_ok(VERIFY_READ,  __gu_ptr, size))) {          \
+       if (likely(access_ok( __gu_ptr, size))) {               \
                if (eva_kernel_access())                                \
                        __get_kernel_common((x), size, __gu_ptr);       \
                else                                                    \
@@ -446,7 +443,7 @@ do {                                                                        \
        int __pu_err = -EFAULT;                                         \
                                                                        \
        might_fault();                                                  \
-       if (likely(access_ok(VERIFY_WRITE,  __pu_addr, size))) {        \
+       if (likely(access_ok( __pu_addr, size))) {      \
                if (eva_kernel_access())                                \
                        __put_kernel_common(__pu_addr, size);           \
                else                                                    \
@@ -691,8 +688,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
 ({                                                                     \
        void __user * __cl_addr = (addr);                               \
        unsigned long __cl_size = (n);                                  \
-       if (__cl_size && access_ok(VERIFY_WRITE,                        \
-                                       __cl_addr, __cl_size))          \
+       if (__cl_size && access_ok(__cl_addr, __cl_size))               \
                __cl_size = __clear_user(__cl_addr, __cl_size);         \
        __cl_size;                                                      \
 })
index cb22a558431e21ce4fca50fc87a51311f2fdc27e..c50c89a978f12761b7ed688517343e4ba37ed7bb 100644 (file)
@@ -1205,7 +1205,7 @@ fpu_emul:
        case lwl_op:
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) {
+               if (!access_ok((void __user *)vaddr, 4)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1278,7 +1278,7 @@ fpu_emul:
        case lwr_op:
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) {
+               if (!access_ok((void __user *)vaddr, 4)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1352,7 +1352,7 @@ fpu_emul:
        case swl_op:
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) {
+               if (!access_ok((void __user *)vaddr, 4)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1422,7 +1422,7 @@ fpu_emul:
        case swr_op:
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) {
+               if (!access_ok((void __user *)vaddr, 4)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1497,7 +1497,7 @@ fpu_emul:
 
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) {
+               if (!access_ok((void __user *)vaddr, 8)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1616,7 +1616,7 @@ fpu_emul:
 
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) {
+               if (!access_ok((void __user *)vaddr, 8)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1735,7 +1735,7 @@ fpu_emul:
 
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) {
+               if (!access_ok((void __user *)vaddr, 8)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1853,7 +1853,7 @@ fpu_emul:
 
                rt = regs->regs[MIPSInst_RT(inst)];
                vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-               if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) {
+               if (!access_ok((void __user *)vaddr, 8)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGSEGV;
                        break;
@@ -1970,7 +1970,7 @@ fpu_emul:
                        err = SIGBUS;
                        break;
                }
-               if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) {
+               if (!access_ok((void __user *)vaddr, 4)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGBUS;
                        break;
@@ -2026,7 +2026,7 @@ fpu_emul:
                        err = SIGBUS;
                        break;
                }
-               if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) {
+               if (!access_ok((void __user *)vaddr, 4)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGBUS;
                        break;
@@ -2089,7 +2089,7 @@ fpu_emul:
                        err = SIGBUS;
                        break;
                }
-               if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) {
+               if (!access_ok((void __user *)vaddr, 8)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGBUS;
                        break;
@@ -2150,7 +2150,7 @@ fpu_emul:
                        err = SIGBUS;
                        break;
                }
-               if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) {
+               if (!access_ok((void __user *)vaddr, 8)) {
                        current->thread.cp0_baduaddr = vaddr;
                        err = SIGBUS;
                        break;
index ea54575255eaea11ff464935b742fef55601ef1b..0057c910bc2f34de0f518c43d2e234c845db0da1 100644 (file)
@@ -71,7 +71,7 @@ int ptrace_getregs(struct task_struct *child, struct user_pt_regs __user *data)
        struct pt_regs *regs;
        int i;
 
-       if (!access_ok(VERIFY_WRITE, data, 38 * 8))
+       if (!access_ok(data, 38 * 8))
                return -EIO;
 
        regs = task_pt_regs(child);
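Review bot: The size passed to `access_ok()` in `ptrace_getregs` is the hand-computed literal `38 * 8`, which nothing ties to the layout that the accesses after it presumably rely on. Since `data` is a `struct user_pt_regs __user *`, `if (!access_ok(data, sizeof(*data)))` would keep the checked range and the structure in step, assuming the structure is exactly those 38 64-bit slots. The same applies to `ptrace_setregs`, and the `33 * 8` in `ptrace_getfpregs` and `ptrace_setfpregs` would be clearer as a named constant, because `data` is a `__u32 __user *` there. All four function bodies continue outside their hunks, so the accesses that depend on this range are not visible here.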
@@ -98,7 +98,7 @@ int ptrace_setregs(struct task_struct *child, struct user_pt_regs __user *data)
        struct pt_regs *regs;
        int i;
 
-       if (!access_ok(VERIFY_READ, data, 38 * 8))
+       if (!access_ok(data, 38 * 8))
                return -EIO;
 
        regs = task_pt_regs(child);
@@ -125,7 +125,7 @@ int ptrace_get_watch_regs(struct task_struct *child,
 
        if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0)
                return -EIO;
-       if (!access_ok(VERIFY_WRITE, addr, sizeof(struct pt_watch_regs)))
+       if (!access_ok(addr, sizeof(struct pt_watch_regs)))
                return -EIO;
 
 #ifdef CONFIG_32BIT
@@ -167,7 +167,7 @@ int ptrace_set_watch_regs(struct task_struct *child,
 
        if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0)
                return -EIO;
-       if (!access_ok(VERIFY_READ, addr, sizeof(struct pt_watch_regs)))
+       if (!access_ok(addr, sizeof(struct pt_watch_regs)))
                return -EIO;
        /* Check the values. */
        for (i = 0; i < boot_cpu_data.watch_reg_use_cnt; i++) {
@@ -359,7 +359,7 @@ int ptrace_getfpregs(struct task_struct *child, __u32 __user *data)
 {
        int i;
 
-       if (!access_ok(VERIFY_WRITE, data, 33 * 8))
+       if (!access_ok(data, 33 * 8))
                return -EIO;
 
        if (tsk_used_math(child)) {
@@ -385,7 +385,7 @@ int ptrace_setfpregs(struct task_struct *child, __u32 __user *data)
        u32 value;
        int i;
 
-       if (!access_ok(VERIFY_READ, data, 33 * 8))
+       if (!access_ok(data, 33 * 8))
                return -EIO;
 
        init_fp_ctx(child);
index d3a23758592ca17e6c3f4dc13edd168ad45cd496..d75337974ee9b8ef8b8adb223f82cb4e17598659 100644 (file)
@@ -590,7 +590,7 @@ SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,
        if (act) {
                old_sigset_t mask;
 
-               if (!access_ok(VERIFY_READ, act, sizeof(*act)))
+               if (!access_ok(act, sizeof(*act)))
                        return -EFAULT;
                err |= __get_user(new_ka.sa.sa_handler, &act->sa_handler);
                err |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);
@@ -604,7 +604,7 @@ SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,
        ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
        if (!ret && oact) {
-               if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)))
+               if (!access_ok(oact, sizeof(*oact)))
                        return -EFAULT;
                err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
                err |= __put_user(old_ka.sa.sa_handler, &oact->sa_handler);
@@ -630,7 +630,7 @@ asmlinkage void sys_sigreturn(void)
 
        regs = current_pt_regs();
        frame = (struct sigframe __user *)regs->regs[29];
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&blocked, &frame->sf_mask, sizeof(blocked)))
                goto badframe;
@@ -667,7 +667,7 @@ asmlinkage void sys_rt_sigreturn(void)
 
        regs = current_pt_regs();
        frame = (struct rt_sigframe __user *)regs->regs[29];
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->rs_uc.uc_sigmask, sizeof(set)))
                goto badframe;
@@ -705,7 +705,7 @@ static int setup_frame(void *sig_return, struct ksignal *ksig,
        int err = 0;
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                return -EFAULT;
 
        err |= setup_sigcontext(regs, &frame->sf_sc);
@@ -744,7 +744,7 @@ static int setup_rt_frame(void *sig_return, struct ksignal *ksig,
        int err = 0;
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                return -EFAULT;
 
        /* Create siginfo.  */
index b5d9e1784aff35ef0724a96e2784d11eb9e15057..59b8965433c2fdb2f8337de49680ca6a50b09dde 100644 (file)
@@ -46,7 +46,7 @@ SYSCALL_DEFINE3(32_sigaction, long, sig, const struct compat_sigaction __user *,
                old_sigset_t mask;
                s32 handler;
 
-               if (!access_ok(VERIFY_READ, act, sizeof(*act)))
+               if (!access_ok(act, sizeof(*act)))
                        return -EFAULT;
                err |= __get_user(handler, &act->sa_handler);
                new_ka.sa.sa_handler = (void __user *)(s64)handler;
@@ -61,7 +61,7 @@ SYSCALL_DEFINE3(32_sigaction, long, sig, const struct compat_sigaction __user *,
        ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
        if (!ret && oact) {
-               if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)))
+               if (!access_ok(oact, sizeof(*oact)))
                        return -EFAULT;
                err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
                err |= __put_user((u32)(u64)old_ka.sa.sa_handler,
index 8f65aaf9206d1ba88ab0f68e580eb176aacd173e..c498b027823e695a31f39bdee86d7056ccc56403 100644 (file)
@@ -73,7 +73,7 @@ asmlinkage void sysn32_rt_sigreturn(void)
 
        regs = current_pt_regs();
        frame = (struct rt_sigframe_n32 __user *)regs->regs[29];
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask))
                goto badframe;
@@ -110,7 +110,7 @@ static int setup_rt_frame_n32(void *sig_return, struct ksignal *ksig,
        int err = 0;
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                return -EFAULT;
 
        /* Create siginfo.  */
index b6e3ddef48a06f9a543a10edc3c96e5ce1116b2b..df259618e834bb390629b7df18e6a65225c9d109 100644 (file)
@@ -118,7 +118,7 @@ static int setup_frame_32(void *sig_return, struct ksignal *ksig,
        int err = 0;
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                return -EFAULT;
 
        err |= setup_sigcontext32(regs, &frame->sf_sc);
@@ -160,7 +160,7 @@ asmlinkage void sys32_rt_sigreturn(void)
 
        regs = current_pt_regs();
        frame = (struct rt_sigframe32 __user *)regs->regs[29];
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask))
                goto badframe;
@@ -197,7 +197,7 @@ static int setup_rt_frame_32(void *sig_return, struct ksignal *ksig,
        int err = 0;
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+       if (!access_ok(frame, sizeof (*frame)))
                return -EFAULT;
 
        /* Convert (siginfo_t -> compat_siginfo_t) and copy to user. */
@@ -262,7 +262,7 @@ asmlinkage void sys32_sigreturn(void)
 
        regs = current_pt_regs();
        frame = (struct sigframe32 __user *)regs->regs[29];
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_conv_sigset_from_user(&blocked, &frame->sf_mask))
                goto badframe;
index 41a0db08cd37a21affab3b8911b99715525f181a..b6dc78ad5d8c050fc75badc33c33ac46496238bc 100644 (file)
@@ -101,7 +101,7 @@ static inline int mips_atomic_set(unsigned long addr, unsigned long new)
        if (unlikely(addr & 3))
                return -EINVAL;
 
-       if (unlikely(!access_ok(VERIFY_WRITE, (const void __user *)addr, 4)))
+       if (unlikely(!access_ok((const void __user *)addr, 4)))
                return -EINVAL;
 
        if (cpu_has_llsc && R10000_LLSC_WAR) {
index c60e7719ef77e434803b3f47aa7add3883416035..595ca9c851110db0a76847f596ba21197db9aaf9 100644 (file)
@@ -936,7 +936,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                if (insn.dsp_format.func == lx_op) {
                        switch (insn.dsp_format.op) {
                        case lwx_op:
-                               if (!access_ok(VERIFY_READ, addr, 4))
+                               if (!access_ok(addr, 4))
                                        goto sigbus;
                                LoadW(addr, value, res);
                                if (res)
@@ -945,7 +945,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                regs->regs[insn.dsp_format.rd] = value;
                                break;
                        case lhx_op:
-                               if (!access_ok(VERIFY_READ, addr, 2))
+                               if (!access_ok(addr, 2))
                                        goto sigbus;
                                LoadHW(addr, value, res);
                                if (res)
@@ -968,7 +968,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                        set_fs(USER_DS);
                        switch (insn.spec3_format.func) {
                        case lhe_op:
-                               if (!access_ok(VERIFY_READ, addr, 2)) {
+                               if (!access_ok(addr, 2)) {
                                        set_fs(seg);
                                        goto sigbus;
                                }
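Review bot: The `lhe_op` failure path restores the address limit by hand with `set_fs(seg)` before `goto sigbus`, and the `lwe_op`, `lhue_op`, `she_op` and `swe_op` hunks below repeat the same lines. The check runs after `set_fs(USER_DS)`, and `access_ok()` presumably depends on that limit, so every exit from this switch has to undo it. A shared exit such as `sigbus_eva: set_fs(seg); goto sigbus;` would leave one place to get that right. The enclosing switch and function start and end outside the hunk, so whether the success paths restore `seg` cannot be checked from here.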
@@ -981,7 +981,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                regs->regs[insn.spec3_format.rt] = value;
                                break;
                        case lwe_op:
-                               if (!access_ok(VERIFY_READ, addr, 4)) {
+                               if (!access_ok(addr, 4)) {
                                        set_fs(seg);
                                        goto sigbus;
                                }
@@ -994,7 +994,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                regs->regs[insn.spec3_format.rt] = value;
                                break;
                        case lhue_op:
-                               if (!access_ok(VERIFY_READ, addr, 2)) {
+                               if (!access_ok(addr, 2)) {
                                        set_fs(seg);
                                        goto sigbus;
                                }
@@ -1007,7 +1007,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                regs->regs[insn.spec3_format.rt] = value;
                                break;
                        case she_op:
-                               if (!access_ok(VERIFY_WRITE, addr, 2)) {
+                               if (!access_ok(addr, 2)) {
                                        set_fs(seg);
                                        goto sigbus;
                                }
@@ -1020,7 +1020,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                }
                                break;
                        case swe_op:
-                               if (!access_ok(VERIFY_WRITE, addr, 4)) {
+                               if (!access_ok(addr, 4)) {
                                        set_fs(seg);
                                        goto sigbus;
                                }
@@ -1041,7 +1041,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
 #endif
                break;
        case lh_op:
-               if (!access_ok(VERIFY_READ, addr, 2))
+               if (!access_ok(addr, 2))
                        goto sigbus;
 
                if (IS_ENABLED(CONFIG_EVA)) {
@@ -1060,7 +1060,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                break;
 
        case lw_op:
-               if (!access_ok(VERIFY_READ, addr, 4))
+               if (!access_ok(addr, 4))
                        goto sigbus;
 
                if (IS_ENABLED(CONFIG_EVA)) {
@@ -1079,7 +1079,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                break;
 
        case lhu_op:
-               if (!access_ok(VERIFY_READ, addr, 2))
+               if (!access_ok(addr, 2))
                        goto sigbus;
 
                if (IS_ENABLED(CONFIG_EVA)) {
@@ -1106,7 +1106,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (!access_ok(VERIFY_READ, addr, 4))
+               if (!access_ok(addr, 4))
                        goto sigbus;
 
                LoadWU(addr, value, res);
@@ -1129,7 +1129,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (!access_ok(VERIFY_READ, addr, 8))
+               if (!access_ok(addr, 8))
                        goto sigbus;
 
                LoadDW(addr, value, res);
@@ -1144,7 +1144,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                goto sigill;
 
        case sh_op:
-               if (!access_ok(VERIFY_WRITE, addr, 2))
+               if (!access_ok(addr, 2))
                        goto sigbus;
 
                compute_return_epc(regs);
@@ -1164,7 +1164,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                break;
 
        case sw_op:
-               if (!access_ok(VERIFY_WRITE, addr, 4))
+               if (!access_ok(addr, 4))
                        goto sigbus;
 
                compute_return_epc(regs);
@@ -1192,7 +1192,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (!access_ok(VERIFY_WRITE, addr, 8))
+               if (!access_ok(addr, 8))
                        goto sigbus;
 
                compute_return_epc(regs);
@@ -1254,7 +1254,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
 
                switch (insn.msa_mi10_format.func) {
                case msa_ld_op:
-                       if (!access_ok(VERIFY_READ, addr, sizeof(*fpr)))
+                       if (!access_ok(addr, sizeof(*fpr)))
                                goto sigbus;
 
                        do {
@@ -1290,7 +1290,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                        break;
 
                case msa_st_op:
-                       if (!access_ok(VERIFY_WRITE, addr, sizeof(*fpr)))
+                       if (!access_ok(addr, sizeof(*fpr)))
                                goto sigbus;
 
                        /*
@@ -1463,7 +1463,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if (reg == 31)
                                goto sigbus;
 
-                       if (!access_ok(VERIFY_READ, addr, 8))
+                       if (!access_ok(addr, 8))
                                goto sigbus;
 
                        LoadW(addr, value, res);
@@ -1482,7 +1482,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if (reg == 31)
                                goto sigbus;
 
-                       if (!access_ok(VERIFY_WRITE, addr, 8))
+                       if (!access_ok(addr, 8))
                                goto sigbus;
 
                        value = regs->regs[reg];
@@ -1502,7 +1502,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if (reg == 31)
                                goto sigbus;
 
-                       if (!access_ok(VERIFY_READ, addr, 16))
+                       if (!access_ok(addr, 16))
                                goto sigbus;
 
                        LoadDW(addr, value, res);
@@ -1525,7 +1525,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if (reg == 31)
                                goto sigbus;
 
-                       if (!access_ok(VERIFY_WRITE, addr, 16))
+                       if (!access_ok(addr, 16))
                                goto sigbus;
 
                        value = regs->regs[reg];
@@ -1548,11 +1548,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if ((rvar > 9) || !reg)
                                goto sigill;
                        if (reg & 0x10) {
-                               if (!access_ok
-                                   (VERIFY_READ, addr, 4 * (rvar + 1)))
+                               if (!access_ok(addr, 4 * (rvar + 1)))
                                        goto sigbus;
                        } else {
-                               if (!access_ok(VERIFY_READ, addr, 4 * rvar))
+                               if (!access_ok(addr, 4 * rvar))
                                        goto sigbus;
                        }
                        if (rvar == 9)
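Review bot: The two branches on `reg & 0x10` differ only in whether one extra word is added to the length given to `access_ok()`, so the same check is written twice. Computing the count once, e.g. `if (!access_ok(addr, 4 * (rvar + !!(reg & 0x10))))`, removes the duplicate and keeps the checked length in a single expression. The three later hunks of `emulate_load_store_microMIPS` with the same `reg & 0x10` test (one more with `4 *`, two with `8 *`) have the same shape. The loops that consume this range lie outside the hunks, so the length still has to be compared with what they actually access.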
@@ -1585,11 +1584,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if ((rvar > 9) || !reg)
                                goto sigill;
                        if (reg & 0x10) {
-                               if (!access_ok
-                                   (VERIFY_WRITE, addr, 4 * (rvar + 1)))
+                               if (!access_ok(addr, 4 * (rvar + 1)))
                                        goto sigbus;
                        } else {
-                               if (!access_ok(VERIFY_WRITE, addr, 4 * rvar))
+                               if (!access_ok(addr, 4 * rvar))
                                        goto sigbus;
                        }
                        if (rvar == 9)
@@ -1623,11 +1621,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if ((rvar > 9) || !reg)
                                goto sigill;
                        if (reg & 0x10) {
-                               if (!access_ok
-                                   (VERIFY_READ, addr, 8 * (rvar + 1)))
+                               if (!access_ok(addr, 8 * (rvar + 1)))
                                        goto sigbus;
                        } else {
-                               if (!access_ok(VERIFY_READ, addr, 8 * rvar))
+                               if (!access_ok(addr, 8 * rvar))
                                        goto sigbus;
                        }
                        if (rvar == 9)
@@ -1665,11 +1662,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                        if ((rvar > 9) || !reg)
                                goto sigill;
                        if (reg & 0x10) {
-                               if (!access_ok
-                                   (VERIFY_WRITE, addr, 8 * (rvar + 1)))
+                               if (!access_ok(addr, 8 * (rvar + 1)))
                                        goto sigbus;
                        } else {
-                               if (!access_ok(VERIFY_WRITE, addr, 8 * rvar))
+                               if (!access_ok(addr, 8 * rvar))
                                        goto sigbus;
                        }
                        if (rvar == 9)
@@ -1788,7 +1784,7 @@ fpu_emul:
                case mm_lwm16_op:
                        reg = insn.mm16_m_format.rlist;
                        rvar = reg + 1;
-                       if (!access_ok(VERIFY_READ, addr, 4 * rvar))
+                       if (!access_ok(addr, 4 * rvar))
                                goto sigbus;
 
                        for (i = 16; rvar; rvar--, i++) {
@@ -1808,7 +1804,7 @@ fpu_emul:
                case mm_swm16_op:
                        reg = insn.mm16_m_format.rlist;
                        rvar = reg + 1;
-                       if (!access_ok(VERIFY_WRITE, addr, 4 * rvar))
+                       if (!access_ok(addr, 4 * rvar))
                                goto sigbus;
 
                        for (i = 16; rvar; rvar--, i++) {
@@ -1862,7 +1858,7 @@ fpu_emul:
        }
 
 loadHW:
-       if (!access_ok(VERIFY_READ, addr, 2))
+       if (!access_ok(addr, 2))
                goto sigbus;
 
        LoadHW(addr, value, res);
@@ -1872,7 +1868,7 @@ loadHW:
        goto success;
 
 loadHWU:
-       if (!access_ok(VERIFY_READ, addr, 2))
+       if (!access_ok(addr, 2))
                goto sigbus;
 
        LoadHWU(addr, value, res);
@@ -1882,7 +1878,7 @@ loadHWU:
        goto success;
 
 loadW:
-       if (!access_ok(VERIFY_READ, addr, 4))
+       if (!access_ok(addr, 4))
                goto sigbus;
 
        LoadW(addr, value, res);
@@ -1900,7 +1896,7 @@ loadWU:
         * would blow up, so for now we don't handle unaligned 64-bit
         * instructions on 32-bit kernels.
         */
-       if (!access_ok(VERIFY_READ, addr, 4))
+       if (!access_ok(addr, 4))
                goto sigbus;
 
        LoadWU(addr, value, res);
@@ -1922,7 +1918,7 @@ loadDW:
         * would blow up, so for now we don't handle unaligned 64-bit
         * instructions on 32-bit kernels.
         */
-       if (!access_ok(VERIFY_READ, addr, 8))
+       if (!access_ok(addr, 8))
                goto sigbus;
 
        LoadDW(addr, value, res);
@@ -1936,7 +1932,7 @@ loadDW:
        goto sigill;
 
 storeHW:
-       if (!access_ok(VERIFY_WRITE, addr, 2))
+       if (!access_ok(addr, 2))
                goto sigbus;
 
        value = regs->regs[reg];
@@ -1946,7 +1942,7 @@ storeHW:
        goto success;
 
 storeW:
-       if (!access_ok(VERIFY_WRITE, addr, 4))
+       if (!access_ok(addr, 4))
                goto sigbus;
 
        value = regs->regs[reg];
@@ -1964,7 +1960,7 @@ storeDW:
         * would blow up, so for now we don't handle unaligned 64-bit
         * instructions on 32-bit kernels.
         */
-       if (!access_ok(VERIFY_WRITE, addr, 8))
+       if (!access_ok(addr, 8))
                goto sigbus;
 
        value = regs->regs[reg];
@@ -2122,7 +2118,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
                goto sigbus;
 
        case MIPS16e_lh_op:
-               if (!access_ok(VERIFY_READ, addr, 2))
+               if (!access_ok(addr, 2))
                        goto sigbus;
 
                LoadHW(addr, value, res);
@@ -2133,7 +2129,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
                break;
 
        case MIPS16e_lhu_op:
-               if (!access_ok(VERIFY_READ, addr, 2))
+               if (!access_ok(addr, 2))
                        goto sigbus;
 
                LoadHWU(addr, value, res);
@@ -2146,7 +2142,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
        case MIPS16e_lw_op:
        case MIPS16e_lwpc_op:
        case MIPS16e_lwsp_op:
-               if (!access_ok(VERIFY_READ, addr, 4))
+               if (!access_ok(addr, 4))
                        goto sigbus;
 
                LoadW(addr, value, res);
@@ -2165,7 +2161,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (!access_ok(VERIFY_READ, addr, 4))
+               if (!access_ok(addr, 4))
                        goto sigbus;
 
                LoadWU(addr, value, res);
@@ -2189,7 +2185,7 @@ loadDW:
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (!access_ok(VERIFY_READ, addr, 8))
+               if (!access_ok(addr, 8))
                        goto sigbus;
 
                LoadDW(addr, value, res);
@@ -2204,7 +2200,7 @@ loadDW:
                goto sigill;
 
        case MIPS16e_sh_op:
-               if (!access_ok(VERIFY_WRITE, addr, 2))
+               if (!access_ok(addr, 2))
                        goto sigbus;
 
                MIPS16e_compute_return_epc(regs, &oldinst);
@@ -2217,7 +2213,7 @@ loadDW:
        case MIPS16e_sw_op:
        case MIPS16e_swsp_op:
        case MIPS16e_i8_op:     /* actually - MIPS16e_swrasp_func */
-               if (!access_ok(VERIFY_WRITE, addr, 4))
+               if (!access_ok(addr, 4))
                        goto sigbus;
 
                MIPS16e_compute_return_epc(regs, &oldinst);
@@ -2237,7 +2233,7 @@ writeDW:
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (!access_ok(VERIFY_WRITE, addr, 8))
+               if (!access_ok(addr, 8))
                        goto sigbus;
 
                MIPS16e_compute_return_epc(regs, &oldinst);
index 82e2993c1a2c49c3fcb31b803abb60642ade1f30..e60e29078ef55cc0cf8f56f24aaa90b6026edbcf 100644 (file)
@@ -1063,7 +1063,7 @@ emul:
                                     MIPSInst_SIMM(ir));
                MIPS_FPU_EMU_INC_STATS(loads);
 
-               if (!access_ok(VERIFY_READ, dva, sizeof(u64))) {
+               if (!access_ok(dva, sizeof(u64))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
                        *fault_addr = dva;
                        return SIGBUS;
@@ -1081,7 +1081,7 @@ emul:
                                      MIPSInst_SIMM(ir));
                MIPS_FPU_EMU_INC_STATS(stores);
                DIFROMREG(dval, MIPSInst_RT(ir));
-               if (!access_ok(VERIFY_WRITE, dva, sizeof(u64))) {
+               if (!access_ok(dva, sizeof(u64))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
                        *fault_addr = dva;
                        return SIGBUS;
@@ -1097,7 +1097,7 @@ emul:
                wva = (u32 __user *) (xcp->regs[MIPSInst_RS(ir)] +
                                      MIPSInst_SIMM(ir));
                MIPS_FPU_EMU_INC_STATS(loads);
-               if (!access_ok(VERIFY_READ, wva, sizeof(u32))) {
+               if (!access_ok(wva, sizeof(u32))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
                        *fault_addr = wva;
                        return SIGBUS;
@@ -1115,7 +1115,7 @@ emul:
                                      MIPSInst_SIMM(ir));
                MIPS_FPU_EMU_INC_STATS(stores);
                SIFROMREG(wval, MIPSInst_RT(ir));
-               if (!access_ok(VERIFY_WRITE, wva, sizeof(u32))) {
+               if (!access_ok(wva, sizeof(u32))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
                        *fault_addr = wva;
                        return SIGBUS;
@@ -1493,7 +1493,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                                xcp->regs[MIPSInst_FT(ir)]);
 
                        MIPS_FPU_EMU_INC_STATS(loads);
-                       if (!access_ok(VERIFY_READ, va, sizeof(u32))) {
+                       if (!access_ok(va, sizeof(u32))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
                                *fault_addr = va;
                                return SIGBUS;
@@ -1513,7 +1513,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                        MIPS_FPU_EMU_INC_STATS(stores);
 
                        SIFROMREG(val, MIPSInst_FS(ir));
-                       if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) {
+                       if (!access_ok(va, sizeof(u32))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
                                *fault_addr = va;
                                return SIGBUS;
@@ -1590,7 +1590,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                                xcp->regs[MIPSInst_FT(ir)]);
 
                        MIPS_FPU_EMU_INC_STATS(loads);
-                       if (!access_ok(VERIFY_READ, va, sizeof(u64))) {
+                       if (!access_ok(va, sizeof(u64))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
                                *fault_addr = va;
                                return SIGBUS;
@@ -1609,7 +1609,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 
                        MIPS_FPU_EMU_INC_STATS(stores);
                        DIFROMREG(val, MIPSInst_FS(ir));
-                       if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) {
+                       if (!access_ok(va, sizeof(u64))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
                                *fault_addr = va;
                                return SIGBUS;
index 70a523151ff39dfa41b330f03c1dd1330838b4f5..55099fbff4e6d783ce184d8a6bb7242c27e1f164 100644 (file)
@@ -76,7 +76,7 @@ SYSCALL_DEFINE3(cacheflush, unsigned long, addr, unsigned long, bytes,
 {
        if (bytes == 0)
                return 0;
-       if (!access_ok(VERIFY_WRITE, (void __user *) addr, bytes))
+       if (!access_ok((void __user *) addr, bytes))
                return -EFAULT;
 
        __flush_icache_user_range(addr, addr + bytes);
index 5a4875cac1ec979da60be7ed3f80379eab5d6b65..0d14e0d8eacf058f49e25be97c1347847af6a137 100644 (file)
@@ -195,8 +195,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
        addr = start;
        len = (unsigned long) nr_pages << PAGE_SHIFT;
        end = start + len;
-       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                       (void __user *)start, len)))
+       if (unlikely(!access_ok((void __user *)start, len)))
                return 0;
 
        /*
index 806fb798091f36f7a31d5efdab2e604c812e6ddb..07d98ba7f49e3a12a7c71ab5406d2e974e203e71 100644 (file)
@@ -19,7 +19,7 @@ struct stackframe {
 static inline int get_mem(unsigned long addr, unsigned long *result)
 {
        unsigned long *address = (unsigned long *) addr;
-       if (!access_ok(VERIFY_READ, address, sizeof(unsigned long)))
+       if (!access_ok(address, sizeof(unsigned long)))
                return -1;
        if (__copy_from_user_inatomic(result, address, sizeof(unsigned long)))
                return -3;
index 99c720be72d261abed3ff920f28716cdebafab51..9ff26b0cd3b660d8f31efdf0771e54f30da7fe80 100644 (file)
@@ -458,7 +458,7 @@ static ssize_t sbprof_tb_read(struct file *filp, char *buf,
        char *dest    =  buf;
        long  cur_off = *offp;
 
-       if (!access_ok(VERIFY_WRITE, buf, size))
+       if (!access_ok(buf, size))
                return -EFAULT;
 
        mutex_lock(&sbp.lock);
index cb6cb91cfdf81622dc170286d83803e2d4e7ad73..baf178bf1d0b2aa39ec940bbf833de228adb2882 100644 (file)
@@ -40,7 +40,7 @@ futex_atomic_cmpxchg_inatomic(u32 * uval, u32 __user * uaddr,
        int ret = 0;
        u32 val, tmp, flags;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        smp_mb();
index 362a32d9bd16871e1db6c45d544eb2c4450bfeb5..53dcb49b0b12f5b8a85dd1858f71d3b4a0f23939 100644 (file)
@@ -13,9 +13,6 @@
 #include <asm/types.h>
 #include <linux/mm.h>
 
-#define VERIFY_READ    0
-#define VERIFY_WRITE   1
-
 #define __asmeq(x, y)  ".ifnc " x "," y " ; .err ; .endif\n\t"
 
 /*
@@ -53,7 +50,7 @@ static inline void set_fs(mm_segment_t fs)
 
 #define __range_ok(addr, size) (size <= get_fs() && addr <= (get_fs() -size))
 
-#define access_ok(type, addr, size)    \
+#define access_ok(addr, size)  \
        __range_ok((unsigned long)addr, (unsigned long)size)
 /*
  * Single-value transfer routines.  They automatically use the right
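Review bot: The casts in the new `access_ok(addr, size)` bind to unparenthesized macro arguments, so an argument such as `p + 1` or `c ? a : b` becomes `(unsigned long)p + 1` or `(unsigned long)c ? a : b`. The range that gets checked is then not the range that gets accessed. Since this is the user-pointer bounds check, the definition could be tightened while it is being touched: `__range_ok((unsigned long)(addr), (unsigned long)(size))`. `__range_ok` on the context line above uses `size` and `addr` bare in the same way. The same unparenthesized form appears in the later `access_ok(addr, size)` definition in the hunk headed `@@ -58,7 +58,7 @@`.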
@@ -94,7 +91,7 @@ static inline void set_fs(mm_segment_t fs)
 ({                                                                     \
        const __typeof__(*(ptr)) __user *__p = (ptr);                   \
        might_fault();                                                  \
-       if (access_ok(VERIFY_READ, __p, sizeof(*__p))) {                \
+       if (access_ok(__p, sizeof(*__p))) {             \
                __get_user_err((x), __p, (err));                        \
        } else {                                                        \
                (x) = 0; (err) = -EFAULT;                               \
@@ -189,7 +186,7 @@ do {                                                                        \
 ({                                                                     \
        __typeof__(*(ptr)) __user *__p = (ptr);                         \
        might_fault();                                                  \
-       if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) {               \
+       if (access_ok(__p, sizeof(*__p))) {             \
                __put_user_err((x), __p, (err));                        \
        } else  {                                                       \
                (err) = -EFAULT;                                        \
@@ -279,7 +276,7 @@ extern unsigned long __arch_copy_to_user(void __user * to, const void *from,
 #define INLINE_COPY_TO_USER
 static inline unsigned long clear_user(void __user * to, unsigned long n)
 {
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                n = __arch_clear_user(to, n);
        return n;
 }
index 5e00ce54d0ff33ec399cc1bb421cc393c81afb73..334c2a6cec23ddc1df7458737c15a4673159eef7 100644 (file)
@@ -1306,7 +1306,7 @@ user_backtrace(struct perf_callchain_entry_ctx *entry, unsigned long fp)
                (unsigned long *)(fp - (unsigned long)sizeof(buftail));
 
        /* Check accessibility of one struct frame_tail beyond */
-       if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(buftail)))
+       if (!access_ok(user_frame_tail, sizeof(buftail)))
                return 0;
        if (__copy_from_user_inatomic
                (&buftail, user_frame_tail, sizeof(buftail)))
@@ -1332,7 +1332,7 @@ user_backtrace_opt_size(struct perf_callchain_entry_ctx *entry,
                (unsigned long *)(fp - (unsigned long)sizeof(buftail));
 
        /* Check accessibility of one struct frame_tail beyond */
-       if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(buftail)))
+       if (!access_ok(user_frame_tail, sizeof(buftail)))
                return 0;
        if (__copy_from_user_inatomic
                (&buftail, user_frame_tail, sizeof(buftail)))
@@ -1386,7 +1386,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
                user_frame_tail =
                        (unsigned long *)(fp - (unsigned long)sizeof(fp));
 
-               if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(fp)))
+               if (!access_ok(user_frame_tail, sizeof(fp)))
                        return;
 
                if (__copy_from_user_inatomic
@@ -1406,8 +1406,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
                                (unsigned long *)(fp -
                                        (unsigned long)sizeof(buftail));
 
-                       if (!access_ok
-                               (VERIFY_READ, user_frame_tail, sizeof(buftail)))
+                       if (!access_ok(user_frame_tail, sizeof(buftail)))
                                return;
 
                        if (__copy_from_user_inatomic
@@ -1424,7 +1423,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
                                        (unsigned long *)(fp - (unsigned long)
                                                sizeof(buftail_opt_size));
 
-                               if (!access_ok(VERIFY_READ, user_frame_tail,
+                               if (!access_ok(user_frame_tail,
                                               sizeof(buftail_opt_size)))
                                        return;
 
index 5b5be082cfa40896b21fc4c7c2115a70066fef3d..5f7660aa2d68a7904e68d9b8ad5ad5a5389d53b2 100644 (file)
@@ -151,7 +151,7 @@ asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
 
        frame = (struct rt_sigframe __user *)regs->sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (restore_sigframe(regs, frame))
@@ -275,7 +275,7 @@ setup_rt_frame(struct ksignal *ksig, sigset_t * set, struct pt_regs *regs)
            get_sigframe(ksig, regs, sizeof(*frame));
        int err = 0;
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        __put_user_error(0, &frame->uc.uc_flags, err);
index e1aed9dc692dd3bac752720a82880de865e7cb2d..c8b9061a2ee3d58f713dfa6194e0e9d82bd71ce0 100644 (file)
@@ -289,13 +289,13 @@ static inline int do_16(unsigned long inst, struct pt_regs *regs)
                unaligned_addr += shift;
 
        if (load) {
-               if (!access_ok(VERIFY_READ, (void *)unaligned_addr, len))
+               if (!access_ok((void *)unaligned_addr, len))
                        return -EACCES;
 
                get_data(unaligned_addr, &target_val, len);
                *idx_to_addr(regs, target_idx) = target_val;
        } else {
-               if (!access_ok(VERIFY_WRITE, (void *)unaligned_addr, len))
+               if (!access_ok((void *)unaligned_addr, len))
                        return -EACCES;
                target_val = *idx_to_addr(regs, target_idx);
                set_data((void *)unaligned_addr, target_val, len);
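Review bot: The address passed to `access_ok` in both branches is cast with `(void *)` rather than `(void __user *)`, so the user-pointer annotation is lost at the one place where the range is validated. Writing `access_ok((void __user *)unaligned_addr, len)` keeps the check visible to sparse. The same cast is used in the two `do_32` hunks that follow. `do_16` starts and ends outside this hunk, so how `unaligned_addr` and `len` are derived cannot be reviewed from here.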
@@ -479,7 +479,7 @@ static inline int do_32(unsigned long inst, struct pt_regs *regs)
 
        if (load) {
 
-               if (!access_ok(VERIFY_READ, (void *)unaligned_addr, len))
+               if (!access_ok((void *)unaligned_addr, len))
                        return -EACCES;
 
                get_data(unaligned_addr, &target_val, len);
@@ -491,7 +491,7 @@ static inline int do_32(unsigned long inst, struct pt_regs *regs)
                        *idx_to_addr(regs, RT(inst)) = target_val;
        } else {
 
-               if (!access_ok(VERIFY_WRITE, (void *)unaligned_addr, len))
+               if (!access_ok((void *)unaligned_addr, len))
                        return -EACCES;
 
                target_val = *idx_to_addr(regs, RT(inst));
index dfa3c7cb30b47cf3b8acd981af49d658d3adb3a8..e0ea10806491f47f8e9e7b21b8edd938881b1b5b 100644 (file)
@@ -37,7 +37,7 @@
        (((signed long)(((long)get_fs().seg) &  \
                ((long)(addr) | (((long)(addr)) + (len)) | (len)))) == 0)
 
-#define access_ok(type, addr, len)             \
+#define access_ok(addr, len)           \
        likely(__access_ok((unsigned long)(addr), (unsigned long)(len)))
 
 # define __EX_TABLE_SECTION    ".section __ex_table,\"a\"\n"
@@ -70,7 +70,7 @@ static inline unsigned long __must_check __clear_user(void __user *to,
 static inline unsigned long __must_check clear_user(void __user *to,
                                                    unsigned long n)
 {
-       if (!access_ok(VERIFY_WRITE, to, n))
+       if (!access_ok(to, n))
                return n;
        return __clear_user(to, n);
 }
@@ -142,7 +142,7 @@ do {                                                                        \
        long __gu_err = -EFAULT;                                        \
        const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);              \
        unsigned long __gu_val = 0;                                     \
-       if (access_ok(VERIFY_READ,  __gu_ptr, sizeof(*__gu_ptr)))       \
+       if (access_ok( __gu_ptr, sizeof(*__gu_ptr)))    \
                __get_user_common(__gu_val, sizeof(*__gu_ptr),          \
                        __gu_ptr, __gu_err);                            \
        (x) = (__force __typeof__(x))__gu_val;                          \
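Review bot: The argument removal left a stray space in `access_ok( __gu_ptr, sizeof(*__gu_ptr))` and moved the continuation backslash out of the column the neighbouring macro lines use. The line should read `if (access_ok(__gu_ptr, sizeof(*__gu_ptr)))` with the backslash realigned. The `__pu_ptr` line in the next hunk has the same backslash misalignment.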
@@ -168,7 +168,7 @@ do {                                                                        \
        long __pu_err = -EFAULT;                                        \
        __typeof__(*(ptr)) __user *__pu_ptr = (ptr);                    \
        __typeof__(*(ptr)) __pu_val = (__typeof(*ptr))(x);              \
-       if (access_ok(VERIFY_WRITE, __pu_ptr, sizeof(*__pu_ptr))) {     \
+       if (access_ok(__pu_ptr, sizeof(*__pu_ptr))) {   \
                switch (sizeof(*__pu_ptr)) {                            \
                case 1:                                                 \
                        __put_user_asm(__pu_val, "stb", __pu_ptr, __pu_err); \
index 20662b0f6c9e30cd52279ce3274bcbc463fa5236..4a81876b6086e57fb066e74817d976c74cdb1a23 100644 (file)
@@ -106,7 +106,7 @@ asmlinkage int do_rt_sigreturn(struct switch_stack *sw)
        sigset_t set;
        int rval;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
index 618da4a1bffb9a54aa48daf8942324ea59d7e96f..fe894e6331aedb7c517eba144318494ab3ac623a 100644 (file)
@@ -72,7 +72,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret = 0;
        u32 prev;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        __asm__ __volatile__ (                          \
index bbf5c79cce7a30832422c1a290e895074fab1042..bc8191a34db7889ef816676b19b643abf1494536 100644 (file)
@@ -58,7 +58,7 @@
 /* Ensure that addr is below task's addr_limit */
 #define __addr_ok(addr) ((unsigned long) addr < get_fs())
 
-#define access_ok(type, addr, size) \
+#define access_ok(addr, size) \
        __range_ok((unsigned long)addr, (unsigned long)size)
 
 /*
@@ -102,7 +102,7 @@ extern long __put_user_bad(void);
 ({                                                                     \
        long __pu_err = -EFAULT;                                        \
        __typeof__(*(ptr)) *__pu_addr = (ptr);                          \
-       if (access_ok(VERIFY_WRITE, __pu_addr, size))                   \
+       if (access_ok(__pu_addr, size))                 \
                __put_user_size((x), __pu_addr, (size), __pu_err);      \
        __pu_err;                                                       \
 })
@@ -175,7 +175,7 @@ struct __large_struct {
 ({                                                                     \
        long __gu_err = -EFAULT, __gu_val = 0;                          \
        const __typeof__(*(ptr)) * __gu_addr = (ptr);                   \
-       if (access_ok(VERIFY_READ, __gu_addr, size))                    \
+       if (access_ok(__gu_addr, size))                 \
                __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
        (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
        __gu_err;                                                       \
@@ -254,7 +254,7 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
 static inline __must_check unsigned long
 clear_user(void *addr, unsigned long size)
 {
-       if (likely(access_ok(VERIFY_WRITE, addr, size)))
+       if (likely(access_ok(addr, size)))
                size = __clear_user(addr, size);
        return size;
 }
index 265f10fb393071a7264d350a8e88d3d498354cd0..5ac9d3b1d6158ba166c382ee70264613e763598d 100644 (file)
@@ -50,7 +50,7 @@ static int restore_sigcontext(struct pt_regs *regs,
 
        /*
         * Restore the regs from &sc->regs.
-        * (sc is already checked for VERIFY_READ since the sigframe was
+        * (sc is already checked since the sigframe was
         *  checked in sys_sigreturn previously)
         */
        err |= __copy_from_user(regs, sc->regs.gpr, 32 * sizeof(unsigned long));
@@ -83,7 +83,7 @@ asmlinkage long _sys_rt_sigreturn(struct pt_regs *regs)
        if (((long)frame) & 3)
                goto badframe;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
@@ -161,7 +161,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        /* Create siginfo.  */
index cf7ba058f619a94d25d3d26ca7dfc3da27c91290..d2c3e410685188d24d54263f08c3c7c35c154053 100644 (file)
@@ -95,7 +95,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        if (uaccess_kernel() && !uaddr)
                return -EFAULT;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        /* HPPA has no cmpxchg in hardware and therefore the
index ea70e36ce6af52e5fe4b244ee61ce0769d7b6e93..30ac2865ea730cdf650efd7ca993cfd6daa79d2e 100644 (file)
@@ -27,7 +27,7 @@
  * that put_user is the same as __put_user, etc.
  */
 
-#define access_ok(type, uaddr, size)   \
+#define access_ok(uaddr, size) \
        ( (uaddr) == (uaddr) )
 
 #define put_user __put_user
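Review bot: `access_ok(uaddr, size)` here expands to `( (uaddr) == (uaddr) )`, which is always true for a pointer, ignores `size`, and evaluates `uaddr` twice, and nothing next to the definition says so. A reader auditing callers could take it for a real range check. A one-line comment above the macro would make the contract explicit, for example `/* Always true: no range check is performed here; size is ignored and uaddr is evaluated twice. */`. The comment block that ends just above starts outside the hunk, so it may already cover part of this.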
index 94542776a62d630f6c9037e28264fc371d839245..88b38b37c21b160e2dbe43da5894f145ee6a4043 100644 (file)
@@ -72,7 +72,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        int ret = 0;
        u32 prev;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
         __asm__ __volatile__ (
index ebc0b916dcf9047b5ec00d597a8d01137aef93de..e3a731793ea23f24bbe28981f7191ed48a14f715 100644 (file)
@@ -62,8 +62,8 @@ static inline int __access_ok(unsigned long addr, unsigned long size,
 
 #endif
 
-#define access_ok(type, addr, size)            \
-       (__chk_user_ptr(addr), (void)(type),            \
+#define access_ok(addr, size)          \
+       (__chk_user_ptr(addr),          \
         __access_ok((__force unsigned long)(addr), (size), get_fs()))
 
 /*
@@ -166,7 +166,7 @@ do {                                                                \
        long __pu_err = -EFAULT;                                        \
        __typeof__(*(ptr)) __user *__pu_addr = (ptr);                   \
        might_fault();                                                  \
-       if (access_ok(VERIFY_WRITE, __pu_addr, size))                   \
+       if (access_ok(__pu_addr, size))                 \
                __put_user_size((x), __pu_addr, (size), __pu_err);      \
        __pu_err;                                                       \
 })
@@ -276,7 +276,7 @@ do {                                                                \
        __long_type(*(ptr)) __gu_val = 0;                               \
        __typeof__(*(ptr)) __user *__gu_addr = (ptr);           \
        might_fault();                                                  \
-       if (access_ok(VERIFY_READ, __gu_addr, (size))) {                \
+       if (access_ok(__gu_addr, (size))) {             \
                barrier_nospec();                                       \
                __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
        }                                                               \
@@ -374,7 +374,7 @@ extern unsigned long __clear_user(void __user *addr, unsigned long size);
 static inline unsigned long clear_user(void __user *addr, unsigned long size)
 {
        might_fault();
-       if (likely(access_ok(VERIFY_WRITE, addr, size)))
+       if (likely(access_ok(addr, size)))
                return __clear_user(addr, size);
        return size;
 }
index 11550a3d1ac2e8c5cf092de7f4a849d4a3439d32..0d1b6370bae00bb1ce44442c19b8480e2a0b1d6e 100644 (file)
@@ -131,8 +131,7 @@ static int emulate_spe(struct pt_regs *regs, unsigned int reg,
 
        /* Verify the address of the operand */
        if (unlikely(user_mode(regs) &&
-                    !access_ok((flags & ST ? VERIFY_WRITE : VERIFY_READ),
-                               addr, nb)))
+                    !access_ok(addr, nb)))
                return -EFAULT;
 
        /* userland only */
index 10fabae2574d5910b3cbf5ada83d912879d71351..8246f437bbc69b7bf2fdcda32e18fc6ebfe85a06 100644 (file)
@@ -523,7 +523,7 @@ static ssize_t validate_flash_write(struct file *file, const char __user *buf,
                args_buf->status = VALIDATE_INCOMPLETE;
        }
 
-       if (!access_ok(VERIFY_READ, buf, count)) {
+       if (!access_ok(buf, count)) {
                rc = -EFAULT;
                goto done;
        }
index 38cadae4ca4f70436fdd865b602f078d390d3ba8..8a1746d755c90b0e5d90bcfb7da6a7b8550c9a0a 100644 (file)
@@ -335,7 +335,7 @@ static ssize_t rtas_log_read(struct file * file, char __user * buf,
 
        count = rtas_error_log_buffer_max;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        tmp = kmalloc(count, GFP_KERNEL);
index b3e8db376ecde459bb8b5a1cd00b10c9606df289..e6c30cee6abf1748e52fe5a4ae9a0fbc01c3274a 100644 (file)
@@ -44,7 +44,7 @@ void __user *get_sigframe(struct ksignal *ksig, unsigned long sp,
        newsp = (oldsp - frame_size) & ~0xFUL;
 
        /* Check access */
-       if (!access_ok(VERIFY_WRITE, (void __user *)newsp, oldsp - newsp))
+       if (!access_ok((void __user *)newsp, oldsp - newsp))
                return NULL;
 
         return (void __user *)newsp;
index 2d47cc79e5b3f332ab71dc9c4bb19c524c74644f..ede4f04281ae01ef36537b421504b297149fd6d9 100644 (file)
@@ -1017,7 +1017,7 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int
 #else
        if (__get_user(mcp, &ucp->uc_regs))
                return -EFAULT;
-       if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
+       if (!access_ok(mcp, sizeof(*mcp)))
                return -EFAULT;
 #endif
        set_current_blocked(&set);
@@ -1120,7 +1120,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
                 */
                mctx = (struct mcontext __user *)
                        ((unsigned long) &old_ctx->uc_mcontext & ~0xfUL);
-               if (!access_ok(VERIFY_WRITE, old_ctx, ctx_size)
+               if (!access_ok(old_ctx, ctx_size)
                    || save_user_regs(regs, mctx, NULL, 0, ctx_has_vsx_region)
                    || put_sigset_t(&old_ctx->uc_sigmask, &current->blocked)
                    || __put_user(to_user_ptr(mctx), &old_ctx->uc_regs))
@@ -1128,7 +1128,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
        }
        if (new_ctx == NULL)
                return 0;
-       if (!access_ok(VERIFY_READ, new_ctx, ctx_size) ||
+       if (!access_ok(new_ctx, ctx_size) ||
            fault_in_pages_readable((u8 __user *)new_ctx, ctx_size))
                return -EFAULT;
 
@@ -1169,7 +1169,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
        rt_sf = (struct rt_sigframe __user *)
                (regs->gpr[1] + __SIGNAL_FRAMESIZE + 16);
-       if (!access_ok(VERIFY_READ, rt_sf, sizeof(*rt_sf)))
+       if (!access_ok(rt_sf, sizeof(*rt_sf)))
                goto bad;
 
 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
@@ -1315,7 +1315,7 @@ SYSCALL_DEFINE3(debug_setcontext, struct ucontext __user *, ctx,
        current->thread.debug.dbcr0 = new_dbcr0;
 #endif
 
-       if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx)) ||
+       if (!access_ok(ctx, sizeof(*ctx)) ||
            fault_in_pages_readable((u8 __user *)ctx, sizeof(*ctx)))
                return -EFAULT;
 
@@ -1500,7 +1500,7 @@ SYSCALL_DEFINE0(sigreturn)
        {
                sr = (struct mcontext __user *)from_user_ptr(sigctx.regs);
                addr = sr;
-               if (!access_ok(VERIFY_READ, sr, sizeof(*sr))
+               if (!access_ok(sr, sizeof(*sr))
                    || restore_user_regs(regs, sr, 1))
                        goto badframe;
        }
index 0935fe6c282a54b0fd6a86332a16b282a1d36c1b..bd5e6834ca6928c54a627a470dd1932fd4f91497 100644 (file)
@@ -383,7 +383,7 @@ static long restore_sigcontext(struct task_struct *tsk, sigset_t *set, int sig,
        err |= __get_user(v_regs, &sc->v_regs);
        if (err)
                return err;
-       if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
+       if (v_regs && !access_ok(v_regs, 34 * sizeof(vector128)))
                return -EFAULT;
        /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
        if (v_regs != NULL && (msr & MSR_VEC) != 0) {
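Review bot: The length checked by `access_ok(v_regs, 34 * sizeof(vector128))` uses a bare `34`, while the comment on the next line says 33 vector registers are copied, so the size of the validated region cannot be audited from this code alone. A named constant or a short comment explaining the extra slot would help, for example `access_ok(v_regs, ELF_NVRREG * sizeof(vector128))` if that constant is the intended count here (to be confirmed against its definition). The same literal appears twice in the `restore_tm_sigcontexts` hunk that follows. `restore_sigcontext` begins and ends outside this hunk.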
@@ -502,10 +502,9 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
        err |= __get_user(tm_v_regs, &tm_sc->v_regs);
        if (err)
                return err;
-       if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
+       if (v_regs && !access_ok(v_regs, 34 * sizeof(vector128)))
                return -EFAULT;
-       if (tm_v_regs && !access_ok(VERIFY_READ,
-                                   tm_v_regs, 34 * sizeof(vector128)))
+       if (tm_v_regs && !access_ok(tm_v_regs, 34 * sizeof(vector128)))
                return -EFAULT;
        /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
        if (v_regs != NULL && tm_v_regs != NULL && (msr & MSR_VEC) != 0) {
@@ -671,7 +670,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
                ctx_has_vsx_region = 1;
 
        if (old_ctx != NULL) {
-               if (!access_ok(VERIFY_WRITE, old_ctx, ctx_size)
+               if (!access_ok(old_ctx, ctx_size)
                    || setup_sigcontext(&old_ctx->uc_mcontext, current, 0, NULL, 0,
                                        ctx_has_vsx_region)
                    || __copy_to_user(&old_ctx->uc_sigmask,
@@ -680,7 +679,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
        }
        if (new_ctx == NULL)
                return 0;
-       if (!access_ok(VERIFY_READ, new_ctx, ctx_size)
+       if (!access_ok(new_ctx, ctx_size)
            || __get_user(tmp, (u8 __user *) new_ctx)
            || __get_user(tmp, (u8 __user *) new_ctx + ctx_size - 1))
                return -EFAULT;
@@ -725,7 +724,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
        /* Always make any pending restarted system calls return -EINTR */
        current->restart_block.fn = do_no_restart_syscall;
 
-       if (!access_ok(VERIFY_READ, uc, sizeof(*uc)))
+       if (!access_ok(uc, sizeof(*uc)))
                goto badframe;
 
        if (__copy_from_user(&set, &uc->uc_sigmask, sizeof(set)))
index 466216506eb2f4bfa7b6b94ed89140914b1ea682..e6982ab2181663037b210b24f697d8a1bb52e269 100644 (file)
@@ -89,7 +89,7 @@ ppc_select(int n, fd_set __user *inp, fd_set __user *outp, fd_set __user *exp, s
        if ( (unsigned long)n >= 4096 )
        {
                unsigned long __user *buffer = (unsigned long __user *)n;
-               if (!access_ok(VERIFY_READ, buffer, 5*sizeof(unsigned long))
+               if (!access_ok(buffer, 5*sizeof(unsigned long))
                    || __get_user(n, buffer)
                    || __get_user(inp, ((fd_set __user * __user *)(buffer+1)))
                    || __get_user(outp, ((fd_set  __user * __user *)(buffer+2)))
index 00af2c4febf4877fd30e41e73a830723e91e68fa..64936b60d5216e185670ebbb3424be395fe740d9 100644 (file)
@@ -837,7 +837,7 @@ static void p9_hmi_special_emu(struct pt_regs *regs)
        addr = (__force const void __user *)ea;
 
        /* Check it */
-       if (!access_ok(VERIFY_READ, addr, 16)) {
+       if (!access_ok(addr, 16)) {
                pr_devel("HMI vec emu: bad access %i:%s[%d] nip=%016lx"
                         " instr=%08x addr=%016lx\n",
                         smp_processor_id(), current->comm, current->pid,
index 6f2d2fb4e0982237ba2b1ca0daa778bab6fc7ae7..bd2dcfbf00cdb1cc6a20a766bb68bf17d9f5e3dc 100644 (file)
@@ -1744,7 +1744,7 @@ static ssize_t kvm_htab_read(struct file *file, char __user *buf,
        int first_pass;
        unsigned long hpte[2];
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        if (kvm_is_radix(kvm))
                return 0;
@@ -1844,7 +1844,7 @@ static ssize_t kvm_htab_write(struct file *file, const char __user *buf,
        int mmu_ready;
        int pshift;
 
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        if (kvm_is_radix(kvm))
                return -EINVAL;
index a0cb63fb76a1ada4b6ab727533c62e0cc681e33c..890d4ddd91d619c33d21f41f7b39db7621ec443c 100644 (file)
@@ -37,7 +37,7 @@ __wsum csum_and_copy_from_user(const void __user *src, void *dst,
                goto out;
        }
 
-       if (unlikely((len < 0) || !access_ok(VERIFY_READ, src, len))) {
+       if (unlikely((len < 0) || !access_ok(src, len))) {
                *err_ptr = -EFAULT;
                csum = (__force unsigned int)sum;
                goto out;
@@ -78,7 +78,7 @@ __wsum csum_and_copy_to_user(const void *src, void __user *dst, int len,
                goto out;
        }
 
-       if (unlikely((len < 0) || !access_ok(VERIFY_WRITE, dst, len))) {
+       if (unlikely((len < 0) || !access_ok(dst, len))) {
                *err_ptr = -EFAULT;
                csum = -1; /* invalid checksum */
                goto out;
index a6dcfda3e11e675c544f5523be1b86858f741f2a..887f11bcf3300a638d15c926ac91b883346fd569 100644 (file)
@@ -274,7 +274,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
                        return false;
 
                if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
-                   access_ok(VERIFY_READ, nip, sizeof(*nip))) {
+                   access_ok(nip, sizeof(*nip))) {
                        unsigned int inst;
                        int res;
 
index 3327551c8b47ceb693e40b4da4f7a068a7d63fcc..5e4178790deef77d7edebd8601113c4c96829e9c 100644 (file)
@@ -214,7 +214,7 @@ SYSCALL_DEFINE3(subpage_prot, unsigned long, addr,
                return 0;
        }
 
-       if (!access_ok(VERIFY_READ, map, (len >> PAGE_SHIFT) * sizeof(u32)))
+       if (!access_ok(map, (len >> PAGE_SHIFT) * sizeof(u32)))
                return -EFAULT;
 
        down_write(&mm->mmap_sem);
index 5df6290d1ccc02fed2ba71d14ec9c06017046f3c..260c5370097880e4e8f2a274c17d3f0276ea4b57 100644 (file)
@@ -31,7 +31,7 @@ static unsigned int user_getsp32(unsigned int sp, int is_first)
        unsigned int stack_frame[2];
        void __user *p = compat_ptr(sp);
 
-       if (!access_ok(VERIFY_READ, p, sizeof(stack_frame)))
+       if (!access_ok(p, sizeof(stack_frame)))
                return 0;
 
        /*
@@ -57,7 +57,7 @@ static unsigned long user_getsp64(unsigned long sp, int is_first)
 {
        unsigned long stack_frame[3];
 
-       if (!access_ok(VERIFY_READ, (void __user *)sp, sizeof(stack_frame)))
+       if (!access_ok((void __user *)sp, sizeof(stack_frame)))
                return 0;
 
        if (__copy_from_user_inatomic(stack_frame, (void __user *)sp,
index 43e7b93f27c71c609d75b96089aa4e34d958a899..ae8123edddc670ed2b413129ee8a97aade121200 100644 (file)
@@ -609,7 +609,7 @@ static ssize_t spufs_mbox_read(struct file *file, char __user *buf,
        if (len < 4)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        udata = (void __user *)buf;
@@ -717,7 +717,7 @@ static ssize_t spufs_ibox_read(struct file *file, char __user *buf,
        if (len < 4)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        udata = (void __user *)buf;
@@ -856,7 +856,7 @@ static ssize_t spufs_wbox_write(struct file *file, const char __user *buf,
                return -EINVAL;
 
        udata = (void __user *)buf;
-       if (!access_ok(VERIFY_READ, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        if (__get_user(wbox_data, udata))
@@ -1994,7 +1994,7 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
        int ret;
        struct spu_context *ctx = file->private_data;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        ret = spu_acquire_saved(ctx);
@@ -2034,7 +2034,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
        struct spu_context *ctx = file->private_data;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        ret = spu_acquire_saved(ctx);
@@ -2077,7 +2077,7 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
        struct spu_context *ctx = file->private_data;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        ret = spu_acquire_saved(ctx);
@@ -2129,7 +2129,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
        struct spu_context *ctx = file->private_data;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        ret = spu_acquire_saved(ctx);
@@ -2160,7 +2160,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
        if (len < ret)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, buf, len))
+       if (!access_ok(buf, len))
                return -EFAULT;
 
        info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
index 6c7ad1d8b32edad20154322a246385aea42ee244..2623996a193ab292cab4c9e37bf0dcf3824cc414 100644 (file)
@@ -192,7 +192,7 @@ static ssize_t lpc_debug_read(struct file *filp, char __user *ubuf,
        u32 data, pos, len, todo;
        int rc;
 
-       if (!access_ok(VERIFY_WRITE, ubuf, count))
+       if (!access_ok(ubuf, count))
                return -EFAULT;
 
        todo = count;
@@ -283,7 +283,7 @@ static ssize_t lpc_debug_write(struct file *filp, const char __user *ubuf,
        u32 data, pos, len, todo;
        int rc;
 
-       if (!access_ok(VERIFY_READ, ubuf, count))
+       if (!access_ok(ubuf, count))
                return -EFAULT;
 
        todo = count;
index 054ce7a16fc336b42b1c05243be5a45a68b91d5a..24b157e1e89020de3c881187bbc3b96ea643b9dd 100644 (file)
@@ -63,7 +63,7 @@ static ssize_t scanlog_read(struct file *file, char __user *buf,
                return -EINVAL;
        }
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        for (;;) {
index 3b19eba1bc8e24a65278a5be5a2a4d06cf8c8e47..66641624d8a5e0ff915f04e0461c124a1decddc6 100644 (file)
@@ -95,7 +95,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        u32 val;
        uintptr_t tmp;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        __enable_user_access();
index 8c3e3e3c8be1204b67076985a9b54e80217707b1..637b896894fc4380ad19e8f96fa0d76e35da7b69 100644 (file)
@@ -54,14 +54,8 @@ static inline void set_fs(mm_segment_t fs)
 #define user_addr_max()        (get_fs())
 
 
-#define VERIFY_READ    0
-#define VERIFY_WRITE   1
-
 /**
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
@@ -76,7 +70,7 @@ static inline void set_fs(mm_segment_t fs)
  * checks that the pointer is in the user space range - after calling
  * this function, memory access functions may still return -EFAULT.
  */
-#define access_ok(type, addr, size) ({                                 \
+#define access_ok(addr, size) ({                                       \
        __chk_user_ptr(addr);                                           \
        likely(__access_ok((unsigned long __force)(addr), (size)));     \
 })
@@ -258,7 +252,7 @@ do {                                                                \
 ({                                                             \
        const __typeof__(*(ptr)) __user *__p = (ptr);           \
        might_fault();                                          \
-       access_ok(VERIFY_READ, __p, sizeof(*__p)) ?             \
+       access_ok(__p, sizeof(*__p)) ?          \
                __get_user((x), __p) :                          \
                ((x) = 0, -EFAULT);                             \
 })
@@ -386,7 +380,7 @@ do {                                                                \
 ({                                                             \
        __typeof__(*(ptr)) __user *__p = (ptr);                 \
        might_fault();                                          \
-       access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ?            \
+       access_ok(__p, sizeof(*__p)) ?          \
                __put_user((x), __p) :                          \
                -EFAULT;                                        \
 })
@@ -421,7 +415,7 @@ static inline
 unsigned long __must_check clear_user(void __user *to, unsigned long n)
 {
        might_fault();
-       return access_ok(VERIFY_WRITE, to, n) ?
+       return access_ok(to, n) ?
                __clear_user(to, n) : n;
 }
 
index f9b5e7e352ef7c489a582edf4982cfddeb1e457a..837e1646091a83ecb81feda8ddefb4b5914cdce8 100644 (file)
@@ -115,7 +115,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
        frame = (struct rt_sigframe __user *)regs->sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -187,7 +187,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
        long err = 0;
 
        frame = get_sigframe(ksig, regs, sizeof(*frame));
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= copy_siginfo_to_user(&frame->info, &ksig->info);
index ad6b91013a0525d82002090788038e0c9773b34a..bd2545977ad35f33ee8c2f3fa63466e52a97a59b 100644 (file)
@@ -48,7 +48,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size)
        __range_ok((unsigned long)(addr), (size));      \
 })
 
-#define access_ok(type, addr, size) __access_ok(addr, size)
+#define access_ok(addr, size) __access_ok(addr, size)
 
 unsigned long __must_check
 raw_copy_from_user(void *to, const void __user *from, unsigned long n);
index b58f3d95dc1913deacf48314535faac0ae4e37a9..36b84cfd3f673f25722eddaf7a4b5cbd397dc9d3 100644 (file)
@@ -197,7 +197,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
                                           int len, __wsum sum,
                                           int *err_ptr)
 {
-       if (access_ok(VERIFY_WRITE, dst, len))
+       if (access_ok(dst, len))
                return csum_partial_copy_generic((__force const void *)src,
                                                dst, len, sum, NULL, err_ptr);
 
index 6d192f4908a729c5d9d57b58dc060442a362ed49..3190ec89df81c3b41597fc7fbec032d2b5de7ba8 100644 (file)
@@ -22,7 +22,7 @@ static inline int
 futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
                              u32 oldval, u32 newval)
 {
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        return atomic_futex_op_cmpxchg_inatomic(uval, uaddr, oldval, newval);
index 32eb56e00c11f9558b346a809d66643463203d4e..deebbfab5342dd858e1753b423ec53d58249d43f 100644 (file)
@@ -18,7 +18,7 @@
  */
 #define __access_ok(addr, size)                \
        (__addr_ok((addr) + (size)))
-#define access_ok(type, addr, size)    \
+#define access_ok(addr, size)  \
        (__chk_user_ptr(addr),          \
         __access_ok((unsigned long __force)(addr), (size)))
 
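Review bot: The range check this macro relies on does not guard against wraparound: `__access_ok` in the context lines tests only `__addr_ok((addr) + (size))`, so a size large enough to wrap the sum would be compared as a small address. `__addr_ok` is defined outside the hunk, so this assumes it does not handle that case itself. The commit only drops the `type` argument, but since `access_ok(addr, size)` is now the single entry point, it would be worth rejecting wrapped ranges explicitly, e.g. `#define __access_ok(addr, size) ((addr) + (size) >= (addr) && __addr_ok((addr) + (size)))`.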
@@ -66,7 +66,7 @@ struct __large_struct { unsigned long buf[100]; };
        long __gu_err = -EFAULT;                                        \
        unsigned long __gu_val = 0;                                     \
        const __typeof__(*(ptr)) *__gu_addr = (ptr);                    \
-       if (likely(access_ok(VERIFY_READ, __gu_addr, (size))))          \
+       if (likely(access_ok(__gu_addr, (size))))               \
                __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
        (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
        __gu_err;                                                       \
@@ -87,7 +87,7 @@ struct __large_struct { unsigned long buf[100]; };
        long __pu_err = -EFAULT;                                \
        __typeof__(*(ptr)) __user *__pu_addr = (ptr);           \
        __typeof__(*(ptr)) __pu_val = x;                        \
-       if (likely(access_ok(VERIFY_WRITE, __pu_addr, size)))   \
+       if (likely(access_ok(__pu_addr, size))) \
                __put_user_size(__pu_val, __pu_addr, (size),    \
                                __pu_err);                      \
        __pu_err;                                               \
@@ -132,8 +132,7 @@ __kernel_size_t __clear_user(void *addr, __kernel_size_t size);
        void __user * __cl_addr = (addr);                               \
        unsigned long __cl_size = (n);                                  \
                                                                        \
-       if (__cl_size && access_ok(VERIFY_WRITE,                        \
-               ((unsigned long)(__cl_addr)), __cl_size))               \
+       if (__cl_size && access_ok(__cl_addr, __cl_size))               \
                __cl_size = __clear_user(__cl_addr, __cl_size);         \
                                                                        \
        __cl_size;                                                      \
index c46c0020ff55edf0fdfda120ed90cd3fa7b65d17..2a2121ba8ebe2eee55e479abbdc29878701e86b7 100644 (file)
@@ -160,7 +160,7 @@ asmlinkage int sys_sigreturn(void)
         /* Always make any pending restarted system calls return -EINTR */
        current->restart_block.fn = do_no_restart_syscall;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__get_user(set.sig[0], &frame->sc.oldmask)
@@ -190,7 +190,7 @@ asmlinkage int sys_rt_sigreturn(void)
        /* Always make any pending restarted system calls return -EINTR */
        current->restart_block.fn = do_no_restart_syscall;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -272,7 +272,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
@@ -338,7 +338,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= copy_siginfo_to_user(&frame->info, &ksig->info);
index 76661dee3c65610b6589e3247959e537ea02ad5c..f1f1598879c22828f94be08fb201d44fbb1d26d1 100644 (file)
@@ -259,7 +259,7 @@ asmlinkage int sys_sigreturn(unsigned long r2, unsigned long r3,
        /* Always make any pending restarted system calls return -EINTR */
        current->restart_block.fn = do_no_restart_syscall;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__get_user(set.sig[0], &frame->sc.oldmask)
@@ -293,7 +293,7 @@ asmlinkage int sys_rt_sigreturn(unsigned long r2, unsigned long r3,
        /* Always make any pending restarted system calls return -EINTR */
        current->restart_block.fn = do_no_restart_syscall;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -379,7 +379,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
 
        frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
@@ -465,7 +465,7 @@ static int setup_rt_frame(struct ksignal *kig, sigset_t *set,
 
        frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        err |= __put_user(&frame->info, &frame->pinfo);
index c52bda4d2574aab18d91329c27c6015720363765..8ce90a7da67d9b4dd77850fee840dfc2cfa87844 100644 (file)
@@ -40,7 +40,7 @@ static int read_opcode(reg_size_t pc, insn_size_t *result_opcode, int from_user_
                /* SHmedia */
                aligned_pc = pc & ~3;
                if (from_user_mode) {
-                       if (!access_ok(VERIFY_READ, aligned_pc, sizeof(insn_size_t))) {
+                       if (!access_ok(aligned_pc, sizeof(insn_size_t))) {
                                get_user_error = -EFAULT;
                        } else {
                                get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc);
@@ -180,7 +180,7 @@ static int misaligned_load(struct pt_regs *regs,
        if (user_mode(regs)) {
                __u64 buffer;
 
-               if (!access_ok(VERIFY_READ, (unsigned long) address, 1UL<<width_shift)) {
+               if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                        return -1;
                }
 
@@ -254,7 +254,7 @@ static int misaligned_store(struct pt_regs *regs,
        if (user_mode(regs)) {
                __u64 buffer;
 
-               if (!access_ok(VERIFY_WRITE, (unsigned long) address, 1UL<<width_shift)) {
+               if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                        return -1;
                }
 
@@ -327,7 +327,7 @@ static int misaligned_fpu_load(struct pt_regs *regs,
                __u64 buffer;
                __u32 buflo, bufhi;
 
-               if (!access_ok(VERIFY_READ, (unsigned long) address, 1UL<<width_shift)) {
+               if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                        return -1;
                }
 
@@ -400,7 +400,7 @@ static int misaligned_fpu_store(struct pt_regs *regs,
                /* Initialise these to NaNs. */
                __u32 buflo=0xffffffffUL, bufhi=0xffffffffUL;
 
-               if (!access_ok(VERIFY_WRITE, (unsigned long) address, 1UL<<width_shift)) {
+               if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                        return -1;
                }
 
@@ -663,7 +663,7 @@ void do_reserved_inst(unsigned long error_code, struct pt_regs *regs)
        /* SHmedia : check for defect.  This requires executable vmas
           to be readable too. */
        aligned_pc = pc & ~3;
-       if (!access_ok(VERIFY_READ, aligned_pc, sizeof(insn_size_t)))
+       if (!access_ok(aligned_pc, sizeof(insn_size_t)))
                get_user_error = -EFAULT;
        else
                get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc);
index 56c86ca98ecfe774eecf197af16aa90240423e15..3e27f6d1f1ec109e45d976eb3a38ef04d583bff7 100644 (file)
@@ -177,8 +177,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
        addr = start;
        len = (unsigned long) nr_pages << PAGE_SHIFT;
        end = start + len;
-       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                       (void __user *)start, len)))
+       if (unlikely(!access_ok((void __user *)start, len)))
                return 0;
 
        /*
index c7695f99c8c3cb2e6fc2972607cca9f555d2e6d8..8279a7e91043cb079b8121c3a884c8ee0c8e98fb 100644 (file)
@@ -51,7 +51,7 @@ user_backtrace(unsigned long *stackaddr, struct pt_regs *regs)
        unsigned long buf_stack;
 
        /* Also check accessibility of address */
-       if (!access_ok(VERIFY_READ, stackaddr, sizeof(unsigned long)))
+       if (!access_ok(stackaddr, sizeof(unsigned long)))
                return NULL;
 
        if (__copy_from_user_inatomic(&buf_stack, stackaddr, sizeof(unsigned long)))
index d1e53d7aed39f1fe30b2c041e2aeba6d9cad8eff..5fc98d80b03bccd0a3be9aea757836bd0465535e 100644 (file)
@@ -87,7 +87,7 @@ static inline __wsum
 csum_partial_copy_to_user(const void *src, void __user *dst, int len,
                          __wsum sum, int *err)
 {
-       if (!access_ok (VERIFY_WRITE, dst, len)) {
+       if (!access_ok(dst, len)) {
                *err = -EFAULT;
                return sum;
        } else {
index de71c65b99f022b586c306df754ea36f3a9d7471..5153798051fb2f0a3a529ec62e8f8fe9b7b7ff2e 100644 (file)
@@ -39,8 +39,7 @@
 #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
 #define __kernel_ok (uaccess_kernel())
 #define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size)))
-#define access_ok(type, addr, size) \
-       ({ (void)(type); __access_ok((unsigned long)(addr), size); })
+#define access_ok(addr, size) __access_ok((unsigned long)(addr), size)
 
 /*
  * The exception table consists of pairs of addresses: the first is the
index cbb308cee394f51b0d5e161d34dfe1cfb2cc316b..87ae9ffb1521b199ea57b477c4fc8fb789bf3dc3 100644 (file)
@@ -68,7 +68,7 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
        return 1;
 }
 
-static inline int access_ok(int type, const void __user * addr, unsigned long size)
+static inline int access_ok(const void __user * addr, unsigned long size)
 {
        return 1;
 }
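Review bot: `access_ok()` here returns 1 for every address and size, and with the `type` parameter gone nothing in the signature hints at why. A one-line comment above it would stop readers from treating it as a real range check, for example `/* No range check: presumably user accesses use a separate address space here — confirm */`. Any caller that follows it with the unchecked `__get_user`/`__copy_from_user` variants would then depend entirely on the access itself faulting, which is worth stating.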
index 1e9fae56a8530417a1a72667464dd35fa09c19f7..f25c6daa9f5254c45f3e4446cba33af4a4c995a8 100644 (file)
@@ -65,7 +65,7 @@ int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
        set_used_math();
        clear_tsk_thread_flag(current, TIF_USEDFPU);
 
-       if (!access_ok(VERIFY_READ, fpu, sizeof(*fpu)))
+       if (!access_ok(fpu, sizeof(*fpu)))
                return -EFAULT;
 
        err = __copy_from_user(&current->thread.float_regs[0], &fpu->si_float_regs[0],
index 64ac8c0c14290e53543d58b77b8d9753729bfbf8..83db94c0b43189e4c938d30878368ee2cbf41c08 100644 (file)
@@ -278,7 +278,6 @@ static inline int ok_for_user(struct pt_regs *regs, unsigned int insn,
                              enum direction dir)
 {
        unsigned int reg;
-       int check = (dir == load) ? VERIFY_READ : VERIFY_WRITE;
        int size = ((insn >> 19) & 3) == 3 ? 8 : 4;
 
        if ((regs->pc | regs->npc) & 3)
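Review bot: With `check` removed, `dir` is no longer read anywhere in the visible part of `ok_for_user()` (this hunk and the next one, `@@ -290,18 +289,18 @@`). The rest of the body lies outside both hunks; if it does not use `dir` either, the parameter is dead. It could then be dropped from the signature and callers, or kept with a comment such as `/* dir unused: access_ok() is a range check only */`. The load/store distinction does not appear to have been enforced by `access_ok()` before this change, so behaviour should be unchanged.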
@@ -290,18 +289,18 @@ static inline int ok_for_user(struct pt_regs *regs, unsigned int insn,
 
        reg = (insn >> 25) & 0x1f;
        if (reg >= 16) {
-               if (!access_ok(check, WINREG_ADDR(reg - 16), size))
+               if (!access_ok(WINREG_ADDR(reg - 16), size))
                        return -EFAULT;
        }
        reg = (insn >> 14) & 0x1f;
        if (reg >= 16) {
-               if (!access_ok(check, WINREG_ADDR(reg - 16), size))
+               if (!access_ok(WINREG_ADDR(reg - 16), size))
                        return -EFAULT;
        }
        if (!(insn & 0x2000)) {
                reg = (insn & 0x1f);
                if (reg >= 16) {
-                       if (!access_ok(check, WINREG_ADDR(reg - 16), size))
+                       if (!access_ok(WINREG_ADDR(reg - 16), size))
                                return -EFAULT;
                }
        }
index 1a1d88a4d94035b8cd0685ea5d6ea34ae23cd7f5..5f47422401e1e98d634d12882bd098a9c77a6207 100644 (file)
@@ -66,7 +66,7 @@ long arch_ptrace(struct task_struct *child, long request,
 
 #ifdef PTRACE_GETREGS
        case PTRACE_GETREGS: { /* Get all gp regs from the child. */
-               if (!access_ok(VERIFY_WRITE, p, MAX_REG_OFFSET)) {
+               if (!access_ok(p, MAX_REG_OFFSET)) {
                        ret = -EIO;
                        break;
                }
@@ -81,7 +81,7 @@ long arch_ptrace(struct task_struct *child, long request,
 #ifdef PTRACE_SETREGS
        case PTRACE_SETREGS: { /* Set all gp regs in the child. */
                unsigned long tmp = 0;
-               if (!access_ok(VERIFY_READ, p, MAX_REG_OFFSET)) {
+               if (!access_ok(p, MAX_REG_OFFSET)) {
                        ret = -EIO;
                        break;
                }
index 4ae51cf15adea6ef7ddc6741b431793b545903d3..63be04809d401df14681d4671ef38897f3abb1cd 100644 (file)
@@ -117,7 +117,7 @@ asmlinkage int __sys_rt_sigreturn(struct pt_regs *regs)
 
        frame = (struct rt_sigframe __user *)regs->UCreg_sp;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (restore_sigframe(regs, &frame->sig))
@@ -205,7 +205,7 @@ static inline void __user *get_sigframe(struct k_sigaction *ka,
        /*
         * Check that we can actually write to the signal frame.
         */
-       if (!access_ok(VERIFY_WRITE, frame, framesize))
+       if (!access_ok(frame, framesize))
                frame = NULL;
 
        return frame;
index d78bcc03e60e740f9169813309cce71750a9c88e..d9d81ad7a4009aac0bfb37cd0345366a5d206164 100644 (file)
@@ -99,7 +99,7 @@ static bool write_ok_or_segv(unsigned long ptr, size_t size)
         * sig_on_uaccess_err, this could go away.
         */
 
-       if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
+       if (!access_ok((void __user *)ptr, size)) {
                struct thread_struct *thread = &current->thread;
 
                thread->error_code      = X86_PF_USER | X86_PF_WRITE;
index 8e02b30cf08e16a2ca5b3d0b6aa97bda051a2c85..f65b78d32f5eb7bb0a926c7c4e49b41cb0e66969 100644 (file)
@@ -176,10 +176,10 @@ static int aout_core_dump(struct coredump_params *cprm)
 
        /* make sure we actually have a data and stack area to dump */
        set_fs(USER_DS);
-       if (!access_ok(VERIFY_READ, (void *) (unsigned long)START_DATA(dump),
+       if (!access_ok((void *) (unsigned long)START_DATA(dump),
                       dump.u_dsize << PAGE_SHIFT))
                dump.u_dsize = 0;
-       if (!access_ok(VERIFY_READ, (void *) (unsigned long)START_STACK(dump),
+       if (!access_ok((void *) (unsigned long)START_STACK(dump),
                       dump.u_ssize << PAGE_SHIFT))
                dump.u_ssize = 0;
 
index 86b1341cba9ac5c6b32a3dd941091d59f8ebb56c..321fe5f5d0e96f8ed3f4962dbf982bc60551cf0e 100644 (file)
@@ -119,7 +119,7 @@ asmlinkage long sys32_sigreturn(void)
        struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
        sigset_t set;
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__get_user(set.sig[0], &frame->sc.oldmask)
            || (_COMPAT_NSIG_WORDS > 1
@@ -147,7 +147,7 @@ asmlinkage long sys32_rt_sigreturn(void)
 
        frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4);
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
@@ -269,7 +269,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
 
        frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        if (__put_user(sig, &frame->sig))
@@ -349,7 +349,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
 
        frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        put_user_try {
index 11ef7b7c9cc897940ec445498f338a31a3844d28..a4321203625797007091094be941587840558f59 100644 (file)
@@ -75,7 +75,7 @@ static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
        typeof(ubuf->st_gid) gid = 0;
        SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
        SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
-       if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
+       if (!access_ok(ubuf, sizeof(struct stat64)) ||
            __put_user(huge_encode_dev(stat->dev), &ubuf->st_dev) ||
            __put_user(stat->ino, &ubuf->__st_ino) ||
            __put_user(stat->ino, &ubuf->st_ino) ||
index 7a659c74cd037039896c8c3313a5967a86393020..f57b94e02c5770f9c33f281b8ff647adc7280e12 100644 (file)
@@ -182,7 +182,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
        __wsum ret;
 
        might_sleep();
-       if (access_ok(VERIFY_WRITE, dst, len)) {
+       if (access_ok(dst, len)) {
                stac();
                ret = csum_partial_copy_generic(src, (__force void *)dst,
                                                len, sum, NULL, err_ptr);
index 832da8229cc78019d3a790346e764ca630b1c03e..686247db3106f2b01e058ff6ab3e7a20948b2ddf 100644 (file)
@@ -221,6 +221,14 @@ extern void set_iounmap_nonlazy(void);
 
 #ifdef __KERNEL__
 
+void memcpy_fromio(void *, const volatile void __iomem *, size_t);
+void memcpy_toio(volatile void __iomem *, const void *, size_t);
+void memset_io(volatile void __iomem *, int, size_t);
+
+#define memcpy_fromio memcpy_fromio
+#define memcpy_toio memcpy_toio
+#define memset_io memset_io
+
 #include <asm-generic/iomap.h>
 
 /*
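Review bot: The three new prototypes omit parameter names (`void memcpy_fromio(void *, const volatile void __iomem *, size_t);`), which hides which pointer is the I/O side and which is normal memory. Naming them makes the direction readable at the declaration: `void memcpy_fromio(void *to, const volatile void __iomem *from, size_t n);`, and likewise for `memcpy_toio` and `memset_io`. The self-referential `#define`s below them would also benefit from a short comment saying they exist so the generic header included next does not supply its own versions, if that is the intent.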
index b3ec519e39827e58eaeb8a567303e37a6bc2e919..4fe9e7fc74d37d8a5af686cebf7d4a21d9c38b95 100644 (file)
@@ -37,7 +37,7 @@ void sync_initial_page_table(void);
 /*
  * Define this if things work differently on an i386 and an i486:
  * it will (on an i486) warn about kernel memory accesses that are
- * done without a 'access_ok(VERIFY_WRITE,..)'
+ * done without a 'access_ok( ..)'
  */
 #undef TEST_ACCESS_OK
 
index 7ad41bfcc16cfa32cf2b59312ed2cec2a972c873..4e4194e21a097e1a9e052580a5d5e50db33cbbf0 100644 (file)
@@ -7,24 +7,6 @@
 
 /* Written 2002 by Andi Kleen */
 
-/* Only used for special circumstances. Stolen from i386/string.h */
-static __always_inline void *__inline_memcpy(void *to, const void *from, size_t n)
-{
-       unsigned long d0, d1, d2;
-       asm volatile("rep ; movsl\n\t"
-                    "testb $2,%b4\n\t"
-                    "je 1f\n\t"
-                    "movsw\n"
-                    "1:\ttestb $1,%b4\n\t"
-                    "je 2f\n\t"
-                    "movsb\n"
-                    "2:"
-                    : "=&c" (d0), "=&D" (d1), "=&S" (d2)
-                    : "0" (n / 4), "q" (n), "1" ((long)to), "2" ((long)from)
-                    : "memory");
-       return to;
-}
-
 /* Even with __builtin_ the compiler may decide to use the out of line
    function. */
 
index b5e58cc0c5e75d29aed2cf45ecf52d86ebac1a37..a77445d1b0348675b5b750ad6acd617321b49b1b 100644 (file)
@@ -77,9 +77,6 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
 
 /**
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
@@ -95,7 +92,7 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
  * checks that the pointer is in the user space range - after calling
  * this function, memory access functions may still return -EFAULT.
  */
-#define access_ok(type, addr, size)                                    \
+#define access_ok(addr, size)                                  \
 ({                                                                     \
        WARN_ON_IN_IRQ();                                               \
        likely(!__range_not_ok(addr, size, user_addr_max()));           \
@@ -189,19 +186,14 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
 
 
 #ifdef CONFIG_X86_32
-#define __put_user_asm_u64(x, addr, err, errret)                       \
-       asm volatile("\n"                                               \
-                    "1:        movl %%eax,0(%2)\n"                     \
-                    "2:        movl %%edx,4(%2)\n"                     \
-                    "3:"                                               \
-                    ".section .fixup,\"ax\"\n"                         \
-                    "4:        movl %3,%0\n"                           \
-                    "  jmp 3b\n"                                       \
-                    ".previous\n"                                      \
-                    _ASM_EXTABLE_UA(1b, 4b)                            \
-                    _ASM_EXTABLE_UA(2b, 4b)                            \
-                    : "=r" (err)                                       \
-                    : "A" (x), "r" (addr), "i" (errret), "0" (err))
+#define __put_user_goto_u64(x, addr, label)                    \
+       asm_volatile_goto("\n"                                  \
+                    "1:        movl %%eax,0(%1)\n"             \
+                    "2:        movl %%edx,4(%1)\n"             \
+                    _ASM_EXTABLE_UA(1b, %l2)                   \
+                    _ASM_EXTABLE_UA(2b, %l2)                   \
+                    : : "A" (x), "r" (addr)                    \
+                    : : label)
 
 #define __put_user_asm_ex_u64(x, addr)                                 \
        asm volatile("\n"                                               \
@@ -216,8 +208,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
        asm volatile("call __put_user_8" : "=a" (__ret_pu)      \
                     : "A" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
 #else
-#define __put_user_asm_u64(x, ptr, retval, errret) \
-       __put_user_asm(x, ptr, retval, "q", "", "er", errret)
+#define __put_user_goto_u64(x, ptr, label) \
+       __put_user_goto(x, ptr, "q", "", "er", label)
 #define __put_user_asm_ex_u64(x, addr) \
        __put_user_asm_ex(x, addr, "q", "", "er")
 #define __put_user_x8(x, ptr, __ret_pu) __put_user_x(8, x, ptr, __ret_pu)
@@ -278,23 +270,21 @@ extern void __put_user_8(void);
        __builtin_expect(__ret_pu, 0);                          \
 })
 
-#define __put_user_size(x, ptr, size, retval, errret)                  \
+#define __put_user_size(x, ptr, size, label)                           \
 do {                                                                   \
-       retval = 0;                                                     \
        __chk_user_ptr(ptr);                                            \
        switch (size) {                                                 \
        case 1:                                                         \
-               __put_user_asm(x, ptr, retval, "b", "b", "iq", errret); \
+               __put_user_goto(x, ptr, "b", "b", "iq", label); \
                break;                                                  \
        case 2:                                                         \
-               __put_user_asm(x, ptr, retval, "w", "w", "ir", errret); \
+               __put_user_goto(x, ptr, "w", "w", "ir", label);         \
                break;                                                  \
        case 4:                                                         \
-               __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \
+               __put_user_goto(x, ptr, "l", "k", "ir", label);         \
                break;                                                  \
        case 8:                                                         \
-               __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval,  \
-                                  errret);                             \
+               __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \
                break;                                                  \
        default:                                                        \
                __put_user_bad();                                       \
@@ -439,9 +429,12 @@ do {                                                                       \
 
 #define __put_user_nocheck(x, ptr, size)                       \
 ({                                                             \
-       int __pu_err;                                           \
+       __label__ __pu_label;                                   \
+       int __pu_err = -EFAULT;                                 \
        __uaccess_begin();                                      \
-       __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \
+       __put_user_size((x), (ptr), (size), __pu_label);        \
+       __pu_err = 0;                                           \
+__pu_label:                                                    \
        __uaccess_end();                                        \
        __builtin_expect(__pu_err, 0);                          \
 })
@@ -466,17 +459,23 @@ struct __large_struct { unsigned long buf[100]; };
  * we do not write to any memory gcc knows about, so there are no
  * aliasing issues.
  */
-#define __put_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
-       asm volatile("\n"                                               \
-                    "1:        mov"itype" %"rtype"1,%2\n"              \
-                    "2:\n"                                             \
-                    ".section .fixup,\"ax\"\n"                         \
-                    "3:        mov %3,%0\n"                            \
-                    "  jmp 2b\n"                                       \
-                    ".previous\n"                                      \
-                    _ASM_EXTABLE_UA(1b, 3b)                            \
-                    : "=r"(err)                                        \
-                    : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
+#define __put_user_goto(x, addr, itype, rtype, ltype, label)   \
+       asm_volatile_goto("\n"                                          \
+               "1:     mov"itype" %"rtype"0,%1\n"                      \
+               _ASM_EXTABLE_UA(1b, %l2)                                        \
+               : : ltype(x), "m" (__m(addr))                           \
+               : : label)
+
+#define __put_user_failed(x, addr, itype, rtype, ltype, errret)                \
+       ({      __label__ __puflab;                                     \
+               int __pufret = errret;                                  \
+               __put_user_goto(x,addr,itype,rtype,ltype,__puflab);     \
+               __pufret = 0;                                           \
+       __puflab: __pufret; })
+
+#define __put_user_asm(x, addr, retval, itype, rtype, ltype, errret)   do {    \
+       retval = __put_user_failed(x, addr, itype, rtype, ltype, errret);       \
+} while (0)
 
 #define __put_user_asm_ex(x, addr, itype, rtype, ltype)                        \
        asm volatile("1:        mov"itype" %"rtype"0,%1\n"              \
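Review bot: `__put_user_goto` changes the fault contract without a comment: `_ASM_EXTABLE_UA(1b, %l2)` sends a faulting store straight to `label`, so no error value is written. Each caller has to set its own result and end user access at that label, as `__put_user_nocheck` does with `__pu_label`. The comment kept above the macro only covers aliasing. I would add `/* A faulting store jumps to 'label'; the caller sets the error and calls __uaccess_end() there. */` above the definition. `__put_user_asm_ex` continues outside the hunk.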
@@ -670,7 +669,7 @@ extern void __cmpxchg_wrong_size(void)
 
 #define user_atomic_cmpxchg_inatomic(uval, ptr, old, new)              \
 ({                                                                     \
-       access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ?                \
+       access_ok((ptr), sizeof(*(ptr))) ?              \
                __user_atomic_cmpxchg_inatomic((uval), (ptr),           \
                                (old), (new), sizeof(*(ptr))) :         \
                -EFAULT;                                                \
@@ -708,16 +707,18 @@ extern struct movsl_mask {
  * checking before using them, but you have to surround them with the
  * user_access_begin/end() pair.
  */
-#define user_access_begin()    __uaccess_begin()
+static __must_check inline bool user_access_begin(const void __user *ptr, size_t len)
+{
+       if (unlikely(!access_ok(ptr,len)))
+               return 0;
+       __uaccess_begin();
+       return 1;
+}
+#define user_access_begin(a,b) user_access_begin(a,b)
 #define user_access_end()      __uaccess_end()
 
-#define unsafe_put_user(x, ptr, err_label)                                     \
-do {                                                                           \
-       int __pu_err;                                                           \
-       __typeof__(*(ptr)) __pu_val = (x);                                      \
-       __put_user_size(__pu_val, (ptr), sizeof(*(ptr)), __pu_err, -EFAULT);    \
-       if (unlikely(__pu_err)) goto err_label;                                 \
-} while (0)
+#define unsafe_put_user(x, ptr, label) \
+       __put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), label)
 
 #define unsafe_get_user(x, ptr, err_label)                                     \
 do {                                                                           \
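Review bot: `user_access_begin` is declared `bool` but returns `0` and `1`; `return false;` and `return true;` would match the type, and `access_ok(ptr,len)` wants a space after the comma. The comment above it still only says to surround the unsafe accessors with the begin/end pair. Now that begin can fail, and `unsafe_put_user` jumps to the caller's label with user access still open, that contract should be written down, e.g. `/* Returns false without opening user access; fault labels must call user_access_end(). */`. `unsafe_get_user` continues outside the hunk.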
index d99a8ee9e185e00be294bace7596bddd1dcc02d1..f6a1d299627c5825adb8214afe18731a3d39a53e 100644 (file)
@@ -164,7 +164,7 @@ int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
        ia32_fxstate &= (IS_ENABLED(CONFIG_X86_32) ||
                         IS_ENABLED(CONFIG_IA32_EMULATION));
 
-       if (!access_ok(VERIFY_WRITE, buf, size))
+       if (!access_ok(buf, size))
                return -EACCES;
 
        if (!static_cpu_has(X86_FEATURE_FPU))
@@ -281,7 +281,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
                return 0;
        }
 
-       if (!access_ok(VERIFY_READ, buf, size))
+       if (!access_ok(buf, size))
                return -EACCES;
 
        fpu__initialize(fpu);
index 92a3b312a53c465bbde5f006b5707b62671a49ae..08dfd4c1a4f95a19c78c855028e95b6be01ba02b 100644 (file)
@@ -322,7 +322,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
 
        frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        if (__put_user(sig, &frame->sig))
@@ -385,7 +385,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 
        frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        put_user_try {
@@ -465,7 +465,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 
        frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
@@ -547,7 +547,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
 
        frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return -EFAULT;
 
        if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
@@ -610,7 +610,7 @@ SYSCALL_DEFINE0(sigreturn)
 
        frame = (struct sigframe __user *)(regs->sp - 8);
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__get_user(set.sig[0], &frame->sc.oldmask) || (_NSIG_WORDS > 1
                && __copy_from_user(&set.sig[1], &frame->extramask,
@@ -642,7 +642,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
        unsigned long uc_flags;
 
        frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long));
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
@@ -871,7 +871,7 @@ asmlinkage long sys32_x32_rt_sigreturn(void)
 
        frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8);
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                goto badframe;
index 7627455047c2d58e2db96cc6af1186debc2bdff1..5c2d71a1dc069fd2b7ea2457fdd83e85c5e3383a 100644 (file)
@@ -177,7 +177,7 @@ copy_stack_frame(const void __user *fp, struct stack_frame_user *frame)
 {
        int ret;
 
-       if (!access_ok(VERIFY_READ, fp, sizeof(*frame)))
+       if (!access_ok(fp, sizeof(*frame)))
                return 0;
 
        ret = 1;
index c2fd39752da886776f0ff9a32b7acef157f12e6a..a092b6b40c6b5113f95d374fbbc966717ddf8ca4 100644 (file)
@@ -114,7 +114,7 @@ void save_v86_state(struct kernel_vm86_regs *regs, int retval)
        set_flags(regs->pt.flags, VEFLAGS, X86_EFLAGS_VIF | vm86->veflags_mask);
        user = vm86->user_vm86;
 
-       if (!access_ok(VERIFY_WRITE, user, vm86->vm86plus.is_vm86pus ?
+       if (!access_ok(user, vm86->vm86plus.is_vm86pus ?
                       sizeof(struct vm86plus_struct) :
                       sizeof(struct vm86_struct))) {
                pr_alert("could not access userspace vm86 info\n");
@@ -278,7 +278,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus)
        if (vm86->saved_sp0)
                return -EPERM;
 
-       if (!access_ok(VERIFY_READ, user_vm86, plus ?
+       if (!access_ok(user_vm86, plus ?
                       sizeof(struct vm86_struct) :
                       sizeof(struct vm86plus_struct)))
                return -EFAULT;
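Review bot: The size operands of the ternary in `do_sys_vm86` look swapped: when `plus` is true the check covers `sizeof(struct vm86_struct)`, and when it is false `sizeof(struct vm86plus_struct)`. That is the opposite of `save_v86_state` in the previous hunk, which picks `vm86plus_struct` when `is_vm86pus` is set. The commit only drops `VERIFY_READ` and carries the ordering over. If the plus variant is the larger structure, as the name suggests, the range check is shorter than the region read afterwards; I would write `plus ? sizeof(struct vm86plus_struct) : sizeof(struct vm86_struct)`. The function body continues outside the hunk, so confirm against the copies that follow.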
index 25a972c61b0ae9816a817eb9681f4cd374e9e32a..ce28829f12811ff5a3b482ab3cd2867c57630719 100644 (file)
@@ -30,6 +30,7 @@ lib-$(CONFIG_FUNCTION_ERROR_INJECTION)        += error-inject.o
 lib-$(CONFIG_RETPOLINE) += retpoline.o
 
 obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
+obj-y += iomem.o
 
 ifeq ($(CONFIG_X86_32),y)
         obj-y += atomic64_32.o
index 8bd53589ecfb93337c920d254e9307617bc21a32..a6a2b7dccbfff163ff650fce42f422c5bf20cc7e 100644 (file)
@@ -27,7 +27,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
        might_sleep();
        *errp = 0;
 
-       if (!likely(access_ok(VERIFY_READ, src, len)))
+       if (!likely(access_ok(src, len)))
                goto out_err;
 
        /*
@@ -89,7 +89,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
 
        might_sleep();
 
-       if (unlikely(!access_ok(VERIFY_WRITE, dst, len))) {
+       if (unlikely(!access_ok(dst, len))) {
                *errp = -EFAULT;
                return 0;
        }
diff --git a/arch/x86/lib/iomem.c b/arch/x86/lib/iomem.c
new file mode 100644 (file)
index 0000000..6689467
--- /dev/null
@@ -0,0 +1,42 @@
+#include <linux/string.h>
+#include <linux/module.h>
+#include <linux/io.h>
+
+/* Originally from i386/string.h */
+static __always_inline void __iomem_memcpy(void *to, const void *from, size_t n)
+{
+       unsigned long d0, d1, d2;
+       asm volatile("rep ; movsl\n\t"
+                    "testb $2,%b4\n\t"
+                    "je 1f\n\t"
+                    "movsw\n"
+                    "1:\ttestb $1,%b4\n\t"
+                    "je 2f\n\t"
+                    "movsb\n"
+                    "2:"
+                    : "=&c" (d0), "=&D" (d1), "=&S" (d2)
+                    : "0" (n / 4), "q" (n), "1" ((long)to), "2" ((long)from)
+                    : "memory");
+}
+
+void memcpy_fromio(void *to, const volatile void __iomem *from, size_t n)
+{
+       __iomem_memcpy(to, (const void *)from, n);
+}
+EXPORT_SYMBOL(memcpy_fromio);
+
+void memcpy_toio(volatile void __iomem *to, const void *from, size_t n)
+{
+       __iomem_memcpy((void *)to, (const void *) from, n);
+}
+EXPORT_SYMBOL(memcpy_toio);
+
+void memset_io(volatile void __iomem *a, int b, size_t c)
+{
+       /*
+        * TODO: memset can mangle the IO patterns quite a bit.
+        * perhaps it would be better to use a dumb one:
+        */
+       memset((void *)a, b, c);
+}
+EXPORT_SYMBOL(memset_io);
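Review bot: `memset_io()` still hands the MMIO pointer to plain `memset()`, whose store width is up to the implementation, while both copy helpers in this new file go through `__iomem_memcpy` with a fixed sequence; the TODO admits the problem but leaves it open. The file also says nothing about why these helpers avoid the generic `memcpy`. A comment above `__iomem_memcpy` such as `/* Fixed MMIO access pattern: 32-bit moves, then at most one 16-bit and one 8-bit move. */` would record the guarantee callers rely on. The casts in `memcpy_fromio` and `memcpy_toio` drop `volatile` and `__iomem` silently; if the tree's static checker is expected to stay quiet here they probably need `__force`.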
index 71fb58d44d5867dcaa1441c5cf1b630553382798..bfd94e7812fcb8642817784ab7be3032fa95ef37 100644 (file)
@@ -67,7 +67,7 @@ unsigned long
 clear_user(void __user *to, unsigned long n)
 {
        might_fault();
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                __do_clear_user(to, n);
        return n;
 }
index 1bd837cdc4b197483a7b694a9084151db8e27770..ee42bb0cbeb3f66d1e17fdec0c4994749fc55828 100644 (file)
@@ -48,7 +48,7 @@ EXPORT_SYMBOL(__clear_user);
 
 unsigned long clear_user(void __user *to, unsigned long n)
 {
-       if (access_ok(VERIFY_WRITE, to, n))
+       if (access_ok(to, n))
                return __clear_user(to, n);
        return n;
 }
index c8b1b31ed7c44b9bcfc0b570d5643e80655147ab..f98a0c956764687e9afc8a982edc5e4f40d61aee 100644 (file)
@@ -104,7 +104,7 @@ static inline bool seg_writable(struct desc_struct *d)
 #define instruction_address    (*(struct address *)&I387->soft.fip)
 #define operand_address                (*(struct address *)&I387->soft.foo)
 
-#define FPU_access_ok(x,y,z)   if ( !access_ok(x,y,z) ) \
+#define FPU_access_ok(y,z)     if ( !access_ok(y,z) ) \
                                math_abort(FPU_info,SIGSEGV)
 #define FPU_abort              math_abort(FPU_info, SIGSEGV)
 
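Review bot: `FPU_access_ok` expands to a bare `if` statement, so a use placed in front of an `else` or inside an unbraced `if` would bind to the wrong branch. Since the macro line is being rewritten anyway, I would wrap it: `#define FPU_access_ok(y,z) do { if (!access_ok(y,z)) math_abort(FPU_info,SIGSEGV); } while (0)`. The call sites visible on this page all use it as a stand-alone statement, so their behaviour stays the same.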
@@ -119,7 +119,7 @@ static inline bool seg_writable(struct desc_struct *d)
 /* A simpler test than access_ok() can probably be done for
    FPU_code_access_ok() because the only possible error is to step
    past the upper boundary of a legal code area. */
-#define        FPU_code_access_ok(z) FPU_access_ok(VERIFY_READ,(void __user *)FPU_EIP,z)
+#define        FPU_code_access_ok(z) FPU_access_ok((void __user *)FPU_EIP,z)
 #endif
 
 #define FPU_get_user(x,y)       get_user((x),(y))
index f821a9cd7753c8940901911472423e6f280b2995..f15263e158e8e669d82398bd40b3f2f8415cd88d 100644 (file)
@@ -251,7 +251,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
                break;
        case 024:               /* fldcw */
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_READ, data_address, 2);
+               FPU_access_ok(data_address, 2);
                FPU_get_user(control_word,
                             (unsigned short __user *)data_address);
                RE_ENTRANT_CHECK_ON;
@@ -291,7 +291,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
                break;
        case 034:               /* fstcw m16int */
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_WRITE, data_address, 2);
+               FPU_access_ok(data_address, 2);
                FPU_put_user(control_word,
                             (unsigned short __user *)data_address);
                RE_ENTRANT_CHECK_ON;
@@ -305,7 +305,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
                break;
        case 036:               /* fstsw m2byte */
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_WRITE, data_address, 2);
+               FPU_access_ok(data_address, 2);
                FPU_put_user(status_word(),
                             (unsigned short __user *)data_address);
                RE_ENTRANT_CHECK_ON;
index d40ff45497b9bb554aa14d49fe5d7f15da660b97..f3779743d15e695fae569b969825857c38610a4a 100644 (file)
@@ -84,7 +84,7 @@ int FPU_load_extended(long double __user *s, int stnr)
        FPU_REG *sti_ptr = &st(stnr);
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, s, 10);
+       FPU_access_ok(s, 10);
        __copy_from_user(sti_ptr, s, 10);
        RE_ENTRANT_CHECK_ON;
 
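Review bot: In `FPU_load_extended` the result of `__copy_from_user(sti_ptr, s, 10)` is discarded, and `FPU_access_ok` only validates the address range. A fault during the copy would therefore leave `*sti_ptr` partly written and go unreported. The `frstor` hunk further down has the same pattern with `__copy_from_user(register_base + offset, s, other)`, whereas `FPU_load_int64` checks `copy_from_user` and calls `FPU_abort`. I would do the same here: `if (__copy_from_user(sti_ptr, s, 10)) FPU_abort;`. Both functions continue outside their hunks.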
@@ -98,7 +98,7 @@ int FPU_load_double(double __user *dfloat, FPU_REG *loaded_data)
        unsigned m64, l64;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, dfloat, 8);
+       FPU_access_ok(dfloat, 8);
        FPU_get_user(m64, 1 + (unsigned long __user *)dfloat);
        FPU_get_user(l64, (unsigned long __user *)dfloat);
        RE_ENTRANT_CHECK_ON;
@@ -159,7 +159,7 @@ int FPU_load_single(float __user *single, FPU_REG *loaded_data)
        int exp, tag, negative;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, single, 4);
+       FPU_access_ok(single, 4);
        FPU_get_user(m32, (unsigned long __user *)single);
        RE_ENTRANT_CHECK_ON;
 
@@ -214,7 +214,7 @@ int FPU_load_int64(long long __user *_s)
        FPU_REG *st0_ptr = &st(0);
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, _s, 8);
+       FPU_access_ok(_s, 8);
        if (copy_from_user(&s, _s, 8))
                FPU_abort;
        RE_ENTRANT_CHECK_ON;
@@ -243,7 +243,7 @@ int FPU_load_int32(long __user *_s, FPU_REG *loaded_data)
        int negative;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, _s, 4);
+       FPU_access_ok(_s, 4);
        FPU_get_user(s, _s);
        RE_ENTRANT_CHECK_ON;
 
@@ -271,7 +271,7 @@ int FPU_load_int16(short __user *_s, FPU_REG *loaded_data)
        int s, negative;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, _s, 2);
+       FPU_access_ok(_s, 2);
        /* Cast as short to get the sign extended. */
        FPU_get_user(s, _s);
        RE_ENTRANT_CHECK_ON;
@@ -304,7 +304,7 @@ int FPU_load_bcd(u_char __user *s)
        int sign;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, s, 10);
+       FPU_access_ok(s, 10);
        RE_ENTRANT_CHECK_ON;
        for (pos = 8; pos >= 0; pos--) {
                l *= 10;
@@ -345,7 +345,7 @@ int FPU_store_extended(FPU_REG *st0_ptr, u_char st0_tag,
 
        if (st0_tag != TAG_Empty) {
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_WRITE, d, 10);
+               FPU_access_ok(d, 10);
 
                FPU_put_user(st0_ptr->sigl, (unsigned long __user *)d);
                FPU_put_user(st0_ptr->sigh,
@@ -364,7 +364,7 @@ int FPU_store_extended(FPU_REG *st0_ptr, u_char st0_tag,
                /* The masked response */
                /* Put out the QNaN indefinite */
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_WRITE, d, 10);
+               FPU_access_ok(d, 10);
                FPU_put_user(0, (unsigned long __user *)d);
                FPU_put_user(0xc0000000, 1 + (unsigned long __user *)d);
                FPU_put_user(0xffff, 4 + (short __user *)d);
@@ -539,7 +539,7 @@ denormal_arg:
                        /* The masked response */
                        /* Put out the QNaN indefinite */
                        RE_ENTRANT_CHECK_OFF;
-                       FPU_access_ok(VERIFY_WRITE, dfloat, 8);
+                       FPU_access_ok(dfloat, 8);
                        FPU_put_user(0, (unsigned long __user *)dfloat);
                        FPU_put_user(0xfff80000,
                                     1 + (unsigned long __user *)dfloat);
@@ -552,7 +552,7 @@ denormal_arg:
                l[1] |= 0x80000000;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, dfloat, 8);
+       FPU_access_ok(dfloat, 8);
        FPU_put_user(l[0], (unsigned long __user *)dfloat);
        FPU_put_user(l[1], 1 + (unsigned long __user *)dfloat);
        RE_ENTRANT_CHECK_ON;
@@ -724,7 +724,7 @@ int FPU_store_single(FPU_REG *st0_ptr, u_char st0_tag, float __user *single)
                        /* The masked response */
                        /* Put out the QNaN indefinite */
                        RE_ENTRANT_CHECK_OFF;
-                       FPU_access_ok(VERIFY_WRITE, single, 4);
+                       FPU_access_ok(single, 4);
                        FPU_put_user(0xffc00000,
                                     (unsigned long __user *)single);
                        RE_ENTRANT_CHECK_ON;
@@ -742,7 +742,7 @@ int FPU_store_single(FPU_REG *st0_ptr, u_char st0_tag, float __user *single)
                templ |= 0x80000000;
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, single, 4);
+       FPU_access_ok(single, 4);
        FPU_put_user(templ, (unsigned long __user *)single);
        RE_ENTRANT_CHECK_ON;
 
@@ -791,7 +791,7 @@ int FPU_store_int64(FPU_REG *st0_ptr, u_char st0_tag, long long __user *d)
        }
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, d, 8);
+       FPU_access_ok(d, 8);
        if (copy_to_user(d, &tll, 8))
                FPU_abort;
        RE_ENTRANT_CHECK_ON;
@@ -838,7 +838,7 @@ int FPU_store_int32(FPU_REG *st0_ptr, u_char st0_tag, long __user *d)
        }
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, d, 4);
+       FPU_access_ok(d, 4);
        FPU_put_user(t.sigl, (unsigned long __user *)d);
        RE_ENTRANT_CHECK_ON;
 
@@ -884,7 +884,7 @@ int FPU_store_int16(FPU_REG *st0_ptr, u_char st0_tag, short __user *d)
        }
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, d, 2);
+       FPU_access_ok(d, 2);
        FPU_put_user((short)t.sigl, d);
        RE_ENTRANT_CHECK_ON;
 
@@ -925,7 +925,7 @@ int FPU_store_bcd(FPU_REG *st0_ptr, u_char st0_tag, u_char __user *d)
                if (control_word & CW_Invalid) {
                        /* Produce the QNaN "indefinite" */
                        RE_ENTRANT_CHECK_OFF;
-                       FPU_access_ok(VERIFY_WRITE, d, 10);
+                       FPU_access_ok(d, 10);
                        for (i = 0; i < 7; i++)
                                FPU_put_user(0, d + i); /* These bytes "undefined" */
                        FPU_put_user(0xc0, d + 7);      /* This byte "undefined" */
@@ -941,7 +941,7 @@ int FPU_store_bcd(FPU_REG *st0_ptr, u_char st0_tag, u_char __user *d)
        }
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, d, 10);
+       FPU_access_ok(d, 10);
        RE_ENTRANT_CHECK_ON;
        for (i = 0; i < 9; i++) {
                b = FPU_div_small(&ll, 10);
@@ -1034,7 +1034,7 @@ u_char __user *fldenv(fpu_addr_modes addr_modes, u_char __user *s)
            ((addr_modes.default_mode == PM16)
             ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) {
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_READ, s, 0x0e);
+               FPU_access_ok(s, 0x0e);
                FPU_get_user(control_word, (unsigned short __user *)s);
                FPU_get_user(partial_status, (unsigned short __user *)(s + 2));
                FPU_get_user(tag_word, (unsigned short __user *)(s + 4));
@@ -1056,7 +1056,7 @@ u_char __user *fldenv(fpu_addr_modes addr_modes, u_char __user *s)
                }
        } else {
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_READ, s, 0x1c);
+               FPU_access_ok(s, 0x1c);
                FPU_get_user(control_word, (unsigned short __user *)s);
                FPU_get_user(partial_status, (unsigned short __user *)(s + 4));
                FPU_get_user(tag_word, (unsigned short __user *)(s + 8));
@@ -1125,7 +1125,7 @@ void frstor(fpu_addr_modes addr_modes, u_char __user *data_address)
 
        /* Copy all registers in stack order. */
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_READ, s, 80);
+       FPU_access_ok(s, 80);
        __copy_from_user(register_base + offset, s, other);
        if (offset)
                __copy_from_user(register_base, s + other, offset);
@@ -1146,7 +1146,7 @@ u_char __user *fstenv(fpu_addr_modes addr_modes, u_char __user *d)
            ((addr_modes.default_mode == PM16)
             ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) {
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_WRITE, d, 14);
+               FPU_access_ok(d, 14);
 #ifdef PECULIAR_486
                FPU_put_user(control_word & ~0xe080, (unsigned long __user *)d);
 #else
@@ -1174,7 +1174,7 @@ u_char __user *fstenv(fpu_addr_modes addr_modes, u_char __user *d)
                d += 0x0e;
        } else {
                RE_ENTRANT_CHECK_OFF;
-               FPU_access_ok(VERIFY_WRITE, d, 7 * 4);
+               FPU_access_ok(d, 7 * 4);
 #ifdef PECULIAR_486
                control_word &= ~0xe080;
                /* An 80486 sets nearly all of the reserved bits to 1. */
@@ -1204,7 +1204,7 @@ void fsave(fpu_addr_modes addr_modes, u_char __user *data_address)
        d = fstenv(addr_modes, data_address);
 
        RE_ENTRANT_CHECK_OFF;
-       FPU_access_ok(VERIFY_WRITE, d, 80);
+       FPU_access_ok(d, 80);
 
        /* Copy all registers in stack order. */
        if (__copy_to_user(d, register_base + offset, other))
index 2385538e80656aca15b9507827d45885b453cf8d..de1851d156997b58969455cf3ea9ce92336beb87 100644 (file)
@@ -495,7 +495,7 @@ static int get_bt_addr(struct mm_struct *mm,
        unsigned long bd_entry;
        unsigned long bt_addr;
 
-       if (!access_ok(VERIFY_READ, (bd_entry_ptr), sizeof(*bd_entry_ptr)))
+       if (!access_ok((bd_entry_ptr), sizeof(*bd_entry_ptr)))
                return -EFAULT;
 
        while (1) {
index 83a75f8a12330237a73b20a9d5c96c9a77d4b450..b9ac7c9eb72c553fdd13ac4e3a8a5282f3d2f2b8 100644 (file)
@@ -43,7 +43,7 @@ static __inline__ __wsum csum_and_copy_to_user(const void *src,
                                                     void __user *dst,
                                                     int len, __wsum sum, int *err_ptr)
 {
-       if (access_ok(VERIFY_WRITE, dst, len)) {
+       if (access_ok(dst, len)) {
                if (copy_to_user(dst, src, len)) {
                        *err_ptr = -EFAULT;
                        return (__force __wsum)-1;
index 727ed442e0a52f0b60b57567abf5bbc59c8e6e5f..8b4a71efe7eef1c71e778bf17ff1929c6d68b0a8 100644 (file)
@@ -367,7 +367,7 @@ int setup_signal_stack_sc(unsigned long stack_top, struct ksignal *ksig,
        /* This is the same calculation as i386 - ((sp + 4) & 15) == 0 */
        stack_top = ((stack_top + 4) & -16UL) - 4;
        frame = (struct sigframe __user *) stack_top - 1;
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return 1;
 
        restorer = frame->retcode;
@@ -412,7 +412,7 @@ int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
 
        stack_top &= -8UL;
        frame = (struct rt_sigframe __user *) stack_top - 1;
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                return 1;
 
        restorer = frame->retcode;
@@ -497,7 +497,7 @@ int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
        /* Subtract 128 for a red zone and 8 for proper alignment */
        frame = (struct rt_sigframe __user *) ((unsigned long) frame - 128 - 8);
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto out;
 
        if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
index 3ae74d7e074b5970c92b4e2e5158ea631809eccf..f302ef57973a45e8a9dccf82a8329158f48172a3 100644 (file)
@@ -243,7 +243,7 @@ static __inline__ __wsum csum_and_copy_to_user(const void *src,
                                               void __user *dst, int len,
                                               __wsum sum, int *err_ptr)
 {
-       if (access_ok(VERIFY_WRITE, dst, len))
+       if (access_ok(dst, len))
                return csum_partial_copy_generic(src,dst,len,sum,NULL,err_ptr);
 
        if (len)
index fd0eef6b8e7c967b9563856ba0aa89711a946ac1..505d09eff184dba703f8e3ef52203de03faa0617 100644 (file)
@@ -93,7 +93,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
 {
        int ret = 0;
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
 #if !XCHAL_HAVE_S32C1I
index d11ef29396528a43dba06ff0a781311611e0f2e5..4b2480304bc311ffd8c1769efa885a2b78e65357 100644 (file)
@@ -42,7 +42,7 @@
 #define __user_ok(addr, size) \
                (((size) <= TASK_SIZE)&&((addr) <= TASK_SIZE-(size)))
 #define __access_ok(addr, size) (__kernel_ok || __user_ok((addr), (size)))
-#define access_ok(type, addr, size) __access_ok((unsigned long)(addr), (size))
+#define access_ok(addr, size) __access_ok((unsigned long)(addr), (size))
 
 #define user_addr_max() (uaccess_kernel() ? ~0UL : TASK_SIZE)
 
@@ -86,7 +86,7 @@ extern long __put_user_bad(void);
 ({                                                                     \
        long __pu_err = -EFAULT;                                        \
        __typeof__(*(ptr)) *__pu_addr = (ptr);                          \
-       if (access_ok(VERIFY_WRITE, __pu_addr, size))                   \
+       if (access_ok(__pu_addr, size))                 \
                __put_user_size((x), __pu_addr, (size), __pu_err);      \
        __pu_err;                                                       \
 })
@@ -183,7 +183,7 @@ __asm__ __volatile__(                                       \
 ({                                                                     \
        long __gu_err = -EFAULT, __gu_val = 0;                          \
        const __typeof__(*(ptr)) *__gu_addr = (ptr);                    \
-       if (access_ok(VERIFY_READ, __gu_addr, size))                    \
+       if (access_ok(__gu_addr, size))                 \
                __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
        (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
        __gu_err;                                                       \
@@ -269,7 +269,7 @@ __xtensa_clear_user(void *addr, unsigned long size)
 static inline unsigned long
 clear_user(void *addr, unsigned long size)
 {
-       if (access_ok(VERIFY_WRITE, addr, size))
+       if (access_ok(addr, size))
                return __xtensa_clear_user(addr, size);
        return size ? -EFAULT : 0;
 }
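Review bot: The failure path of this `clear_user` returns `-EFAULT` from a function typed `unsigned long`, so a caller sees a very large positive count rather than the number of bytes left uncleared. The two x86 `clear_user` versions earlier on this page return `n` in that case. `return size;` would match them and still yields 0 for a zero-length request.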
@@ -284,7 +284,7 @@ extern long __strncpy_user(char *, const char *, long);
 static inline long
 strncpy_from_user(char *dst, const char *src, long count)
 {
-       if (access_ok(VERIFY_READ, src, 1))
+       if (access_ok(src, 1))
                return __strncpy_user(dst, src, count);
        return -EFAULT;
 }
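Review bot: `strncpy_from_user` range-checks a single byte with `access_ok(src, 1)` and then lets `__strncpy_user` read up to `count` bytes, so the check does not cover the rest of the string. Whether `__strncpy_user` bounds itself against the user address limit cannot be seen from this hunk. If it does not, the copy length should be clamped against `user_addr_max()`, which this header defines a few lines earlier. At minimum I would record the assumption with `/* only the first byte is range-checked; __strncpy_user must stop at the user limit */`.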
index 74e1682876acbd36cd318195ba49a99dc42df890..dc22a238ed9c18d59f8d2721cc1fab16b41bfdae 100644 (file)
@@ -251,7 +251,7 @@ asmlinkage long xtensa_rt_sigreturn(long a0, long a1, long a2, long a3,
 
        frame = (struct rt_sigframe __user *) regs->areg[1];
 
-       if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+       if (!access_ok(frame, sizeof(*frame)))
                goto badframe;
 
        if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -348,7 +348,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
        if (regs->depc > 64)
                panic ("Double exception sys_sigreturn\n");
 
-       if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) {
+       if (!access_ok(frame, sizeof(*frame))) {
                return -EFAULT;
        }
 
index 0df4080fa20f2276563eb64f8694959548a3f557..174c11f13bba375472f77a02eca75b1408d5e2de 100644 (file)
@@ -91,7 +91,7 @@ void xtensa_backtrace_user(struct pt_regs *regs, unsigned int depth,
                pc = MAKE_PC_FROM_RA(a0, pc);
 
                /* Check if the region is OK to access. */
-               if (!access_ok(VERIFY_READ, &SPILL_SLOT(a1, 0), 8))
+               if (!access_ok(&SPILL_SLOT(a1, 0), 8))
                        return;
                /* Copy a1, a0 from user space stack frame. */
                if (__get_user(a0, &SPILL_SLOT(a1, 0)) ||
index f21c99ec46ee0935605f09d28e4e2161be1abdc4..a2dcd62ea32ffb54818a3f16482608f12ee92cc0 100644 (file)
@@ -614,7 +614,7 @@ static ssize_t acpi_aml_read(struct file *file, char __user *buf,
 
        if (!count)
                return 0;
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        while (count > 0) {
@@ -684,7 +684,7 @@ static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
 
        if (!count)
                return 0;
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        while (count > 0) {
index 14e728fbb8a009bcb8988c63f52c812c122943b7..ff5394f475875b6fe0c666d760a1a45daae8a0db 100644 (file)
@@ -44,7 +44,7 @@ static ssize_t read_nvram(struct file *file, char __user *buf,
        unsigned int i;
        char __user *p = buf;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        if (*ppos >= nvram_len)
                return 0;
@@ -62,7 +62,7 @@ static ssize_t write_nvram(struct file *file, const char __user *buf,
        const char __user *p = buf;
        char c;
 
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        if (*ppos >= nvram_len)
                return 0;
index 7b4e4de778e45f7900732a243f6d53f783089d32..b08dc50f9f26026730c5eb12ee8e4be47012c2f8 100644 (file)
@@ -609,7 +609,7 @@ static ssize_t read_port(struct file *file, char __user *buf,
        unsigned long i = *ppos;
        char __user *tmp = buf;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        while (count-- > 0 && i < 65536) {
                if (__put_user(inb(i), tmp) < 0)
@@ -627,7 +627,7 @@ static ssize_t write_port(struct file *file, const char __user *buf,
        unsigned long i = *ppos;
        const char __user *tmp = buf;
 
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        while (count-- > 0 && i < 65536) {
                char c;
index a284ae25e69a1bcee2b4eda407c51b616e9432cc..76fb434068d4f7b85be5ab6b2abf3ebd5c58ae4a 100644 (file)
@@ -167,7 +167,7 @@ static ssize_t flash_write(struct file *file, const char __user *buf,
        if (count > gbFlashSize - p)
                count = gbFlashSize - p;
                        
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        /*
index 809507bf8f1cd8c371845e450cfd4e7151b59eb0..7a4eb86aedac6862f947a85b726eab9660427cd6 100644 (file)
@@ -1445,11 +1445,11 @@ static long cmm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
              _IOC_DIR(cmd), _IOC_READ, _IOC_WRITE, size, cmd);
 
        if (_IOC_DIR(cmd) & _IOC_READ) {
-               if (!access_ok(VERIFY_WRITE, argp, size))
+               if (!access_ok(argp, size))
                        goto out;
        }
        if (_IOC_DIR(cmd) & _IOC_WRITE) {
-               if (!access_ok(VERIFY_READ, argp, size))
+               if (!access_ok(argp, size))
                        goto out;
        }
        rc = 0;
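Review bot: With the access-type argument gone, the `_IOC_READ` and `_IOC_WRITE` branches in this hunk run the identical `access_ok(argp, size)` test, so a command carrying both direction bits checks the same range twice. The two blocks can be folded into one: `if ((_IOC_DIR(cmd) & (_IOC_READ | _IOC_WRITE)) && !access_ok(argp, size)) goto out;`. cmm_ioctl starts and continues outside the hunk, so this assumes nothing between the two checks depends on them being separate.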
index d64a78ccc03e318986daa8cda8200c1dbe709ff7..b16be8a11d92d63382612461d7a7bedafa0ba966 100644 (file)
@@ -364,7 +364,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp)
                goto cmd;
 
        /* allocate a physically contiguous buffer to store the CSR blob */
-       if (!access_ok(VERIFY_WRITE, input.address, input.length) ||
+       if (!access_ok(input.address, input.length) ||
            input.length > SEV_FW_BLOB_MAX_SIZE) {
                ret = -EFAULT;
                goto e_free;
@@ -644,14 +644,14 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp)
 
        /* Allocate a physically contiguous buffer to store the PDH blob. */
        if ((input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE) ||
-           !access_ok(VERIFY_WRITE, input.pdh_cert_address, input.pdh_cert_len)) {
+           !access_ok(input.pdh_cert_address, input.pdh_cert_len)) {
                ret = -EFAULT;
                goto e_free;
        }
 
        /* Allocate a physically contiguous buffer to store the cert chain blob. */
        if ((input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) ||
-           !access_ok(VERIFY_WRITE, input.cert_chain_address, input.cert_chain_len)) {
+           !access_ok(input.cert_chain_address, input.cert_chain_len)) {
                ret = -EFAULT;
                goto e_free;
        }
index d8e185582642bcdc72e7989c4d47e7529a458353..16a7045736a94e156e3375d5901facac009e513d 100644 (file)
@@ -1094,7 +1094,7 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg)
                return -EINVAL;
 
        p = (struct fw_cdev_iso_packet __user *)u64_to_uptr(a->packets);
-       if (!access_ok(VERIFY_READ, p, a->size))
+       if (!access_ok(p, a->size))
                return -EFAULT;
 
        end = (void __user *)p + a->size;
index 769640940c9fc86dff2ce107e3500aeb6a33f93f..51ecf7d6da48a383c8afed701fcfaa7faa6465cb 100644 (file)
@@ -68,7 +68,7 @@ copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src,
                return 0;
        }
 
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return -EFAULT;
 
        buf = memdup_user(src, len);
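Review bot: `access_ok(src, 1)` only covers the first byte of `src`, while `memdup_user(src, len)` two lines later copies `len` bytes and does its own range check, so the one-byte test adds no protection. The same applies in copy_ucs2_to_user_len further down this file, where `access_ok(dst, 1)` precedes `copy_to_user(dst, src, len)`. Either drop the one-byte checks or add a comment such as `/* early pointer sanity test only; the copy helper validates the full range */`, so nobody mistakes them for the bound on the `len`-byte access.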
@@ -89,7 +89,7 @@ copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src,
 static inline int
 get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len)
 {
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return -EFAULT;
 
        *len = user_ucs2_strsize(src);
@@ -116,7 +116,7 @@ copy_ucs2_from_user(efi_char16_t **dst, efi_char16_t __user *src)
 {
        size_t len;
 
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return -EFAULT;
 
        len = user_ucs2_strsize(src);
@@ -140,7 +140,7 @@ copy_ucs2_to_user_len(efi_char16_t __user *dst, efi_char16_t *src, size_t len)
        if (!src)
                return 0;
 
-       if (!access_ok(VERIFY_WRITE, dst, 1))
+       if (!access_ok(dst, 1))
                return -EFAULT;
 
        return copy_to_user(dst, src, len);
index 025aba3ea76c044591590aab3525f9fdaad85008..e18a786fc94383e2fbd5f6b1c9a4692de6506fa6 100644 (file)
@@ -369,7 +369,7 @@ int afu_dma_map_region(struct dfl_feature_platform_data *pdata,
        if (user_addr + length < user_addr)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, (void __user *)(unsigned long)user_addr,
+       if (!access_ok((void __user *)(unsigned long)user_addr,
                       length))
                return -EINVAL;
 
index fe5a5578fbf7039a24b8b61a43d17d3247da62c8..d9ca9554844abd3386322ba9ce830b2a19017317 100644 (file)
@@ -99,8 +99,7 @@ static int fme_pr(struct platform_device *pdev, unsigned long arg)
                return -EINVAL;
        }
 
-       if (!access_ok(VERIFY_READ,
-                      (void __user *)(unsigned long)port_pr.buffer_address,
+       if (!access_ok((void __user *)(unsigned long)port_pr.buffer_address,
                       port_pr.buffer_size))
                return -EFAULT;
 
index 3623538baf6fc9c20dd79167826ded7d52acbc9e..be68752c3469f32296c0cb369389fb259aa34ff2 100644 (file)
@@ -158,8 +158,7 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
        }
 
        if ((args->ring_base_address) &&
-               (!access_ok(VERIFY_WRITE,
-                       (const void __user *) args->ring_base_address,
+               (!access_ok((const void __user *) args->ring_base_address,
                        sizeof(uint64_t)))) {
                pr_err("Can't access ring base address\n");
                return -EFAULT;
@@ -170,31 +169,27 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
                return -EINVAL;
        }
 
-       if (!access_ok(VERIFY_WRITE,
-                       (const void __user *) args->read_pointer_address,
+       if (!access_ok((const void __user *) args->read_pointer_address,
                        sizeof(uint32_t))) {
                pr_err("Can't access read pointer\n");
                return -EFAULT;
        }
 
-       if (!access_ok(VERIFY_WRITE,
-                       (const void __user *) args->write_pointer_address,
+       if (!access_ok((const void __user *) args->write_pointer_address,
                        sizeof(uint32_t))) {
                pr_err("Can't access write pointer\n");
                return -EFAULT;
        }
 
        if (args->eop_buffer_address &&
-               !access_ok(VERIFY_WRITE,
-                       (const void __user *) args->eop_buffer_address,
+               !access_ok((const void __user *) args->eop_buffer_address,
                        sizeof(uint32_t))) {
                pr_debug("Can't access eop buffer");
                return -EFAULT;
        }
 
        if (args->ctx_save_restore_address &&
-               !access_ok(VERIFY_WRITE,
-                       (const void __user *) args->ctx_save_restore_address,
+               !access_ok((const void __user *) args->ctx_save_restore_address,
                        sizeof(uint32_t))) {
                pr_debug("Can't access ctx save restore buffer");
                return -EFAULT;
@@ -365,8 +360,7 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
        }
 
        if ((args->ring_base_address) &&
-               (!access_ok(VERIFY_WRITE,
-                       (const void __user *) args->ring_base_address,
+               (!access_ok((const void __user *) args->ring_base_address,
                        sizeof(uint64_t)))) {
                pr_err("Can't access ring base address\n");
                return -EFAULT;
index 892c1d9304bb7640d46f192c587958c0946c48b1..642d0e70d0f8ffe4634046b5327039321e08a1a4 100644 (file)
@@ -334,7 +334,7 @@ int armada_gem_pwrite_ioctl(struct drm_device *dev, void *data,
 
        ptr = (char __user *)(uintptr_t)args->ptr;
 
-       if (!access_ok(VERIFY_READ, ptr, args->size))
+       if (!access_ok(ptr, args->size))
                return -EFAULT;
 
        ret = fault_in_pages_readable(ptr, args->size);
index ffa8dc35515ffaddf0f87c56cc2108e0be4151f6..46f48f245eb5a5df0db52e17d188ac01da723510 100644 (file)
@@ -525,7 +525,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer,
        struct drm_device *dev = file_priv->minor->dev;
        ssize_t ret;
 
-       if (!access_ok(VERIFY_WRITE, buffer, count))
+       if (!access_ok(buffer, count))
                return -EFAULT;
 
        ret = mutex_lock_interruptible(&file_priv->event_read_lock);
index 96efc84396bf73e7abe6dfe3cac90384099f9db2..18c27f795cf612c89304cab2e72e94aa46e199b3 100644 (file)
@@ -339,7 +339,6 @@ static int etnaviv_ioctl_gem_userptr(struct drm_device *dev, void *data,
        struct drm_file *file)
 {
        struct drm_etnaviv_gem_userptr *args = data;
-       int access;
 
        if (args->flags & ~(ETNA_USERPTR_READ|ETNA_USERPTR_WRITE) ||
            args->flags == 0)
@@ -351,12 +350,7 @@ static int etnaviv_ioctl_gem_userptr(struct drm_device *dev, void *data,
            args->user_ptr & ~PAGE_MASK)
                return -EINVAL;
 
-       if (args->flags & ETNA_USERPTR_WRITE)
-               access = VERIFY_WRITE;
-       else
-               access = VERIFY_READ;
-
-       if (!access_ok(access, (void __user *)(unsigned long)args->user_ptr,
+       if (!access_ok((void __user *)(unsigned long)args->user_ptr,
                       args->user_size))
                return -EFAULT;
 
index a9de07bb72c896e8f3714799fd3a9264010bb79e..216f52b744a637fca6406fe31a25f5d5befa4c2c 100644 (file)
@@ -1282,8 +1282,7 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
        if (args->size == 0)
                return 0;
 
-       if (!access_ok(VERIFY_WRITE,
-                      u64_to_user_ptr(args->data_ptr),
+       if (!access_ok(u64_to_user_ptr(args->data_ptr),
                       args->size))
                return -EFAULT;
 
@@ -1609,9 +1608,7 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
        if (args->size == 0)
                return 0;
 
-       if (!access_ok(VERIFY_READ,
-                      u64_to_user_ptr(args->data_ptr),
-                      args->size))
+       if (!access_ok(u64_to_user_ptr(args->data_ptr), args->size))
                return -EFAULT;
 
        obj = i915_gem_object_lookup(file, args->handle);
index 8ff6b581cf1c73f318be40bbf1d0718129c765ae..485b259127c36fdb4aeb619559e790f394ff412a 100644 (file)
@@ -1447,7 +1447,7 @@ static int eb_relocate_vma(struct i915_execbuffer *eb, struct i915_vma *vma)
         * to read. However, if the array is not writable the user loses
         * the updated relocation values.
         */
-       if (unlikely(!access_ok(VERIFY_READ, urelocs, remain*sizeof(*urelocs))))
+       if (unlikely(!access_ok(urelocs, remain*sizeof(*urelocs))))
                return -EFAULT;
 
        do {
@@ -1554,7 +1554,7 @@ static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
 
        addr = u64_to_user_ptr(entry->relocs_ptr);
        size *= sizeof(struct drm_i915_gem_relocation_entry);
-       if (!access_ok(VERIFY_READ, addr, size))
+       if (!access_ok(addr, size))
                return -EFAULT;
 
        end = addr + size;
@@ -1605,6 +1605,7 @@ static int eb_copy_relocations(const struct i915_execbuffer *eb)
                                             (char __user *)urelocs + copied,
                                             len)) {
 end_user:
+                               user_access_end();
                                kvfree(relocs);
                                err = -EFAULT;
                                goto err;
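Review bot: The `end_user:` label now runs `user_access_end()`, but two paths reach it without user access ever being opened. One is the failed `__copy_from_user()` whose block contains the label, and the other is `if (!user_access_begin(urelocs, size)) goto end_user;` in the next hunk. Only a fault inside the `unsafe_put_user()` loop (presumably what the label was written for) should close the access window. I would give the free-and-`-EFAULT` path its own label, e.g. `end:`, let `end_user:` call `user_access_end()` and fall into it, and use `goto end;` from the two paths that never opened access. The i915_gem_execbuffer2_ioctl hunk further down sends a failed `user_access_begin()` to an `end_user` label whose body is outside the hunk; check it for the same imbalance.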
@@ -1623,7 +1624,9 @@ end_user:
                 * happened we would make the mistake of assuming that the
                 * relocations were valid.
                 */
-               user_access_begin();
+               if (!user_access_begin(urelocs, size))
+                       goto end_user;
+
                for (copied = 0; copied < nreloc; copied++)
                        unsafe_put_user(-1,
                                        &urelocs[copied].presumed_offset,
@@ -2090,7 +2093,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
                return ERR_PTR(-EINVAL);
 
        user = u64_to_user_ptr(args->cliprects_ptr);
-       if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user)))
+       if (!access_ok(user, nfences * sizeof(*user)))
                return ERR_PTR(-EFAULT);
 
        fences = kvmalloc_array(nfences, sizeof(*fences),
@@ -2605,7 +2608,16 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
                unsigned int i;
 
                /* Copy the new buffer offsets back to the user's exec list. */
-               user_access_begin();
+               /*
+                * Note: count * sizeof(*user_exec_list) does not overflow,
+                * because we checked 'count' in check_buffer_count().
+                *
+                * And this range already got effectively checked earlier
+                * when we did the "copy_from_user()" above.
+                */
+               if (!user_access_begin(user_exec_list, count * sizeof(*user_exec_list)))
+                       goto end_user;
+
                for (i = 0; i < args->buffer_count; i++) {
                        if (!(exec2_list[i].offset & UPDATE))
                                continue;
index 3df77020aada8539330a8d3b86f1f23fbadd20f9..9558582c105ec4953ba0616b23966000a095cfab 100644 (file)
@@ -789,8 +789,7 @@ i915_gem_userptr_ioctl(struct drm_device *dev,
        if (offset_in_page(args->user_ptr | args->user_size))
                return -EINVAL;
 
-       if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE,
-                      (char __user *)(unsigned long)args->user_ptr, args->user_size))
+       if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
                return -EFAULT;
 
        if (args->flags & I915_USERPTR_READ_ONLY) {
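Review bot: The `access_ok()` call no longer varies with `I915_USERPTR_READ_ONLY`, so it is purely an address-range test and says nothing about whether the range is writable. A reader used to the old `VERIFY_WRITE` form may assume otherwise. I would add `/* range check only; page permissions are enforced when the pages are pinned */` above it, after confirming that the pinning path (outside this hunk) does request write access for objects that are not read-only. The etnaviv userptr ioctl earlier in this diff drops its `access` variable for the same reason and would benefit from the same comment.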
index 0e5c580d117cfcced6254ddab4dfcec04611bea9..e869daf9c8a9e0c21f409506ab60240f76bd95c7 100644 (file)
@@ -52,7 +52,7 @@ static int compat_i915_getparam(struct file *file, unsigned int cmd,
                return -EFAULT;
 
        request = compat_alloc_user_space(sizeof(*request));
-       if (!access_ok(VERIFY_WRITE, request, sizeof(*request)) ||
+       if (!access_ok(request, sizeof(*request)) ||
            __put_user(req32.param, &request->param) ||
            __put_user((void __user *)(unsigned long)req32.value,
                       &request->value))
index 4529edfdcfc80580ea66b306713a42250e1f2626..2b2eb57ca71f2905020aed9f7797684f69c148e7 100644 (file)
@@ -3052,7 +3052,7 @@ static struct i915_oa_reg *alloc_oa_regs(struct drm_i915_private *dev_priv,
        if (!n_regs)
                return NULL;
 
-       if (!access_ok(VERIFY_READ, regs, n_regs * sizeof(u32) * 2))
+       if (!access_ok(regs, n_regs * sizeof(u32) * 2))
                return ERR_PTR(-EFAULT);
 
        /* No is_valid function means we're not allowing any register to be programmed. */
index 6fc4b8eeab428f7b10bf56ba5c07eba5789b59a7..fe56465cdfd67512aca73d3cdf0bc3b7e7f6bf2f 100644 (file)
@@ -46,7 +46,7 @@ static int query_topology_info(struct drm_i915_private *dev_priv,
        if (topo.flags != 0)
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, u64_to_user_ptr(query_item->data_ptr),
+       if (!access_ok(u64_to_user_ptr(query_item->data_ptr),
                       total_length))
                return -EFAULT;
 
index a28465d9052908787d569a970f431ac564ba2f22..12b983fc0b567601fa796840b65f7135209b933b 100644 (file)
@@ -77,7 +77,7 @@ void msm_gem_submit_free(struct msm_gem_submit *submit)
 static inline unsigned long __must_check
 copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
 {
-       if (access_ok(VERIFY_READ, from, n))
+       if (access_ok(from, n))
                return __copy_from_user_inatomic(to, from, n);
        return -EFAULT;
 }
index 6e828158bcb02d3e5dbc09225c7c353ea3766eb2..d410e29251629d494efe0e14a525be6e26573da6 100644 (file)
@@ -163,8 +163,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
        if (cmd->command_size > PAGE_SIZE - sizeof(union qxl_release_info))
                return -EINVAL;
 
-       if (!access_ok(VERIFY_READ,
-                      u64_to_user_ptr(cmd->command),
+       if (!access_ok(u64_to_user_ptr(cmd->command),
                       cmd->command_size))
                return -EFAULT;
 
index 9f9172eb15123a8fd5078b56db5700e7aeb8a93a..fb0007aa0c27eb8dd279b58dfb4a40c5d51950d2 100644 (file)
@@ -611,8 +611,7 @@ static ssize_t verify_hdr(struct ib_uverbs_cmd_hdr *hdr,
                        if (hdr->out_words * 8 < method_elm->resp_size)
                                return -ENOSPC;
 
-                       if (!access_ok(VERIFY_WRITE,
-                                      u64_to_user_ptr(ex_hdr->response),
+                       if (!access_ok(u64_to_user_ptr(ex_hdr->response),
                                       (hdr->out_words + ex_hdr->provider_out_words) * 8))
                                return -EFAULT;
                } else {
index dbe7d14a5c76d18f23ddf13e264f97c56d086d86..0cd71ce7cc71f767fef7865049bdd09cb5cc0e0f 100644 (file)
@@ -232,7 +232,7 @@ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
        }
 
        /* Verify that access is OK for the user buffer */
-       if (!access_ok(VERIFY_WRITE, (void __user *)vaddr,
+       if (!access_ok((void __user *)vaddr,
                       npages * PAGE_SIZE)) {
                dd_dev_err(dd, "Fail vaddr %p, %u pages, !access_ok\n",
                           (void *)vaddr, npages);
index 98e1ce14fa2ab901a4d8fe53f50e3cde5bc2daf5..78fa634de98a3db4a16e345007ee28bee0cf9c42 100644 (file)
@@ -343,7 +343,7 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
 
        /* virtual address of first page in transfer */
        vaddr = ti->tidvaddr;
-       if (!access_ok(VERIFY_WRITE, (void __user *) vaddr,
+       if (!access_ok((void __user *) vaddr,
                       cnt * PAGE_SIZE)) {
                ret = -EFAULT;
                goto done;
index 0ff517d3c98f98e91aaabafc8051440a0486ce74..a4ceb61c5b6035fef835759d0761c733dea3fde8 100644 (file)
@@ -852,7 +852,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
        u16 ret;
 
        if (contr == 0) {
-               strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+               strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
                return CAPI_NOERROR;
        }
 
@@ -860,7 +860,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
 
        ctr = get_capi_ctr_by_nr(contr);
        if (ctr && ctr->state == CAPI_CTR_RUNNING) {
-               strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+               strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
                ret = CAPI_NOERROR;
        } else
                ret = CAPI_REGNOTINSTALLED;
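Review bot: `strncpy()` does not NUL-terminate `buf` when the source is `CAPI_MANUFACTURER_LEN` bytes or longer. Both `strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN)` here and the `contr == 0` copy in the previous hunk can therefore return an unterminated field, which `strlcpy()` never did. The switch is presumably for `strncpy()`'s zero-padding, which keeps stale bytes out of a fixed-size buffer that may later be copied out whole, but nothing in the hunk says so. I would add a comment on both calls, e.g. `/* strncpy on purpose: zero-pads buf; result may be unterminated */`, and confirm that callers treat `buf` as a fixed-length field rather than a C string.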
index 5b719b561860c630508e337b9be367a5aa7e3547..81dd465afcf411d1bea0422f27daed2b1c2c5594 100644 (file)
@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg)
                if (cs->debug & L1_DEB_LAPD)
                        debugl1(cs, "-> PH_REQUEST_PULL");
 #endif
+               spin_lock_irqsave(&cs->lock, flags);
                if (!cs->tx_skb) {
                        test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
                        st->l1.l1l2(st, PH_PULL | CONFIRM, NULL);
                } else
                        test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
+               spin_unlock_irqrestore(&cs->lock, flags);
                break;
        case (HW_RESET | REQUEST):
                spin_lock_irqsave(&cs->lock, flags);
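Review bot: The `st->l1.l1l2(st, PH_PULL | CONFIRM, NULL)` upcall now runs with `cs->lock` held and interrupts disabled. If the upper-layer handler can re-enter this function through a case that takes the lock itself (such as `HW_RESET | REQUEST` just below), the CPU would spin on `cs->lock` forever. The hunk does not show what `l1l2` points at, so this needs confirming against the callers. A comment above the added `spin_lock_irqsave()` would record the constraint: `/* cs->lock covers the cs->tx_skb test; l1l2 must not take cs->lock */`. HFCPCI_l1hw starts and ends outside the hunk.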
index ef0c2366cf5902e4102e8d7184bc2c4ed6988577..400960cf04d53da854b83eb56a572aed41143aef 100644 (file)
@@ -64,7 +64,7 @@ anslcd_write( struct file * file, const char __user * buf,
        printk(KERN_DEBUG "LCD: write\n");
 #endif
 
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        mutex_lock(&anslcd_mutex);
index ac0cf37d62397664b6063d42f17d6c77bcc1aa1b..21d532a78fa4759fb1237b19ef164d898101d989 100644 (file)
@@ -2188,7 +2188,7 @@ pmu_read(struct file *file, char __user *buf,
 
        if (count < 1 || !pp)
                return -EINVAL;
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        spin_lock_irqsave(&pp->lock, flags);
index 3e02de02ffdd624683da0f74353f7ee28927ccd8..8ec2525d8ef5c518c01d385efc24777769c773e0 100644 (file)
@@ -356,7 +356,7 @@ static int ivtvfb_prep_frame(struct ivtv *itv, int cmd, void __user *source,
                IVTVFB_WARN("ivtvfb_prep_frame: Count not a multiple of 4 (%d)\n", count);
 
        /* Check Source */
-       if (!access_ok(VERIFY_READ, source + dest_offset, count)) {
+       if (!access_ok(source + dest_offset, count)) {
                IVTVFB_WARN("Invalid userspace pointer %p\n", source);
 
                IVTVFB_DEBUG_WARN("access_ok() failed for offset 0x%08lx source %p count %d\n",
index fe4577a46869d2070eb3813c9f24d2f14ef554bc..73dac1d8d4f648a9c5e27320dc67abe85245c96c 100644 (file)
@@ -158,7 +158,7 @@ static int get_v4l2_window32(struct v4l2_window __user *p64,
        compat_caddr_t p;
        u32 clipcount;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            copy_in_user(&p64->w, &p32->w, sizeof(p32->w)) ||
            assign_in_user(&p64->field, &p32->field) ||
            assign_in_user(&p64->chromakey, &p32->chromakey) ||
@@ -283,7 +283,7 @@ static int __bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
 
 static int bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
 {
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+       if (!access_ok(p32, sizeof(*p32)))
                return -EFAULT;
        return __bufsize_v4l2_format(p32, size);
 }
@@ -335,7 +335,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
                             struct v4l2_format32 __user *p32,
                             void __user *aux_buf, u32 aux_space)
 {
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+       if (!access_ok(p32, sizeof(*p32)))
                return -EFAULT;
        return __get_v4l2_format32(p64, p32, aux_buf, aux_space);
 }
@@ -343,7 +343,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
 static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *p32,
                               u32 *size)
 {
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+       if (!access_ok(p32, sizeof(*p32)))
                return -EFAULT;
        return __bufsize_v4l2_format(&p32->format, size);
 }
@@ -352,7 +352,7 @@ static int get_v4l2_create32(struct v4l2_create_buffers __user *p64,
                             struct v4l2_create_buffers32 __user *p32,
                             void __user *aux_buf, u32 aux_space)
 {
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            copy_in_user(p64, p32,
                         offsetof(struct v4l2_create_buffers32, format)))
                return -EFAULT;
@@ -404,7 +404,7 @@ static int __put_v4l2_format32(struct v4l2_format __user *p64,
 static int put_v4l2_format32(struct v4l2_format __user *p64,
                             struct v4l2_format32 __user *p32)
 {
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)))
+       if (!access_ok(p32, sizeof(*p32)))
                return -EFAULT;
        return __put_v4l2_format32(p64, p32);
 }
@@ -412,7 +412,7 @@ static int put_v4l2_format32(struct v4l2_format __user *p64,
 static int put_v4l2_create32(struct v4l2_create_buffers __user *p64,
                             struct v4l2_create_buffers32 __user *p32)
 {
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            copy_in_user(p32, p64,
                         offsetof(struct v4l2_create_buffers32, format)) ||
            assign_in_user(&p32->capabilities, &p64->capabilities) ||
@@ -434,7 +434,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
                               struct v4l2_standard32 __user *p32)
 {
        /* other fields are not set by the user, nor used by the driver */
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p64->index, &p32->index))
                return -EFAULT;
        return 0;
@@ -443,7 +443,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
 static int put_v4l2_standard32(struct v4l2_standard __user *p64,
                               struct v4l2_standard32 __user *p32)
 {
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p32->index, &p64->index) ||
            assign_in_user(&p32->id, &p64->id) ||
            copy_in_user(p32->name, p64->name, sizeof(p32->name)) ||
@@ -560,7 +560,7 @@ static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *p32, u32 *size)
        u32 type;
        u32 length;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            get_user(type, &p32->type) ||
            get_user(length, &p32->length))
                return -EFAULT;
@@ -593,7 +593,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
        compat_caddr_t p;
        int ret;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p64->index, &p32->index) ||
            get_user(type, &p32->type) ||
            put_user(type, &p64->type) ||
@@ -632,7 +632,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
                        return -EFAULT;
 
                uplane32 = compat_ptr(p);
-               if (!access_ok(VERIFY_READ, uplane32,
+               if (!access_ok(uplane32,
                               num_planes * sizeof(*uplane32)))
                        return -EFAULT;
 
@@ -691,7 +691,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user *p64,
        compat_caddr_t p;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p32->index, &p64->index) ||
            get_user(type, &p64->type) ||
            put_user(type, &p32->type) ||
@@ -781,7 +781,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
 {
        compat_caddr_t tmp;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            get_user(tmp, &p32->base) ||
            put_user_force(compat_ptr(tmp), &p64->base) ||
            assign_in_user(&p64->capability, &p32->capability) ||
@@ -796,7 +796,7 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
 {
        void *base;
 
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            get_user(base, &p64->base) ||
            put_user(ptr_to_compat((void __user *)base), &p32->base) ||
            assign_in_user(&p32->capability, &p64->capability) ||
@@ -893,7 +893,7 @@ static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *p32,
 {
        u32 count;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            get_user(count, &p32->count))
                return -EFAULT;
        if (count > V4L2_CID_MAX_CTRLS)
@@ -913,7 +913,7 @@ static int get_v4l2_ext_controls32(struct file *file,
        u32 n;
        compat_caddr_t p;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p64->which, &p32->which) ||
            get_user(count, &p32->count) ||
            put_user(count, &p64->count) ||
@@ -929,7 +929,7 @@ static int get_v4l2_ext_controls32(struct file *file,
        if (get_user(p, &p32->controls))
                return -EFAULT;
        ucontrols = compat_ptr(p);
-       if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
+       if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
                return -EFAULT;
        if (aux_space < count * sizeof(*kcontrols))
                return -EFAULT;
@@ -979,7 +979,7 @@ static int put_v4l2_ext_controls32(struct file *file,
         * with __user causes smatch warnings, so instead declare it
         * without __user and cast it as a userspace pointer where needed.
         */
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p32->which, &p64->which) ||
            get_user(count, &p64->count) ||
            put_user(count, &p32->count) ||
@@ -994,7 +994,7 @@ static int put_v4l2_ext_controls32(struct file *file,
        if (get_user(p, &p32->controls))
                return -EFAULT;
        ucontrols = compat_ptr(p);
-       if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
+       if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
                return -EFAULT;
 
        for (n = 0; n < count; n++) {
@@ -1043,7 +1043,7 @@ struct v4l2_event32 {
 static int put_v4l2_event32(struct v4l2_event __user *p64,
                            struct v4l2_event32 __user *p32)
 {
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p32->type, &p64->type) ||
            copy_in_user(&p32->u, &p64->u, sizeof(p64->u)) ||
            assign_in_user(&p32->pending, &p64->pending) ||
@@ -1069,7 +1069,7 @@ static int get_v4l2_edid32(struct v4l2_edid __user *p64,
 {
        compat_uptr_t tmp;
 
-       if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p64->pad, &p32->pad) ||
            assign_in_user(&p64->start_block, &p32->start_block) ||
            assign_in_user_cast(&p64->blocks, &p32->blocks) ||
@@ -1085,7 +1085,7 @@ static int put_v4l2_edid32(struct v4l2_edid __user *p64,
 {
        void *edid;
 
-       if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+       if (!access_ok(p32, sizeof(*p32)) ||
            assign_in_user(&p32->pad, &p64->pad) ||
            assign_in_user(&p32->start_block, &p64->start_block) ||
            assign_in_user(&p32->blocks, &p64->blocks) ||
index 5da1f3e3f9978f5ca78f4f9a3784efb2f5f1c94a..997f92543dd442b4c4ae3d9944b0b05c4ff2c4c0 100644 (file)
@@ -236,7 +236,7 @@ static int vmci_host_setup_notify(struct vmci_ctx *context,
         * about the size.
         */
        BUILD_BUG_ON(sizeof(bool) != sizeof(u8));
-       if (!access_ok(VERIFY_WRITE, (void __user *)uva, sizeof(u8)))
+       if (!access_ok((void __user *)uva, sizeof(u8)))
                return VMCI_ERROR_GENERIC;
 
        /*
index aa4a1f5206f1fc48a44a51f8bef61f58492569a5..361fbde766540230348367b3766a829bdcd3dd12 100644 (file)
@@ -303,11 +303,10 @@ static int bcm_sf2_sw_mdio_write(struct mii_bus *bus, int addr, int regnum,
         * send them to our master MDIO bus controller
         */
        if (addr == BRCM_PSEUDO_PHY_ADDR && priv->indir_phy_mask & BIT(addr))
-               bcm_sf2_sw_indir_rw(priv, 0, addr, regnum, val);
+               return bcm_sf2_sw_indir_rw(priv, 0, addr, regnum, val);
        else
-               mdiobus_write_nested(priv->master_mii_bus, addr, regnum, val);
-
-       return 0;
+               return mdiobus_write_nested(priv->master_mii_bus, addr,
+                               regnum, val);
 }
 
 static irqreturn_t bcm_sf2_switch_0_isr(int irq, void *dev_id)
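Review bot: With both branches of bcm_sf2_sw_mdio_write now returning, the `else` after the first `return` is redundant, and kernel style generally drops it. The tail can be a plain `return mdiobus_write_nested(priv->master_mii_bus, addr, regnum, val);` at function indentation, directly after the `if` body. The start of the function is outside the hunk.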
index 9dc6da039a6d90ac4137a70e94b2c3213c2a4741..3164aad29bcf879aa0841a912d6bbeaa757caad6 100644 (file)
@@ -473,7 +473,9 @@ static void atl1e_mdio_write(struct net_device *netdev, int phy_id,
 {
        struct atl1e_adapter *adapter = netdev_priv(netdev);
 
-       atl1e_write_phy_reg(&adapter->hw, reg_num & MDIO_REG_ADDR_MASK, val);
+       if (atl1e_write_phy_reg(&adapter->hw,
+                               reg_num & MDIO_REG_ADDR_MASK, val))
+               netdev_err(netdev, "write phy register failed\n");
 }
 
 static int atl1e_mii_ioctl(struct net_device *netdev,
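Review bot: The new error message in atl1e_mdio_write does not say which register failed, so a log line cannot be tied to a specific PHY access. Including the register, e.g. `netdev_err(netdev, "write phy register %d failed\n", reg_num);`, would make it actionable.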
index 7c49681407ad5a3c4696ae27f3847eccad988ad7..127b1f6244132c12b04685e38f7fa2030965fce2 100644 (file)
@@ -1229,6 +1229,10 @@ int cudbg_collect_hw_sched(struct cudbg_init *pdbg_init,
 
        rc = cudbg_get_buff(pdbg_init, dbg_buff, sizeof(struct cudbg_hw_sched),
                            &temp_buff);
+
+       if (rc)
+               return rc;
+
        hw_sched_buff = (struct cudbg_hw_sched *)temp_buff.data;
        hw_sched_buff->map = t4_read_reg(padap, TP_TX_MOD_QUEUE_REQ_MAP_A);
        hw_sched_buff->mode = TIMERMODE_G(t4_read_reg(padap, TP_MOD_CONFIG_A));
index bc6eb30aa20f1736cc49a78531a945740a76a62f..41c6fa200e7467af31a05ef4c365705fe89f2329 100644 (file)
@@ -928,7 +928,7 @@ int memac_add_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr)
        hash = get_mac_addr_hash_code(addr) & HASH_CTRL_ADDR_MASK;
 
        /* Create element to be added to the driver hash table */
-       hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
+       hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
        if (!hash_entry)
                return -ENOMEM;
        hash_entry->addr = addr;
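Review bot: The switch to `GFP_ATOMIC` in memac_add_hash_mac_address is not explained at the call site, and the same applies to the identical change in tgec_add_hash_mac_address in the next file. Presumably both run with a lock held or from a path that must not sleep, which neither hunk shows. A comment such as `/* called in atomic context, must not sleep */` above each kmalloc would stop a later cleanup from reverting the flag. Both functions start and end outside their hunks.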
index 40705938eeccfb4e532d9d2732774934172bac6c..f75b9c11b2d293783cab997be83404b735b62ebe 100644 (file)
@@ -553,7 +553,7 @@ int tgec_add_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr)
        hash = (crc >> TGEC_HASH_MCAST_SHIFT) & TGEC_HASH_ADR_MSK;
 
        /* Create element to be added to the driver hash table */
-       hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
+       hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
        if (!hash_entry)
                return -ENOMEM;
        hash_entry->addr = addr;
index d3b9aaf96c1c3046edd30d57600a440b6e67a9c2..07cd58798083cfce90afbaf8f545cef1c760d763 100644 (file)
@@ -3995,17 +3995,18 @@ static int hns3_reset_notify_up_enet(struct hnae3_handle *handle)
        struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev);
        int ret = 0;
 
+       clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
+
        if (netif_running(kinfo->netdev)) {
-               ret = hns3_nic_net_up(kinfo->netdev);
+               ret = hns3_nic_net_open(kinfo->netdev);
                if (ret) {
+                       set_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
                        netdev_err(kinfo->netdev,
                                   "hns net up fail, ret=%d!\n", ret);
                        return ret;
                }
        }
 
-       clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
-
        return ret;
 }
 
index 6d48dc62a44b5d1d560a2eeab0173bf2bd7f5543..da323b9e1f62fbd4b677deed68320f7879fd58aa 100644 (file)
@@ -1106,6 +1106,11 @@ static void hinic_remove(struct pci_dev *pdev)
        dev_info(&pdev->dev, "HiNIC driver - removed\n");
 }
 
+static void hinic_shutdown(struct pci_dev *pdev)
+{
+       pci_disable_device(pdev);
+}
+
 static const struct pci_device_id hinic_pci_table[] = {
        { PCI_VDEVICE(HUAWEI, HINIC_DEV_ID_QUAD_PORT_25GE), 0},
        { PCI_VDEVICE(HUAWEI, HINIC_DEV_ID_DUAL_PORT_25GE), 0},
@@ -1119,6 +1124,7 @@ static struct pci_driver hinic_driver = {
        .id_table       = hinic_pci_table,
        .probe          = hinic_probe,
        .remove         = hinic_remove,
+       .shutdown       = hinic_shutdown,
 };
 
 module_pci_driver(hinic_driver);
index a4681780a55d2e415e755b271585a9983c6ac5dc..098d8764c0ea96ed2c270e287672cccb7b720c45 100644 (file)
@@ -1171,11 +1171,15 @@ out:
 
 map_failed_frags:
        last = i+1;
-       for (i = 0; i < last; i++)
+       for (i = 1; i < last; i++)
                dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
                               descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
                               DMA_TO_DEVICE);
 
+       dma_unmap_single(&adapter->vdev->dev,
+                        descs[0].fields.address,
+                        descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
+                        DMA_TO_DEVICE);
 map_failed:
        if (!firmware_has_feature(FW_FEATURE_CMO))
                netdev_err(netdev, "tx: unable to map xmit buffer\n");
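Review bot: Nothing at the map_failed_frags label says why descs[0] is unmapped with a different call than the other descriptors, so the loop now starting at 1 reads like an off-by-one. A comment above the loop such as `/* descs[0] is the linear part (dma_map_single); page frags start at descs[1] */` would record the pairing. The mapping calls are outside the hunk, so this is inferred from the unmap side only.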
index 6a059d6ee03f3e001cc3f16f020ef082ced5bed0..e0875476a7802758f4622e1a22595159e627b9dd 100644 (file)
@@ -5240,6 +5240,8 @@ static int mvpp2_probe(struct platform_device *pdev)
        if (has_acpi_companion(&pdev->dev)) {
                acpi_id = acpi_match_device(pdev->dev.driver->acpi_match_table,
                                            &pdev->dev);
+               if (!acpi_id)
+                       return -EINVAL;
                priv->hw_version = (unsigned long)acpi_id->driver_data;
        } else {
                priv->hw_version =
index 99bc3de906e2df662d4024f47adac55844d1295f..298930d39b7945aa216aa17418d032473b8b4e0e 100644 (file)
@@ -1477,6 +1477,8 @@ static void __rtl8169_set_wol(struct rtl8169_private *tp, u32 wolopts)
        }
 
        RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+
+       device_set_wakeup_enable(tp_to_dev(tp), wolopts);
 }
 
 static int rtl8169_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
@@ -1498,8 +1500,6 @@ static int rtl8169_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
 
        rtl_unlock_work(tp);
 
-       device_set_wakeup_enable(d, tp->saved_wolopts);
-
        pm_runtime_put_noidle(d);
 
        return 0;
index d07520fb969e687aa6ee5c384c7e23ecf3a8e38a..62ccbd47c1db2b60319051718a51fe159d2e7a54 100644 (file)
@@ -59,7 +59,9 @@ static int sun7i_gmac_init(struct platform_device *pdev, void *priv)
                gmac->clk_enabled = 1;
        } else {
                clk_set_rate(gmac->tx_clk, SUN7I_GMAC_MII_RATE);
-               clk_prepare(gmac->tx_clk);
+               ret = clk_prepare(gmac->tx_clk);
+               if (ret)
+                       return ret;
        }
 
        return 0;
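Review bot: `clk_set_rate(gmac->tx_clk, SUN7I_GMAC_MII_RATE)` on the line just above the new check still has its return value ignored, so a failed rate change goes on to prepare the clock at whatever rate it had. For consistency with the added `clk_prepare` handling it could be `ret = clk_set_rate(gmac->tx_clk, SUN7I_GMAC_MII_RATE);` followed by `if (ret) return ret;`. The start of sun7i_gmac_init is outside the hunk, so whether earlier steps need unwinding on this path is not visible.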
index 9319d84bf49f07e9a9cf8514783dacb32b78fee7..d84501441eddeb812156ae206e92c869aa41f426 100644 (file)
@@ -8100,6 +8100,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
                start += 3;
 
                prop_len = niu_pci_eeprom_read(np, start + 4);
+               if (prop_len < 0)
+                       return prop_len;
                err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64);
                if (err < 0)
                        return err;
@@ -8144,8 +8146,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
                        netif_printk(np, probe, KERN_DEBUG, np->dev,
                                     "VPD_SCAN: Reading in property [%s] len[%d]\n",
                                     namebuf, prop_len);
-                       for (i = 0; i < prop_len; i++)
-                               *prop_buf++ = niu_pci_eeprom_read(np, off + i);
+                       for (i = 0; i < prop_len; i++) {
+                               err = niu_pci_eeprom_read(np, off + i);
+                               if (err >= 0)
+                                       *prop_buf = err;
+                               ++prop_buf;
+                       }
                }
 
                start += len;
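Review bot: In the rewritten copy loop a failed `niu_pci_eeprom_read()` is skipped silently. `prop_buf` still advances, so that byte of the property keeps whatever the destination held before, and the VPD data is then used as if the read had succeeded. The earlier hunk in this function returns on a negative `prop_len`; doing the same here, `if (err < 0) return err;` followed by `*prop_buf++ = err;`, would keep a partially read property from being consumed. The function begins and ends outside the hunk.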
index 054f78295d1d4834a7cff29e2469c2072c4f2f51..2a9ba4acd7fabc06fbc001d7b40e02f4d5963caa 100644 (file)
@@ -590,7 +590,9 @@ struct cpts *cpts_create(struct device *dev, void __iomem *regs,
                return ERR_CAST(cpts->refclk);
        }
 
-       clk_prepare(cpts->refclk);
+       ret = clk_prepare(cpts->refclk);
+       if (ret)
+               return ERR_PTR(ret);
 
        cpts->cc.read = cpts_systim_read;
        cpts->cc.mask = CLOCKSOURCE_MASK(32);
index 28c74998035946d42c5d3a9113df212be3316114..a19868cba48cb06388e9b56dd18800228ba07540 100644 (file)
@@ -523,10 +523,7 @@ static void resync_tnc(struct timer_list *t)
 
 
        /* Start resync timer again -- the TNC might be still absent */
-
-       del_timer(&sp->resync_t);
-       sp->resync_t.expires    = jiffies + SIXP_RESYNC_TIMEOUT;
-       add_timer(&sp->resync_t);
+       mod_timer(&sp->resync_t, jiffies + SIXP_RESYNC_TIMEOUT);
 }
 
 static inline int tnc_init(struct sixpack *sp)
@@ -537,9 +534,7 @@ static inline int tnc_init(struct sixpack *sp)
 
        sp->tty->ops->write(sp->tty, &inbyte, 1);
 
-       del_timer(&sp->resync_t);
-       sp->resync_t.expires = jiffies + SIXP_RESYNC_TIMEOUT;
-       add_timer(&sp->resync_t);
+       mod_timer(&sp->resync_t, jiffies + SIXP_RESYNC_TIMEOUT);
 
        return 0;
 }
@@ -897,11 +892,8 @@ static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
         /* if the state byte has been received, the TNC is present,
            so the resync timer can be reset. */
 
-       if (sp->tnc_state == TNC_IN_SYNC) {
-               del_timer(&sp->resync_t);
-               sp->resync_t.expires    = jiffies + SIXP_INIT_RESYNC_TIMEOUT;
-               add_timer(&sp->resync_t);
-       }
+       if (sp->tnc_state == TNC_IN_SYNC)
+               mod_timer(&sp->resync_t, jiffies + SIXP_INIT_RESYNC_TIMEOUT);
 
        sp->status1 = cmd & SIXP_PRIO_DATA_MASK;
 }
index 443b2694130cda32682436931b67e3de73ee7645..c0b52e48f0e63c94f2d829dd20dcf3aac811333d 100644 (file)
@@ -1177,8 +1177,6 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
                        goto err_kfree;
        }
 
-       skb_probe_transport_header(skb, ETH_HLEN);
-
        /* Move network header to the right position for VLAN tagged packets */
        if ((skb->protocol == htons(ETH_P_8021Q) ||
             skb->protocol == htons(ETH_P_8021AD)) &&
@@ -1189,6 +1187,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
        tap = rcu_dereference(q->tap);
        if (tap) {
                skb->dev = tap->dev;
+               skb_probe_transport_header(skb, ETH_HLEN);
                dev_queue_xmit(skb);
        } else {
                kfree_skb(skb);
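Review bot: Moving `skb_probe_transport_header()` below `skb->dev = tap->dev` creates an ordering requirement that the code does not state. Presumably the header probe needs `skb->dev` to be set, which is not visible in this hunk. A one-line comment such as `/* needs skb->dev, keep after the assignment */` would keep the two lines from being reordered again. tap_get_user_xdp starts and ends outside the hunk.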
index 7a42336c8af8e35f464dd3ada81914d3d9872541..839fa7715709bfdd51236b017ec85a507ffd50a0 100644 (file)
@@ -1180,7 +1180,6 @@ static int ucc_hdlc_probe(struct platform_device *pdev)
        if (register_hdlc_device(dev)) {
                ret = -ENOBUFS;
                pr_err("ucc_hdlc: unable to register hdlc device\n");
-               free_netdev(dev);
                goto free_dev;
        }
 
index 1098263ab862ee83003493a839d03aea477d59ea..46c3d983b7b75069e35cd909306879561aa08cf2 100644 (file)
@@ -485,8 +485,10 @@ static int x25_asy_open(struct net_device *dev)
 
        /* Cleanup */
        kfree(sl->xbuff);
+       sl->xbuff = NULL;
 noxbuff:
        kfree(sl->rbuff);
+       sl->rbuff = NULL;
 norbuff:
        return -ENOMEM;
 }
index 7ac035af39f0458ac26431a0629e3d0a144939d7..6fa1627ce08d35360bca82b8059ad968423574a1 100644 (file)
@@ -52,7 +52,7 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
                nbytes = size - pos;
        cnt = nbytes;
 
-       if (!access_ok(VERIFY_WRITE, buf, cnt))
+       if (!access_ok(buf, cnt))
                return -EINVAL;
 
        pci_config_pm_runtime_get(dev);
@@ -125,7 +125,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
                nbytes = size - pos;
        cnt = nbytes;
 
-       if (!access_ok(VERIFY_READ, buf, cnt))
+       if (!access_ok(buf, cnt))
                return -EINVAL;
 
        pci_config_pm_runtime_get(dev);
index 7c639006252ec912058b8f7c1933b2c2db5dc454..321bc673c4173d2d3613619cf05bc9275b650285 100644 (file)
@@ -416,8 +416,7 @@ static ssize_t goldfish_pipe_read_write(struct file *filp,
        if (unlikely(bufflen == 0))
                return 0;
        /* Check the buffer range for access */
-       if (unlikely(!access_ok(is_write ? VERIFY_WRITE : VERIFY_READ,
-                               buffer, bufflen)))
+       if (unlikely(!access_ok(buffer, bufflen)))
                return -EFAULT;
 
        address = (unsigned long)buffer;
index 262285e48a09481807940bea4aa4e53e45f9bb3d..0516131408121aa43d7a7284340cb15423015409 100644 (file)
@@ -47,7 +47,7 @@ static ssize_t isapnp_proc_bus_read(struct file *file, char __user * buf,
                nbytes = size - pos;
        cnt = nbytes;
 
-       if (!access_ok(VERIFY_WRITE, buf, cnt))
+       if (!access_ok(buf, cnt))
                return -EINVAL;
 
        isapnp_cfg_begin(dev->card->number, dev->number);
index 7c4673308f5ba8ccae3e28d642d1c1b30e4aa848..e338d7a4f57153facf21a65b3dd8ef0c6ba0da80 100644 (file)
@@ -3600,7 +3600,7 @@ static long pmcraid_ioctl_passthrough(
        u32 ioasc;
        int request_size;
        int buffer_size;
-       u8 access, direction;
+       u8 direction;
        int rc = 0;
 
        /* If IOA reset is in progress, wait 10 secs for reset to complete */
@@ -3649,10 +3649,8 @@ static long pmcraid_ioctl_passthrough(
        request_size = le32_to_cpu(buffer->ioarcb.data_transfer_length);
 
        if (buffer->ioarcb.request_flags0 & TRANSFER_DIR_WRITE) {
-               access = VERIFY_READ;
                direction = DMA_TO_DEVICE;
        } else {
-               access = VERIFY_WRITE;
                direction = DMA_FROM_DEVICE;
        }
 
index cc30fccc1a2ec6a49cdcd9942e6eb15d6d7cf132..840d96fe81bc15fb67efd9bc90335b6e16aa524c 100644 (file)
@@ -221,7 +221,7 @@ int scsi_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
 
        switch (cmd) {
        case SCSI_IOCTL_GET_IDLUN:
-               if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun)))
+               if (!access_ok(arg, sizeof(struct scsi_idlun)))
                        return -EFAULT;
 
                __put_user((sdev->id & 0xff)
index 4e27460ec92676433d00669ce8e18f137cc30e12..d3f15319b9b3c05ddd4801b54537b981c067a0d6 100644 (file)
@@ -434,7 +434,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
        SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
                                      "sg_read: count=%d\n", (int) count));
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
        if (sfp->force_packid && (count >= SZ_SG_HEADER)) {
                old_hdr = kmalloc(SZ_SG_HEADER, GFP_KERNEL);
@@ -632,7 +632,7 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
              scsi_block_when_processing_errors(sdp->device)))
                return -ENXIO;
 
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT; /* protects following copy_from_user()s + get_user()s */
        if (count < SZ_SG_HEADER)
                return -EIO;
@@ -729,7 +729,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
 
        if (count < SZ_SG_IO_HDR)
                return -EINVAL;
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT; /* protects following copy_from_user()s + get_user()s */
 
        sfp->cmd_q = 1; /* when sg_io_hdr seen, set command queuing on */
@@ -768,7 +768,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
                sg_remove_request(sfp, srp);
                return -EMSGSIZE;
        }
-       if (!access_ok(VERIFY_READ, hp->cmdp, hp->cmd_len)) {
+       if (!access_ok(hp->cmdp, hp->cmd_len)) {
                sg_remove_request(sfp, srp);
                return -EFAULT; /* protects following copy_from_user()s + get_user()s */
        }
@@ -922,7 +922,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                        return -ENODEV;
                if (!scsi_block_when_processing_errors(sdp->device))
                        return -ENXIO;
-               if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
+               if (!access_ok(p, SZ_SG_IO_HDR))
                        return -EFAULT;
                result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
                                 1, read_only, 1, &srp);
@@ -968,7 +968,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
        case SG_GET_LOW_DMA:
                return put_user((int) sdp->device->host->unchecked_isa_dma, ip);
        case SG_GET_SCSI_ID:
-               if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t)))
+               if (!access_ok(p, sizeof (sg_scsi_id_t)))
                        return -EFAULT;
                else {
                        sg_scsi_id_t __user *sg_idp = p;
@@ -997,7 +997,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                sfp->force_packid = val ? 1 : 0;
                return 0;
        case SG_GET_PACK_ID:
-               if (!access_ok(VERIFY_WRITE, ip, sizeof (int)))
+               if (!access_ok(ip, sizeof (int)))
                        return -EFAULT;
                read_lock_irqsave(&sfp->rq_list_lock, iflags);
                list_for_each_entry(srp, &sfp->rq_list, entry) {
@@ -1078,7 +1078,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                val = (sdp->device ? 1 : 0);
                return put_user(val, ip);
        case SG_GET_REQUEST_TABLE:
-               if (!access_ok(VERIFY_WRITE, p, SZ_SG_REQ_INFO * SG_MAX_QUEUE))
+               if (!access_ok(p, SZ_SG_REQ_INFO * SG_MAX_QUEUE))
                        return -EFAULT;
                else {
                        sg_req_info_t *rinfo;
index fa9d239474ee97d1300051016cecf8086d220d77..36a3564ba1fb5d8ac8e1261a4a6ab5123b2fbe95 100644 (file)
@@ -102,8 +102,8 @@ static int compat_chaninfo(struct file *file, unsigned long arg)
        chaninfo = compat_alloc_user_space(sizeof(*chaninfo));
 
        /* Copy chaninfo structure.  Ignore unused members. */
-       if (!access_ok(VERIFY_READ, chaninfo32, sizeof(*chaninfo32)) ||
-           !access_ok(VERIFY_WRITE, chaninfo, sizeof(*chaninfo)))
+       if (!access_ok(chaninfo32, sizeof(*chaninfo32)) ||
+           !access_ok(chaninfo, sizeof(*chaninfo)))
                return -EFAULT;
 
        err = 0;
@@ -136,8 +136,8 @@ static int compat_rangeinfo(struct file *file, unsigned long arg)
        rangeinfo = compat_alloc_user_space(sizeof(*rangeinfo));
 
        /* Copy rangeinfo structure. */
-       if (!access_ok(VERIFY_READ, rangeinfo32, sizeof(*rangeinfo32)) ||
-           !access_ok(VERIFY_WRITE, rangeinfo, sizeof(*rangeinfo)))
+       if (!access_ok(rangeinfo32, sizeof(*rangeinfo32)) ||
+           !access_ok(rangeinfo, sizeof(*rangeinfo)))
                return -EFAULT;
 
        err = 0;
@@ -163,8 +163,8 @@ static int get_compat_cmd(struct comedi_cmd __user *cmd,
        } temp;
 
        /* Copy cmd structure. */
-       if (!access_ok(VERIFY_READ, cmd32, sizeof(*cmd32)) ||
-           !access_ok(VERIFY_WRITE, cmd, sizeof(*cmd)))
+       if (!access_ok(cmd32, sizeof(*cmd32)) ||
+           !access_ok(cmd, sizeof(*cmd)))
                return -EFAULT;
 
        err = 0;
@@ -217,8 +217,8 @@ static int put_compat_cmd(struct comedi32_cmd_struct __user *cmd32,
         * Assume the pointer values are already valid.
         * (Could use ptr_to_compat() to set them.)
         */
-       if (!access_ok(VERIFY_READ, cmd, sizeof(*cmd)) ||
-           !access_ok(VERIFY_WRITE, cmd32, sizeof(*cmd32)))
+       if (!access_ok(cmd, sizeof(*cmd)) ||
+           !access_ok(cmd32, sizeof(*cmd32)))
                return -EFAULT;
 
        err = 0;
@@ -317,8 +317,8 @@ static int get_compat_insn(struct comedi_insn __user *insn,
 
        /* Copy insn structure.  Ignore the unused members. */
        err = 0;
-       if (!access_ok(VERIFY_READ, insn32, sizeof(*insn32)) ||
-           !access_ok(VERIFY_WRITE, insn, sizeof(*insn)))
+       if (!access_ok(insn32, sizeof(*insn32)) ||
+           !access_ok(insn, sizeof(*insn)))
                return -EFAULT;
 
        err |= __get_user(temp.uint, &insn32->insn);
@@ -350,7 +350,7 @@ static int compat_insnlist(struct file *file, unsigned long arg)
        insnlist32 = compat_ptr(arg);
 
        /* Get 32-bit insnlist structure.  */
-       if (!access_ok(VERIFY_READ, insnlist32, sizeof(*insnlist32)))
+       if (!access_ok(insnlist32, sizeof(*insnlist32)))
                return -EFAULT;
 
        err = 0;
@@ -365,7 +365,7 @@ static int compat_insnlist(struct file *file, unsigned long arg)
                                             insn[n_insns]));
 
        /* Set native insnlist structure. */
-       if (!access_ok(VERIFY_WRITE, &s->insnlist, sizeof(s->insnlist)))
+       if (!access_ok(&s->insnlist, sizeof(s->insnlist)))
                return -EFAULT;
 
        err |= __put_user(n_insns, &s->insnlist.n_insns);
index 99460af61b7712a6339b04bb4fd3d7561c9cc9e6..4164414d4c64b266dfce58772241cb009363f4c0 100644 (file)
@@ -573,7 +573,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
                return -EIO;
 
        /* verify user access to buffer */
-       if (!access_ok(VERIFY_WRITE, buf, nr)) {
+       if (!access_ok(buf, nr)) {
                printk(KERN_WARNING "%s(%d) n_hdlc_tty_read() can't verify user "
                "buffer\n", __FILE__, __LINE__);
                return -EFAULT;
index 3de3c750b5f6e01414d84e1579c001a36e53e478..44f28a114c2b6bb43456b2c67a03b8ec02b7a389 100644 (file)
@@ -598,7 +598,7 @@ static ssize_t usb_device_read(struct file *file, char __user *buf,
                return -EINVAL;
        if (nbytes <= 0)
                return 0;
-       if (!access_ok(VERIFY_WRITE, buf, nbytes))
+       if (!access_ok(buf, nbytes))
                return -EFAULT;
 
        mutex_lock(&usb_bus_idr_lock);
index a75bc0b8a50f06b7ea16d993a3c65662fad97c89..d65566341dd1c941932df3cb43b9675ed83f015c 100644 (file)
@@ -1094,7 +1094,7 @@ static int proc_control(struct usb_dev_state *ps, void __user *arg)
                ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
                ctrl.wIndex, ctrl.wLength);
        if (ctrl.bRequestType & 0x80) {
-               if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
+               if (ctrl.wLength && !access_ok(ctrl.data,
                                               ctrl.wLength)) {
                        ret = -EINVAL;
                        goto done;
@@ -1183,7 +1183,7 @@ static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
        }
        tmo = bulk.timeout;
        if (bulk.ep & 0x80) {
-               if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
+               if (len1 && !access_ok(bulk.data, len1)) {
                        ret = -EINVAL;
                        goto done;
                }
@@ -1584,8 +1584,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
        }
 
        if (uurb->buffer_length > 0 &&
-                       !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
-                               uurb->buffer, uurb->buffer_length)) {
+                       !access_ok(uurb->buffer, uurb->buffer_length)) {
                ret = -EFAULT;
                goto error;
        }
index 54e859dcb25c3c136795ce605ee50dac47c54d0a..75b113a5b25cb6af28a8d7776e58678f6fcf7202 100644 (file)
@@ -252,7 +252,7 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
        if (!count)
                return 0;
 
-       if (!access_ok(VERIFY_WRITE, buffer, count))
+       if (!access_ok(buffer, count))
                return -EFAULT;
 
        spin_lock_irqsave(&hidg->read_spinlock, flags);
@@ -339,7 +339,7 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
        unsigned long flags;
        ssize_t status = -ENOMEM;
 
-       if (!access_ok(VERIFY_READ, buffer, count))
+       if (!access_ok(buffer, count))
                return -EFAULT;
 
        spin_lock_irqsave(&hidg->write_spinlock, flags);
index 11247322d587584bb71fb66d14837fb4a929d381..660712e0bf980dc485cd7a49628c20a2f29981c3 100644 (file)
@@ -88,7 +88,7 @@ static ssize_t queue_dbg_read(struct file *file, char __user *buf,
        size_t len, remaining, actual = 0;
        char tmpbuf[38];
 
-       if (!access_ok(VERIFY_WRITE, buf, nbytes))
+       if (!access_ok(buf, nbytes))
                return -EFAULT;
 
        inode_lock(file_inode(file));
index 55e5aa662ad59d4b72c44db743198876654f2d2d..9f7942cbcbb22a9f09eb0dd4d052b8d0c562004d 100644 (file)
@@ -655,7 +655,7 @@ static bool log_access_ok(void __user *log_base, u64 addr, unsigned long sz)
            a + (unsigned long)log_base > ULONG_MAX)
                return false;
 
-       return access_ok(VERIFY_WRITE, log_base + a,
+       return access_ok(log_base + a,
                         (sz + VHOST_PAGE_SIZE * 8 - 1) / VHOST_PAGE_SIZE / 8);
 }
 
@@ -681,7 +681,7 @@ static bool vq_memory_access_ok(void __user *log_base, struct vhost_umem *umem,
                        return false;
 
 
-               if (!access_ok(VERIFY_WRITE, (void __user *)a,
+               if (!access_ok((void __user *)a,
                                    node->size))
                        return false;
                else if (log_all && !log_access_ok(log_base,
@@ -973,10 +973,10 @@ static bool umem_access_ok(u64 uaddr, u64 size, int access)
                return false;
 
        if ((access & VHOST_ACCESS_RO) &&
-           !access_ok(VERIFY_READ, (void __user *)a, size))
+           !access_ok((void __user *)a, size))
                return false;
        if ((access & VHOST_ACCESS_WO) &&
-           !access_ok(VERIFY_WRITE, (void __user *)a, size))
+           !access_ok((void __user *)a, size))
                return false;
        return true;
 }
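Review bot: With the access type gone, the two tests in umem_access_ok are the same `access_ok((void __user *)a, size)` call guarded by different flags, so a read-write request is range-checked twice. They can be folded into one test without changing the result: `if ((access & (VHOST_ACCESS_RO | VHOST_ACCESS_WO)) && !access_ok((void __user *)a, size)) return false;`. The start of the function is outside the hunk.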
@@ -1185,10 +1185,10 @@ static bool vq_access_ok(struct vhost_virtqueue *vq, unsigned int num,
 {
        size_t s = vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0;
 
-       return access_ok(VERIFY_READ, desc, num * sizeof *desc) &&
-              access_ok(VERIFY_READ, avail,
+       return access_ok(desc, num * sizeof *desc) &&
+              access_ok(avail,
                         sizeof *avail + num * sizeof *avail->ring + s) &&
-              access_ok(VERIFY_WRITE, used,
+              access_ok(used,
                        sizeof *used + num * sizeof *used->ring + s);
 }
 
@@ -1814,7 +1814,7 @@ int vhost_vq_init_access(struct vhost_virtqueue *vq)
                goto err;
        vq->signalled_used_valid = false;
        if (!vq->iotlb &&
-           !access_ok(VERIFY_READ, &vq->used->idx, sizeof vq->used->idx)) {
+           !access_ok(&vq->used->idx, sizeof vq->used->idx)) {
                r = -EFAULT;
                goto err;
        }
index 0777aff211e5cddad3c216e0f58f6c9576e9ac7f..7584570266940cf05f9b9a9947b131c2c3562339 100644 (file)
@@ -1855,7 +1855,7 @@ static int ami_get_var_cursorinfo(struct fb_var_cursorinfo *var,
        var->yspot = par->crsr.spot_y;
        if (size > var->height * var->width)
                return -ENAMETOOLONG;
-       if (!access_ok(VERIFY_WRITE, data, size))
+       if (!access_ok(data, size))
                return -EFAULT;
        delta = 1 << par->crsr.fmode;
        lspr = lofsprite + (delta << 1);
@@ -1935,7 +1935,7 @@ static int ami_set_var_cursorinfo(struct fb_var_cursorinfo *var,
                return -EINVAL;
        if (!var->height)
                return -EINVAL;
-       if (!access_ok(VERIFY_READ, data, var->width * var->height))
+       if (!access_ok(data, var->width * var->height))
                return -EFAULT;
        delta = 1 << fmode;
        lofsprite = shfsprite = (u_short *)spritememory;
index a3edb20ea4c36094104e1cc45bfd30c976b0b41e..53f93616c671cd9e758d243fd3691662b98e0355 100644 (file)
@@ -493,7 +493,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
        if (!display || !display->driver->memory_read)
                return -ENOENT;
 
-       if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
+       if (!access_ok(mr->buffer, mr->buffer_size))
                return -EFAULT;
 
        if (mr->w > 4096 || mr->h > 4096)
index 7e6e682104dc4e9a77d8149e2f4500ded81b41b8..b24ddac1604b8fa35570f5510b5c13093ddc1a45 100644 (file)
@@ -459,14 +459,14 @@ static long privcmd_ioctl_mmap_batch(
                        return -EFAULT;
                /* Returns per-frame error in m.arr. */
                m.err = NULL;
-               if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr)))
+               if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
                        return -EFAULT;
                break;
        case 2:
                if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
                        return -EFAULT;
                /* Returns per-frame error code in m.err. */
-               if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err))))
+               if (!access_ok(m.err, m.num * (sizeof(*m.err))))
                        return -EFAULT;
                break;
        default:
@@ -661,7 +661,7 @@ static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
                        goto out;
                }
 
-               if (!access_ok(VERIFY_WRITE, kbufs[i].uptr,
+               if (!access_ok(kbufs[i].uptr,
                               kbufs[i].size)) {
                        rc = -EFAULT;
                        goto out;
index c3deb2e35f2030a43fb15a1d918d7bcf01ca1fe4..ca9725f18e00566264d6331b5770ec05b94c557d 100644 (file)
@@ -78,9 +78,9 @@ static int aout_core_dump(struct coredump_params *cprm)
 
 /* make sure we actually have a data and stack area to dump */
        set_fs(USER_DS);
-       if (!access_ok(VERIFY_READ, START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
+       if (!access_ok(START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
                dump.u_dsize = 0;
-       if (!access_ok(VERIFY_READ, START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
+       if (!access_ok(START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
                dump.u_ssize = 0;
 
        set_fs(KERNEL_DS);
index 1b15b43905f88a848ba1e533f4a2a12537a1209c..7ea2d6b1f170bc7b20eec66051d69f20986fc827 100644 (file)
@@ -6646,7 +6646,7 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
                goto out;
        }
 
-       if (!access_ok(VERIFY_READ, arg->clone_sources,
+       if (!access_ok(arg->clone_sources,
                        sizeof(*arg->clone_sources) *
                        arg->clone_sources_count)) {
                ret = -EFAULT;
index 2329f96469e2d719fa074c6486396c32ebce3d90..a5d219d920e755aa7761253c87a1da6470f26782 100644 (file)
@@ -2190,7 +2190,7 @@ static int do_epoll_wait(int epfd, struct epoll_event __user *events,
                return -EINVAL;
 
        /* Verify that the area passed by the user is writeable */
-       if (!access_ok(VERIFY_WRITE, events, maxevents * sizeof(struct epoll_event)))
+       if (!access_ok(events, maxevents * sizeof(struct epoll_event)))
                return -EFAULT;
 
        /* Get the "struct file *" for the eventpoll file */
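Review bot: The comment above the check, `/* Verify that the area passed by the user is writeable */`, no longer matches the call. Without the VERIFY_WRITE argument, access_ok() is given only an address and a length, so it says nothing about writability. Suggest `/* Verify that the area passed by the user lies within the user address range */`. A write fault would still only surface when the events are copied out, which happens outside this hunk.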
index 20acaea8a7e6f2c5c0187481335dd8b973fce089..9d01db37183f2616feec648fd63c9ab292a45b8f 100644 (file)
@@ -805,7 +805,7 @@ static long fat_dir_ioctl(struct file *filp, unsigned int cmd,
                return fat_generic_ioctl(filp, cmd, arg);
        }
 
-       if (!access_ok(VERIFY_WRITE, d1, sizeof(struct __fat_dirent[2])))
+       if (!access_ok(d1, sizeof(struct __fat_dirent[2])))
                return -EFAULT;
        /*
         * Yes, we don't need this put_user() absolutely. However old
@@ -845,7 +845,7 @@ static long fat_compat_dir_ioctl(struct file *filp, unsigned cmd,
                return fat_generic_ioctl(filp, cmd, (unsigned long)arg);
        }
 
-       if (!access_ok(VERIFY_WRITE, d1, sizeof(struct compat_dirent[2])))
+       if (!access_ok(d1, sizeof(struct compat_dirent[2])))
                return -EFAULT;
        /*
         * Yes, we don't need this put_user() absolutely. However old
index d64f622cac8b8f7a9cb0fdd842ce0f788f857c8d..fef3a6bf7c78dd2e6dc8587ae4837f9d4e35cf1c 100644 (file)
@@ -203,7 +203,7 @@ static int ioctl_fiemap(struct file *filp, unsigned long arg)
        fieinfo.fi_extents_start = ufiemap->fm_extents;
 
        if (fiemap.fm_extent_count != 0 &&
-           !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
+           !access_ok(fieinfo.fi_extents_start,
                       fieinfo.fi_extents_max * sizeof(struct fiemap_extent)))
                return -EFAULT;
 
index f0b24d98f36beeefeb4802e41604e44eb7d9782c..ff6af2c326012cb027378d6e909506fc7e687531 100644 (file)
@@ -453,7 +453,7 @@ static void locks_move_blocks(struct file_lock *new, struct file_lock *fl)
                return;
        spin_lock(&blocked_lock_lock);
        list_splice_init(&fl->fl_blocked_requests, &new->fl_blocked_requests);
-       list_for_each_entry(f, &fl->fl_blocked_requests, fl_blocked_member)
+       list_for_each_entry(f, &new->fl_blocked_requests, fl_blocked_member)
                f->fl_blocker = new;
        spin_unlock(&blocked_lock_lock);
 }
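Review bot: The corrected loop only works because list_splice_init() on the previous line has already moved every waiter onto `new` and left `fl->fl_blocked_requests` empty, and nothing in the code says so. A one-line comment ahead of the loop, such as `/* the splice above emptied fl's list; the waiters now hang off new */`, would keep the two statements from being reordered or the list head from being swapped back. The start of locks_move_blocks() is outside the hunk.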
index a7f91265ea671d0f6ebe59d2b9fb0f91bd6155cf..97b7c7098c3dd4ffe44f91c79ba05381147ae7f3 100644 (file)
@@ -2651,7 +2651,7 @@ static long exact_copy_from_user(void *to, const void __user * from,
        const char __user *f = from;
        char c;
 
-       if (!access_ok(VERIFY_READ, from, n))
+       if (!access_ok(from, n))
                return n;
 
        current->kernel_uaccess_faults_ok++;
index b8fa1487cd85a40a901f8480075c2d58165548ed..8decbe95dcecb93649f6935114727e91456bd1e9 100644 (file)
@@ -254,7 +254,7 @@ static ssize_t dlmfs_file_read(struct file *filp,
        if (!count)
                return 0;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        /* don't read past the lvb */
@@ -302,7 +302,7 @@ static ssize_t dlmfs_file_write(struct file *filp,
        if (!count)
                return 0;
 
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        /* don't write past the lvb */
index 24db02de1787453d4ad838443dd39e4a7e948484..97fcef74e5af0bd380a63051080b25c4027e6f97 100644 (file)
@@ -33,7 +33,7 @@ static ssize_t write_pmsg(struct file *file, const char __user *buf,
        record.size = count;
 
        /* check outside lock, page in any data. write_user also checks */
-       if (!access_ok(VERIFY_READ, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        mutex_lock(&pmsg_lock);
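Review bot: The comment `check outside lock, page in any data` overstates what the check does. access_ok() receives only `buf` and `count` here, so it validates the address range and does not touch or fault in the pages. Suggest `/* range-check outside the lock; write_user also checks */`, so that nobody relies on the user data being resident once pmsg_lock is held.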
index c11711c2cc83676f687942b9bfdeb748c4f7e32c..f375c0735351cb5964549c85513df82ee76aa93a 100644 (file)
@@ -357,7 +357,7 @@ int notrace persistent_ram_write_user(struct persistent_ram_zone *prz,
        int rem, ret = 0, c = count;
        size_t start;
 
-       if (unlikely(!access_ok(VERIFY_READ, s, count)))
+       if (unlikely(!access_ok(s, count)))
                return -EFAULT;
        if (unlikely(c > prz->buffer_size)) {
                s += c - prz->buffer_size;
index 58f30537c47a0a9d04cdba4abbd78188379ae463..ff3c5e6f87cfaa7c84064161c08d1b76de314505 100644 (file)
@@ -442,7 +442,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
                return -EBADF;
        if (!(file->f_mode & FMODE_CAN_READ))
                return -EINVAL;
-       if (unlikely(!access_ok(VERIFY_WRITE, buf, count)))
+       if (unlikely(!access_ok(buf, count)))
                return -EFAULT;
 
        ret = rw_verify_area(READ, file, pos, count);
@@ -538,7 +538,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
                return -EBADF;
        if (!(file->f_mode & FMODE_CAN_WRITE))
                return -EINVAL;
-       if (unlikely(!access_ok(VERIFY_READ, buf, count)))
+       if (unlikely(!access_ok(buf, count)))
                return -EFAULT;
 
        ret = rw_verify_area(WRITE, file, pos, count);
@@ -718,9 +718,6 @@ static ssize_t do_loop_readv_writev(struct file *filp, struct iov_iter *iter,
        return ret;
 }
 
-/* A write operation does a read from user space and vice versa */
-#define vrfy_dir(type) ((type) == READ ? VERIFY_WRITE : VERIFY_READ)
-
 /**
  * rw_copy_check_uvector() - Copy an array of &struct iovec from userspace
  *     into the kernel and check that it is valid.
@@ -810,7 +807,7 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
                        goto out;
                }
                if (type >= 0
-                   && unlikely(!access_ok(vrfy_dir(type), buf, len))) {
+                   && unlikely(!access_ok(buf, len))) {
                        ret = -EFAULT;
                        goto out;
                }
@@ -856,7 +853,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
        *ret_pointer = iov;
 
        ret = -EFAULT;
-       if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
+       if (!access_ok(uvector, nr_segs*sizeof(*uvector)))
                goto out;
 
        /*
@@ -881,7 +878,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
                if (len < 0)    /* size_t not fitting in compat_ssize_t .. */
                        goto out;
                if (type >= 0 &&
-                   !access_ok(vrfy_dir(type), compat_ptr(buf), len)) {
+                   !access_ok(compat_ptr(buf), len)) {
                        ret = -EFAULT;
                        goto out;
                }
index d97f548e632339dbabfdff92d864e821cfa3e824..2f6a4534e0dfeb644ccc005471826e4654cafe90 100644 (file)
@@ -105,7 +105,7 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
        }
        buf->result++;
        dirent = buf->dirent;
-       if (!access_ok(VERIFY_WRITE, dirent,
+       if (!access_ok(dirent,
                        (unsigned long)(dirent->d_name + namlen + 1) -
                                (unsigned long)dirent))
                goto efault;
@@ -221,7 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
        };
        int error;
 
-       if (!access_ok(VERIFY_WRITE, dirent, count))
+       if (!access_ok(dirent, count))
                return -EFAULT;
 
        f = fdget_pos(fd);
@@ -304,7 +304,7 @@ int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
        };
        int error;
 
-       if (!access_ok(VERIFY_WRITE, dirent, count))
+       if (!access_ok(dirent, count))
                return -EFAULT;
 
        f = fdget_pos(fd);
@@ -365,7 +365,7 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
        }
        buf->result++;
        dirent = buf->dirent;
-       if (!access_ok(VERIFY_WRITE, dirent,
+       if (!access_ok(dirent,
                        (unsigned long)(dirent->d_name + namlen + 1) -
                                (unsigned long)dirent))
                goto efault;
@@ -475,7 +475,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
        };
        int error;
 
-       if (!access_ok(VERIFY_WRITE, dirent, count))
+       if (!access_ok(dirent, count))
                return -EFAULT;
 
        f = fdget_pos(fd);
index 4c8652390c944b47ce9286aa1db409baf9cc75eb..d0f35dbc0e8fd3f6569a4afc380fcea90e21ef14 100644 (file)
@@ -381,9 +381,6 @@ typedef struct {
 #define FDS_BYTES(nr)  (FDS_LONGS(nr)*sizeof(long))
 
 /*
- * We do a VERIFY_WRITE here even though we are only reading this time:
- * we'll write to it eventually..
- *
  * Use "unsigned long" accesses to let user-mode fd_set's be long-aligned.
  */
 static inline
@@ -782,7 +779,7 @@ SYSCALL_DEFINE6(pselect6, int, n, fd_set __user *, inp, fd_set __user *, outp,
        sigset_t __user *up = NULL;
 
        if (sig) {
-               if (!access_ok(VERIFY_READ, sig, sizeof(void *)+sizeof(size_t))
+               if (!access_ok(sig, sizeof(void *)+sizeof(size_t))
                    || __get_user(up, (sigset_t __user * __user *)sig)
                    || __get_user(sigsetsize,
                                (size_t __user *)(sig+sizeof(void *))))
@@ -802,7 +799,7 @@ SYSCALL_DEFINE6(pselect6_time32, int, n, fd_set __user *, inp, fd_set __user *,
        sigset_t __user *up = NULL;
 
        if (sig) {
-               if (!access_ok(VERIFY_READ, sig, sizeof(void *)+sizeof(size_t))
+               if (!access_ok(sig, sizeof(void *)+sizeof(size_t))
                    || __get_user(up, (sigset_t __user * __user *)sig)
                    || __get_user(sigsetsize,
                                (size_t __user *)(sig+sizeof(void *))))
@@ -1368,7 +1365,7 @@ COMPAT_SYSCALL_DEFINE6(pselect6_time64, int, n, compat_ulong_t __user *, inp,
        compat_uptr_t up = 0;
 
        if (sig) {
-               if (!access_ok(VERIFY_READ, sig,
+               if (!access_ok(sig,
                                sizeof(compat_uptr_t)+sizeof(compat_size_t)) ||
                                __get_user(up, (compat_uptr_t __user *)sig) ||
                                __get_user(sigsetsize,
@@ -1390,7 +1387,7 @@ COMPAT_SYSCALL_DEFINE6(pselect6, int, n, compat_ulong_t __user *, inp,
        compat_uptr_t up = 0;
 
        if (sig) {
-               if (!access_ok(VERIFY_READ, sig,
+               if (!access_ok(sig,
                                sizeof(compat_uptr_t)+sizeof(compat_size_t)) ||
                        __get_user(up, (compat_uptr_t __user *)sig) ||
                        __get_user(sigsetsize,
index 6b2e63df27391dc7050e823cd6a6057c7043d50f..d82c78a79da59027914b51513f7b5a3a9f1ce17b 100644 (file)
@@ -35,7 +35,7 @@ static inline void set_fs(mm_segment_t fs)
 #define segment_eq(a, b) ((a).seg == (b).seg)
 #endif
 
-#define access_ok(type, addr, size) __access_ok((unsigned long)(addr),(size))
+#define access_ok(addr, size) __access_ok((unsigned long)(addr),(size))
 
 /*
  * The architecture should really override this if possible, at least
@@ -78,7 +78,7 @@ static inline int __access_ok(unsigned long addr, unsigned long size)
 ({                                                             \
        void __user *__p = (ptr);                               \
        might_fault();                                          \
-       access_ok(VERIFY_WRITE, __p, sizeof(*ptr)) ?            \
+       access_ok(__p, sizeof(*ptr)) ?          \
                __put_user((x), ((__typeof__(*(ptr)) __user *)__p)) :   \
                -EFAULT;                                        \
 })
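Review bot: In the rewritten line `access_ok(__p, sizeof(*ptr))` the macro argument is used unparenthesised, while the next line of the same macro writes `__typeof__(*(ptr))`. `sizeof(*(ptr))` would make the two consistent and keep the checked size correct for an argument such as `p + 1`. The same applies to the get_user() hunk that follows. The rewrite also shortened the line without re-aligning its trailing backslash with the neighbouring lines.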
@@ -140,7 +140,7 @@ extern int __put_user_bad(void) __attribute__((noreturn));
 ({                                                             \
        const void __user *__p = (ptr);                         \
        might_fault();                                          \
-       access_ok(VERIFY_READ, __p, sizeof(*ptr)) ?             \
+       access_ok(__p, sizeof(*ptr)) ?          \
                __get_user((x), (__typeof__(*(ptr)) __user *)__p) :\
                ((x) = (__typeof__(*(ptr)))0,-EFAULT);          \
 })
@@ -175,7 +175,7 @@ __strncpy_from_user(char *dst, const char __user *src, long count)
 static inline long
 strncpy_from_user(char *dst, const char __user *src, long count)
 {
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return -EFAULT;
        return __strncpy_from_user(dst, src, count);
 }
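Review bot: `access_ok(src, 1)` validates a single byte although up to `count` bytes may be read by __strncpy_from_user(). Whether the remaining bytes are covered depends on that helper, whose body is outside this hunk. A comment should state what makes the one-byte check sufficient, or the check should cover the range actually read. The strnlen_user() hunk below has the same shape with `n`.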
@@ -196,7 +196,7 @@ strncpy_from_user(char *dst, const char __user *src, long count)
  */
 static inline long strnlen_user(const char __user *src, long n)
 {
-       if (!access_ok(VERIFY_READ, src, 1))
+       if (!access_ok(src, 1))
                return 0;
        return __strnlen_user(src, n);
 }
@@ -217,7 +217,7 @@ static inline __must_check unsigned long
 clear_user(void __user *to, unsigned long n)
 {
        might_fault();
-       if (!access_ok(VERIFY_WRITE, to, n))
+       if (!access_ok(to, n))
                return n;
 
        return __clear_user(to, n);
index c233efc106c608be173e5f2875042b13b9ef5d0f..27b74947cd2bd9de8e9dba3518fc876b2308a528 100644 (file)
@@ -148,6 +148,7 @@ struct bpf_verifier_state {
        /* call stack tracking */
        struct bpf_func_state *frame[MAX_CALL_FRAMES];
        u32 curframe;
+       bool speculative;
 };
 
 #define bpf_get_spilled_reg(slot, frame)                               \
@@ -167,15 +168,24 @@ struct bpf_verifier_state_list {
        struct bpf_verifier_state_list *next;
 };
 
+/* Possible states for alu_state member. */
+#define BPF_ALU_SANITIZE_SRC           1U
+#define BPF_ALU_SANITIZE_DST           2U
+#define BPF_ALU_NEG_VALUE              (1U << 2)
+#define BPF_ALU_SANITIZE               (BPF_ALU_SANITIZE_SRC | \
+                                        BPF_ALU_SANITIZE_DST)
+
 struct bpf_insn_aux_data {
        union {
                enum bpf_reg_type ptr_type;     /* pointer type for load/store insns */
                unsigned long map_state;        /* pointer/poison value for maps */
                s32 call_imm;                   /* saved imm field of call insn */
+               u32 alu_limit;                  /* limit for add/sub register with pointer */
        };
        int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
        int sanitize_stack_off; /* stack slot to be cleared */
        bool seen; /* this insn was processed by the verifier */
+       u8 alu_state; /* used in combination with alu_limit */
 };
 
 #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
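Review bot: The new `BPF_ALU_*` values are bit flags meant to be OR-ed together (`BPF_ALU_SANITIZE` is a mask of two of them), yet the comment calls them "states", and two are plain literals while the third is a shift. Writing them uniformly as `(1U << 0)`, `(1U << 1)`, `(1U << 2)` and wording the comment as `/* Flag bits for the alu_state member. */` would make that clear. `alu_limit` also joins a union with `ptr_type`, `map_state` and `call_imm`, so a comment saying which instructions it is valid for would help. That cannot be confirmed from this header alone.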
@@ -212,6 +222,8 @@ struct bpf_subprog_info {
  * one verifier_env per bpf_check() call
  */
 struct bpf_verifier_env {
+       u32 insn_idx;
+       u32 prev_insn_idx;
        struct bpf_prog *prog;          /* eBPF program being verified */
        const struct bpf_verifier_ops *ops;
        struct bpf_verifier_stack_elem *head; /* stack of verifier states to be processed */
index 8c8544b375ebd93cea7d2b66e1384db2041232cd..ad106d845b2290a106765b96cab3cdd555dc9211 100644 (file)
@@ -53,14 +53,10 @@ struct sock_reuseport;
 #define BPF_REG_D      BPF_REG_8       /* data, callee-saved */
 #define BPF_REG_H      BPF_REG_9       /* hlen, callee-saved */
 
-/* Kernel hidden auxiliary/helper register for hardening step.
- * Only used by eBPF JITs. It's nothing more than a temporary
- * register that JITs use internally, only that here it's part
- * of eBPF instructions that have been rewritten for blinding
- * constants. See JIT pre-step in bpf_jit_blind_constants().
- */
+/* Kernel hidden auxiliary/helper register. */
 #define BPF_REG_AX             MAX_BPF_REG
-#define MAX_BPF_JIT_REG                (MAX_BPF_REG + 1)
+#define MAX_BPF_EXT_REG                (MAX_BPF_REG + 1)
+#define MAX_BPF_JIT_REG                MAX_BPF_EXT_REG
 
 /* unused opcode to mark special call to bpf_tail_call() helper */
 #define BPF_TAIL_CALL  0xf0
index da039f211c228a8f6027a98c6c3df076b26a1842..3b051f7614505ada10ac2a5bebbabf4f6cf9c8b4 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Framework and drivers for configuring and reading different PHYs
- * Based on code in sungem_phy.c and gianfar_phy.c
+ * Based on code in sungem_phy.c and (long-removed) gianfar_phy.c
  *
  * Author: Andy Fleming
  *
@@ -110,9 +110,9 @@ typedef enum {
  * @speeds: buffer to store supported speeds in.
  * @size: size of speeds buffer.
  *
- * Description: Returns the number of supported speeds, and
- * fills the speeds * buffer with the supported speeds. If speeds buffer is
- * too small to contain all currently supported speeds, will return as
+ * Description: Returns the number of supported speeds, and fills
+ * the speeds buffer with the supported speeds. If speeds buffer is
+ * too small to contain all currently supported speeds, will return as
  * many speeds as can fit.
  */
 unsigned int phy_supported_speeds(struct phy_device *phy,
@@ -120,7 +120,10 @@ unsigned int phy_supported_speeds(struct phy_device *phy,
                                      unsigned int size);
 
 /**
- * It maps 'enum phy_interface_t' found in include/linux/phy.h
+ * phy_modes - map phy_interface_t enum to device tree binding of phy-mode
+ * @interface: enum phy_interface_t value
+ *
+ * Description: maps 'enum phy_interface_t' defined in this file
  * into the device tree binding of 'phy-mode', so that Ethernet
  * device driver can get phy interface from device tree.
  */
index 1fdefadf150a90e9ec6267a79c31742de70713da..e8e118d70fd7ad01ec9f7ed592f2d476fd3ffd4c 100644 (file)
@@ -110,6 +110,7 @@ struct phy_ops {
 /**
  * struct phy_attrs - represents phy attributes
  * @bus_width: Data path width implemented by PHY
+ * @mode: PHY mode
  */
 struct phy_attrs {
        u32                     bus_width;
@@ -121,7 +122,6 @@ struct phy_attrs {
  * @dev: phy device
  * @id: id of the phy device
  * @ops: function pointers for performing phy operations
- * @init_data: list of PHY consumers (non-dt only)
  * @mutex: mutex to protect phy_ops
  * @init_count: used to protect when the PHY is used by multiple consumers
  * @power_count: used to protect when the PHY is used by multiple consumers
index 6894976b54e376da3c203932ec2c1152ddfc527d..186cd8e970c70fdba6067691256c66efc6a8b64d 100644 (file)
@@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
                else if (destroy)
                        destroy(ptr);
 
+       if (producer >= size)
+               producer = 0;
        __ptr_ring_set_size(r, size);
        r->producer = producer;
        r->consumer_head = 0;
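Review bot: The added wrap has no comment explaining when `producer` can equal `size`, and that is what makes it a bounds fix rather than a tidy-up. From the visible lines it appears to cover the case where the preceding copy loop, which starts outside the hunk, fills the new queue completely, leaving `r->producer` one past the last slot. Suggest `/* queue is full after the copy: wrap so producer never indexes queue[size] */` above the check.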
index 494cedaafdf2b4806d92abc20f27ece4e31d80de..a85c1707285ca935b90316ce809e30899b090077 100644 (file)
@@ -376,7 +376,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
        if (!regset->get)
                return -EOPNOTSUPP;
 
-       if (!access_ok(VERIFY_WRITE, data, size))
+       if (!access_ok(data, size))
                return -EFAULT;
 
        return regset->get(target, regset, offset, size, NULL, data);
@@ -402,7 +402,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
        if (!regset->set)
                return -EOPNOTSUPP;
 
-       if (!access_ok(VERIFY_READ, data, size))
+       if (!access_ok(data, size))
                return -EFAULT;
 
        return regset->set(target, regset, offset, size, NULL, data);
index efe79c1cdd4765335e28efb3cb58b9a1b8b06f18..37b226e8df13f3b6235277485519b5de37cf6fe2 100644 (file)
@@ -6,9 +6,6 @@
 #include <linux/thread_info.h>
 #include <linux/kasan-checks.h>
 
-#define VERIFY_READ 0
-#define VERIFY_WRITE 1
-
 #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
 
 #include <asm/uaccess.h>
@@ -111,7 +108,7 @@ _copy_from_user(void *to, const void __user *from, unsigned long n)
 {
        unsigned long res = n;
        might_fault();
-       if (likely(access_ok(VERIFY_READ, from, n))) {
+       if (likely(access_ok(from, n))) {
                kasan_check_write(to, n);
                res = raw_copy_from_user(to, from, n);
        }
@@ -129,7 +126,7 @@ static inline unsigned long
 _copy_to_user(void __user *to, const void *from, unsigned long n)
 {
        might_fault();
-       if (access_ok(VERIFY_WRITE, to, n)) {
+       if (access_ok(to, n)) {
                kasan_check_read(from, n);
                n = raw_copy_to_user(to, from, n);
        }
@@ -160,7 +157,7 @@ static __always_inline unsigned long __must_check
 copy_in_user(void __user *to, const void __user *from, unsigned long n)
 {
        might_fault();
-       if (access_ok(VERIFY_WRITE, to, n) && access_ok(VERIFY_READ, from, n))
+       if (access_ok(to, n) && access_ok(from, n))
                n = raw_copy_in_user(to, from, n);
        return n;
 }
@@ -267,7 +264,7 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
        probe_kernel_read(&retval, addr, sizeof(retval))
 
 #ifndef user_access_begin
-#define user_access_begin() do { } while (0)
+#define user_access_begin(ptr,len) access_ok(ptr, len)
 #define user_access_end() do { } while (0)
 #define unsafe_get_user(x, ptr, err) do { if (unlikely(__get_user(x, ptr))) goto err; } while (0)
 #define unsafe_put_user(x, ptr, err) do { if (unlikely(__put_user(x, ptr))) goto err; } while (0)
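Review bot: The fallback `user_access_begin(ptr,len)` now carries the only range check for the `unsafe_get_user()`/`unsafe_put_user()` fallbacks below it, which expand to `__get_user()`/`__put_user()`, but as a bare macro its result can be dropped silently. A caller converted from the old statement form to `user_access_begin(p, n);` without an `if` would still compile and then access an unchecked user pointer. Turning the fallback into a `__must_check` inline function, with a self-referencing define so the `#ifndef` guard keeps working, lets the compiler flag an ignored result.

```c
static __must_check __always_inline bool
user_access_begin(const void __user *ptr, size_t len)
{
	/* Callers must test the result before any unsafe_*_user() access. */
	return access_ok(ptr, len);
}
#define user_access_begin user_access_begin
/* … unchanged: user_access_end, unsafe_get_user, unsafe_put_user … */
```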
index aef2b2bb6603fa5c308c7aca4c1ef9d47d6496f9..0f319e13be2c1f836f5a9f7a47832fb3fd74d88c 100644 (file)
@@ -30,7 +30,7 @@ static inline
 __wsum csum_and_copy_from_user (const void __user *src, void *dst,
                                      int len, __wsum sum, int *err_ptr)
 {
-       if (access_ok(VERIFY_READ, src, len))
+       if (access_ok(src, len))
                return csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
 
        if (len)
@@ -46,7 +46,7 @@ static __inline__ __wsum csum_and_copy_to_user
 {
        sum = csum_partial(src, len, sum);
 
-       if (access_ok(VERIFY_WRITE, dst, len)) {
+       if (access_ok(dst, len)) {
                if (copy_to_user(dst, src, len) == 0)
                        return sum;
        }
index cbcf35ce1b14963178e276035fccd7e460fb962f..34f019650941bd108e6d75d029b0564a53ce1c0e 100644 (file)
@@ -308,6 +308,26 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *op,
 int ip_tunnel_encap_setup(struct ip_tunnel *t,
                          struct ip_tunnel_encap *ipencap);
 
+static inline bool pskb_inet_may_pull(struct sk_buff *skb)
+{
+       int nhlen;
+
+       switch (skb->protocol) {
+#if IS_ENABLED(CONFIG_IPV6)
+       case htons(ETH_P_IPV6):
+               nhlen = sizeof(struct ipv6hdr);
+               break;
+#endif
+       case htons(ETH_P_IP):
+               nhlen = sizeof(struct iphdr);
+               break;
+       default:
+               nhlen = 0;
+       }
+
+       return pskb_network_may_pull(skb, nhlen);
+}
+
 static inline int ip_encap_hlen(struct ip_tunnel_encap *e)
 {
        const struct ip_tunnel_encap_ops *ops;
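Review bot: pskb_inet_may_pull() is added without a comment, and its contract has two parts a caller can get wrong. For any protocol other than IPv4 (or IPv6 when enabled) it asks for zero bytes, so a true return does not mean a network header is present. The pull can also reallocate the skb head, so header pointers taken before the call have to be re-read afterwards. A short kernel-doc block stating both would help, and the `default:` arm could end in `break;` like the other arms.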
index 4b2b2baf8ab4bbddd7f7cc104b42b15434aee18b..f32fc8289473200138803ac2c292df643633e102 100644 (file)
@@ -5,17 +5,10 @@
 
 struct nf_conncount_data;
 
-enum nf_conncount_list_add {
-       NF_CONNCOUNT_ADDED,     /* list add was ok */
-       NF_CONNCOUNT_ERR,       /* -ENOMEM, must drop skb */
-       NF_CONNCOUNT_SKIP,      /* list is already reclaimed by gc */
-};
-
 struct nf_conncount_list {
        spinlock_t list_lock;
        struct list_head head;  /* connections with the same filtering key */
        unsigned int count;     /* length of list */
-       bool dead;
 };
 
 struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
@@ -29,18 +22,12 @@ unsigned int nf_conncount_count(struct net *net,
                                const struct nf_conntrack_tuple *tuple,
                                const struct nf_conntrack_zone *zone);
 
-void nf_conncount_lookup(struct net *net, struct nf_conncount_list *list,
-                        const struct nf_conntrack_tuple *tuple,
-                        const struct nf_conntrack_zone *zone,
-                        bool *addit);
+int nf_conncount_add(struct net *net, struct nf_conncount_list *list,
+                    const struct nf_conntrack_tuple *tuple,
+                    const struct nf_conntrack_zone *zone);
 
 void nf_conncount_list_init(struct nf_conncount_list *list);
 
-enum nf_conncount_list_add
-nf_conncount_add(struct nf_conncount_list *list,
-                const struct nf_conntrack_tuple *tuple,
-                const struct nf_conntrack_zone *zone);
-
 bool nf_conncount_gc_list(struct net *net,
                          struct nf_conncount_list *list);
 
index a6235c286ef9969532696f1af0565edd6150256a..2b229f7be8ebbc160706012f7ed03db85c5689d0 100644 (file)
@@ -298,6 +298,7 @@ struct sock_common {
   *    @sk_filter: socket filtering instructions
   *    @sk_timer: sock cleanup timer
   *    @sk_stamp: time stamp of last packet received
+  *    @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
   *    @sk_tsflags: SO_TIMESTAMPING socket options
   *    @sk_tskey: counter to disambiguate concurrent tstamp requests
   *    @sk_zckey: counter to order MSG_ZEROCOPY notifications
@@ -474,6 +475,9 @@ struct sock {
        const struct cred       *sk_peer_cred;
        long                    sk_rcvtimeo;
        ktime_t                 sk_stamp;
+#if BITS_PER_LONG==32
+       seqlock_t               sk_stamp_seq;
+#endif
        u16                     sk_tsflags;
        u8                      sk_shutdown;
        u32                     sk_tskey;
@@ -2297,6 +2301,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
        atomic_add(segs, &sk->sk_drops);
 }
 
+static inline ktime_t sock_read_timestamp(struct sock *sk)
+{
+#if BITS_PER_LONG==32
+       unsigned int seq;
+       ktime_t kt;
+
+       do {
+               seq = read_seqbegin(&sk->sk_stamp_seq);
+               kt = sk->sk_stamp;
+       } while (read_seqretry(&sk->sk_stamp_seq, seq));
+
+       return kt;
+#else
+       return sk->sk_stamp;
+#endif
+}
+
+static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
+{
+#if BITS_PER_LONG==32
+       write_seqlock(&sk->sk_stamp_seq);
+       sk->sk_stamp = kt;
+       write_sequnlock(&sk->sk_stamp_seq);
+#else
+       sk->sk_stamp = kt;
+#endif
+}
+
 void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
                           struct sk_buff *skb);
 void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
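Review bot: On 64-bit builds the `#else` branches of both helpers are plain accesses, `return sk->sk_stamp;` and `sk->sk_stamp = kt;`, to a field that the 32-bit branch treats as concurrently read and written. `return READ_ONCE(sk->sk_stamp);` and `WRITE_ONCE(sk->sk_stamp, kt);` would document the lockless access and stop the compiler from tearing or refetching it. The new `sk_stamp_seq` also needs a `seqlock_init()` wherever sockets are set up, which is not visible in this header.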
@@ -2321,7 +2353,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
             (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
                __sock_recv_timestamp(msg, sk, skb);
        else
-               sk->sk_stamp = kt;
+               sock_write_timestamp(sk, kt);
 
        if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
                __sock_recv_wifi_status(msg, sk, skb);
@@ -2342,9 +2374,9 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
        if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
                __sock_recv_ts_and_drops(msg, sk, skb);
        else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP)))
-               sk->sk_stamp = skb->tstamp;
+               sock_write_timestamp(sk, skb->tstamp);
        else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP))
-               sk->sk_stamp = 0;
+               sock_write_timestamp(sk, 0);
 }
 
 void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
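Review bot: The last branch still tests `sk->sk_stamp == SK_DEFAULT_STAMP` with a direct read. On 32-bit that bypasses the seqlock which the two writes in this hunk now take, so it can observe a half-updated value. Use the reader added earlier in this file: `else if (unlikely(sock_read_timestamp(sk) == SK_DEFAULT_STAMP))`.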
index 38de580abcc25bd5dbf44fb9fcfbf8fb19692434..f908b9356025d27da489b7a1ceaac302169a1c98 100644 (file)
@@ -54,6 +54,7 @@
 #define DST    regs[insn->dst_reg]
 #define SRC    regs[insn->src_reg]
 #define FP     regs[BPF_REG_FP]
+#define AX     regs[BPF_REG_AX]
 #define ARG1   regs[BPF_REG_ARG1]
 #define CTX    regs[BPF_REG_CTX]
 #define IMM    insn->imm
@@ -857,6 +858,26 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
        BUILD_BUG_ON(BPF_REG_AX  + 1 != MAX_BPF_JIT_REG);
        BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
 
+       /* Constraints on AX register:
+        *
+        * AX register is inaccessible from user space. It is mapped in
+        * all JITs, and used here for constant blinding rewrites. It is
+        * typically "stateless" meaning its contents are only valid within
+        * the executed instruction, but not across several instructions.
+        * There are a few exceptions however which are further detailed
+        * below.
+        *
+        * Constant blinding is only used by JITs, not in the interpreter.
+        * The interpreter uses AX in some occasions as a local temporary
+        * register e.g. in DIV or MOD instructions.
+        *
+        * In restricted circumstances, the verifier can also use the AX
+        * register for rewrites as long as they do not interfere with
+        * the above cases!
+        */
+       if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
+               goto out;
+
        if (from->imm == 0 &&
            (from->code == (BPF_ALU   | BPF_MOV | BPF_K) ||
             from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
@@ -1188,7 +1209,6 @@ bool bpf_opcode_in_insntable(u8 code)
  */
 static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
 {
-       u64 tmp;
 #define BPF_INSN_2_LBL(x, y)    [BPF_##x | BPF_##y] = &&x##_##y
 #define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z
        static const void *jumptable[256] = {
@@ -1268,36 +1288,36 @@ select_insn:
                (*(s64 *) &DST) >>= IMM;
                CONT;
        ALU64_MOD_X:
-               div64_u64_rem(DST, SRC, &tmp);
-               DST = tmp;
+               div64_u64_rem(DST, SRC, &AX);
+               DST = AX;
                CONT;
        ALU_MOD_X:
-               tmp = (u32) DST;
-               DST = do_div(tmp, (u32) SRC);
+               AX = (u32) DST;
+               DST = do_div(AX, (u32) SRC);
                CONT;
        ALU64_MOD_K:
-               div64_u64_rem(DST, IMM, &tmp);
-               DST = tmp;
+               div64_u64_rem(DST, IMM, &AX);
+               DST = AX;
                CONT;
        ALU_MOD_K:
-               tmp = (u32) DST;
-               DST = do_div(tmp, (u32) IMM);
+               AX = (u32) DST;
+               DST = do_div(AX, (u32) IMM);
                CONT;
        ALU64_DIV_X:
                DST = div64_u64(DST, SRC);
                CONT;
        ALU_DIV_X:
-               tmp = (u32) DST;
-               do_div(tmp, (u32) SRC);
-               DST = (u32) tmp;
+               AX = (u32) DST;
+               do_div(AX, (u32) SRC);
+               DST = (u32) AX;
                CONT;
        ALU64_DIV_K:
                DST = div64_u64(DST, IMM);
                CONT;
        ALU_DIV_K:
-               tmp = (u32) DST;
-               do_div(tmp, (u32) IMM);
-               DST = (u32) tmp;
+               AX = (u32) DST;
+               do_div(AX, (u32) IMM);
+               DST = (u32) AX;
                CONT;
        ALU_END_TO_BE:
                switch (IMM) {
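Review bot: The DIV/MOD handlers now store through `AX`, i.e. `regs[BPF_REG_AX]`, which is index MAX_BPF_REG, while ___bpf_prog_run() receives `regs` as a bare `u64 *` with no length. The two wrapper macros later in this file are resized to `MAX_BPF_EXT_REG`, but any other caller still passing a `MAX_BPF_REG`-element array would be written out of bounds; no such caller is visible here. A comment on ___bpf_prog_run() such as `/* regs must hold MAX_BPF_EXT_REG entries: AX is used as scratch by DIV/MOD */` would record the requirement. The function starts and ends outside this hunk.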
@@ -1553,7 +1573,7 @@ STACK_FRAME_NON_STANDARD(___bpf_prog_run); /* jump table */
 static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
 { \
        u64 stack[stack_size / sizeof(u64)]; \
-       u64 regs[MAX_BPF_REG]; \
+       u64 regs[MAX_BPF_EXT_REG]; \
 \
        FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
        ARG1 = (u64) (unsigned long) ctx; \
@@ -1566,7 +1586,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
                                      const struct bpf_insn *insn) \
 { \
        u64 stack[stack_size / sizeof(u64)]; \
-       u64 regs[MAX_BPF_REG]; \
+       u64 regs[MAX_BPF_EXT_REG]; \
 \
        FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
        BPF_R1 = r1; \
index 0607db304def8bceea439caf72682301b56f047f..b155cd17c1bd77d6c40e215a09ef2af37bd2a077 100644 (file)
@@ -79,7 +79,7 @@ int bpf_check_uarg_tail_zero(void __user *uaddr,
        if (unlikely(actual_size > PAGE_SIZE))  /* silly large */
                return -E2BIG;
 
-       if (unlikely(!access_ok(VERIFY_READ, uaddr, actual_size)))
+       if (unlikely(!access_ok(uaddr, actual_size)))
                return -EFAULT;
 
        if (actual_size <= expected_size)
index 71d86e3024aeb93351d9b165aa0f9d2d0dfa5204..f6bc62a9ee8e9ddea251e353dfe4b6758560ba4f 100644 (file)
@@ -710,6 +710,7 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
                free_func_state(dst_state->frame[i]);
                dst_state->frame[i] = NULL;
        }
+       dst_state->speculative = src->speculative;
        dst_state->curframe = src->curframe;
        for (i = 0; i <= src->curframe; i++) {
                dst = dst_state->frame[i];
@@ -754,7 +755,8 @@ static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,
 }
 
 static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
-                                            int insn_idx, int prev_insn_idx)
+                                            int insn_idx, int prev_insn_idx,
+                                            bool speculative)
 {
        struct bpf_verifier_state *cur = env->cur_state;
        struct bpf_verifier_stack_elem *elem;
@@ -772,6 +774,7 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
        err = copy_verifier_state(&elem->st, cur);
        if (err)
                goto err;
+       elem->st.speculative |= speculative;
        if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
                verbose(env, "BPF program is too complex\n");
                goto err;
@@ -1387,6 +1390,31 @@ static int check_stack_read(struct bpf_verifier_env *env,
        }
 }
 
+static int check_stack_access(struct bpf_verifier_env *env,
+                             const struct bpf_reg_state *reg,
+                             int off, int size)
+{
+       /* Stack accesses must be at a fixed offset, so that we
+        * can determine what type of data were returned. See
+        * check_stack_read().
+        */
+       if (!tnum_is_const(reg->var_off)) {
+               char tn_buf[48];
+
+               tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+               verbose(env, "variable stack access var_off=%s off=%d size=%d",
+                       tn_buf, off, size);
+               return -EACCES;
+       }
+
+       if (off >= 0 || off < -MAX_BPF_STACK) {
+               verbose(env, "invalid stack off=%d size=%d\n", off, size);
+               return -EACCES;
+       }
+
+       return 0;
+}
+
 /* check read/write into map element returned by bpf_map_lookup_elem() */
 static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
                              int size, bool zero_size_allowed)
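Review bot: In check_stack_access() the first `verbose()` format string has no trailing newline while the second has one, so a rejected variable-offset access runs into the next line of the verifier log. It should read `"variable stack access var_off=%s off=%d size=%d\n"`. Separately, `size` is only printed and never compared with the stack bounds, so the helper validates the start offset alone. If the extent of the access is meant to be checked by the callers, the header comment should say so, for example `/* Only the start offset is range-checked here; callers check off + size. */`, because this commit also calls the helper with a size of 1 after pointer arithmetic.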
@@ -1418,13 +1446,17 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
         */
        if (env->log.level)
                print_verifier_state(env, state);
+
        /* The minimum value is only important with signed
         * comparisons where we can't assume the floor of a
         * value is 0.  If we are using signed variables for our
         * index'es we need to make sure that whatever we use
         * will have a set floor within our range.
         */
-       if (reg->smin_value < 0) {
+       if (reg->smin_value < 0 &&
+           (reg->smin_value == S64_MIN ||
+            (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||
+             reg->smin_value + off < 0)) {
                verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
                        regno);
                return -EACCES;
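Review bot: The new three-part condition in check_map_access() is not explained by the comment above it, which still describes the old rule that any negative smin_value is rejected. As written, a negative minimum is accepted when `off + reg->smin_value` is non-negative and survives the `(s64)(s32)` round trip, and S64_MIN is excluded first, presumably so the addition cannot wrap. I would add `/* A negative smin is fine if off + smin is >= 0 and fits in s32; S64_MIN is rejected up front so the sum cannot wrap. */` directly above the `if`. The last operand, `reg->smin_value + off < 0`, is also indented one column deeper than its siblings. The function body continues outside the hunk.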
@@ -1954,24 +1986,10 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
                }
 
        } else if (reg->type == PTR_TO_STACK) {
-               /* stack accesses must be at a fixed offset, so that we can
-                * determine what type of data were returned.
-                * See check_stack_read().
-                */
-               if (!tnum_is_const(reg->var_off)) {
-                       char tn_buf[48];
-
-                       tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
-                       verbose(env, "variable stack access var_off=%s off=%d size=%d",
-                               tn_buf, off, size);
-                       return -EACCES;
-               }
                off += reg->var_off.value;
-               if (off >= 0 || off < -MAX_BPF_STACK) {
-                       verbose(env, "invalid stack off=%d size=%d\n", off,
-                               size);
-                       return -EACCES;
-               }
+               err = check_stack_access(env, reg, off, size);
+               if (err)
+                       return err;
 
                state = func(env, reg);
                err = update_stack_depth(env, state, off);
@@ -3052,6 +3070,102 @@ static bool check_reg_sane_offset(struct bpf_verifier_env *env,
        return true;
 }
 
+static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
+{
+       return &env->insn_aux_data[env->insn_idx];
+}
+
+static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
+                             u32 *ptr_limit, u8 opcode, bool off_is_neg)
+{
+       bool mask_to_left = (opcode == BPF_ADD &&  off_is_neg) ||
+                           (opcode == BPF_SUB && !off_is_neg);
+       u32 off;
+
+       switch (ptr_reg->type) {
+       case PTR_TO_STACK:
+               off = ptr_reg->off + ptr_reg->var_off.value;
+               if (mask_to_left)
+                       *ptr_limit = MAX_BPF_STACK + off;
+               else
+                       *ptr_limit = -off;
+               return 0;
+       case PTR_TO_MAP_VALUE:
+               if (mask_to_left) {
+                       *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
+               } else {
+                       off = ptr_reg->smin_value + ptr_reg->off;
+                       *ptr_limit = ptr_reg->map_ptr->value_size - off;
+               }
+               return 0;
+       default:
+               return -EINVAL;
+       }
+}
+
+static int sanitize_ptr_alu(struct bpf_verifier_env *env,
+                           struct bpf_insn *insn,
+                           const struct bpf_reg_state *ptr_reg,
+                           struct bpf_reg_state *dst_reg,
+                           bool off_is_neg)
+{
+       struct bpf_verifier_state *vstate = env->cur_state;
+       struct bpf_insn_aux_data *aux = cur_aux(env);
+       bool ptr_is_dst_reg = ptr_reg == dst_reg;
+       u8 opcode = BPF_OP(insn->code);
+       u32 alu_state, alu_limit;
+       struct bpf_reg_state tmp;
+       bool ret;
+
+       if (env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K)
+               return 0;
+
+       /* We already marked aux for masking from non-speculative
+        * paths, thus we got here in the first place. We only care
+        * to explore bad access from here.
+        */
+       if (vstate->speculative)
+               goto do_sim;
+
+       alu_state  = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
+       alu_state |= ptr_is_dst_reg ?
+                    BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
+
+       if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
+               return 0;
+
+       /* If we arrived here from different branches with different
+        * limits to sanitize, then this won't work.
+        */
+       if (aux->alu_state &&
+           (aux->alu_state != alu_state ||
+            aux->alu_limit != alu_limit))
+               return -EACCES;
+
+       /* Corresponding fixup done in fixup_bpf_calls(). */
+       aux->alu_state = alu_state;
+       aux->alu_limit = alu_limit;
+
+do_sim:
+       /* Simulate and find potential out-of-bounds access under
+        * speculative execution from truncation as a result of
+        * masking when off was not within expected range. If off
+        * sits in dst, then we temporarily need to move ptr there
+        * to simulate dst (== 0) +/-= ptr. Needed, for example,
+        * for cases where we use K-based arithmetic in one direction
+        * and truncated reg-based in the other in order to explore
+        * bad access.
+        */
+       if (!ptr_is_dst_reg) {
+               tmp = *dst_reg;
+               *dst_reg = *ptr_reg;
+       }
+       ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
+       if (!ptr_is_dst_reg)
+               *dst_reg = tmp;
+       return !ret ? -EFAULT : 0;
+}
+
 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
  * Caller should also handle BPF_MOV case separately.
  * If we return -EACCES, caller may want to try again treating pointer as a
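Review bot: sanitize_ptr_alu() returns 0 when retrieve_ptr_limit() fails, so every pointer type that reaches its `default: return -EINVAL;` branch gets neither an alu_limit nor the speculative simulation, and nothing is logged. Whether such types can reach this path for an unprivileged program is decided outside the hunk, but the decision to leave them unmasked should be explicit. Either propagate the error, or keep the `return 0;` under a comment such as `/* no limit known for this pointer type: arithmetic is left unmasked on purpose */`. In retrieve_ptr_limit(), `u32 off` receives signed sums and the limits `-off` and `MAX_BPF_STACK + off` depend on unsigned wraparound, which deserves a one-line comment. `bool ret` holding the pointer returned by push_stack() would read better as a pointer local tested against NULL.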
@@ -3070,8 +3184,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
            smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
        u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
            umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
+       u32 dst = insn->dst_reg, src = insn->src_reg;
        u8 opcode = BPF_OP(insn->code);
-       u32 dst = insn->dst_reg;
+       int ret;
 
        dst_reg = &regs[dst];
 
@@ -3104,6 +3219,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
                verbose(env, "R%d pointer arithmetic on %s prohibited\n",
                        dst, reg_type_str[ptr_reg->type]);
                return -EACCES;
+       case PTR_TO_MAP_VALUE:
+               if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
+                       verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
+                               off_reg == dst_reg ? dst : src);
+                       return -EACCES;
+               }
+               /* fall-through */
        default:
                break;
        }
@@ -3120,6 +3242,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
 
        switch (opcode) {
        case BPF_ADD:
+               ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
+               if (ret < 0) {
+                       verbose(env, "R%d tried to add from different maps or paths\n", dst);
+                       return ret;
+               }
                /* We can take a fixed offset as long as it doesn't overflow
                 * the s32 'off' field
                 */
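Review bot: The message "R%d tried to add from different maps or paths" is printed for every negative return from sanitize_ptr_alu(), but that helper returns -EFAULT when push_stack() fails as well as -EACCES for mismatched limits. A program rejected because the simulated state could not be pushed would therefore get a misleading explanation. Limiting the message to the mismatch case, `if (ret == -EACCES) verbose(env, "R%d tried to add from different maps or paths\n", dst);`, keeps the log accurate. The same applies to the BPF_SUB call in the next hunk. adjust_ptr_min_max_vals() starts and ends outside this hunk.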
@@ -3170,6 +3297,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
                }
                break;
        case BPF_SUB:
+               ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
+               if (ret < 0) {
+                       verbose(env, "R%d tried to sub from different maps or paths\n", dst);
+                       return ret;
+               }
                if (dst_reg == off_reg) {
                        /* scalar -= pointer.  Creates an unknown scalar */
                        verbose(env, "R%d tried to subtract pointer from scalar\n",
@@ -3249,6 +3381,25 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
        __update_reg_bounds(dst_reg);
        __reg_deduce_bounds(dst_reg);
        __reg_bound_offset(dst_reg);
+
+       /* For unprivileged we require that resulting offset must be in bounds
+        * in order to be able to sanitize access later on.
+        */
+       if (!env->allow_ptr_leaks) {
+               if (dst_reg->type == PTR_TO_MAP_VALUE &&
+                   check_map_access(env, dst, dst_reg->off, 1, false)) {
+                       verbose(env, "R%d pointer arithmetic of map value goes out of range, "
+                               "prohibited for !root\n", dst);
+                       return -EACCES;
+               } else if (dst_reg->type == PTR_TO_STACK &&
+                          check_stack_access(env, dst_reg, dst_reg->off +
+                                             dst_reg->var_off.value, 1)) {
+                       verbose(env, "R%d stack pointer arithmetic goes out of range, "
+                               "prohibited for !root\n", dst);
+                       return -EACCES;
+               }
+       }
+
        return 0;
 }
 
@@ -4348,7 +4499,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
                }
        }
 
-       other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx);
+       other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
+                                 false);
        if (!other_branch)
                return -EFAULT;
        other_branch_regs = other_branch->frame[other_branch->curframe]->regs;
@@ -5458,6 +5610,12 @@ static bool states_equal(struct bpf_verifier_env *env,
        if (old->curframe != cur->curframe)
                return false;
 
+       /* Verification state from speculative execution simulation
+        * must never prune a non-speculative execution one.
+        */
+       if (old->speculative && !cur->speculative)
+               return false;
+
        /* for states to be equal callsites have to be the same
         * and all frame states need to be equivalent
         */
@@ -5650,7 +5808,6 @@ static int do_check(struct bpf_verifier_env *env)
        struct bpf_insn *insns = env->prog->insnsi;
        struct bpf_reg_state *regs;
        int insn_cnt = env->prog->len, i;
-       int insn_idx, prev_insn_idx = 0;
        int insn_processed = 0;
        bool do_print_state = false;
 
@@ -5660,6 +5817,7 @@ static int do_check(struct bpf_verifier_env *env)
        if (!state)
                return -ENOMEM;
        state->curframe = 0;
+       state->speculative = false;
        state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);
        if (!state->frame[0]) {
                kfree(state);
@@ -5670,19 +5828,19 @@ static int do_check(struct bpf_verifier_env *env)
                        BPF_MAIN_FUNC /* callsite */,
                        0 /* frameno */,
                        0 /* subprogno, zero == main subprog */);
-       insn_idx = 0;
+
        for (;;) {
                struct bpf_insn *insn;
                u8 class;
                int err;
 
-               if (insn_idx >= insn_cnt) {
+               if (env->insn_idx >= insn_cnt) {
                        verbose(env, "invalid insn idx %d insn_cnt %d\n",
-                               insn_idx, insn_cnt);
+                               env->insn_idx, insn_cnt);
                        return -EFAULT;
                }
 
-               insn = &insns[insn_idx];
+               insn = &insns[env->insn_idx];
                class = BPF_CLASS(insn->code);
 
                if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
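Review bot: `insn_idx = 0;` is removed here with no `env->insn_idx = 0;` taking its place, so the loop's starting index and the initial `env->prev_insn_idx` now depend on `env` being zeroed where it is allocated. That allocation is not shown in this hunk. If it holds, a short comment before the `for (;;)` such as `/* env->insn_idx and env->prev_insn_idx start at 0: env is zero-allocated */` would make the dependency visible. Otherwise the explicit assignment should be restored. do_check() continues outside the hunk.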
@@ -5692,17 +5850,19 @@ static int do_check(struct bpf_verifier_env *env)
                        return -E2BIG;
                }
 
-               err = is_state_visited(env, insn_idx);
+               err = is_state_visited(env, env->insn_idx);
                if (err < 0)
                        return err;
                if (err == 1) {
                        /* found equivalent state, can prune the search */
                        if (env->log.level) {
                                if (do_print_state)
-                                       verbose(env, "\nfrom %d to %d: safe\n",
-                                               prev_insn_idx, insn_idx);
+                                       verbose(env, "\nfrom %d to %d%s: safe\n",
+                                               env->prev_insn_idx, env->insn_idx,
+                                               env->cur_state->speculative ?
+                                               " (speculative execution)" : "");
                                else
-                                       verbose(env, "%d: safe\n", insn_idx);
+                                       verbose(env, "%d: safe\n", env->insn_idx);
                        }
                        goto process_bpf_exit;
                }
@@ -5715,10 +5875,12 @@ static int do_check(struct bpf_verifier_env *env)
 
                if (env->log.level > 1 || (env->log.level && do_print_state)) {
                        if (env->log.level > 1)
-                               verbose(env, "%d:", insn_idx);
+                               verbose(env, "%d:", env->insn_idx);
                        else
-                               verbose(env, "\nfrom %d to %d:",
-                                       prev_insn_idx, insn_idx);
+                               verbose(env, "\nfrom %d to %d%s:",
+                                       env->prev_insn_idx, env->insn_idx,
+                                       env->cur_state->speculative ?
+                                       " (speculative execution)" : "");
                        print_verifier_state(env, state->frame[state->curframe]);
                        do_print_state = false;
                }
@@ -5729,20 +5891,20 @@ static int do_check(struct bpf_verifier_env *env)
                                .private_data   = env,
                        };
 
-                       verbose_linfo(env, insn_idx, "; ");
-                       verbose(env, "%d: ", insn_idx);
+                       verbose_linfo(env, env->insn_idx, "; ");
+                       verbose(env, "%d: ", env->insn_idx);
                        print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
                }
 
                if (bpf_prog_is_dev_bound(env->prog->aux)) {
-                       err = bpf_prog_offload_verify_insn(env, insn_idx,
-                                                          prev_insn_idx);
+                       err = bpf_prog_offload_verify_insn(env, env->insn_idx,
+                                                          env->prev_insn_idx);
                        if (err)
                                return err;
                }
 
                regs = cur_regs(env);
-               env->insn_aux_data[insn_idx].seen = true;
+               env->insn_aux_data[env->insn_idx].seen = true;
 
                if (class == BPF_ALU || class == BPF_ALU64) {
                        err = check_alu_op(env, insn);
@@ -5768,13 +5930,13 @@ static int do_check(struct bpf_verifier_env *env)
                        /* check that memory (src_reg + off) is readable,
                         * the state of dst_reg will be updated by this func
                         */
-                       err = check_mem_access(env, insn_idx, insn->src_reg, insn->off,
-                                              BPF_SIZE(insn->code), BPF_READ,
-                                              insn->dst_reg, false);
+                       err = check_mem_access(env, env->insn_idx, insn->src_reg,
+                                              insn->off, BPF_SIZE(insn->code),
+                                              BPF_READ, insn->dst_reg, false);
                        if (err)
                                return err;
 
-                       prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
+                       prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;
 
                        if (*prev_src_type == NOT_INIT) {
                                /* saw a valid insn
@@ -5799,10 +5961,10 @@ static int do_check(struct bpf_verifier_env *env)
                        enum bpf_reg_type *prev_dst_type, dst_reg_type;
 
                        if (BPF_MODE(insn->code) == BPF_XADD) {
-                               err = check_xadd(env, insn_idx, insn);
+                               err = check_xadd(env, env->insn_idx, insn);
                                if (err)
                                        return err;
-                               insn_idx++;
+                               env->insn_idx++;
                                continue;
                        }
 
@@ -5818,13 +5980,13 @@ static int do_check(struct bpf_verifier_env *env)
                        dst_reg_type = regs[insn->dst_reg].type;
 
                        /* check that memory (dst_reg + off) is writeable */
-                       err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
-                                              BPF_SIZE(insn->code), BPF_WRITE,
-                                              insn->src_reg, false);
+                       err = check_mem_access(env, env->insn_idx, insn->dst_reg,
+                                              insn->off, BPF_SIZE(insn->code),
+                                              BPF_WRITE, insn->src_reg, false);
                        if (err)
                                return err;
 
-                       prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
+                       prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;
 
                        if (*prev_dst_type == NOT_INIT) {
                                *prev_dst_type = dst_reg_type;
@@ -5852,9 +6014,9 @@ static int do_check(struct bpf_verifier_env *env)
                        }
 
                        /* check that memory (dst_reg + off) is writeable */
-                       err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
-                                              BPF_SIZE(insn->code), BPF_WRITE,
-                                              -1, false);
+                       err = check_mem_access(env, env->insn_idx, insn->dst_reg,
+                                              insn->off, BPF_SIZE(insn->code),
+                                              BPF_WRITE, -1, false);
                        if (err)
                                return err;
 
@@ -5872,9 +6034,9 @@ static int do_check(struct bpf_verifier_env *env)
                                }
 
                                if (insn->src_reg == BPF_PSEUDO_CALL)
-                                       err = check_func_call(env, insn, &insn_idx);
+                                       err = check_func_call(env, insn, &env->insn_idx);
                                else
-                                       err = check_helper_call(env, insn->imm, insn_idx);
+                                       err = check_helper_call(env, insn->imm, env->insn_idx);
                                if (err)
                                        return err;
 
@@ -5887,7 +6049,7 @@ static int do_check(struct bpf_verifier_env *env)
                                        return -EINVAL;
                                }
 
-                               insn_idx += insn->off + 1;
+                               env->insn_idx += insn->off + 1;
                                continue;
 
                        } else if (opcode == BPF_EXIT) {
@@ -5901,8 +6063,8 @@ static int do_check(struct bpf_verifier_env *env)
 
                                if (state->curframe) {
                                        /* exit from nested function */
-                                       prev_insn_idx = insn_idx;
-                                       err = prepare_func_exit(env, &insn_idx);
+                                       env->prev_insn_idx = env->insn_idx;
+                                       err = prepare_func_exit(env, &env->insn_idx);
                                        if (err)
                                                return err;
                                        do_print_state = true;
@@ -5932,7 +6094,8 @@ static int do_check(struct bpf_verifier_env *env)
                                if (err)
                                        return err;
 process_bpf_exit:
-                               err = pop_stack(env, &prev_insn_idx, &insn_idx);
+                               err = pop_stack(env, &env->prev_insn_idx,
+                                               &env->insn_idx);
                                if (err < 0) {
                                        if (err != -ENOENT)
                                                return err;
@@ -5942,7 +6105,7 @@ process_bpf_exit:
                                        continue;
                                }
                        } else {
-                               err = check_cond_jmp_op(env, insn, &insn_idx);
+                               err = check_cond_jmp_op(env, insn, &env->insn_idx);
                                if (err)
                                        return err;
                        }
@@ -5959,8 +6122,8 @@ process_bpf_exit:
                                if (err)
                                        return err;
 
-                               insn_idx++;
-                               env->insn_aux_data[insn_idx].seen = true;
+                               env->insn_idx++;
+                               env->insn_aux_data[env->insn_idx].seen = true;
                        } else {
                                verbose(env, "invalid BPF_LD mode\n");
                                return -EINVAL;
@@ -5970,7 +6133,7 @@ process_bpf_exit:
                        return -EINVAL;
                }
 
-               insn_idx++;
+               env->insn_idx++;
        }
 
        verbose(env, "processed %d insns (limit %d), stack depth ",
@@ -6709,6 +6872,57 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                        continue;
                }
 
+               if (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||
+                   insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {
+                       const u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;
+                       const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;
+                       struct bpf_insn insn_buf[16];
+                       struct bpf_insn *patch = &insn_buf[0];
+                       bool issrc, isneg;
+                       u32 off_reg;
+
+                       aux = &env->insn_aux_data[i + delta];
+                       if (!aux->alu_state)
+                               continue;
+
+                       isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
+                       issrc = (aux->alu_state & BPF_ALU_SANITIZE) ==
+                               BPF_ALU_SANITIZE_SRC;
+
+                       off_reg = issrc ? insn->src_reg : insn->dst_reg;
+                       if (isneg)
+                               *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
+                       *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
+                       *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
+                       *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
+                       *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
+                       *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
+                       if (issrc) {
+                               *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
+                                                        off_reg);
+                               insn->src_reg = BPF_REG_AX;
+                       } else {
+                               *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
+                                                        BPF_REG_AX);
+                       }
+                       if (isneg)
+                               insn->code = insn->code == code_add ?
+                                            code_sub : code_add;
+                       *patch++ = *insn;
+                       if (issrc && isneg)
+                               *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
+                       cnt = patch - insn_buf;
+
+                       new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                       if (!new_prog)
+                               return -ENOMEM;
+
+                       delta    += cnt - 1;
+                       env->prog = prog = new_prog;
+                       insn      = new_prog->insnsi + i + delta;
+                       continue;
+               }
+
                if (insn->code != (BPF_JMP | BPF_CALL))
                        continue;
                if (insn->src_reg == BPF_PSEUDO_CALL)
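Review bot: `BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1)` assumes alu_limit is at least 1, and nothing in this block or in sanitize_ptr_alu() enforces that. retrieve_ptr_limit() computes `-off` and `MAX_BPF_STACK + off` for stack pointers, both of which are 0 at the ends of the frame. In that case the subtraction wraps to 0xffffffff and the SUB/OR/NEG/ARSH sequence appears to yield an all-ones mask for any 32-bit offset, so the masking would restrict nothing. The zero case should be handled where the limit is recorded, by rejecting it or forcing a zero mask. At minimum this line needs `/* requires alu_limit >= 1; alu_limit - 1 would wrap and disable the mask */`. The enclosing loop in fixup_bpf_calls() starts and ends outside the hunk.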
index 089d00d0da9c330111eeeea1ee3c008b8ec71cec..f01affa17e225d29be50f58b8f9c430e971ae42a 100644 (file)
@@ -95,28 +95,28 @@ int compat_put_timex(struct compat_timex __user *utp, const struct timex *txc)
 
 static int __compat_get_timeval(struct timeval *tv, const struct old_timeval32 __user *ctv)
 {
-       return (!access_ok(VERIFY_READ, ctv, sizeof(*ctv)) ||
+       return (!access_ok(ctv, sizeof(*ctv)) ||
                        __get_user(tv->tv_sec, &ctv->tv_sec) ||
                        __get_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0;
 }
 
 static int __compat_put_timeval(const struct timeval *tv, struct old_timeval32 __user *ctv)
 {
-       return (!access_ok(VERIFY_WRITE, ctv, sizeof(*ctv)) ||
+       return (!access_ok(ctv, sizeof(*ctv)) ||
                        __put_user(tv->tv_sec, &ctv->tv_sec) ||
                        __put_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0;
 }
 
 static int __compat_get_timespec(struct timespec *ts, const struct old_timespec32 __user *cts)
 {
-       return (!access_ok(VERIFY_READ, cts, sizeof(*cts)) ||
+       return (!access_ok(cts, sizeof(*cts)) ||
                        __get_user(ts->tv_sec, &cts->tv_sec) ||
                        __get_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
 }
 
 static int __compat_put_timespec(const struct timespec *ts, struct old_timespec32 __user *cts)
 {
-       return (!access_ok(VERIFY_WRITE, cts, sizeof(*cts)) ||
+       return (!access_ok(cts, sizeof(*cts)) ||
                        __put_user(ts->tv_sec, &cts->tv_sec) ||
                        __put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
 }
@@ -335,7 +335,7 @@ int get_compat_sigevent(struct sigevent *event,
                const struct compat_sigevent __user *u_event)
 {
        memset(event, 0, sizeof(*event));
-       return (!access_ok(VERIFY_READ, u_event, sizeof(*u_event)) ||
+       return (!access_ok(u_event, sizeof(*u_event)) ||
                __get_user(event->sigev_value.sival_int,
                        &u_event->sigev_value.sival_int) ||
                __get_user(event->sigev_signo, &u_event->sigev_signo) ||
@@ -354,10 +354,9 @@ long compat_get_bitmap(unsigned long *mask, const compat_ulong_t __user *umask,
        bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
        nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
 
-       if (!access_ok(VERIFY_READ, umask, bitmap_size / 8))
+       if (!user_access_begin(umask, bitmap_size / 8))
                return -EFAULT;
 
-       user_access_begin();
        while (nr_compat_longs > 1) {
                compat_ulong_t l1, l2;
                unsafe_get_user(l1, umask++, Efault);
@@ -384,10 +383,9 @@ long compat_put_bitmap(compat_ulong_t __user *umask, unsigned long *mask,
        bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
        nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
 
-       if (!access_ok(VERIFY_WRITE, umask, bitmap_size / 8))
+       if (!user_access_begin(umask, bitmap_size / 8))
                return -EFAULT;
 
-       user_access_begin();
        while (nr_compat_longs > 1) {
                unsigned long m = *mask++;
                unsafe_put_user((compat_ulong_t)m, umask++, Efault);
@@ -438,7 +436,7 @@ void __user *compat_alloc_user_space(unsigned long len)
 
        ptr = arch_compat_alloc_user_space(len);
 
-       if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
+       if (unlikely(!access_ok(ptr, len)))
                return NULL;
 
        return ptr;
index 67ecac337374a41d7e1d144ed8df2f2baab8271f..3cd13a30f732921bec9ac0235613b02da5f91de9 100644 (file)
@@ -10135,7 +10135,7 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
        u32 size;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, uattr, PERF_ATTR_SIZE_VER0))
+       if (!access_ok(uattr, PERF_ATTR_SIZE_VER0))
                return -EFAULT;
 
        /*
index 0e21e6d21f35f884f5b89b4237bd0be4f2b8a085..2d14979577ee1ef536bf3e554057e14dab90ce0f 100644 (file)
@@ -1604,10 +1604,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
        if (!infop)
                return err;
 
-       if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+       if (!user_access_begin(infop, sizeof(*infop)))
                return -EFAULT;
 
-       user_access_begin();
        unsafe_put_user(signo, &infop->si_signo, Efault);
        unsafe_put_user(0, &infop->si_errno, Efault);
        unsafe_put_user(info.cause, &infop->si_code, Efault);
@@ -1732,10 +1731,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
        if (!infop)
                return err;
 
-       if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+       if (!user_access_begin(infop, sizeof(*infop)))
                return -EFAULT;
 
-       user_access_begin();
        unsafe_put_user(signo, &infop->si_signo, Efault);
        unsafe_put_user(0, &infop->si_errno, Efault);
        unsafe_put_user(info.cause, &infop->si_code, Efault);
index 054105854e0e38fbab1fbaee8fc743729526de2c..be3bff2315ff75c46565a42c126f05641c753b98 100644 (file)
@@ -481,13 +481,18 @@ static void drop_futex_key_refs(union futex_key *key)
        }
 }
 
+enum futex_access {
+       FUTEX_READ,
+       FUTEX_WRITE
+};
+
 /**
  * get_futex_key() - Get parameters which are the keys for a futex
  * @uaddr:     virtual address of the futex
  * @fshared:   0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
  * @key:       address where result is stored.
- * @rw:                mapping needs to be read/write (values: VERIFY_READ,
- *              VERIFY_WRITE)
+ * @rw:                mapping needs to be read/write (values: FUTEX_READ,
+ *              FUTEX_WRITE)
  *
  * Return: a negative error code or 0
  *
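Review bot: The kernel-doc for `@rw` still reads "mapping needs to be read/write", but in the hunks of this file `rw` is no longer passed to `access_ok()` and is only compared against `FUTEX_READ` to pick the read-only `get_user_pages_fast()` retry. The description should say that, so a reader does not assume the range check enforces writability: `@rw: FUTEX_WRITE requires a writable mapping; FUTEX_READ allows the read-only fallback`. A one-line comment above `enum futex_access` stating that it replaces the former VERIFY_READ/VERIFY_WRITE argument would also help. The body of get_futex_key() lies outside this hunk.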
@@ -500,7 +505,7 @@ static void drop_futex_key_refs(union futex_key *key)
  * lock_page() might sleep, the caller should not hold a spinlock.
  */
 static int
-get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
+get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, enum futex_access rw)
 {
        unsigned long address = (unsigned long)uaddr;
        struct mm_struct *mm = current->mm;
@@ -516,7 +521,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
                return -EINVAL;
        address -= key->both.offset;
 
-       if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+       if (unlikely(!access_ok(uaddr, sizeof(u32))))
                return -EFAULT;
 
        if (unlikely(should_fail_futex(fshared)))
@@ -546,7 +551,7 @@ again:
         * If write access is not required (eg. FUTEX_WAIT), try
         * and get read-only access.
         */
-       if (err == -EFAULT && rw == VERIFY_READ) {
+       if (err == -EFAULT && rw == FUTEX_READ) {
                err = get_user_pages_fast(address, 1, 0, &page);
                ro = 1;
        }
@@ -1583,7 +1588,7 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset)
        if (!bitset)
                return -EINVAL;
 
-       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_READ);
+       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_READ);
        if (unlikely(ret != 0))
                goto out;
 
@@ -1642,7 +1647,7 @@ static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
                oparg = 1 << oparg;
        }
 
-       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+       if (!access_ok(uaddr, sizeof(u32)))
                return -EFAULT;
 
        ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
@@ -1682,10 +1687,10 @@ futex_wake_op(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
        DEFINE_WAKE_Q(wake_q);
 
 retry:
-       ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
+       ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
        if (unlikely(ret != 0))
                goto out;
-       ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
+       ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
        if (unlikely(ret != 0))
                goto out_put_key1;
 
@@ -1961,11 +1966,11 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
        }
 
 retry:
-       ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
+       ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
        if (unlikely(ret != 0))
                goto out;
        ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2,
-                           requeue_pi ? VERIFY_WRITE : VERIFY_READ);
+                           requeue_pi ? FUTEX_WRITE : FUTEX_READ);
        if (unlikely(ret != 0))
                goto out_put_key1;
 
@@ -2634,7 +2639,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
         * while the syscall executes.
         */
 retry:
-       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, VERIFY_READ);
+       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, FUTEX_READ);
        if (unlikely(ret != 0))
                return ret;
 
@@ -2793,7 +2798,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
        }
 
 retry:
-       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, VERIFY_WRITE);
+       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
        if (unlikely(ret != 0))
                goto out;
 
@@ -2972,7 +2977,7 @@ retry:
        if ((uval & FUTEX_TID_MASK) != vpid)
                return -EPERM;
 
-       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE);
+       ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_WRITE);
        if (ret)
                return ret;
 
@@ -3199,7 +3204,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
         */
        rt_mutex_init_waiter(&rt_waiter);
 
-       ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
+       ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
        if (unlikely(ret != 0))
                goto out;
 
index 1306fe0c1dc6f3bf8ee7b280b1c98202b99da2a8..d3d170374cebf884169c754071813e418336e188 100644 (file)
@@ -1466,7 +1466,7 @@ int do_syslog(int type, char __user *buf, int len, int source)
                        return -EINVAL;
                if (!len)
                        return 0;
-               if (!access_ok(VERIFY_WRITE, buf, len))
+               if (!access_ok(buf, len))
                        return -EFAULT;
                error = wait_event_interruptible(log_wait,
                                                 syslog_seq != log_next_seq);
@@ -1484,7 +1484,7 @@ int do_syslog(int type, char __user *buf, int len, int source)
                        return -EINVAL;
                if (!len)
                        return 0;
-               if (!access_ok(VERIFY_WRITE, buf, len))
+               if (!access_ok(buf, len))
                        return -EFAULT;
                error = syslog_print_all(buf, len, clear);
                break;
index c2cee9db52040a069188fa9949d37785b0539f7b..771e93f9c43f826270c1927665fa5d6aaa8654e7 100644 (file)
@@ -1073,7 +1073,7 @@ int ptrace_request(struct task_struct *child, long request,
                struct iovec kiov;
                struct iovec __user *uiov = datavp;
 
-               if (!access_ok(VERIFY_WRITE, uiov, sizeof(*uiov)))
+               if (!access_ok(uiov, sizeof(*uiov)))
                        return -EFAULT;
 
                if (__get_user(kiov.iov_base, &uiov->iov_base) ||
@@ -1229,7 +1229,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
                compat_uptr_t ptr;
                compat_size_t len;
 
-               if (!access_ok(VERIFY_WRITE, uiov, sizeof(*uiov)))
+               if (!access_ok(uiov, sizeof(*uiov)))
                        return -EFAULT;
 
                if (__get_user(ptr, &uiov->iov_base) ||
index c6242d8594dc7c0fab52de9df7f9cf01e49e5d0f..25e9a7b60eba43e14db86283cb07e8a172c9de4f 100644 (file)
@@ -267,7 +267,7 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs)
 
        if (unlikely(t->flags & PF_EXITING))
                return;
-       if (unlikely(!access_ok(VERIFY_WRITE, t->rseq, sizeof(*t->rseq))))
+       if (unlikely(!access_ok(t->rseq, sizeof(*t->rseq))))
                goto error;
        ret = rseq_ip_fixup(regs);
        if (unlikely(ret < 0))
@@ -295,7 +295,7 @@ void rseq_syscall(struct pt_regs *regs)
 
        if (!t->rseq)
                return;
-       if (!access_ok(VERIFY_READ, t->rseq, sizeof(*t->rseq)) ||
+       if (!access_ok(t->rseq, sizeof(*t->rseq)) ||
            rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs))
                force_sig(SIGSEGV, t);
 }
@@ -351,7 +351,7 @@ SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len,
        if (!IS_ALIGNED((unsigned long)rseq, __alignof__(*rseq)) ||
            rseq_len != sizeof(*rseq))
                return -EINVAL;
-       if (!access_ok(VERIFY_WRITE, rseq, rseq_len))
+       if (!access_ok(rseq, rseq_len))
                return -EFAULT;
        current->rseq = rseq;
        current->rseq_len = rseq_len;
index 17a954c9e15377adf4e97a53c8760a6a03797ca0..223f78d5c1110d90d7d64e0ee55d1efb99f0ec6a 100644 (file)
@@ -4450,7 +4450,7 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a
        u32 size;
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, uattr, SCHED_ATTR_SIZE_VER0))
+       if (!access_ok(uattr, SCHED_ATTR_SIZE_VER0))
                return -EFAULT;
 
        /* Zero the full structure, so that a short copy will be nice: */
@@ -4650,7 +4650,7 @@ static int sched_read_attr(struct sched_attr __user *uattr,
 {
        int ret;
 
-       if (!access_ok(VERIFY_WRITE, uattr, usize))
+       if (!access_ok(uattr, usize))
                return -EFAULT;
 
        /*
index 53e07d97ffe018f391fa7976573dc0e0c93c40cb..e1d7ad8e6ab179835d719d87aa9cb5c87c29339d 100644 (file)
@@ -3997,7 +3997,7 @@ SYSCALL_DEFINE3(sigaction, int, sig,
 
        if (act) {
                old_sigset_t mask;
-               if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
+               if (!access_ok(act, sizeof(*act)) ||
                    __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
                    __get_user(new_ka.sa.sa_restorer, &act->sa_restorer) ||
                    __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
@@ -4012,7 +4012,7 @@ SYSCALL_DEFINE3(sigaction, int, sig,
        ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
        if (!ret && oact) {
-               if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
+               if (!access_ok(oact, sizeof(*oact)) ||
                    __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
                    __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) ||
                    __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
@@ -4034,7 +4034,7 @@ COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
        compat_uptr_t handler, restorer;
 
        if (act) {
-               if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
+               if (!access_ok(act, sizeof(*act)) ||
                    __get_user(handler, &act->sa_handler) ||
                    __get_user(restorer, &act->sa_restorer) ||
                    __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
@@ -4052,7 +4052,7 @@ COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
        ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
        if (!ret && oact) {
-               if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
+               if (!access_ok(oact, sizeof(*oact)) ||
                    __put_user(ptr_to_compat(old_ka.sa.sa_handler),
                               &oact->sa_handler) ||
                    __put_user(ptr_to_compat(old_ka.sa.sa_restorer),
index 64b5a230f38d785846ff69699bd74915a77a76d1..a48cbf1414b88f9c5986f8283a8e59f735dc308b 100644 (file)
@@ -2627,7 +2627,7 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info)
                s.freehigh >>= bitcount;
        }
 
-       if (!access_ok(VERIFY_WRITE, info, sizeof(struct compat_sysinfo)) ||
+       if (!access_ok(info, sizeof(struct compat_sysinfo)) ||
            __put_user(s.uptime, &info->uptime) ||
            __put_user(s.loads[0], &info->loads[0]) ||
            __put_user(s.loads[1], &info->loads[1]) ||
index 9ddb6fddb4e01b52850ba173d53a24914b4eb4c9..8b068adb9da1ce23538eeb3bdf3fc7fbd94f2f59 100644 (file)
@@ -170,7 +170,7 @@ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
                return -EPERM;
        if (unlikely(uaccess_kernel()))
                return -EPERM;
-       if (!access_ok(VERIFY_WRITE, unsafe_ptr, size))
+       if (!access_ok(unsafe_ptr, size))
                return -EPERM;
 
        return probe_kernel_write(unsafe_ptr, src, size);
index eead55aa71706b385bb76830ba20ba043a076927..98872e9025dabd336fbb01dc5970376adc88c4e8 100644 (file)
@@ -443,7 +443,7 @@ int bitmap_parse_user(const char __user *ubuf,
                        unsigned int ulen, unsigned long *maskp,
                        int nmaskbits)
 {
-       if (!access_ok(VERIFY_READ, ubuf, ulen))
+       if (!access_ok(ubuf, ulen))
                return -EFAULT;
        return __bitmap_parse((const char __force *)ubuf,
                                ulen, 1, maskp, nmaskbits);
@@ -641,7 +641,7 @@ int bitmap_parselist_user(const char __user *ubuf,
                        unsigned int ulen, unsigned long *maskp,
                        int nmaskbits)
 {
-       if (!access_ok(VERIFY_READ, ubuf, ulen))
+       if (!access_ok(ubuf, ulen))
                return -EFAULT;
        return __bitmap_parselist((const char __force *)ubuf,
                                        ulen, 1, maskp, nmaskbits);
index 1928009f506e8e4531cea681257da6df4b8a8024..c93870987b58279bc21a1cfa64d991aff160378d 100644 (file)
 
 static int copyout(void __user *to, const void *from, size_t n)
 {
-       if (access_ok(VERIFY_WRITE, to, n)) {
+       if (access_ok(to, n)) {
                kasan_check_read(from, n);
                n = raw_copy_to_user(to, from, n);
        }
@@ -145,7 +145,7 @@ static int copyout(void __user *to, const void *from, size_t n)
 
 static int copyin(void *to, const void __user *from, size_t n)
 {
-       if (access_ok(VERIFY_READ, from, n)) {
+       if (access_ok(from, n)) {
                kasan_check_write(to, n);
                n = raw_copy_from_user(to, from, n);
        }
@@ -614,7 +614,7 @@ EXPORT_SYMBOL(_copy_to_iter);
 #ifdef CONFIG_ARCH_HAS_UACCESS_MCSAFE
 static int copyout_mcsafe(void __user *to, const void *from, size_t n)
 {
-       if (access_ok(VERIFY_WRITE, to, n)) {
+       if (access_ok(to, n)) {
                kasan_check_read(from, n);
                n = copy_to_user_mcsafe((__force void *) to, from, n);
        }
@@ -1663,7 +1663,7 @@ int import_single_range(int rw, void __user *buf, size_t len,
 {
        if (len > MAX_RW_COUNT)
                len = MAX_RW_COUNT;
-       if (unlikely(!access_ok(!rw, buf, len)))
+       if (unlikely(!access_ok(buf, len)))
                return -EFAULT;
 
        iov->iov_base = buf;
index b53e1b5d80f429e611cd0be58e9ec1079fb68ead..58eacd41526c58339a7cb35ef92a618f0f3517e4 100644 (file)
@@ -114,10 +114,11 @@ long strncpy_from_user(char *dst, const char __user *src, long count)
 
                kasan_check_write(dst, count);
                check_object_size(dst, count, false);
-               user_access_begin();
-               retval = do_strncpy_from_user(dst, src, count, max);
-               user_access_end();
-               return retval;
+               if (user_access_begin(src, max)) {
+                       retval = do_strncpy_from_user(dst, src, count, max);
+                       user_access_end();
+                       return retval;
+               }
        }
        return -EFAULT;
 }
index 60d0bbda8f5e581178719e9122b0e9f19b0876a5..1c1a1b0e38a5f5c853cf935ed06eb9abb2b56ef2 100644 (file)
@@ -114,10 +114,11 @@ long strnlen_user(const char __user *str, long count)
                unsigned long max = max_addr - src_addr;
                long retval;
 
-               user_access_begin();
-               retval = do_strnlen_user(str, count, max);
-               user_access_end();
-               return retval;
+               if (user_access_begin(str, max)) {
+                       retval = do_strnlen_user(str, count, max);
+                       user_access_end();
+                       return retval;
+               }
        }
        return 0;
 }
index 3744b2a8e591c666e932b25aa80fd43f0d9956b3..c2bfbcaeb3dc5bb9dc2a1efd4b30acd2e0ad6f90 100644 (file)
@@ -8,7 +8,7 @@ unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n
 {
        unsigned long res = n;
        might_fault();
-       if (likely(access_ok(VERIFY_READ, from, n))) {
+       if (likely(access_ok(from, n))) {
                kasan_check_write(to, n);
                res = raw_copy_from_user(to, from, n);
        }
@@ -23,7 +23,7 @@ EXPORT_SYMBOL(_copy_from_user);
 unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
 {
        might_fault();
-       if (likely(access_ok(VERIFY_WRITE, to, n))) {
+       if (likely(access_ok(to, n))) {
                kasan_check_read(from, n);
                n = raw_copy_to_user(to, from, n);
        }
index 6dd33e16a8063ca21c653cbdf68537ebefdd710c..05acd7e2eb22e0849c5125d0cabc671fdc58f71f 100644 (file)
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1813,8 +1813,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
        len = (unsigned long) nr_pages << PAGE_SHIFT;
        end = start + len;
 
-       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                       (void __user *)start, len)))
+       if (unlikely(!access_ok((void __user *)start, len)))
                return 0;
 
        /*
@@ -1868,8 +1867,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
        if (nr_pages <= 0)
                return 0;
 
-       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                       (void __user *)start, len)))
+       if (unlikely(!access_ok((void __user *)start, len)))
                return -EFAULT;
 
        if (gup_fast_permitted(start, nr_pages, write)) {
index 4985965aa20a56fbafeaff20096d1fddbbb0d51f..218099b5ed31d1e971d8d64b0951a31b8e310c01 100644 (file)
@@ -233,14 +233,14 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len,
                return -EINVAL;
 
        /* ..and we need to be passed a valid user-space range */
-       if (!access_ok(VERIFY_READ, (void __user *) start, len))
+       if (!access_ok((void __user *) start, len))
                return -ENOMEM;
 
        /* This also avoids any overflows on PAGE_ALIGN */
        pages = len >> PAGE_SHIFT;
        pages += (offset_in_page(len)) != 0;
 
-       if (!access_ok(VERIFY_WRITE, vec, pages))
+       if (!access_ok(vec, pages))
                return -EFAULT;
 
        tmp = (void *) __get_free_page(GFP_USER);
index c603d33d54108b9f93f1745534da28d25f12c0ea..5d01edf8d819e89aec03df70e9f3bcf6340314cb 100644 (file)
@@ -653,15 +653,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
                        break;
                }
 
-               dev = dev_get_by_name(&init_net, devname);
+               rtnl_lock();
+               dev = __dev_get_by_name(&init_net, devname);
                if (!dev) {
+                       rtnl_unlock();
                        res = -ENODEV;
                        break;
                }
 
                ax25->ax25_dev = ax25_dev_ax25dev(dev);
+               if (!ax25->ax25_dev) {
+                       rtnl_unlock();
+                       res = -ENODEV;
+                       break;
+               }
                ax25_fillin_cb(ax25, ax25->ax25_dev);
-               dev_put(dev);
+               rtnl_unlock();
                break;
 
        default:
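Review bot: `ax25->ax25_dev` keeps the value returned by `ax25_dev_ax25dev(dev)` after `rtnl_unlock()`, and with `dev_get_by_name()`/`dev_put()` replaced by `__dev_get_by_name()` this path no longer takes any reference on the device. Nothing in the hunk states what keeps that object alive while the socket still points at it, and ax25_dev_device_down(), in the next file of this commit, ends in `kfree(ax25_dev)`. A comment at the assignment naming the lifetime rule would make it reviewable, for example that teardown detaches sockets under RTNL before the free (to be confirmed against the rest of the file). The three `rtnl_unlock()` calls could also share a single exit path. The function body starts and ends outside the hunk.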
index 9a3a301e1e2f0e1dce8f716750c652d031877cb0..d92195cd78349f2d50eefdc31ac186087c2c77c3 100644 (file)
@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
        if ((s = ax25_dev_list) == ax25_dev) {
                ax25_dev_list = s->next;
                spin_unlock_bh(&ax25_dev_lock);
+               dev->ax25_ptr = NULL;
                dev_put(dev);
                kfree(ax25_dev);
                return;
@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
                if (s->next == ax25_dev) {
                        s->next = ax25_dev->next;
                        spin_unlock_bh(&ax25_dev_lock);
+                       dev->ax25_ptr = NULL;
                        dev_put(dev);
                        kfree(ax25_dev);
                        return;
index d70f363c52ae2219aa819d897c1872278005db27..6d5859714f52ba453f10055598074ceca25c1323 100644 (file)
@@ -147,7 +147,7 @@ static ssize_t batadv_socket_read(struct file *file, char __user *buf,
        if (!buf || count < sizeof(struct batadv_icmp_packet))
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        error = wait_event_interruptible(socket_client->queue_wait,
index 02e55b78132f018f01200a228d080403f54fa444..75f602e1ce94ecf3b2aa570939bd4444185b3ce2 100644 (file)
@@ -136,7 +136,7 @@ static ssize_t batadv_log_read(struct file *file, char __user *buf,
        if (count == 0)
                return 0;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        error = wait_event_interruptible(debug_log->queue_wait,
index f7084780a8f81d073f4796e8732f61ab917afa05..959d1c51826d8b18765bce50b4378f177e912797 100644 (file)
@@ -358,7 +358,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
 
        if (optlen < sizeof(*up))
                return -EINVAL;
-       if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+       if (!access_ok(up, sizeof(*up)) ||
            __get_user(ktime.tv_sec, &up->tv_sec) ||
            __get_user(ktime.tv_usec, &up->tv_usec))
                return -EFAULT;
@@ -438,7 +438,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
 
        if (!err) {
                if (put_user(sizeof(*up), optlen) ||
-                   !access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
+                   !access_ok(up, sizeof(*up)) ||
                    __put_user(ktime.tv_sec, &up->tv_sec) ||
                    __put_user(ktime.tv_usec, &up->tv_usec))
                        err = -EFAULT;
@@ -467,12 +467,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
        ctv = (struct compat_timeval __user *) userstamp;
        err = -ENOENT;
        sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-       tv = ktime_to_timeval(sk->sk_stamp);
+       tv = ktime_to_timeval(sock_read_timestamp(sk));
+
        if (tv.tv_sec == -1)
                return err;
        if (tv.tv_sec == 0) {
-               sk->sk_stamp = ktime_get_real();
-               tv = ktime_to_timeval(sk->sk_stamp);
+               ktime_t kt = ktime_get_real();
+               sock_write_timestamp(sk, kt);
+               tv = ktime_to_timeval(kt);
        }
        err = 0;
        if (put_user(tv.tv_sec, &ctv->tv_sec) ||
@@ -494,12 +496,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
        ctv = (struct compat_timespec __user *) userstamp;
        err = -ENOENT;
        sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-       ts = ktime_to_timespec(sk->sk_stamp);
+       ts = ktime_to_timespec(sock_read_timestamp(sk));
        if (ts.tv_sec == -1)
                return err;
        if (ts.tv_sec == 0) {
-               sk->sk_stamp = ktime_get_real();
-               ts = ktime_to_timespec(sk->sk_stamp);
+               ktime_t kt = ktime_get_real();
+               sock_write_timestamp(sk, kt);
+               ts = ktime_to_timespec(kt);
        }
        err = 0;
        if (put_user(ts.tv_sec, &ctv->tv_sec) ||
@@ -587,8 +590,8 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                        compat_alloc_user_space(sizeof(struct group_req));
                u32 interface;
 
-               if (!access_ok(VERIFY_READ, gr32, sizeof(*gr32)) ||
-                   !access_ok(VERIFY_WRITE, kgr, sizeof(struct group_req)) ||
+               if (!access_ok(gr32, sizeof(*gr32)) ||
+                   !access_ok(kgr, sizeof(struct group_req)) ||
                    __get_user(interface, &gr32->gr_interface) ||
                    __put_user(interface, &kgr->gr_interface) ||
                    copy_in_user(&kgr->gr_group, &gr32->gr_group,
@@ -608,8 +611,8 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                        sizeof(struct group_source_req));
                u32 interface;
 
-               if (!access_ok(VERIFY_READ, gsr32, sizeof(*gsr32)) ||
-                   !access_ok(VERIFY_WRITE, kgsr,
+               if (!access_ok(gsr32, sizeof(*gsr32)) ||
+                   !access_ok(kgsr,
                        sizeof(struct group_source_req)) ||
                    __get_user(interface, &gsr32->gsr_interface) ||
                    __put_user(interface, &kgsr->gsr_interface) ||
@@ -628,7 +631,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                struct group_filter __user *kgf;
                u32 interface, fmode, numsrc;
 
-               if (!access_ok(VERIFY_READ, gf32, __COMPAT_GF0_SIZE) ||
+               if (!access_ok(gf32, __COMPAT_GF0_SIZE) ||
                    __get_user(interface, &gf32->gf_interface) ||
                    __get_user(fmode, &gf32->gf_fmode) ||
                    __get_user(numsrc, &gf32->gf_numsrc))
@@ -638,7 +641,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                if (koptlen < GROUP_FILTER_SIZE(numsrc))
                        return -EINVAL;
                kgf = compat_alloc_user_space(koptlen);
-               if (!access_ok(VERIFY_WRITE, kgf, koptlen) ||
+               if (!access_ok(kgf, koptlen) ||
                    __put_user(interface, &kgf->gf_interface) ||
                    __put_user(fmode, &kgf->gf_fmode) ||
                    __put_user(numsrc, &kgf->gf_numsrc) ||
@@ -672,7 +675,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
                return getsockopt(sock, level, optname, optval, optlen);
 
        koptlen = compat_alloc_user_space(sizeof(*koptlen));
-       if (!access_ok(VERIFY_READ, optlen, sizeof(*optlen)) ||
+       if (!access_ok(optlen, sizeof(*optlen)) ||
            __get_user(ulen, optlen))
                return -EFAULT;
 
@@ -682,14 +685,14 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
        if (klen < GROUP_FILTER_SIZE(0))
                return -EINVAL;
 
-       if (!access_ok(VERIFY_WRITE, koptlen, sizeof(*koptlen)) ||
+       if (!access_ok(koptlen, sizeof(*koptlen)) ||
            __put_user(klen, koptlen))
                return -EFAULT;
 
        /* have to allow space for previous compat_alloc_user_space, too */
        kgf = compat_alloc_user_space(klen+sizeof(*optlen));
 
-       if (!access_ok(VERIFY_READ, gf32, __COMPAT_GF0_SIZE) ||
+       if (!access_ok(gf32, __COMPAT_GF0_SIZE) ||
            __get_user(interface, &gf32->gf_interface) ||
            __get_user(fmode, &gf32->gf_fmode) ||
            __get_user(numsrc, &gf32->gf_numsrc) ||
@@ -703,18 +706,18 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
        if (err)
                return err;
 
-       if (!access_ok(VERIFY_READ, koptlen, sizeof(*koptlen)) ||
+       if (!access_ok(koptlen, sizeof(*koptlen)) ||
            __get_user(klen, koptlen))
                return -EFAULT;
 
        ulen = klen - (sizeof(*kgf)-sizeof(*gf32));
 
-       if (!access_ok(VERIFY_WRITE, optlen, sizeof(*optlen)) ||
+       if (!access_ok(optlen, sizeof(*optlen)) ||
            __put_user(ulen, optlen))
                return -EFAULT;
 
-       if (!access_ok(VERIFY_READ, kgf, klen) ||
-           !access_ok(VERIFY_WRITE, gf32, ulen) ||
+       if (!access_ok(kgf, klen) ||
+           !access_ok(gf32, ulen) ||
            __get_user(interface, &kgf->gf_interface) ||
            __get_user(fmode, &kgf->gf_fmode) ||
            __get_user(numsrc, &kgf->gf_numsrc) ||
index d05402868575825917537bd77fd8a8a057737463..158264f7cfafbe8d857a2781204979de3b8958aa 100644 (file)
@@ -793,8 +793,13 @@ static noinline_for_stack int ethtool_get_drvinfo(struct net_device *dev,
                if (rc >= 0)
                        info.n_priv_flags = rc;
        }
-       if (ops->get_regs_len)
-               info.regdump_len = ops->get_regs_len(dev);
+       if (ops->get_regs_len) {
+               int ret = ops->get_regs_len(dev);
+
+               if (ret > 0)
+                       info.regdump_len = ret;
+       }
+
        if (ops->get_eeprom_len)
                info.eedump_len = ops->get_eeprom_len(dev);
 
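Review bot: The negative-return guard is added for `get_regs_len` only; two lines below, `info.eedump_len = ops->get_eeprom_len(dev);` still stores the callback result unchecked. If get_eeprom_len can also return a negative errno (its prototype is not visible in this hunk), that value would be reported to user space as a very large length. The same pattern would apply there: `int ret = ops->get_eeprom_len(dev); if (ret > 0) info.eedump_len = ret;`. ethtool_get_drvinfo() starts and ends outside the hunk.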
@@ -1337,6 +1342,9 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
                return -EFAULT;
 
        reglen = ops->get_regs_len(dev);
+       if (reglen <= 0)
+               return reglen;
+
        if (regs.len > reglen)
                regs.len = reglen;
 
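Review bot: `if (reglen <= 0) return reglen;` makes a zero length return 0, which the caller would normally read as success although no registers were copied out. If zero means "nothing to dump", a short comment should say so, e.g. `/* <0: driver error, 0: no registers to dump */`. If it means the dump is unsupported, an explicit error code would be clearer than 0. ethtool_get_regs() starts and ends outside the hunk.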
index 48f61885fd6f9feb2ff9afeff78d03e98e97afd4..5ea1bed08edef2cc5a35c95130165eba39968710 100644 (file)
@@ -4104,6 +4104,11 @@ static int rtnl_fdb_get(struct sk_buff *in_skb, struct nlmsghdr *nlh,
        if (err < 0)
                return err;
 
+       if (!addr) {
+               NL_SET_ERR_MSG(extack, "Missing lookup address for fdb get request");
+               return -EINVAL;
+       }
+
        if (brport_idx) {
                dev = __dev_get_by_index(net, brport_idx);
                if (!dev) {
index f00902c532cc777335eaad8989e472ef71089ecd..6aa2e7e0b4fbdbc29d43d6b61a53b8de2a7ba269 100644 (file)
@@ -2751,6 +2751,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
        sk->sk_sndtimeo         =       MAX_SCHEDULE_TIMEOUT;
 
        sk->sk_stamp = SK_DEFAULT_STAMP;
+#if BITS_PER_LONG==32
+       seqlock_init(&sk->sk_stamp_seq);
+#endif
        atomic_set(&sk->sk_zckey, 0);
 
 #ifdef CONFIG_NET_RX_BUSY_POLL
@@ -2850,12 +2853,13 @@ int sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
        struct timeval tv;
 
        sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-       tv = ktime_to_timeval(sk->sk_stamp);
+       tv = ktime_to_timeval(sock_read_timestamp(sk));
        if (tv.tv_sec == -1)
                return -ENOENT;
        if (tv.tv_sec == 0) {
-               sk->sk_stamp = ktime_get_real();
-               tv = ktime_to_timeval(sk->sk_stamp);
+               ktime_t kt = ktime_get_real();
+               sock_write_timestamp(sk, kt);
+               tv = ktime_to_timeval(kt);
        }
        return copy_to_user(userstamp, &tv, sizeof(tv)) ? -EFAULT : 0;
 }
@@ -2866,11 +2870,12 @@ int sock_get_timestampns(struct sock *sk, struct timespec __user *userstamp)
        struct timespec ts;
 
        sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-       ts = ktime_to_timespec(sk->sk_stamp);
+       ts = ktime_to_timespec(sock_read_timestamp(sk));
        if (ts.tv_sec == -1)
                return -ENOENT;
        if (ts.tv_sec == 0) {
-               sk->sk_stamp = ktime_get_real();
+               ktime_t kt = ktime_get_real();
+               sock_write_timestamp(sk, kt);
                ts = ktime_to_timespec(sk->sk_stamp);
        }
        return copy_to_user(userstamp, &ts, sizeof(ts)) ? -EFAULT : 0;
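Review bot: In sock_get_timestampns() the refill branch still converts `sk->sk_stamp` directly, so the value just stored with sock_write_timestamp() is read back without going through sock_read_timestamp(). The sibling sock_get_timestamp() in the previous hunk converts the local `kt` instead. On builds where BITS_PER_LONG is 32, this plain 64-bit read can race with a concurrent writer, which is the case the sk_stamp_seq seqlock was added for. The line should read `ts = ktime_to_timespec(kt);`. The function's closing brace lies outside the hunk.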
index f8eb78d042a48e658792fa38d7466a87eca944aa..cfec3af54c8d3729d6d1c7bbd00f1d7e301d03ca 100644 (file)
@@ -198,11 +198,15 @@ static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
 
 static struct fib_table *fib_empty_table(struct net *net)
 {
-       u32 id;
+       u32 id = 1;
 
-       for (id = 1; id <= RT_TABLE_MAX; id++)
+       while (1) {
                if (!fib_get_table(net, id))
                        return fib_new_table(net, id);
+
+               if (id++ == RT_TABLE_MAX)
+                       break;
+       }
        return NULL;
 }
 
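Review bot: The reshaped loop in fib_empty_table() carries no comment saying why the `for` loop was replaced, so a later reader is likely to simplify it back. Presumably RT_TABLE_MAX is the largest value a u32 can hold (its definition is not visible here). In that case `id <= RT_TABLE_MAX` is always true and the old loop wraps to 0 instead of terminating. That is worth stating above the `while (1)`, e.g. `/* test before incrementing: id <= RT_TABLE_MAX can never be false for a u32 */`.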
index c7a7bd58a23c585778cce9bb0dcf6525caef6e55..d1d09f3e5f9ec9493d7749447307784a771f501e 100644 (file)
@@ -676,6 +676,9 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
        struct ip_tunnel *tunnel = netdev_priv(dev);
        const struct iphdr *tnl_params;
 
+       if (!pskb_inet_may_pull(skb))
+               goto free_skb;
+
        if (tunnel->collect_md) {
                gre_fb_xmit(skb, dev, skb->protocol);
                return NETDEV_TX_OK;
@@ -719,6 +722,9 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
        struct ip_tunnel *tunnel = netdev_priv(dev);
        bool truncate = false;
 
+       if (!pskb_inet_may_pull(skb))
+               goto free_skb;
+
        if (tunnel->collect_md) {
                erspan_fb_xmit(skb, dev, skb->protocol);
                return NETDEV_TX_OK;
@@ -762,6 +768,9 @@ static netdev_tx_t gre_tap_xmit(struct sk_buff *skb,
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
 
+       if (!pskb_inet_may_pull(skb))
+               goto free_skb;
+
        if (tunnel->collect_md) {
                gre_fb_xmit(skb, dev, htons(ETH_P_TEB));
                return NETDEV_TX_OK;
index 284a22154b4e6cb129ca7dfd127ce11e306dba19..c4f5602308edca064297fe8764764f65ebe84569 100644 (file)
@@ -627,7 +627,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
                    const struct iphdr *tnl_params, u8 protocol)
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
-       unsigned int inner_nhdr_len = 0;
        const struct iphdr *inner_iph;
        struct flowi4 fl4;
        u8     tos, ttl;
@@ -637,14 +636,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
        __be32 dst;
        bool connected;
 
-       /* ensure we can access the inner net header, for several users below */
-       if (skb->protocol == htons(ETH_P_IP))
-               inner_nhdr_len = sizeof(struct iphdr);
-       else if (skb->protocol == htons(ETH_P_IPV6))
-               inner_nhdr_len = sizeof(struct ipv6hdr);
-       if (unlikely(!pskb_may_pull(skb, inner_nhdr_len)))
-               goto tx_error;
-
        inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
        connected = (tunnel->parms.iph.daddr != 0);
 
index de31b302d69c6bd29c1b9fb2b9f681456c6cd2c3..d7b43e700023a0fa8791600393f0c2931b22bb25 100644 (file)
@@ -241,6 +241,9 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct flowi fl;
 
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
        memset(&fl, 0, sizeof(fl));
 
        switch (skb->protocol) {
@@ -253,15 +256,18 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
                break;
        default:
-               dev->stats.tx_errors++;
-               dev_kfree_skb(skb);
-               return NETDEV_TX_OK;
+               goto tx_err;
        }
 
        /* override mark with tunnel output key */
        fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key);
 
        return vti_xmit(skb, dev, &fl);
+
+tx_err:
+       dev->stats.tx_errors++;
+       kfree_skb(skb);
+       return NETDEV_TX_OK;
 }
 
 static int vti4_err(struct sk_buff *skb, u32 info)
index 521e471f1cf92017933deda65bff1d13ddde0ec2..8eeec6eb2bd3730a7445eabffb06ffb03e82e78f 100644 (file)
@@ -4736,8 +4736,8 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh,
                         IFA_F_MCAUTOJOIN | IFA_F_OPTIMISTIC;
 
        idev = ipv6_find_idev(dev);
-       if (IS_ERR(idev))
-               return PTR_ERR(idev);
+       if (!idev)
+               return -ENOBUFS;
 
        if (!ipv6_allow_optimistic_dad(net, idev))
                cfg.ifa_flags &= ~IFA_F_OPTIMISTIC;
index f0cd291034f0fa8ece55acd0fccf79e02629c98a..0bfb6cc0a30a6387baffef47c83eb2e2fb1bddf8 100644 (file)
@@ -350,6 +350,9 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
                                        err = -EINVAL;
                                        goto out_unlock;
                                }
+                       }
+
+                       if (sk->sk_bound_dev_if) {
                                dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if);
                                if (!dev) {
                                        err = -ENODEV;
index ae3786132c236b2bcde4f8f3008fceb2d6bc1cdd..6613d8dbb0e5a5c3ba883c957e5bc4ba2bf00777 100644 (file)
@@ -627,7 +627,11 @@ static int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
                        return -ENOENT;
                }
 
-               res = fib6_dump_table(tb, skb, cb);
+               if (!cb->args[0]) {
+                       res = fib6_dump_table(tb, skb, cb);
+                       if (!res)
+                               cb->args[0] = 1;
+               }
                goto out;
        }
 
index 229e55c99021a887bde599c3f8ac73013084d23b..09d0826742f89f32fec444993f50812bbaec8366 100644 (file)
@@ -881,6 +881,9 @@ static netdev_tx_t ip6gre_tunnel_xmit(struct sk_buff *skb,
        struct net_device_stats *stats = &t->dev->stats;
        int ret;
 
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
        if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
                goto tx_err;
 
@@ -923,6 +926,9 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
        int nhoff;
        int thoff;
 
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
        if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
                goto tx_err;
 
@@ -995,8 +1001,6 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                        goto tx_err;
                }
        } else {
-               struct ipv6hdr *ipv6h = ipv6_hdr(skb);
-
                switch (skb->protocol) {
                case htons(ETH_P_IP):
                        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
@@ -1004,7 +1008,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                                                 &dsfield, &encap_limit);
                        break;
                case htons(ETH_P_IPV6):
-                       if (ipv6_addr_equal(&t->parms.raddr, &ipv6h->saddr))
+                       if (ipv6_addr_equal(&t->parms.raddr, &ipv6_hdr(skb)->saddr))
                                goto tx_err;
                        if (prepare_ip6gre_xmit_ipv6(skb, dev, &fl6,
                                                     &dsfield, &encap_limit))
index 99179b9c83840bb730a27e7391c9e7f67d043cf1..0c6403cf8b5226fbe4bf2e4506b3816b30973b0b 100644 (file)
@@ -1243,10 +1243,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
        u8 tproto;
        int err;
 
-       /* ensure we can access the full inner ip header */
-       if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-               return -1;
-
        iph = ip_hdr(skb);
        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
 
@@ -1321,9 +1317,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
        u8 tproto;
        int err;
 
-       if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
-               return -1;
-
        ipv6h = ipv6_hdr(skb);
        tproto = READ_ONCE(t->parms.proto);
        if ((tproto != IPPROTO_IPV6 && tproto != 0) ||
@@ -1405,6 +1398,9 @@ ip6_tnl_start_xmit(struct sk_buff *skb, struct net_device *dev)
        struct net_device_stats *stats = &t->dev->stats;
        int ret;
 
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
        switch (skb->protocol) {
        case htons(ETH_P_IP):
                ret = ip4ip6_tnl_xmit(skb, dev);
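Review bot: ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit() now read ip_hdr()/ipv6_hdr() with no length check of their own, because their pskb_may_pull() calls are removed in the two hunks above. They depend entirely on the pskb_inet_may_pull() added here, and that precondition is not written down anywhere. A one-line comment above each helper, `/* caller must have run pskb_inet_may_pull(skb) */`, would keep a future second caller from reading past the linear data. Whether either helper has callers besides ip6_tnl_start_xmit() is not visible in this diff.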
index 706fe42e4928990c84ba157496628d14803f7199..8b6eefff2f7eaf624d854064b5f4b31121ba5079 100644 (file)
@@ -522,18 +522,18 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ip6_tnl *t = netdev_priv(dev);
        struct net_device_stats *stats = &t->dev->stats;
-       struct ipv6hdr *ipv6h;
        struct flowi fl;
        int ret;
 
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
        memset(&fl, 0, sizeof(fl));
 
        switch (skb->protocol) {
        case htons(ETH_P_IPV6):
-               ipv6h = ipv6_hdr(skb);
-
                if ((t->parms.proto != IPPROTO_IPV6 && t->parms.proto != 0) ||
-                   vti6_addr_conflict(t, ipv6h))
+                   vti6_addr_conflict(t, ipv6_hdr(skb)))
                        goto tx_err;
 
                xfrm_decode_session(skb, &fl, AF_INET6);
index 8276f1224f168d2c07278798dc436bd457e8e391..30337b38274b29f0f4816f9f0a3c7f6a1ffbf1cb 100644 (file)
@@ -51,6 +51,7 @@
 #include <linux/export.h>
 #include <net/ip6_checksum.h>
 #include <linux/netconf.h>
+#include <net/ip_tunnels.h>
 
 #include <linux/nospec.h>
 
@@ -599,13 +600,12 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
                .flowi6_iif     = skb->skb_iif ? : LOOPBACK_IFINDEX,
                .flowi6_mark    = skb->mark,
        };
-       int err;
 
-       err = ip6mr_fib_lookup(net, &fl6, &mrt);
-       if (err < 0) {
-               kfree_skb(skb);
-               return err;
-       }
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
+       if (ip6mr_fib_lookup(net, &fl6, &mrt) < 0)
+               goto tx_err;
 
        read_lock(&mrt_lock);
        dev->stats.tx_bytes += skb->len;
@@ -614,6 +614,11 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
        read_unlock(&mrt_lock);
        kfree_skb(skb);
        return NETDEV_TX_OK;
+
+tx_err:
+       dev->stats.tx_errors++;
+       kfree_skb(skb);
+       return NETDEV_TX_OK;
 }
 
 static int reg_vif_get_iflink(const struct net_device *dev)
index a5bb59ee50acc4b813765a61dab5fd030ea089dd..36a3d8dc61f56ce5abe0239da51d0a48550af5d0 100644 (file)
@@ -210,7 +210,7 @@ found:
        if (next && next->ip_defrag_offset < end)
                goto discard_fq;
 
-       /* Note : skb->ip_defrag_offset and skb->dev share the same location */
+       /* Note : skb->ip_defrag_offset and skb->sk share the same location */
        dev = skb->dev;
        if (dev)
                fq->iif = dev->ifindex;
index 194bc162866d6986651b6133eeaf9a6706e495c2..40b225f87d5e1d9095bb7209bfb9581fb7cfe026 100644 (file)
@@ -210,7 +210,9 @@ struct neighbour *ip6_neigh_lookup(const struct in6_addr *gw,
        n = __ipv6_neigh_lookup(dev, daddr);
        if (n)
                return n;
-       return neigh_create(&nd_tbl, daddr, dev);
+
+       n = neigh_create(&nd_tbl, daddr, dev);
+       return IS_ERR(n) ? NULL : n;
 }
 
 static struct neighbour *ip6_dst_neigh_lookup(const struct dst_entry *dst,
@@ -5054,12 +5056,16 @@ int ipv6_sysctl_rtcache_flush(struct ctl_table *ctl, int write,
 {
        struct net *net;
        int delay;
+       int ret;
        if (!write)
                return -EINVAL;
 
        net = (struct net *)ctl->extra1;
        delay = net->ipv6.sysctl.flush_delay;
-       proc_dointvec(ctl, write, buffer, lenp, ppos);
+       ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
+       if (ret)
+               return ret;
+
        fib6_run_gc(delay <= 0 ? 0 : (unsigned long)delay, net, delay > 0);
        return 0;
 }
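Review bot: `delay` is sampled from net->ipv6.sysctl.flush_delay before proc_dointvec() runs, so fib6_run_gc() is driven by the value from before this write rather than the one just parsed. This assumes ctl->data points at flush_delay, which the hunk does not show. If the written value is meant to take effect immediately, move the read below the new `if (ret) return ret;`; if the old value is intended, a comment saying so would help. Separately, the added `int ret;` is followed directly by `if (!write)`, and kernel style wants a blank line after the declarations.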
index 51c9f75f34b9bba7cf65d8c1e2e6032281ec6f30..1e03305c0549220550d1e940c66fce967062aa89 100644 (file)
@@ -1021,6 +1021,9 @@ tx_error:
 static netdev_tx_t sit_tunnel_xmit(struct sk_buff *skb,
                                   struct net_device *dev)
 {
+       if (!pskb_inet_may_pull(skb))
+               goto tx_err;
+
        switch (skb->protocol) {
        case htons(ETH_P_IP):
                sit_tunnel_xmit__(skb, dev, IPPROTO_IPIP);
index 9cd180bda0920304467165cef1365c7291575347..7554c56b2e63c8a7c1a53b9ce0b21b126d54b079 100644 (file)
 
 #define CONNCOUNT_SLOTS                256U
 
-#ifdef CONFIG_LOCKDEP
-#define CONNCOUNT_LOCK_SLOTS   8U
-#else
-#define CONNCOUNT_LOCK_SLOTS   256U
-#endif
-
 #define CONNCOUNT_GC_MAX_NODES 8
 #define MAX_KEYLEN             5
 
@@ -49,8 +43,6 @@ struct nf_conncount_tuple {
        struct nf_conntrack_zone        zone;
        int                             cpu;
        u32                             jiffies32;
-       bool                            dead;
-       struct rcu_head                 rcu_head;
 };
 
 struct nf_conncount_rb {
@@ -60,7 +52,7 @@ struct nf_conncount_rb {
        struct rcu_head rcu_head;
 };
 
-static spinlock_t nf_conncount_locks[CONNCOUNT_LOCK_SLOTS] __cacheline_aligned_in_smp;
+static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp;
 
 struct nf_conncount_data {
        unsigned int keylen;
@@ -89,79 +81,25 @@ static int key_diff(const u32 *a, const u32 *b, unsigned int klen)
        return memcmp(a, b, klen * sizeof(u32));
 }
 
-enum nf_conncount_list_add
-nf_conncount_add(struct nf_conncount_list *list,
-                const struct nf_conntrack_tuple *tuple,
-                const struct nf_conntrack_zone *zone)
-{
-       struct nf_conncount_tuple *conn;
-
-       if (WARN_ON_ONCE(list->count > INT_MAX))
-               return NF_CONNCOUNT_ERR;
-
-       conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
-       if (conn == NULL)
-               return NF_CONNCOUNT_ERR;
-
-       conn->tuple = *tuple;
-       conn->zone = *zone;
-       conn->cpu = raw_smp_processor_id();
-       conn->jiffies32 = (u32)jiffies;
-       conn->dead = false;
-       spin_lock_bh(&list->list_lock);
-       if (list->dead == true) {
-               kmem_cache_free(conncount_conn_cachep, conn);
-               spin_unlock_bh(&list->list_lock);
-               return NF_CONNCOUNT_SKIP;
-       }
-       list_add_tail(&conn->node, &list->head);
-       list->count++;
-       spin_unlock_bh(&list->list_lock);
-       return NF_CONNCOUNT_ADDED;
-}
-EXPORT_SYMBOL_GPL(nf_conncount_add);
-
-static void __conn_free(struct rcu_head *h)
-{
-       struct nf_conncount_tuple *conn;
-
-       conn = container_of(h, struct nf_conncount_tuple, rcu_head);
-       kmem_cache_free(conncount_conn_cachep, conn);
-}
-
-static bool conn_free(struct nf_conncount_list *list,
+static void conn_free(struct nf_conncount_list *list,
                      struct nf_conncount_tuple *conn)
 {
-       bool free_entry = false;
-
-       spin_lock_bh(&list->list_lock);
-
-       if (conn->dead) {
-               spin_unlock_bh(&list->list_lock);
-               return free_entry;
-       }
+       lockdep_assert_held(&list->list_lock);
 
        list->count--;
-       conn->dead = true;
-       list_del_rcu(&conn->node);
-       if (list->count == 0) {
-               list->dead = true;
-               free_entry = true;
-       }
+       list_del(&conn->node);
 
-       spin_unlock_bh(&list->list_lock);
-       call_rcu(&conn->rcu_head, __conn_free);
-       return free_entry;
+       kmem_cache_free(conncount_conn_cachep, conn);
 }
 
 static const struct nf_conntrack_tuple_hash *
 find_or_evict(struct net *net, struct nf_conncount_list *list,
-             struct nf_conncount_tuple *conn, bool *free_entry)
+             struct nf_conncount_tuple *conn)
 {
        const struct nf_conntrack_tuple_hash *found;
        unsigned long a, b;
        int cpu = raw_smp_processor_id();
-       __s32 age;
+       u32 age;
 
        found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
        if (found)
@@ -176,52 +114,45 @@ find_or_evict(struct net *net, struct nf_conncount_list *list,
         */
        age = a - b;
        if (conn->cpu == cpu || age >= 2) {
-               *free_entry = conn_free(list, conn);
+               conn_free(list, conn);
                return ERR_PTR(-ENOENT);
        }
 
        return ERR_PTR(-EAGAIN);
 }
 
-void nf_conncount_lookup(struct net *net,
-                        struct nf_conncount_list *list,
-                        const struct nf_conntrack_tuple *tuple,
-                        const struct nf_conntrack_zone *zone,
-                        bool *addit)
+static int __nf_conncount_add(struct net *net,
+                             struct nf_conncount_list *list,
+                             const struct nf_conntrack_tuple *tuple,
+                             const struct nf_conntrack_zone *zone)
 {
        const struct nf_conntrack_tuple_hash *found;
        struct nf_conncount_tuple *conn, *conn_n;
        struct nf_conn *found_ct;
        unsigned int collect = 0;
-       bool free_entry = false;
-
-       /* best effort only */
-       *addit = tuple ? true : false;
 
        /* check the saved connections */
        list_for_each_entry_safe(conn, conn_n, &list->head, node) {
                if (collect > CONNCOUNT_GC_MAX_NODES)
                        break;
 
-               found = find_or_evict(net, list, conn, &free_entry);
+               found = find_or_evict(net, list, conn);
                if (IS_ERR(found)) {
                        /* Not found, but might be about to be confirmed */
                        if (PTR_ERR(found) == -EAGAIN) {
-                               if (!tuple)
-                                       continue;
-
                                if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
                                    nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
                                    nf_ct_zone_id(zone, zone->dir))
-                                       *addit = false;
-                       } else if (PTR_ERR(found) == -ENOENT)
+                                       return 0; /* already exists */
+                       } else {
                                collect++;
+                       }
                        continue;
                }
 
                found_ct = nf_ct_tuplehash_to_ctrack(found);
 
-               if (tuple && nf_ct_tuple_equal(&conn->tuple, tuple) &&
+               if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
                    nf_ct_zone_equal(found_ct, zone, zone->dir)) {
                        /*
                         * We should not see tuples twice unless someone hooks
@@ -229,7 +160,8 @@ void nf_conncount_lookup(struct net *net,
                         *
                         * Attempt to avoid a re-add in this case.
                         */
-                       *addit = false;
+                       nf_ct_put(found_ct);
+                       return 0;
                } else if (already_closed(found_ct)) {
                        /*
                         * we do not care about connections which are
@@ -243,19 +175,48 @@ void nf_conncount_lookup(struct net *net,
 
                nf_ct_put(found_ct);
        }
+
+       if (WARN_ON_ONCE(list->count > INT_MAX))
+               return -EOVERFLOW;
+
+       conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
+       if (conn == NULL)
+               return -ENOMEM;
+
+       conn->tuple = *tuple;
+       conn->zone = *zone;
+       conn->cpu = raw_smp_processor_id();
+       conn->jiffies32 = (u32)jiffies;
+       list_add_tail(&conn->node, &list->head);
+       list->count++;
+       return 0;
 }
-EXPORT_SYMBOL_GPL(nf_conncount_lookup);
+
+int nf_conncount_add(struct net *net,
+                    struct nf_conncount_list *list,
+                    const struct nf_conntrack_tuple *tuple,
+                    const struct nf_conntrack_zone *zone)
+{
+       int ret;
+
+       /* check the saved connections */
+       spin_lock_bh(&list->list_lock);
+       ret = __nf_conncount_add(net, list, tuple, zone);
+       spin_unlock_bh(&list->list_lock);
+
+       return ret;
+}
+EXPORT_SYMBOL_GPL(nf_conncount_add);
 
 void nf_conncount_list_init(struct nf_conncount_list *list)
 {
        spin_lock_init(&list->list_lock);
        INIT_LIST_HEAD(&list->head);
        list->count = 0;
-       list->dead = false;
 }
 EXPORT_SYMBOL_GPL(nf_conncount_list_init);
 
-/* Return true if the list is empty */
+/* Return true if the list is empty. Must be called with BH disabled. */
 bool nf_conncount_gc_list(struct net *net,
                          struct nf_conncount_list *list)
 {
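Review bot: __nf_conncount_add() walks and modifies list->head and list->count but, unlike conn_free(), does not assert that list->list_lock is held. It is now called both from nf_conncount_add() and directly from count_tree(), each taking the lock itself. A `lockdep_assert_held(&list->list_lock);` as the first statement of __nf_conncount_add() would document and check that contract; the function's opening lines are in the preceding hunk. The comment `/* check the saved connections */` in nf_conncount_add() sits above the lock acquisition and reads as a leftover from the old lookup function, so it could be dropped.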
@@ -263,17 +224,17 @@ bool nf_conncount_gc_list(struct net *net,
        struct nf_conncount_tuple *conn, *conn_n;
        struct nf_conn *found_ct;
        unsigned int collected = 0;
-       bool free_entry = false;
        bool ret = false;
 
+       /* don't bother if other cpu is already doing GC */
+       if (!spin_trylock(&list->list_lock))
+               return false;
+
        list_for_each_entry_safe(conn, conn_n, &list->head, node) {
-               found = find_or_evict(net, list, conn, &free_entry);
+               found = find_or_evict(net, list, conn);
                if (IS_ERR(found)) {
-                       if (PTR_ERR(found) == -ENOENT)  {
-                               if (free_entry)
-                                       return true;
+                       if (PTR_ERR(found) == -ENOENT)
                                collected++;
-                       }
                        continue;
                }
 
@@ -284,23 +245,19 @@ bool nf_conncount_gc_list(struct net *net,
                         * closed already -> ditch it
                         */
                        nf_ct_put(found_ct);
-                       if (conn_free(list, conn))
-                               return true;
+                       conn_free(list, conn);
                        collected++;
                        continue;
                }
 
                nf_ct_put(found_ct);
                if (collected > CONNCOUNT_GC_MAX_NODES)
-                       return false;
+                       break;
        }
 
-       spin_lock_bh(&list->list_lock);
-       if (!list->count) {
-               list->dead = true;
+       if (!list->count)
                ret = true;
-       }
-       spin_unlock_bh(&list->list_lock);
+       spin_unlock(&list->list_lock);
 
        return ret;
 }
@@ -314,6 +271,7 @@ static void __tree_nodes_free(struct rcu_head *h)
        kmem_cache_free(conncount_rb_cachep, rbconn);
 }
 
+/* caller must hold tree nf_conncount_locks[] lock */
 static void tree_nodes_free(struct rb_root *root,
                            struct nf_conncount_rb *gc_nodes[],
                            unsigned int gc_count)
@@ -323,8 +281,10 @@ static void tree_nodes_free(struct rb_root *root,
        while (gc_count) {
                rbconn = gc_nodes[--gc_count];
                spin_lock(&rbconn->list.list_lock);
-               rb_erase(&rbconn->node, root);
-               call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+               if (!rbconn->list.count) {
+                       rb_erase(&rbconn->node, root);
+                       call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+               }
                spin_unlock(&rbconn->list.list_lock);
        }
 }
@@ -341,20 +301,19 @@ insert_tree(struct net *net,
            struct rb_root *root,
            unsigned int hash,
            const u32 *key,
-           u8 keylen,
            const struct nf_conntrack_tuple *tuple,
            const struct nf_conntrack_zone *zone)
 {
-       enum nf_conncount_list_add ret;
        struct nf_conncount_rb *gc_nodes[CONNCOUNT_GC_MAX_NODES];
        struct rb_node **rbnode, *parent;
        struct nf_conncount_rb *rbconn;
        struct nf_conncount_tuple *conn;
        unsigned int count = 0, gc_count = 0;
-       bool node_found = false;
-
-       spin_lock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]);
+       u8 keylen = data->keylen;
+       bool do_gc = true;
 
+       spin_lock_bh(&nf_conncount_locks[hash]);
+restart:
        parent = NULL;
        rbnode = &(root->rb_node);
        while (*rbnode) {
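Review bot: `nf_conncount_locks[hash]` is now indexed with the raw `hash` argument here and again at `out_unlock`, where the old code applied `% CONNCOUNT_LOCK_SLOTS`. The array has CONNCOUNT_SLOTS entries, so the access is in bounds only if the caller has already reduced `hash` below CONNCOUNT_SLOTS, and that reduction is not visible in this diff. A comment on insert_tree() stating the requirement, e.g. `/* hash must already be reduced modulo CONNCOUNT_SLOTS */`, would make the assumption explicit. insert_tree()'s body continues in the following hunks.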
@@ -368,45 +327,32 @@ insert_tree(struct net *net,
                } else if (diff > 0) {
                        rbnode = &((*rbnode)->rb_right);
                } else {
-                       /* unlikely: other cpu added node already */
-                       node_found = true;
-                       ret = nf_conncount_add(&rbconn->list, tuple, zone);
-                       if (ret == NF_CONNCOUNT_ERR) {
+                       int ret;
+
+                       ret = nf_conncount_add(net, &rbconn->list, tuple, zone);
+                       if (ret)
                                count = 0; /* hotdrop */
-                       } else if (ret == NF_CONNCOUNT_ADDED) {
+                       else
                                count = rbconn->list.count;
-                       } else {
-                               /* NF_CONNCOUNT_SKIP, rbconn is already
-                                * reclaimed by gc, insert a new tree node
-                                */
-                               node_found = false;
-                       }
-                       break;
+                       tree_nodes_free(root, gc_nodes, gc_count);
+                       goto out_unlock;
                }
 
                if (gc_count >= ARRAY_SIZE(gc_nodes))
                        continue;
 
-               if (nf_conncount_gc_list(net, &rbconn->list))
+               if (do_gc && nf_conncount_gc_list(net, &rbconn->list))
                        gc_nodes[gc_count++] = rbconn;
        }
 
        if (gc_count) {
                tree_nodes_free(root, gc_nodes, gc_count);
-               /* tree_node_free before new allocation permits
-                * allocator to re-use newly free'd object.
-                *
-                * This is a rare event; in most cases we will find
-                * existing node to re-use. (or gc_count is 0).
-                */
-
-               if (gc_count >= ARRAY_SIZE(gc_nodes))
-                       schedule_gc_worker(data, hash);
+               schedule_gc_worker(data, hash);
+               gc_count = 0;
+               do_gc = false;
+               goto restart;
        }
 
-       if (node_found)
-               goto out_unlock;
-
        /* expected case: match, insert new node */
        rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
        if (rbconn == NULL)
@@ -430,7 +376,7 @@ insert_tree(struct net *net,
        rb_link_node_rcu(&rbconn->node, parent, rbnode);
        rb_insert_color(&rbconn->node, root);
 out_unlock:
-       spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]);
+       spin_unlock_bh(&nf_conncount_locks[hash]);
        return count;
 }
 
@@ -441,7 +387,6 @@ count_tree(struct net *net,
           const struct nf_conntrack_tuple *tuple,
           const struct nf_conntrack_zone *zone)
 {
-       enum nf_conncount_list_add ret;
        struct rb_root *root;
        struct rb_node *parent;
        struct nf_conncount_rb *rbconn;
@@ -454,7 +399,6 @@ count_tree(struct net *net,
        parent = rcu_dereference_raw(root->rb_node);
        while (parent) {
                int diff;
-               bool addit;
 
                rbconn = rb_entry(parent, struct nf_conncount_rb, node);
 
@@ -464,31 +408,36 @@ count_tree(struct net *net,
                } else if (diff > 0) {
                        parent = rcu_dereference_raw(parent->rb_right);
                } else {
-                       /* same source network -> be counted! */
-                       nf_conncount_lookup(net, &rbconn->list, tuple, zone,
-                                           &addit);
+                       int ret;
 
-                       if (!addit)
+                       if (!tuple) {
+                               nf_conncount_gc_list(net, &rbconn->list);
                                return rbconn->list.count;
+                       }
 
-                       ret = nf_conncount_add(&rbconn->list, tuple, zone);
-                       if (ret == NF_CONNCOUNT_ERR) {
-                               return 0; /* hotdrop */
-                       } else if (ret == NF_CONNCOUNT_ADDED) {
-                               return rbconn->list.count;
-                       } else {
-                               /* NF_CONNCOUNT_SKIP, rbconn is already
-                                * reclaimed by gc, insert a new tree node
-                                */
+                       spin_lock_bh(&rbconn->list.list_lock);
+                       /* Node might be about to be free'd.
+                        * We need to defer to insert_tree() in this case.
+                        */
+                       if (rbconn->list.count == 0) {
+                               spin_unlock_bh(&rbconn->list.list_lock);
                                break;
                        }
+
+                       /* same source network -> be counted! */
+                       ret = __nf_conncount_add(net, &rbconn->list, tuple, zone);
+                       spin_unlock_bh(&rbconn->list.list_lock);
+                       if (ret)
+                               return 0; /* hotdrop */
+                       else
+                               return rbconn->list.count;
                }
        }
 
        if (!tuple)
                return 0;
 
-       return insert_tree(net, data, root, hash, key, keylen, tuple, zone);
+       return insert_tree(net, data, root, hash, key, tuple, zone);
 }
 
 static void tree_gc_worker(struct work_struct *work)
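Review bot: The `!tuple` branch of count_tree() calls nf_conncount_gc_list() directly, and that function is now documented as "Must be called with BH disabled" and takes list_lock with plain spin_trylock(). The packet-path acquisitions in nf_conncount_add() and further down in count_tree() use spin_lock_bh(). If count_tree() can be reached with bottom halves enabled (its callers are not visible here), a softirq on the same CPU could spin on a lock held by the interrupted context. Either wrap the call in `local_bh_disable();` / `local_bh_enable();` as tree_gc_worker() does, or state the BH requirement in a comment on count_tree().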
@@ -499,27 +448,47 @@ static void tree_gc_worker(struct work_struct *work)
        struct rb_node *node;
        unsigned int tree, next_tree, gc_count = 0;
 
-       tree = data->gc_tree % CONNCOUNT_LOCK_SLOTS;
+       tree = data->gc_tree % CONNCOUNT_SLOTS;
        root = &data->root[tree];
 
+       local_bh_disable();
        rcu_read_lock();
        for (node = rb_first(root); node != NULL; node = rb_next(node)) {
                rbconn = rb_entry(node, struct nf_conncount_rb, node);
                if (nf_conncount_gc_list(data->net, &rbconn->list))
-                       gc_nodes[gc_count++] = rbconn;
+                       gc_count++;
        }
        rcu_read_unlock();
+       local_bh_enable();
+
+       cond_resched();
 
        spin_lock_bh(&nf_conncount_locks[tree]);
+       if (gc_count < ARRAY_SIZE(gc_nodes))
+               goto next; /* do not bother */
 
-       if (gc_count) {
-               tree_nodes_free(root, gc_nodes, gc_count);
+       gc_count = 0;
+       node = rb_first(root);
+       while (node != NULL) {
+               rbconn = rb_entry(node, struct nf_conncount_rb, node);
+               node = rb_next(node);
+
+               if (rbconn->list.count > 0)
+                       continue;
+
+               gc_nodes[gc_count++] = rbconn;
+               if (gc_count >= ARRAY_SIZE(gc_nodes)) {
+                       tree_nodes_free(root, gc_nodes, gc_count);
+                       gc_count = 0;
+               }
        }
 
+       tree_nodes_free(root, gc_nodes, gc_count);
+next:
        clear_bit(tree, data->pending_trees);
 
        next_tree = (tree + 1) % CONNCOUNT_SLOTS;
-       next_tree = find_next_bit(data->pending_trees, next_tree, CONNCOUNT_SLOTS);
+       next_tree = find_next_bit(data->pending_trees, CONNCOUNT_SLOTS, next_tree);
 
        if (next_tree < CONNCOUNT_SLOTS) {
                data->gc_tree = next_tree;
@@ -621,10 +590,7 @@ static int __init nf_conncount_modinit(void)
 {
        int i;
 
-       BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS);
-       BUILD_BUG_ON((CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS) != 0);
-
-       for (i = 0; i < CONNCOUNT_LOCK_SLOTS; ++i)
+       for (i = 0; i < CONNCOUNT_SLOTS; ++i)
                spin_lock_init(&nf_conncount_locks[i]);
 
        conncount_conn_cachep = kmem_cache_create("nf_conncount_tuple",
index fec814dace5a6e05a397020a4f42c35548f942e2..2b0a93300dd712f24f80567da1548f34b1eff44c 100644 (file)
@@ -5727,6 +5727,8 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
                goto nla_put_failure;
 
        nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
+       if (!nest)
+               goto nla_put_failure;
        if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
            nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
                goto nla_put_failure;
index b90d96ba4a12933a1832c0836a01cc406530edb3..af1497ab9464236b3875aeb536ae32e244e99141 100644 (file)
@@ -30,7 +30,6 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
        enum ip_conntrack_info ctinfo;
        const struct nf_conn *ct;
        unsigned int count;
-       bool addit;
 
        tuple_ptr = &tuple;
 
@@ -44,19 +43,12 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
                return;
        }
 
-       nf_conncount_lookup(nft_net(pkt), &priv->list, tuple_ptr, zone,
-                           &addit);
-       count = priv->list.count;
-
-       if (!addit)
-               goto out;
-
-       if (nf_conncount_add(&priv->list, tuple_ptr, zone) == NF_CONNCOUNT_ERR) {
+       if (nf_conncount_add(nft_net(pkt), &priv->list, tuple_ptr, zone)) {
                regs->verdict.code = NF_DROP;
                return;
        }
-       count++;
-out:
+
+       count = priv->list.count;
 
        if ((count > priv->limit) ^ priv->invert) {
                regs->verdict.code = NFT_BREAK;
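Review bot: `count = priv->list.count;` is read after nf_conncount_add() has returned, and nothing in this hunk shows a lock held across the add and the read, so the limit comparison may see a value another CPU has already changed. If nf_conncount_add() drops its list lock before returning (its body is not in this hunk), make the access explicit with `count = READ_ONCE(priv->list.count);`. A comment should then say that the limit is enforced approximately under concurrent traffic. nft_connlimit_do_eval starts and ends outside the hunk.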
index 03f37c4e64fe44cd822952225736084ad151b2e8..1d3144d1990352f4eb8942220e03e225e01af19f 100644 (file)
@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
        sk_for_each(s, &nr_list)
                if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
                    s->sk_state == TCP_LISTEN) {
-                       bh_lock_sock(s);
+                       sock_hold(s);
                        goto found;
                }
        s = NULL;
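Review bot: nr_find_listener() now returns the socket with a reference taken by `sock_hold(s)` and no longer locked, but nothing visible here documents the new contract. Callers must take `bh_lock_sock()` themselves and drop the reference with `sock_put()`. The same applies to nr_find_socket() and nr_find_peer() in the next two hunks. Unless the header comments outside these hunks already say so, add to each something like `/* Returns the socket with a reference held; caller must sock_put(). */`. A caller not updated by this diff would unlock a socket it never locked and leak the reference, so it is worth checking that every call site is covered.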
@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
                struct nr_sock *nr = nr_sk(s);
 
                if (nr->my_index == index && nr->my_id == id) {
-                       bh_lock_sock(s);
+                       sock_hold(s);
                        goto found;
                }
        }
@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
 
                if (nr->your_index == index && nr->your_id == id &&
                    !ax25cmp(&nr->dest_addr, dest)) {
-                       bh_lock_sock(s);
+                       sock_hold(s);
                        goto found;
                }
        }
@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
                if (i != 0 && j != 0) {
                        if ((sk=nr_find_socket(i, j)) == NULL)
                                break;
-                       bh_unlock_sock(sk);
+                       sock_put(sk);
                }
 
                id++;
@@ -920,6 +920,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
        }
 
        if (sk != NULL) {
+               bh_lock_sock(sk);
                skb_reset_transport_header(skb);
 
                if (frametype == NR_CONNACK && skb->len == 22)
@@ -929,6 +930,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 
                ret = nr_process_rx_frame(sk, skb);
                bh_unlock_sock(sk);
+               sock_put(sk);
                return ret;
        }
 
@@ -960,10 +962,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
            (make = nr_make_new(sk)) == NULL) {
                nr_transmit_refusal(skb, 0);
                if (sk)
-                       bh_unlock_sock(sk);
+                       sock_put(sk);
                return 0;
        }
 
+       bh_lock_sock(sk);
+
        window = skb->data[20];
 
        skb->sk             = make;
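Review bot: `nr_make_new(sk)` in the refusal condition now runs before `bh_lock_sock(sk)`, whereas before this change the listener arrived already locked from nr_find_listener(). If nr_make_new() or the earlier part of the condition (above this hunk) reads listener state that is meant to be protected by the socket lock, take the lock first and release it on the refusal path with `bh_unlock_sock(sk); sock_put(sk);`. If running that part unlocked is intended, a one-line comment before `bh_lock_sock(sk);` saying so would help. The condition begins above the hunk and nr_rx_frame continues below it.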
@@ -1016,6 +1020,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
                sk->sk_data_ready(sk);
 
        bh_unlock_sock(sk);
+       sock_put(sk);
 
        nr_insert_socket(make);
 
index b9bbcf3d6c63976912433109d5c450830fb779f4..c16f0a362c32c302cf71d810b854ba335603848b 100644 (file)
@@ -623,7 +623,7 @@ static void __net_exit rds_tcp_exit_net(struct net *net)
        if (rtn->rds_tcp_sysctl)
                unregister_net_sysctl_table(rtn->rds_tcp_sysctl);
 
-       if (net != &init_net && rtn->ctl_table)
+       if (net != &init_net)
                kfree(rtn->ctl_table);
 }
 
index c7ae1ed5324f3068af5621ee3eac7a77ebbe0910..a6a060925e5d185f72be35e61485b1bf6355f573 100644 (file)
@@ -542,7 +542,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
                /* Don't enable netstamp, sunrpc doesn't
                   need that much accuracy */
        }
-       svsk->sk_sk->sk_stamp = skb->tstamp;
+       sock_write_timestamp(svsk->sk_sk, skb->tstamp);
        set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
 
        len  = skb->len;
index 8c3936403fea40826f6bd24200cbaf095c947ff0..0bea8ff8b0d389e4bb991ce1d3e4de7ea7545fca 100644 (file)
@@ -89,7 +89,7 @@ proc_dodebug(struct ctl_table *table, int write,
        left = *lenp;
 
        if (write) {
-               if (!access_ok(VERIFY_READ, buffer, left))
+               if (!access_ok(buffer, left))
                        return -EFAULT;
                p = buffer;
                while (left && __get_user(c, p) >= 0 && isspace(c))
index fb2c0d8f359f604938e198c040c8cd032206b028..d27f30a9a01d8d34b3f46d6fc12f2d192d6f3494 100644 (file)
@@ -319,7 +319,6 @@ static int tipc_enable_bearer(struct net *net, const char *name,
        res = tipc_disc_create(net, b, &b->bcast_addr, &skb);
        if (res) {
                bearer_disable(net, b);
-               kfree(b);
                errstr = "failed to create discoverer";
                goto rejected;
        }
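Review bot: With `kfree(b)` removed, nothing on the error path says that `bearer_disable(net, b)` is what releases `b`, which is presumably why the extra free was wrong. A comment on the call, e.g. `/* bearer_disable() releases b; do not free it again */`, would keep the double free from being reintroduced. Confirm the ownership against bearer_disable() itself, which is not part of this hunk. tipc_enable_bearer starts and ends outside the hunk.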
index 21f6ccc8940195de27a181a1ec40af0c03956efa..40f5cae623a77d73a34f05f1974c8a3292c18f83 100644 (file)
@@ -904,6 +904,8 @@ static int tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg, u32 sock)
 
        hdr = genlmsg_put(args, 0, 0, &tipc_genl_family, NLM_F_MULTI,
                          TIPC_NL_PUBL_GET);
+       if (!hdr)
+               return -EMSGSIZE;
 
        nest = nla_nest_start(args, TIPC_NLA_SOCK);
        if (!nest) {
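Review bot: The new `if (!hdr) return -EMSGSIZE;` returns without releasing `args`, so if `args` is an skb allocated earlier in this function (above the hunk), this path leaks it. The `if (!nest) {` branch just below opens a block, which suggests the neighbouring failure path does clean up. The new check should probably match it: `if (!hdr) { kfree_skb(args); return -EMSGSIZE; }`. tipc_nl_compat_publ_dump starts and ends outside the hunk.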
index 9b38f94b5dd09e1670b1a17e47454cc36f7614dc..c598aa00d5e3170206eca0914216eec52ee3fef9 100644 (file)
@@ -2591,7 +2591,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
        int idx;
        if (!head->write)
                return -ENOSYS;
-       if (!access_ok(VERIFY_READ, buffer, buffer_len))
+       if (!access_ok(buffer, buffer_len))
                return -EFAULT;
        if (mutex_lock_interruptible(&head->io_sem))
                return -EINTR;
index 92e6524a3a9d965fca88364e83a4defe137433c7..7d4640d1fe9fb8a8ab8eecf045798497cb3e38f3 100644 (file)
@@ -393,7 +393,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count,
        if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_INPUT))
                return -ENXIO;
 
-       if (!access_ok(VERIFY_WRITE, buf, count))
+       if (!access_ok(buf, count))
                return -EFAULT;
 
        /* check client structures are in place */
index d45a6b9d6437bea97abd5d65dd829c3c92c475f0..3d44c358c4b3b0d2ff9a30cd7c2c20436a014de9 100644 (file)
@@ -183,10 +183,10 @@ snd_emu8000_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
        }
 
        if (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_8BITS) {
-               if (!access_ok(VERIFY_READ, data, sp->v.size))
+               if (!access_ok(data, sp->v.size))
                        return -EFAULT;
        } else {
-               if (!access_ok(VERIFY_READ, data, sp->v.size * 2))
+               if (!access_ok(data, sp->v.size * 2))
                        return -EFAULT;
        }
 
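Review bot: `sp->v.size * 2` is evaluated before `access_ok(data, sp->v.size * 2)` sees it, so a large enough size can wrap and the range check would then cover less than the 16-bit sample data the rest of the function presumably reads. Whether the caller already bounds `sp->v.size` is not visible in this hunk. If it does not, reject oversized values first, e.g. `if (sp->v.size < 0 || sp->v.size > INT_MAX / 2) return -EINVAL;` (assuming the field is a signed int). The commit only drops the `VERIFY_READ` argument, and snd_emu8000_sample_new extends beyond the hunk.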
index 0d38c006e1824795eba8f8427f27e0fec9db5a00..4235907b785891326a479023f3433d2afd9b231e 100644 (file)
@@ -226,68 +226,6 @@ config SND_HDA_POWER_SAVE_DEFAULT
          The default time-out value in seconds for HD-audio automatic
          power-save mode.  0 means to disable the power-save mode.
 
-if SND_HDA_INTEL
-
-# The options below should not be enabled by distributions or
-# users. They are selected by Intel/Skylake or SOF drivers when they
-# register for a PCI ID which is also handled by the HDAudio legacy
-# driver. When this option is selected and the DSP is detected based on
-# the PCI class/subclass/prog-if, the probe of the HDAudio legacy
-# aborts. This mechanism removes the need for distributions to use
-# blacklists. It can be bypassed with module parameters should the
-# Intel/Skylake or SOF drivers fail to handle a specific platform.
-
-config SND_HDA_INTEL_DSP_DETECTION_SKL
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         Skylake machines.
-
-config SND_HDA_INTEL_DSP_DETECTION_APL
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         Broxton/ApolloLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_KBL
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         KabyLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_GLK
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         GeminiLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_CNL
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         CannonLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_CFL
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         CoffeeLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_ICL
-       bool
-       help
-         This option is selected by SOF or SST drivers, not users or distros.
-         It enables DSP detection based on PCI class information for
-         IceLake machines
-
-endif ## SND_HDA_INTEL
-
 endif
 
 endmenu
index e0c3fcbaa02843586feed1db7dd10bc32d48b55f..7185ed574b412fc8786a2ca15316347925e3c1d7 100644 (file)
@@ -37,7 +37,7 @@
 #else
 #define AZX_DCAPS_I915_COMPONENT 0             /* NOP */
 #endif
-#define AZX_DCAPS_INTEL_SHARED (1 << 14)       /* shared with ASoC */
+/* 14 unused */
 #define AZX_DCAPS_CTX_WORKAROUND (1 << 15)     /* X-Fi workaround */
 #define AZX_DCAPS_POSFIX_LPIB  (1 << 16)       /* Use LPIB as default */
 /* 17 unused */
index e42cc22309771c5ccca02437cc2f6d911abbacd9..e784130ea4e0eb2d7fec5357fb86872fb44292fc 100644 (file)
@@ -172,9 +172,6 @@ module_param_array(beep_mode, bool, NULL, 0444);
 MODULE_PARM_DESC(beep_mode, "Select HDA Beep registration mode "
                            "(0=off, 1=on) (default=1).");
 #endif
-static int skl_pci_binding;
-module_param_named(pci_binding, skl_pci_binding, int, 0444);
-MODULE_PARM_DESC(pci_binding, "PCI binding (0=auto, 1=only legacy, 2=only asoc");
 
 #ifdef CONFIG_PM
 static int param_set_xint(const char *val, const struct kernel_param *kp);
@@ -360,7 +357,6 @@ enum {
         AZX_DCAPS_NO_64BIT |\
         AZX_DCAPS_4K_BDLE_BOUNDARY | AZX_DCAPS_SNOOP_OFF)
 
-#define AZX_DCAPS_INTEL_DSP_DETECTION(conf) (IS_ENABLED(CONFIG_SND_HDA_INTEL_DSP_DETECTION_##conf) ? AZX_DCAPS_INTEL_SHARED : 0)
 /*
  * vga_switcheroo support
  */
@@ -2052,28 +2048,6 @@ static int azx_probe(struct pci_dev *pci,
        bool schedule_probe;
        int err;
 
-       /* check if this driver can be used on SKL+ Intel platforms */
-       if (pci_id->driver_data & AZX_DCAPS_INTEL_SHARED) {
-               switch (skl_pci_binding) {
-               case SND_SKL_PCI_BIND_AUTO:
-                       if (pci->class != 0x040300) {
-                               dev_info(&pci->dev, "The DSP is enabled on this platform, aborting probe\n");
-                               return -ENODEV;
-                       }
-                       dev_info(&pci->dev, "No DSP detected, continuing HDaudio legacy probe\n");
-                       break;
-               case SND_SKL_PCI_BIND_LEGACY:
-                       dev_info(&pci->dev, "Module parameter forced binding with HDaudio legacy, bypassed detection logic\n");
-                       break;
-               case SND_SKL_PCI_BIND_ASOC:
-                       dev_info(&pci->dev, "Module parameter forced binding with SKL+ ASoC driver, aborting probe\n");
-                       return -ENODEV;
-               default:
-                       dev_err(&pci->dev, "invalid value for skl_pci_binding module parameter, ignored\n");
-                       break;
-               }
-       }
-
        if (dev >= SNDRV_CARDS)
                return -ENODEV;
        if (!enable[dev]) {
@@ -2380,48 +2354,34 @@ static const struct pci_device_id azx_ids[] = {
          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
        /* Sunrise Point-LP */
        { PCI_DEVICE(0x8086, 0x9d70),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-         AZX_DCAPS_INTEL_DSP_DETECTION(SKL)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
        /* Kabylake */
        { PCI_DEVICE(0x8086, 0xa171),
          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
        /* Kabylake-LP */
        { PCI_DEVICE(0x8086, 0x9d71),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-         AZX_DCAPS_INTEL_DSP_DETECTION(KBL)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
        /* Kabylake-H */
        { PCI_DEVICE(0x8086, 0xa2f0),
          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
        /* Coffelake */
        { PCI_DEVICE(0x8086, 0xa348),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-         AZX_DCAPS_INTEL_DSP_DETECTION(CFL)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
        /* Cannonlake */
        { PCI_DEVICE(0x8086, 0x9dc8),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-         AZX_DCAPS_INTEL_DSP_DETECTION(CNL)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
        /* Icelake */
        { PCI_DEVICE(0x8086, 0x34c8),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-         AZX_DCAPS_INTEL_DSP_DETECTION(ICL)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
        /* Broxton-P(Apollolake) */
        { PCI_DEVICE(0x8086, 0x5a98),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON |
-         AZX_DCAPS_INTEL_DSP_DETECTION(APL)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
        /* Broxton-T */
        { PCI_DEVICE(0x8086, 0x1a98),
          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
        /* Gemini-Lake */
        { PCI_DEVICE(0x8086, 0x3198),
-         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON |
-         AZX_DCAPS_INTEL_DSP_DETECTION(GLK)
-       },
+         .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
        /* Haswell */
        { PCI_DEVICE(0x8086, 0x0a0c),
          .driver_data = AZX_DRIVER_HDMI | AZX_DCAPS_INTEL_HASWELL },
index 83befd8d43e83fb399836b9ef094a2306740ac32..97a176d817a0cbd7feb49283f24415f1e9196b27 100644 (file)
@@ -234,10 +234,12 @@ static int hda_tegra_suspend(struct device *dev)
        struct snd_card *card = dev_get_drvdata(dev);
        struct azx *chip = card->private_data;
        struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
+       struct hdac_bus *bus = azx_bus(chip);
 
        snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
 
        azx_stop_chip(chip);
+       synchronize_irq(bus->irq);
        azx_enter_link_reset(chip);
        hda_tegra_disable_clocks(hda);
 
index a4f4a9dd488df28a6f1aee4548d1ae68aa61c7cd..aee4cbd29d53cd4aaff517a11126c9177e4a41fc 100644 (file)
@@ -6501,7 +6501,7 @@ static const struct hda_fixup alc269_fixups[] = {
        [ALC294_FIXUP_ASUS_HEADSET_MIC] = {
                .type = HDA_FIXUP_PINS,
                .v.pins = (const struct hda_pintbl[]) {
-                       { 0x19, 0x01a1113c }, /* use as headset mic, without its own jack detect */
+                       { 0x19, 0x01a1103c }, /* use as headset mic */
                        { }
                },
                .chained = true,
index 2fd1b61e8331dd68d0c1ffa1d81420b6a9e71d37..99a62ba409df83424bc84031f067e4e70a0db03d 100644 (file)
@@ -188,12 +188,6 @@ config SND_SOC_INTEL_SKYLAKE_COMMON
        select SND_SOC_TOPOLOGY
        select SND_SOC_INTEL_SST
        select SND_SOC_HDAC_HDA if SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC
-       select SND_HDA_INTEL_DSP_DETECTION_SKL if SND_SOC_INTEL_SKL
-       select SND_HDA_INTEL_DSP_DETECTION_APL if SND_SOC_INTEL_APL
-       select SND_HDA_INTEL_DSP_DETECTION_KBL if SND_SOC_INTEL_KBL
-       select SND_HDA_INTEL_DSP_DETECTION_GLK if SND_SOC_INTEL_GLK
-       select SND_HDA_INTEL_DSP_DETECTION_CNL if SND_SOC_INTEL_CNL
-       select SND_HDA_INTEL_DSP_DETECTION_CFL if SND_SOC_INTEL_CFL
        select SND_SOC_ACPI_INTEL_MATCH
        help
          If you have a Intel Skylake/Broxton/ApolloLake/KabyLake/
index 6a6f4b990547ecebac9b64420ec4aed1e9dd970c..548100315710de1e84bb77f1b12d58218adaa226 100644 (file)
@@ -10,6 +10,6 @@
 
 #define get_user       __get_user
 
-#define access_ok(type, addr, size)    1
+#define access_ok(addr, size)  1
 
 #endif
index 9c79ee017df3bf15ac704e765188a4c2a56bf862..e2b9eee3718734492a4ef2b2c92b8cfd31ec8554 100644 (file)
@@ -510,7 +510,7 @@ static void test_devmap(int task, void *data)
        fd = bpf_create_map(BPF_MAP_TYPE_DEVMAP, sizeof(key), sizeof(value),
                            2, 0);
        if (fd < 0) {
-               printf("Failed to create arraymap '%s'!\n", strerror(errno));
+               printf("Failed to create devmap '%s'!\n", strerror(errno));
                exit(1);
        }
 
index 33f7d38849b8279355bbcfc86c8af8bd23456db3..10d44446e8013a19d8c01e5e15a94a919bae94cb 100644 (file)
@@ -23,6 +23,7 @@
 #include <stdbool.h>
 #include <sched.h>
 #include <limits.h>
+#include <assert.h>
 
 #include <sys/capability.h>
 
@@ -2577,6 +2578,7 @@ static struct bpf_test tests[] = {
                },
                .result = REJECT,
                .errstr = "invalid stack off=-79992 size=8",
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
        },
        {
                "PTR_TO_STACK store/load - out of bounds high",
@@ -3104,6 +3106,8 @@ static struct bpf_test tests[] = {
                        BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
                        BPF_EXIT_INSN(),
                },
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .result_unpriv = REJECT,
                .result = ACCEPT,
        },
        {
@@ -3205,6 +3209,243 @@ static struct bpf_test tests[] = {
                /* Verifier rewrite for unpriv skips tail call here. */
                .retval_unpriv = 2,
        },
+       {
+               "PTR_TO_STACK check high 1",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK check high 2",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK check high 3",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
+                       BPF_EXIT_INSN(),
+               },
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .result_unpriv = REJECT,
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK check high 4",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .errstr = "invalid stack off=0 size=1",
+               .result = REJECT,
+       },
+       {
+               "PTR_TO_STACK check high 5",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr = "invalid stack off",
+       },
+       {
+               "PTR_TO_STACK check high 6",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr = "invalid stack off",
+       },
+       {
+               "PTR_TO_STACK check high 7",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .errstr = "fp pointer offset",
+       },
+       {
+               "PTR_TO_STACK check low 1",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK check low 2",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK check low 3",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .errstr = "invalid stack off=-513 size=1",
+               .result = REJECT,
+       },
+       {
+               "PTR_TO_STACK check low 4",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr = "math between fp pointer",
+       },
+       {
+               "PTR_TO_STACK check low 5",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr = "invalid stack off",
+       },
+       {
+               "PTR_TO_STACK check low 6",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr = "invalid stack off",
+       },
+       {
+               "PTR_TO_STACK check low 7",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
+                       BPF_EXIT_INSN(),
+               },
+               .result = REJECT,
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+               .errstr = "fp pointer offset",
+       },
+       {
+               "PTR_TO_STACK mixed reg/k, 1",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
+                       BPF_MOV64_IMM(BPF_REG_2, -3),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK mixed reg/k, 2",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
+                       BPF_MOV64_IMM(BPF_REG_2, -3),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 42,
+       },
+       {
+               "PTR_TO_STACK mixed reg/k, 3",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
+                       BPF_MOV64_IMM(BPF_REG_2, -3),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = -3,
+       },
+       {
+               "PTR_TO_STACK reg",
+               .insns = {
+                       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                       BPF_MOV64_IMM(BPF_REG_2, -3),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                       BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "invalid stack off=0 size=1",
+               .result = ACCEPT,
+               .retval = 42,
+       },
        {
                "stack pointer arithmetic",
                .insns = {
@@ -6610,7 +6851,446 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_TRACEPOINT,
        },
        {
-               "map access: known scalar += value_ptr",
+               "map access: known scalar += value_ptr from different maps",
+               .insns = {
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                   offsetof(struct __sk_buff, len)),
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_hash_16b = { 5 },
+               .fixup_map_array_48b = { 8 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R1 tried to add from different maps",
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr -= known scalar from different maps",
+               .insns = {
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                   offsetof(struct __sk_buff, len)),
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_hash_16b = { 5 },
+               .fixup_map_array_48b = { 8 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 min value is outside of the array range",
+               .retval = 1,
+       },
+       {
+               "map access: known scalar += value_ptr from different maps, but same value properties",
+               .insns = {
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                   offsetof(struct __sk_buff, len)),
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_hash_48b = { 5 },
+               .fixup_map_array_48b = { 8 },
+               .result = ACCEPT,
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr += known scalar, upper oob arith, test 1",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_MOV64_IMM(BPF_REG_1, 48),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr += known scalar, upper oob arith, test 2",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_MOV64_IMM(BPF_REG_1, 49),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr += known scalar, upper oob arith, test 3",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_MOV64_IMM(BPF_REG_1, 47),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr -= known scalar, lower oob arith, test 1",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                       BPF_MOV64_IMM(BPF_REG_1, 47),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, 48),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = REJECT,
+               .errstr = "R0 min value is outside of the array range",
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+       },
+       {
+               "map access: value_ptr -= known scalar, lower oob arith, test 2",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+                       BPF_MOV64_IMM(BPF_REG_1, 47),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, 48),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, 1),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr -= known scalar, lower oob arith, test 3",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                       BPF_MOV64_IMM(BPF_REG_1, 47),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, 47),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 1,
+       },
+       {
+               "map access: known scalar += value_ptr",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr += known scalar, 1",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr += known scalar, 2",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, 49),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = REJECT,
+               .errstr = "invalid access to map value",
+       },
+       {
+               "map access: value_ptr += known scalar, 3",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, -1),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = REJECT,
+               .errstr = "invalid access to map value",
+       },
+       {
+               "map access: value_ptr += known scalar, 4",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+                       BPF_MOV64_IMM(BPF_REG_1, 5),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, -2),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, -1),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 1,
+       },
+       {
+               "map access: value_ptr += known scalar, 5",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                       BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .retval = 0xabcdef12,
+       },
+       {
+               "map access: value_ptr += known scalar, 6",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                       BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .retval = 0xabcdef12,
+       },
+       {
+               "map access: unknown scalar += value_ptr, 1",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .retval = 1,
+       },
+       {
+               "map access: unknown scalar += value_ptr, 2",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .retval = 0xabcdef12,
+       },
+       {
+               "map access: unknown scalar += value_ptr, 3",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+                       BPF_MOV64_IMM(BPF_REG_1, -1),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_MOV64_IMM(BPF_REG_1, 1),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_array_48b = { 3 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+               .retval = 0xabcdef12,
+       },
+       {
+               "map access: unknown scalar += value_ptr, 4",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
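Review bot: The entries "upper oob arith, test 3", "lower oob arith, test 3" and "value_ptr += known scalar, 4" need a comment explaining their `.result_unpriv = REJECT`. Assuming `fixup_map_array_48b` means a 48-byte value, every intermediate pointer in them (+47 then -47, and +5, -2, -1) stays inside the value and the privileged run is ACCEPT, yet the expected unprivileged message says the arithmetic "goes out of range". Without the reason written next to the test, a later verifier change that flips one of these results cannot be judged as a regression or as an intended relaxation of the unprivileged rules. A line above each `.insns`, for example `/* in bounds at every step; unpriv must still reject: <rationale> */`, would pin the intent. The first and last entries of this hunk are cut by the hunk boundaries.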
@@ -6618,19 +7298,22 @@ static struct bpf_test tests[] = {
                        BPF_LD_MAP_FD(BPF_REG_1, 0),
                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
                                     BPF_FUNC_map_lookup_elem),
-                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
-                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+                       BPF_MOV64_IMM(BPF_REG_1, 19),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
-                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
-                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
                        BPF_EXIT_INSN(),
                },
                .fixup_map_array_48b = { 3 },
-               .result = ACCEPT,
-               .retval = 1,
+               .result = REJECT,
+               .errstr = "R1 max value is outside of the array range",
+               .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
        },
        {
-               "map access: value_ptr += known scalar",
+               "map access: value_ptr += unknown scalar, 1",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
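Review bot: The added `BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0)` reads four bytes at value offset 19, and the final word load uses an offset masked with 31, so neither access is word-aligned. If the verifier under test enforces alignment, it would presumably reject the first load with an alignment message before the range check, and `.errstr = "R1 max value is outside of the array range"` would then not match. The same applies to the `BPF_W` loads in "unknown scalar += value_ptr, 2" and "3" in the previous hunk and in "value_ptr += unknown scalar, 2" further down. If this tree's `struct bpf_test` has a flag for tests that need unaligned access (upstream has `F_NEEDS_EFFICIENT_UNALIGNED_ACCESS`), set it on these entries. This entry starts in the previous hunk.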
@@ -6638,8 +7321,9 @@ static struct bpf_test tests[] = {
                        BPF_LD_MAP_FD(BPF_REG_1, 0),
                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
                                     BPF_FUNC_map_lookup_elem),
-                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
-                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
                        BPF_MOV64_IMM(BPF_REG_0, 1),
@@ -6650,7 +7334,7 @@ static struct bpf_test tests[] = {
                .retval = 1,
        },
        {
-               "map access: unknown scalar += value_ptr",
+               "map access: value_ptr += unknown scalar, 2",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -6659,19 +7343,18 @@ static struct bpf_test tests[] = {
                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
                                     BPF_FUNC_map_lookup_elem),
                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
-                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
-                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
-                       BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
-                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
-                       BPF_MOV64_IMM(BPF_REG_0, 1),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
                        BPF_EXIT_INSN(),
                },
                .fixup_map_array_48b = { 3 },
                .result = ACCEPT,
-               .retval = 1,
+               .retval = 0xabcdef12,
        },
        {
-               "map access: value_ptr += unknown scalar",
+               "map access: value_ptr += unknown scalar, 3",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
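Review bot: The new `.retval = 0xabcdef12` only holds if the first word of the map value, masked with 31, is the byte offset of the word that contains 0xabcdef12, and neither fact is visible in the test. The same hidden dependency on the map fixture is in "value_ptr += known scalar, 5" and "6" (`(6 + 1) * sizeof(int)`) and in "unknown scalar += value_ptr, 2" and "3" in the earlier hunk. A comment above `.insns`, such as `/* relies on the 48b array fixture: word 0 holds the offset of the 0xabcdef12 word */`, would keep a change to the map setup code from breaking these tests silently; confirm the wording against that setup code.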
@@ -6679,13 +7362,20 @@ static struct bpf_test tests[] = {
                        BPF_LD_MAP_FD(BPF_REG_1, 0),
                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
                                     BPF_FUNC_map_lookup_elem),
-                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
-                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
+                       BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
+                       BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
-                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
-                       BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                       BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
+                       BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
+                       BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
                        BPF_MOV64_IMM(BPF_REG_0, 1),
                        BPF_EXIT_INSN(),
+                       BPF_MOV64_IMM(BPF_REG_0, 2),
+                       BPF_JMP_IMM(BPF_JA, 0, 0, -3),
                },
                .fixup_map_array_48b = { 3 },
                .result = ACCEPT,
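Review bot: R1 is loaded by the added `BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0)` and masked with 0xf, but nothing afterwards reads it; only R2 and R3 reach the compare and the pointer add. R3 is masked with `& 1` and then `| 1`, so the scalar added to the pointer always evaluates to 1 although the test is named "unknown scalar". If the unused register and the out-of-line `BPF_MOV64_IMM(BPF_REG_0, 2)` / `BPF_JMP_IMM(BPF_JA, 0, 0, -3)` tail are there to steer the verifier down a particular path, say so in a comment such as `/* R1 is deliberately unused: <reason> */`; otherwise drop the R1 load and mask. The entry begins before this hunk and continues after it.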
@@ -6770,6 +7460,8 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_array_48b = { 3 },
                .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                .retval = 1,
        },
        {
@@ -6837,6 +7529,8 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_array_48b = { 3 },
                .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                .retval = 1,
        },
        {
@@ -8376,6 +9070,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
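Review bot: This entry gains `.errstr_unpriv` but no `.result_unpriv`, as do the similar entries in the following hunks, while the one patched at `-8761` carries an explicit `.result_unpriv = REJECT`. The unprivileged expectation presumably falls back to `.result`, but that logic is not visible here and the mixed spelling makes the table harder to audit. Adding `.result_unpriv = REJECT,` next to each new `.errstr_unpriv` would make every entry state both expectations explicitly. The instructions of these entries are outside the hunks.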
@@ -8400,6 +9095,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8426,6 +9122,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8451,6 +9148,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8499,6 +9197,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8570,6 +9269,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8621,6 +9321,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8648,6 +9349,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8674,6 +9376,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8703,6 +9406,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8733,6 +9437,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 4 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
        {
@@ -8761,6 +9466,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "unbounded min value",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
                .result_unpriv = REJECT,
        },
@@ -8813,8 +9519,38 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
+               .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                .result = REJECT,
        },
+       {
+               "check subtraction on pointers for unpriv",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_0, 0),
+                       BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                       BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
+                       BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0),
+                       BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                       BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
+                       BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                       BPF_EXIT_INSN(),
+                       BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
+                       BPF_MOV64_IMM(BPF_REG_0, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_hash_8b = { 1, 9 },
+               .result = ACCEPT,
+               .result_unpriv = REJECT,
+               .errstr_unpriv = "R9 pointer -= pointer prohibited",
+       },
        {
                "bounds check based on zero-extended MOV",
                .insns = {
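Review bot: The new test "check subtraction on pointers for unpriv" has no comment saying what value must not reach an unprivileged user, and the instruction list is hard to follow without one. R9 is set to the frame pointer minus the R0 returned by the first lookup, and `BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0)` later writes that difference into a map value. I would add `/* r9 = fp - map_value: pointer difference, must be rejected for unpriv */` above the `BPF_SUB` line and `/* store the difference into the map, where user space could read it */` above the store. The first lookup's R0 is used without a NULL check, which looks deliberate but should be stated in the same comment.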
@@ -9145,6 +9881,36 @@ static struct bpf_test tests[] = {
                .errstr = "R0 unbounded memory access",
                .result = REJECT
        },
+       {
+               "bounds check after 32-bit right shift with 64-bit input",
+               .insns = {
+                       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_LD_MAP_FD(BPF_REG_1, 0),
+                       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                    BPF_FUNC_map_lookup_elem),
+                       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+                       /* r1 = 2 */
+                       BPF_MOV64_IMM(BPF_REG_1, 2),
+                       /* r1 = 1<<32 */
+                       BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31),
+                       /* r1 = 0 (NOT 2!) */
+                       BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
+                       /* r1 = 0xffff'fffe (NOT 0!) */
+                       BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
+                       /* computes OOB pointer */
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                       /* OOB access */
+                       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                       /* exit */
+                       BPF_MOV64_IMM(BPF_REG_0, 0),
+                       BPF_EXIT_INSN(),
+               },
+               .fixup_map_hash_8b = { 3 },
+               .errstr = "R0 invalid mem access",
+               .result = REJECT,
+       },
        {
                "bounds check map access with off+size signed 32bit overflow. test1",
                .insns = {
@@ -9185,6 +9951,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "pointer offset 1073741822",
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                .result = REJECT
        },
        {
@@ -9206,6 +9973,7 @@ static struct bpf_test tests[] = {
                },
                .fixup_map_hash_8b = { 3 },
                .errstr = "pointer offset -1073741822",
+               .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                .result = REJECT
        },
        {
@@ -9377,6 +10145,7 @@ static struct bpf_test tests[] = {
                        BPF_EXIT_INSN()
                },
                .errstr = "fp pointer offset 1073741822",
+               .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
                .result = REJECT
        },
        {
@@ -13718,6 +14487,328 @@ static struct bpf_test tests[] = {
                .result_unpriv = ACCEPT,
                .insn_processed = 15,
        },
+       {
+               "masking, test out of bounds 1",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 5),
+                       BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 2",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 1),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 3",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 4",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 5",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, -1),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 6",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, -1),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 7",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_1, 5),
+                       BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 8",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_1, 1),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 9",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 10",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 11",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_1, -1),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test out of bounds 12",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_1, -1),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test in bounds 1",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 4),
+                       BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 4,
+       },
+       {
+               "masking, test in bounds 2",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 0),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test in bounds 3",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 0xfffffffe),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0xfffffffe,
+       },
+       {
+               "masking, test in bounds 4",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 0xabcde),
+                       BPF_MOV32_IMM(BPF_REG_2, 0xabcdef - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0xabcde,
+       },
+       {
+               "masking, test in bounds 5",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 0),
+                       BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
+       {
+               "masking, test in bounds 6",
+               .insns = {
+                       BPF_MOV32_IMM(BPF_REG_1, 46),
+                       BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 46,
+       },
+       {
+               "masking, test in bounds 7",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_3, -46),
+                       BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
+                       BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 46,
+       },
+       {
+               "masking, test in bounds 8",
+               .insns = {
+                       BPF_MOV64_IMM(BPF_REG_3, -47),
+                       BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
+                       BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
+                       BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
+                       BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+                       BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                       BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                       BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
+                       BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
+                       BPF_EXIT_INSN(),
+               },
+               .result = ACCEPT,
+               .retval = 0,
+       },
        {
                "reference tracking in call: free reference in subprog and outside",
                .insns = {
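Review bot: "masking, test in bounds 8" is mislabelled: it loads -47, multiplies by -1 to get 47 and masks against a limit of 47 (`47 - 1` in R2), so the index equals the limit and the expected `.retval = 0` is the out-of-bounds result. Renaming it, for example to `"masking, test out of bounds 13"`, or adding `/* index == limit: first out-of-range value */` would make the name match what is checked. The twenty cases also share one SUB/OR/NEG/ARSH/AND sequence with no explanation. A single comment above the first test would let a reader verify each `.retval` by hand: the index is in R1 (R3 in the last two cases), R2 starts as limit - 1, and the chain leaves the index unchanged when 0 <= index < limit and zeroes it otherwise. The sequence appears to mirror the masking the verifier applies to unprivileged pointer arithmetic; if so, the comment should say that too.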
@@ -14413,6 +15504,16 @@ static int create_map(uint32_t type, uint32_t size_key,
        return fd;
 }
 
+static void update_map(int fd, int index)
+{
+       struct test_val value = {
+               .index = (6 + 1) * sizeof(int),
+               .foo[6] = 0xabcdef12,
+       };
+
+       assert(!bpf_map_update_elem(fd, &index, &value, 0));
+}
+
 static int create_prog_dummy1(enum bpf_prog_type prog_type)
 {
        struct bpf_insn prog[] = {
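Review bot: `update_map()` puts its only call to `bpf_map_update_elem()` inside `assert()`, so a build with NDEBUG would drop the update and every test that reads the seeded element would run against an unseeded map. Splitting it into `int err = bpf_map_update_elem(fd, &index, &value, 0);` followed by `assert(!err);` keeps the side effect unconditional. The values `(6 + 1) * sizeof(int)` and `0xabcdef12` need a one-line comment saying which test depends on them, since `struct test_val` is declared outside this hunk. The call added in `do_test_fixup()` passes `map_fds[3]` straight from `create_map()`; if that can return a negative fd (its failure path is not visible here), the assert aborts the whole run instead of failing one test.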
@@ -14564,6 +15665,7 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
        if (*fixup_map_array_48b) {
                map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
                                        sizeof(struct test_val), 1);
+               update_map(map_fds[3], 0);
                do {
                        prog[*fixup_map_array_48b].imm = map_fds[3];
                        fixup_map_array_48b++;
index 666d0155662debc3e1ce7390f0e5ca4603cfa77e..1f888a103f78841267f3ca032f83381ed0eeff0d 100644 (file)
@@ -939,8 +939,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
        /* We can read the guest memory with __xxx_user() later on. */
        if ((id < KVM_USER_MEM_SLOTS) &&
            ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
-            !access_ok(VERIFY_WRITE,
-                       (void __user *)(unsigned long)mem->userspace_addr,
+            !access_ok((void __user *)(unsigned long)mem->userspace_addr,
                        mem->memory_size)))
                goto out;
        if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)