From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:53026 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934187AbcIVPnJ (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 22 Sep 2016 11:43:09 -0400
Subject: Patch "score: fix copy_from_user() and friends" has been added to the 4.4-stable tree
To: viro@zeniv.linux.org.uk, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Thu, 22 Sep 2016 17:42:22 +0200
Message-ID: <147455894216156@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    score: fix copy_from_user() and friends

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     score-fix-copy_from_user-and-friends.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From b615e3c74621e06cd97f86373ca90d43d6d998aa Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun, 21 Aug 2016 22:30:44 -0400
Subject: score: fix copy_from_user() and friends

From: Al Viro <viro@zeniv.linux.org.uk>

commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/score/include/asm/uaccess.h |   41 +++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -301,35 +301,34 @@ extern int __copy_tofrom_user(void *to,
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
+	unsigned long res = len;
 
-	if (access_ok(VERIFY_READ, from, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_READ, from, len)))
+		res = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
-	return len;
+	if (unlikely(res))
+		memset(to + (len - res), 0, res);
+
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_WRITE, to, len)))
+		len = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
 	return len;
 }
 
-#define __copy_from_user(to, from, len)	\
-		__copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+	unsigned long left = __copy_tofrom_user(to, from, len);
+	if (unlikely(left))
+		memset(to + (len - left), 0, left);
+	return left;
+}
 
 #define __copy_to_user(to, from, len)		\
 		__copy_tofrom_user((to), (from), (len))
@@ -343,17 +342,17 @@ __copy_to_user_inatomic(void *to, const
 static inline unsigned long
 __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
 {
-	return __copy_from_user(to, from, len);
+	return __copy_tofrom_user(to, from, len);
 }
 
-#define __copy_in_user(to, from, len)	__copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len)	__copy_tofrom_user(to, from, len)
 
 static inline unsigned long
 copy_in_user(void *to, const void *from, unsigned long len)
 {
 	if (access_ok(VERIFY_READ, from, len) &&
 		      access_ok(VERFITY_WRITE, to, len))
-		return copy_from_user(to, from, len);
+		return __copy_tofrom_user(to, from, len);
 }
 
 /*


Patches currently in stable-queue which might be from viro@zeniv.linux.org.uk are

queue-4.4/nios2-copy_from_user-should-zero-the-tail-of-destination.patch
queue-4.4/m32r-fix-__get_user.patch
queue-4.4/microblaze-fix-copy_from_user.patch
queue-4.4/cris-buggered-copy_from_user-copy_to_user-clear_user.patch
queue-4.4/asm-generic-make-copy_from_user-zero-the-destination-properly.patch
queue-4.4/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
queue-4.4/score-fix-__get_user-get_user.patch
queue-4.4/parisc-fix-copy_from_user.patch
queue-4.4/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch
queue-4.4/alpha-fix-copy_from_user.patch
queue-4.4/mn10300-failing-__get_user-and-get_user-should-zero.patch
queue-4.4/openrisc-fix-copy_from_user.patch
queue-4.4/avr32-fix-copy_from_user.patch
queue-4.4/score-fix-copy_from_user-and-friends.patch
queue-4.4/sh64-failing-__get_user-should-zero.patch
queue-4.4/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch
queue-4.4/hexagon-fix-strncpy_from_user-error-return.patch
queue-4.4/frv-fix-clear_user.patch
queue-4.4/fix-minor-infoleak-in-get_user_ex.patch
queue-4.4/asm-generic-make-get_user-clear-the-destination-on-errors.patch
queue-4.4/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
queue-4.4/s390-get_user-should-zero-on-failure.patch
queue-4.4/microblaze-fix-__get_user.patch
queue-4.4/blackfin-fix-copy_from_user.patch
queue-4.4/fix-iov_iter_fault_in_readable.patch
queue-4.4/nios2-fix-__get_user.patch
queue-4.4/sh-fix-copy_from_user.patch