4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Sep 2016 16:45:38 +0000 (18:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Sep 2016 16:45:38 +0000 (18:45 +0200)
added patches:
ia64-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
ppc32-fix-copy_from_user.patch
sparc32-fix-copy_from_user.patch

queue-4.7/ia64-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch [new file with mode: 0644]
queue-4.7/ppc32-fix-copy_from_user.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/sparc32-fix-copy_from_user.patch [new file with mode: 0644]

diff --git a/queue-4.7/ia64-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch b/queue-4.7/ia64-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
new file mode 100644 (file)
index 0000000..8bef010
--- /dev/null
@@ -0,0 +1,45 @@
+From a5e541f796f17228793694d64b507f5f57db4cd7 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 21:31:41 -0400
+Subject: ia64: copy_from_user() should zero the destination on access_ok() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/ia64/include/asm/uaccess.h |   20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/arch/ia64/include/asm/uaccess.h
++++ b/arch/ia64/include/asm/uaccess.h
+@@ -263,17 +263,15 @@ __copy_from_user (void *to, const void _
+       __cu_len;                                                                       \
+ })
+-#define copy_from_user(to, from, n)                                                   \
+-({                                                                                    \
+-      void *__cu_to = (to);                                                           \
+-      const void __user *__cu_from = (from);                                          \
+-      long __cu_len = (n);                                                            \
+-                                                                                      \
+-      __chk_user_ptr(__cu_from);                                                      \
+-      if (__access_ok(__cu_from, __cu_len, get_fs()))                                 \
+-              __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);   \
+-      __cu_len;                                                                       \
+-})
++static inline unsigned long
++copy_from_user(void *to, const void __user *from, unsigned long n)
++{
++      if (likely(__access_ok(from, n, get_fs())))
++              n = __copy_user((__force void __user *) to, from, n);
++      else
++              memset(to, 0, n);
++      return n;
++}
+ #define __copy_in_user(to, from, size)        __copy_user((to), (from), (size))
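Review bot: The new `else memset(to, 0, n);` branch in copy_from_user() zeroes the destination only when `__access_ok()` rejects the range. When `__copy_user()` faults partway and returns a non-zero remainder, whether the uncopied tail of `to` is cleared depends on that helper, which is not visible in this hunk. If it is not cleared, a caller that ignores the return value could still pass stale kernel memory onward, so confirm the helper's behaviour and record it above the function, e.g. `/* Zero the destination when the range is rejected so callers that ignore the return value never see uninitialised data; the tail after a partial fault is left to __copy_user(). */`. The same question applies to `__copy_tofrom_user()` in the ppc32 patch and `__copy_user()` in the sparc32 patch. This patch's description also has no body text, so the reason for the change is recorded only in the subject line.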
diff --git a/queue-4.7/ppc32-fix-copy_from_user.patch b/queue-4.7/ppc32-fix-copy_from_user.patch
new file mode 100644 (file)
index 0000000..c2410e5
--- /dev/null
@@ -0,0 +1,65 @@
+From 224264657b8b228f949b42346e09ed8c90136a8e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 19:16:26 -0400
+Subject: ppc32: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.
+
+should clear on access_ok() failures.  Also remove the useless
+range truncation logics.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/uaccess.h |   21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -308,30 +308,17 @@ extern unsigned long __copy_tofrom_user(
+ static inline unsigned long copy_from_user(void *to,
+               const void __user *from, unsigned long n)
+ {
+-      unsigned long over;
+-
+-      if (access_ok(VERIFY_READ, from, n))
++      if (likely(access_ok(VERIFY_READ, from, n)))
+               return __copy_tofrom_user((__force void __user *)to, from, n);
+-      if ((unsigned long)from < TASK_SIZE) {
+-              over = (unsigned long)from + n - TASK_SIZE;
+-              return __copy_tofrom_user((__force void __user *)to, from,
+-                              n - over) + over;
+-      }
+++     memset(to, 0, n);
+       return n;
+ }
+ static inline unsigned long copy_to_user(void __user *to,
+               const void *from, unsigned long n)
+ {
+-      unsigned long over;
+-
+       if (access_ok(VERIFY_WRITE, to, n))
+               return __copy_tofrom_user(to, (__force void __user *)from, n);
+-      if ((unsigned long)to < TASK_SIZE) {
+-              over = (unsigned long)to + n - TASK_SIZE;
+-              return __copy_tofrom_user(to, (__force void __user *)from,
+-                              n - over) + over;
+-      }
+       return n;
+ }
+@@ -422,10 +409,6 @@ static inline unsigned long clear_user(v
+       might_fault();
+       if (likely(access_ok(VERIFY_WRITE, addr, size)))
+               return __clear_user(addr, size);
+-      if ((unsigned long)addr < TASK_SIZE) {
+-              unsigned long over = (unsigned long)addr + size - TASK_SIZE;
+-              return __clear_user(addr, size - over) + over;
+-      }
+       return size;
+ }
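Review bot: The added line `+++     memset(to, 0, n);` in the copy_from_user() part of this patch carries three leading `+` where the other added line, `++      if (likely(access_ok(VERIFY_READ, from, n)))`, carries two. If the queued patch file really contains that extra marker, the applied source would read `+ memset(to, 0, n);`, and unary plus on the `void *` returned by memset() is a constraint violation in C, so the ppc32 build would fail. The line inside the patch file should presumably be a single `+` marker followed by the tab-indented `memset(to, 0, n);`. This may be an artefact of how the page was rendered, so check the raw patch before acting on it.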
index 8a52ecfe165403ec12f83f2c374d6f4133f79e95..c47c43aa54dafcd60000aa9f2cd1c1a9c09ede36 100644 (file)
@@ -176,3 +176,6 @@ parisc-fix-copy_from_user.patch
 openrisc-fix-copy_from_user.patch
 nios2-copy_from_user-should-zero-the-tail-of-destination.patch
 mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
+sparc32-fix-copy_from_user.patch
+ppc32-fix-copy_from_user.patch
+ia64-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
diff --git a/queue-4.7/sparc32-fix-copy_from_user.patch b/queue-4.7/sparc32-fix-copy_from_user.patch
new file mode 100644 (file)
index 0000000..586702f
--- /dev/null
@@ -0,0 +1,31 @@
+From 917400cecb4b52b5cde5417348322bb9c8272fa6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 22 Aug 2016 00:23:07 -0400
+Subject: sparc32: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.
+
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sparc/include/asm/uaccess_32.h |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/include/asm/uaccess_32.h
++++ b/arch/sparc/include/asm/uaccess_32.h
+@@ -263,8 +263,10 @@ static inline unsigned long copy_from_us
+ {
+       if (n && __access_ok((unsigned long) from, n))
+               return __copy_user((__force void __user *) to, from, n);
+-      else
++      else {
++              memset(to, 0, n);
+               return n;
++      }
+ }
+ static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
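Review bot: The rewritten failure branch in copy_from_user() keeps an `else { ... }` after an `if` branch that already returns, which adds braces and an indent level around two statements. Dropping the `else` and writing `memset(to, 0, n);` then `return n;` at function level would match the shape of the ppc32 patch in this same commit. It would also follow the usual kernel style preference against `else` after `return`. The function's signature lies above the hunk, so only its body is visible here.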