
Merge branch 'work.__copy_in_user' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull __copy_in_user removal from Al Viro:
"There used to be 6 places in the entire tree calling __copy_in_user(),
all of them bogus.

Four got killed off in work.drm branch, this takes care of the
remaining ones and kills the definition of that sucker"

* 'work.__copy_in_user' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
kill __copy_in_user()
sanitize do_i2c_smbus_ioctl()

+9 -16
+9 -10
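--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -739,23 +739,22 @@
 		unsigned int cmd, struct i2c_smbus_ioctl_data32 __user *udata)
 {
 	struct i2c_smbus_ioctl_data __user *tdata;
-	compat_caddr_t datap;
+	union {
+		/* beginnings of those have identical layouts */
+		struct i2c_smbus_ioctl_data32 data32;
+		struct i2c_smbus_ioctl_data data;
+	} v;
 
 	tdata = compat_alloc_user_space(sizeof(*tdata));
 	if (tdata == NULL)
 		return -ENOMEM;
-	if (!access_ok(VERIFY_WRITE, tdata, sizeof(*tdata)))
-		return -EFAULT;
 
-	if (!access_ok(VERIFY_READ, udata, sizeof(*udata)))
+	memset(&v, 0, sizeof(v));
+	if (copy_from_user(&v.data32, udata, sizeof(v.data32)))
 		return -EFAULT;
+	v.data.data = compat_ptr(v.data32.data);
 
-	if (__copy_in_user(&tdata->read_write, &udata->read_write, 2 * sizeof(u8)))
-		return -EFAULT;
-	if (__copy_in_user(&tdata->size, &udata->size, 2 * sizeof(u32)))
-		return -EFAULT;
-	if (__get_user(datap, &udata->data) ||
-	    __put_user(compat_ptr(datap), &tdata->data))
+	if (copy_to_user(tdata, &v.data, sizeof(v.data)))
 		return -EFAULT;
 
 	return do_ioctl(file, cmd, (unsigned long)tdata);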
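Review bot: The union `v` is only correct if `struct i2c_smbus_ioctl_data32` and `struct i2c_smbus_ioctl_data` lay out every field before `data` identically, and the new code states that in a comment rather than checking it. Neither struct definition is visible here, so a compile-time guard next to the union would keep a later field change from silently handing the driver a misparsed request, for example `BUILD_BUG_ON(offsetof(struct i2c_smbus_ioctl_data32, data) != offsetof(struct i2c_smbus_ioctl_data, data));`. The `memset(&v, 0, sizeof(v))` also deserves a comment such as `/* clear padding and the upper half of data.data before copy_to_user() */`, because it is what keeps uninitialised kernel stack bytes out of the buffer written to user space, and it looks redundant to a reader who sees `copy_from_user()` on the next line. The function's signature and closing brace are outside this section.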
-6
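--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -156,12 +156,6 @@
 }
 #ifdef CONFIG_COMPAT
 static __always_inline unsigned long __must_check
-__copy_in_user(void __user *to, const void *from, unsigned long n)
-{
-	might_fault();
-	return raw_copy_in_user(to, from, n);
-}
-static __always_inline unsigned long __must_check
 copy_in_user(void __user *to, const void *from, unsigned long n)
 {
 	might_fault();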