authorLinus Torvalds <torvalds@linux-foundation.org>2016-01-12 20:11:47 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2016-01-12 20:11:47 -0500
commit33caf82acf4dc420bf0f0136b886f7b27ecf90c5 (patch)
treeb24b0b5c8f257ae7db3b8df939821a0856869895
parentca9706a282943899981e83604f2ed13e88ce4239 (diff)
parentbbddca8e8fac07ece3938e03526b5d00fa791a4c (diff)
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull misc vfs updates from Al Viro: "All kinds of stuff. That probably should've been 5 or 6 separate branches, but by the time I'd realized how large and mixed that bag had become it had been too close to -final to play with rebasing. Some fs/namei.c cleanups there, memdup_user_nul() introduction and switching open-coded instances, burying long-dead code, whack-a-mole of various kinds, several new helpers for ->llseek(), assorted cleanups and fixes from various people, etc. One piece probably deserves special mention - Neil's lookup_one_len_unlocked(). Similar to lookup_one_len(), but gets called without ->i_mutex and tries to avoid ever taking it. That, of course, means that it's not useful for any directory modifications, but things like getting inode attributes in nfds readdirplus are fine with that. I really should've asked for moratorium on lookup-related changes this cycle, but since I hadn't done that early enough... I *am* asking for that for the coming cycle, though - I'm going to try and get conversion of i_mutex to rwsem with ->lookup() done under lock taken shared. There will be a patch closer to the end of the window, along the lines of the one Linus had posted last May - mechanical conversion of ->i_mutex accesses to inode_lock()/inode_unlock()/inode_trylock()/ inode_is_locked()/inode_lock_nested(). 
To quote Linus back then: ----- | This is an automated patch using | | sed 's/mutex_lock(&\(.*\)->i_mutex)/inode_lock(\1)/' | sed 's/mutex_unlock(&\(.*\)->i_mutex)/inode_unlock(\1)/' | sed 's/mutex_lock_nested(&\(.*\)->i_mutex,[ ]*I_MUTEX_\([A-Z0-9_]*\))/inode_lock_nested(\1, I_MUTEX_\2)/' | sed 's/mutex_is_locked(&\(.*\)->i_mutex)/inode_is_locked(\1)/' | sed 's/mutex_trylock(&\(.*\)->i_mutex)/inode_trylock(\1)/' | | with a very few manual fixups ----- I'm going to send that once the ->i_mutex-affecting stuff in -next gets mostly merged (or when Linus says he's about to stop taking merges)" * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits) nfsd: don't hold i_mutex over userspace upcalls fs:affs:Replace time_t with time64_t fs/9p: use fscache mutex rather than spinlock proc: add a reschedule point in proc_readfd_common() logfs: constify logfs_block_ops structures fcntl: allow to set O_DIRECT flag on pipe fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE fs: xattr: Use kvfree() [s390] page_to_phys() always returns a multiple of PAGE_SIZE nbd: use ->compat_ioctl() fs: use block_device name vsprintf helper lib/vsprintf: add %*pg format specifier fs: use gendisk->disk_name where possible poll: plug an unused argument to do_poll amdkfd: don't open-code memdup_user() cdrom: don't open-code memdup_user() rsxx: don't open-code memdup_user() mtip32xx: don't open-code memdup_user() [um] mconsole: don't open-code memdup_user_nul() [um] hostaudio: don't open-code memdup_user() ...
-rw-r--r--Documentation/printk-formats.txt6
-rw-r--r--arch/blackfin/include/asm/uaccess.h6
-rw-r--r--arch/m68k/include/asm/uaccess_no.h4
-rw-r--r--arch/mips/lasat/picvue_proc.c18
-rw-r--r--arch/mn10300/include/asm/uaccess.h15
-rw-r--r--arch/powerpc/include/asm/uaccess.h15
-rw-r--r--arch/powerpc/kernel/nvram_64.c19
-rw-r--r--arch/s390/pci/pci_dma.c3
-rw-r--r--arch/sparc/include/asm/uaccess_32.h65
-rw-r--r--arch/sparc/include/asm/uaccess_64.h40
-rw-r--r--arch/sparc/kernel/mdesc.c20
-rw-r--r--arch/um/drivers/hostaudio_kern.c10
-rw-r--r--arch/um/drivers/mconsole_kern.c14
-rw-r--r--arch/x86/kernel/cpuid.c24
-rw-r--r--arch/x86/kernel/msr.c24
-rw-r--r--arch/xtensa/platforms/iss/simdisk.c12
-rw-r--r--drivers/block/cciss.c14
-rw-r--r--drivers/block/mtip32xx/mtip32xx.c23
-rw-r--r--drivers/block/nbd.c1
-rw-r--r--drivers/block/rsxx/core.c11
-rw-r--r--drivers/cdrom/cdrom.c10
-rw-r--r--drivers/char/generic_nvram.c21
-rw-r--r--drivers/char/mbcs.c28
-rw-r--r--drivers/char/nvram.c18
-rw-r--r--drivers/char/nwflash.c31
-rw-r--r--drivers/gpu/drm/amd/amdkfd/kfd_chardev.c33
-rw-r--r--drivers/gpu/vga/vgaarb.c7
-rw-r--r--drivers/md/bcache/util.c2
-rw-r--r--drivers/md/dm-bufio.c2
-rw-r--r--drivers/md/dm-io.c4
-rw-r--r--drivers/mtd/maps/pcmciamtd.c28
-rw-r--r--drivers/net/wireless/ath/wil6210/debugfs.c12
-rw-r--r--drivers/net/wireless/libertas/debugfs.c181
-rw-r--r--drivers/net/wireless/mwifiex/debugfs.c82
-rw-r--r--drivers/net/wireless/ti/wlcore/debugfs.c17
-rw-r--r--drivers/s390/char/vmcp.c11
-rw-r--r--drivers/s390/char/vmur.c15
-rw-r--r--drivers/s390/char/zcore.c13
-rw-r--r--drivers/sbus/char/openprom.c13
-rw-r--r--drivers/staging/lustre/lustre/llite/file.c2
-rw-r--r--drivers/staging/lustre/lustre/llite/llite_internal.h4
-rw-r--r--drivers/staging/lustre/lustre/llite/namei.c4
-rw-r--r--drivers/staging/lustre/lustre/llite/symlink.c2
-rw-r--r--drivers/usb/core/devices.c26
-rw-r--r--drivers/usb/core/devio.c26
-rw-r--r--drivers/usb/host/uhci-debug.c23
-rw-r--r--drivers/usb/misc/sisusbvga/sisusb.c16
-rw-r--r--fs/9p/cache.c8
-rw-r--r--fs/9p/v9fs.h2
-rw-r--r--fs/9p/vfs_inode.c2
-rw-r--r--fs/adfs/adfs.h6
-rw-r--r--fs/adfs/dir.c6
-rw-r--r--fs/adfs/dir_f.c2
-rw-r--r--fs/adfs/dir_fplus.c2
-rw-r--r--fs/affs/affs.h2
-rw-r--r--fs/affs/amigaffs.c13
-rw-r--r--fs/affs/super.c2
-rw-r--r--fs/afs/proc.c25
-rw-r--r--fs/bad_inode.c2
-rw-r--r--fs/block_dev.c12
-rw-r--r--fs/btrfs/super.c4
-rw-r--r--fs/buffer.c21
-rw-r--r--fs/cachefiles/daemon.c12
-rw-r--r--fs/compat.c21
-rw-r--r--fs/compat_ioctl.c11
-rw-r--r--fs/coredump.c8
-rw-r--r--fs/dcache.c14
-rw-r--r--fs/dlm/user.c11
-rw-r--r--fs/ecryptfs/inode.c4
-rw-r--r--fs/exec.c4
-rw-r--r--fs/ext2/xattr.c6
-rw-r--r--fs/ext4/page-io.c5
-rw-r--r--fs/ext4/xattr.c6
-rw-r--r--fs/f2fs/debug.c6
-rw-r--r--fs/f2fs/f2fs.h6
-rw-r--r--fs/fcntl.c3
-rw-r--r--fs/file.c6
-rw-r--r--fs/gfs2/ops_fstype.c4
-rw-r--r--fs/hfs/mdb.c4
-rw-r--r--fs/hpfs/map.c2
-rw-r--r--fs/internal.h2
-rw-r--r--fs/jbd2/transaction.c6
-rw-r--r--fs/jfs/jfs_logmgr.c9
-rw-r--r--fs/logfs/logfs.h4
-rw-r--r--fs/logfs/readwrite.c4
-rw-r--r--fs/logfs/segment.c2
-rw-r--r--fs/minix/itree_v1.c9
-rw-r--r--fs/minix/itree_v2.c9
-rw-r--r--fs/namei.c200
-rw-r--r--fs/namespace.c39
-rw-r--r--fs/nfsd/nfs3xdr.c2
-rw-r--r--fs/nfsd/nfs4xdr.c8
-rw-r--r--fs/nfsd/vfs.c23
-rw-r--r--fs/nilfs2/super.c6
-rw-r--r--fs/open.c5
-rw-r--r--fs/proc/base.c17
-rw-r--r--fs/proc/fd.c1
-rw-r--r--fs/proc_namespace.c27
-rw-r--r--fs/read_write.c39
-rw-r--r--fs/reiserfs/journal.c24
-rw-r--r--fs/reiserfs/prints.c9
-rw-r--r--fs/reiserfs/procfs.c5
-rw-r--r--fs/select.c6
-rw-r--r--fs/splice.c8
-rw-r--r--fs/squashfs/super.c7
-rw-r--r--fs/super.c4
-rw-r--r--fs/xattr.c38
-rw-r--r--fs/xfs/xfs_buf.c8
-rw-r--r--include/linux/fs.h14
-rw-r--r--include/linux/namei.h1
-rw-r--r--include/linux/string.h1
-rw-r--r--kernel/sysctl.c79
-rw-r--r--kernel/trace/blktrace.c12
-rw-r--r--kernel/trace/trace_events.c28
-rw-r--r--kernel/trace/trace_events_trigger.c15
-rw-r--r--kernel/user_namespace.c21
-rw-r--r--lib/dynamic_debug.c11
-rw-r--r--lib/vsprintf.c29
-rw-r--r--mm/util.c31
-rw-r--r--net/9p/trans_virtio.c16
-rw-r--r--net/rxrpc/ar-key.c24
-rw-r--r--security/integrity/iint.c11
-rw-r--r--security/selinux/selinuxfs.c114
-rw-r--r--security/smack/smackfs.c114
-rw-r--r--security/tomoyo/securityfs_if.c11
125 files changed, 792 insertions, 1478 deletions
diff --git a/Documentation/printk-formats.txt b/Documentation/printk-formats.txt
index b784c270105f..6389551bbad6 100644
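--- a/Documentation/printk-formats.txt
+++ b/Documentation/printk-formats.txt
@@ -250,6 +250,12 @@ dentry names:
 
  Passed by reference.
 
+block_device names:
+
+ %pg sda, sda1 or loop0p1
+
+ For printing name of block_device pointers.
+
 struct va_format:
 
  %pV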
diff --git a/arch/blackfin/include/asm/uaccess.h b/arch/blackfin/include/asm/uaccess.h
index 90612a7f2cf3..12f5d6851bbc 100644
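--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -168,12 +168,6 @@ static inline int bad_user_access_length(void)
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
-#define copy_to_user_ret(to, from, n, retval) ({ if (copy_to_user(to, from, n))\
- return retval; })
-
-#define copy_from_user_ret(to, from, n, retval) ({ if (copy_from_user(to, from, n))\
- return retval; })
-
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {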
diff --git a/arch/m68k/include/asm/uaccess_no.h b/arch/m68k/include/asm/uaccess_no.h
index 68bbe9b312f1..1bdf15263754 100644
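--- a/arch/m68k/include/asm/uaccess_no.h
+++ b/arch/m68k/include/asm/uaccess_no.h
@@ -135,10 +135,6 @@ extern int __get_user_bad(void);
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
-#define copy_to_user_ret(to,from,n,retval) ({ if (copy_to_user(to,from,n)) return retval; })
-
-#define copy_from_user_ret(to,from,n,retval) ({ if (copy_from_user(to,from,n)) return retval; })
-
 /*
   * Copy a null terminated string from userspace.
   */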
diff --git a/arch/mips/lasat/picvue_proc.c b/arch/mips/lasat/picvue_proc.c
index 2bcd8391bc93..b42095880667 100644
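--- a/arch/mips/lasat/picvue_proc.c
+++ b/arch/mips/lasat/picvue_proc.c
@@ -22,7 +22,6 @@
 static DEFINE_MUTEX(pvc_mutex);
 static char pvc_lines[PVC_NLINES][PVC_LINELEN+1];
 static int pvc_linedata[PVC_NLINES];
-static struct proc_dir_entry *pvc_display_dir;
 static char *pvc_linename[PVC_NLINES] = {"line1", "line2"};
 #define DISPLAY_DIR_NAME "display"
 static int scroll_dir, scroll_interval;
@@ -169,22 +168,17 @@ void pvc_proc_timerfunc(unsigned long data)
 
 static void pvc_proc_cleanup(void)
 {
- int i;
- for (i = 0; i < PVC_NLINES; i++)
- remove_proc_entry(pvc_linename[i], pvc_display_dir);
- remove_proc_entry("scroll", pvc_display_dir);
- remove_proc_entry(DISPLAY_DIR_NAME, NULL);
-
+ remove_proc_subtree(DISPLAY_DIR_NAME, NULL);
  del_timer_sync(&timer);
 }
 
 static int __init pvc_proc_init(void)
 {
- struct proc_dir_entry *proc_entry;
+ struct proc_dir_entry *dir, *proc_entry;
  int i;
 
- pvc_display_dir = proc_mkdir(DISPLAY_DIR_NAME, NULL);
- if (pvc_display_dir == NULL)
+ dir = proc_mkdir(DISPLAY_DIR_NAME, NULL);
+ if (dir == NULL)
  goto error;
 
  for (i = 0; i < PVC_NLINES; i++) {
@@ -192,12 +186,12 @@ static int __init pvc_proc_init(void)
  pvc_linedata[i] = i;
  }
  for (i = 0; i < PVC_NLINES; i++) {
- proc_entry = proc_create_data(pvc_linename[i], 0644, pvc_display_dir,
+ proc_entry = proc_create_data(pvc_linename[i], 0644, dir,
  &pvc_line_proc_fops, &pvc_linedata[i]);
  if (proc_entry == NULL)
  goto error;
  }
- proc_entry = proc_create("scroll", 0644, pvc_display_dir,
+ proc_entry = proc_create("scroll", 0644, dir,
  &pvc_scroll_proc_fops);
  if (proc_entry == NULL)
  goto error;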
diff --git a/arch/mn10300/include/asm/uaccess.h b/arch/mn10300/include/asm/uaccess.h
index 537278746a15..20f7bf6de384 100644
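--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -110,21 +110,6 @@ extern int fixup_exception(struct pt_regs *regs);
 #define __put_user(x, ptr) __put_user_nocheck((x), (ptr), sizeof(*(ptr)))
 #define __get_user(x, ptr) __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
 
-/*
- * The "xxx_ret" versions return constant specified in third argument, if
- * something bad happens. These macros can be optimized for the
- * case of just returning from the function xxx_ret is used.
- */
-
-#define put_user_ret(x, ptr, ret) \
- ({ if (put_user((x), (ptr))) return (ret); })
-#define get_user_ret(x, ptr, ret) \
- ({ if (get_user((x), (ptr))) return (ret); })
-#define __put_user_ret(x, ptr, ret) \
- ({ if (__put_user((x), (ptr))) return (ret); })
-#define __get_user_ret(x, ptr, ret) \
- ({ if (__get_user((x), (ptr))) return (ret); })
-
 struct __large_struct { unsigned long buf[100]; };
 #define __m(x) (*(struct __large_struct *)(x))
 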
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 2a8ebae0936b..b7c20f0b8fbe 100644
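--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -274,21 +274,6 @@ do { \
  __gu_err; \
 })
 
-#ifndef __powerpc64__
-#define __get_user64_nocheck(x, ptr, size) \
-({ \
- long __gu_err; \
- long long __gu_val; \
- __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
- __chk_user_ptr(ptr); \
- if (!is_kernel_addr((unsigned long)__gu_addr)) \
- might_fault(); \
- __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
- (x) = (__force __typeof__(*(ptr)))__gu_val; \
- __gu_err; \
-})
-#endif /* __powerpc64__ */
-
 #define __get_user_check(x, ptr, size) \
 ({ \
  long __gu_err = -EFAULT; \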
diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c
index 32e26526f7e4..0cab9e8c3794 100644
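--- a/arch/powerpc/kernel/nvram_64.c
+++ b/arch/powerpc/kernel/nvram_64.c
@@ -27,6 +27,7 @@
 #include <linux/slab.h>
 #include <linux/spinlock.h>
 #include <linux/kmsg_dump.h>
+#include <linux/pagemap.h>
 #include <linux/pstore.h>
 #include <linux/zlib.h>
 #include <asm/uaccess.h>
@@ -733,24 +734,10 @@ static void oops_to_nvram(struct kmsg_dumper *dumper,
 
 static loff_t dev_nvram_llseek(struct file *file, loff_t offset, int origin)
 {
- int size;
-
  if (ppc_md.nvram_size == NULL)
  return -ENODEV;
- size = ppc_md.nvram_size();
-
- switch (origin) {
- case 1:
- offset += file->f_pos;
- break;
- case 2:
- offset += size;
- break;
- }
- if (offset < 0)
- return -EINVAL;
- file->f_pos = offset;
- return file->f_pos;
+ return generic_file_llseek_size(file, offset, origin, MAX_LFS_FILESIZE,
+ ppc_md.nvram_size());
 }
 
 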
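Review bot: The value returned by `ppc_md.nvram_size()` is handed to generic_file_llseek_size() as the end-of-file position without being checked, in the last argument of the new return statement in dev_nvram_llseek. If the platform callback can fail with a negative errno (its definition is not on this page), SEEK_END would be computed from an error code rather than a length. Reading it into a local first and bailing out, `ssize_t size = ppc_md.nvram_size();` then `if (size < 0) return size;`, keeps that case explicit. The limit passed is MAX_LFS_FILESIZE rather than the device size, so positions beyond the end of NVRAM are still accepted here and rely on the read and write paths to reject them.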
diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
index d348f2c09a1e..32da0a6ecec2 100644
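--- a/arch/s390/pci/pci_dma.c
+++ b/arch/s390/pci/pci_dma.c
@@ -366,8 +366,7 @@ static void *s390_dma_alloc(struct device *dev, size_t size,
  pa = page_to_phys(page);
  memset((void *) pa, 0, size);
 
- map = s390_dma_map_pages(dev, page, pa % PAGE_SIZE,
- size, DMA_BIDIRECTIONAL, NULL);
+ map = s390_dma_map_pages(dev, page, 0, size, DMA_BIDIRECTIONAL, NULL);
  if (dma_mapping_error(dev, map)) {
  free_pages(pa, get_order(size));
  return NULL;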
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index 64ee103dc29d..57aca2792d29 100644
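--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -205,31 +205,6 @@ int __put_user_bad(void);
  __gu_ret; \
 })
 
-#define __get_user_check_ret(x, addr, size, type, retval) ({ \
- register unsigned long __gu_val __asm__ ("l1"); \
- if (__access_ok(addr, size)) { \
- switch (size) { \
- case 1: \
- __get_user_asm_ret(__gu_val, ub, addr, retval); \
- break; \
- case 2: \
- __get_user_asm_ret(__gu_val, uh, addr, retval); \
- break; \
- case 4: \
- __get_user_asm_ret(__gu_val, , addr, retval); \
- break; \
- case 8: \
- __get_user_asm_ret(__gu_val, d, addr, retval); \
- break; \
- default: \
- if (__get_user_bad()) \
- return retval; \
- } \
- x = (__force type) __gu_val; \
- } else \
- return retval; \
-})
-
 #define __get_user_nocheck(x, addr, size, type) ({ \
  register int __gu_ret; \
  register unsigned long __gu_val; \
@@ -247,20 +222,6 @@ int __put_user_bad(void);
  __gu_ret; \
 })
 
-#define __get_user_nocheck_ret(x, addr, size, type, retval) ({ \
- register unsigned long __gu_val __asm__ ("l1"); \
- switch (size) { \
- case 1: __get_user_asm_ret(__gu_val, ub, addr, retval); break; \
- case 2: __get_user_asm_ret(__gu_val, uh, addr, retval); break; \
- case 4: __get_user_asm_ret(__gu_val, , addr, retval); break; \
- case 8: __get_user_asm_ret(__gu_val, d, addr, retval); break; \
- default: \
- if (__get_user_bad()) \
- return retval; \
- } \
- x = (__force type) __gu_val; \
-})
-
 #define __get_user_asm(x, size, addr, ret) \
 __asm__ __volatile__( \
  "/* Get user asm, inline. */\n" \
@@ -281,32 +242,6 @@ __asm__ __volatile__( \
  : "=&r" (ret), "=&r" (x) : "m" (*__m(addr)), \
  "i" (-EFAULT))
 
-#define __get_user_asm_ret(x, size, addr, retval) \
-if (__builtin_constant_p(retval) && retval == -EFAULT) \
- __asm__ __volatile__( \
- "/* Get user asm ret, inline. */\n" \
- "1:\t" "ld"#size " %1, %0\n\n\t" \
- ".section __ex_table,#alloc\n\t" \
- ".align 4\n\t" \
- ".word 1b,__ret_efault\n\n\t" \
- ".previous\n\t" \
- : "=&r" (x) : "m" (*__m(addr))); \
-else \
- __asm__ __volatile__( \
- "/* Get user asm ret, inline. */\n" \
- "1:\t" "ld"#size " %1, %0\n\n\t" \
- ".section .fixup,#alloc,#execinstr\n\t" \
- ".align 4\n" \
- "3:\n\t" \
- "ret\n\t" \
- " restore %%g0, %2, %%o0\n\n\t" \
- ".previous\n\t" \
- ".section __ex_table,#alloc\n\t" \
- ".align 4\n\t" \
- ".word 1b, 3b\n\n\t" \
- ".previous\n\t" \
- : "=&r" (x) : "m" (*__m(addr)), "i" (retval))
-
 int __get_user_bad(void);
 
 unsigned long __copy_user(void __user *to, const void __user *from, unsigned long size);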
diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
index ea6e9a20f3ff..e9a51d64974d 100644
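--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -179,20 +179,6 @@ int __put_user_bad(void);
  __gu_ret; \
 })
 
-#define __get_user_nocheck_ret(data, addr, size, type, retval) ({ \
- register unsigned long __gu_val __asm__ ("l1"); \
- switch (size) { \
- case 1: __get_user_asm_ret(__gu_val, ub, addr, retval); break; \
- case 2: __get_user_asm_ret(__gu_val, uh, addr, retval); break; \
- case 4: __get_user_asm_ret(__gu_val, uw, addr, retval); break; \
- case 8: __get_user_asm_ret(__gu_val, x, addr, retval); break; \
- default: \
- if (__get_user_bad()) \
- return retval; \
- } \
- data = (__force type) __gu_val; \
-})
-
 #define __get_user_asm(x, size, addr, ret) \
 __asm__ __volatile__( \
  "/* Get user asm, inline. */\n" \
@@ -214,32 +200,6 @@ __asm__ __volatile__( \
  : "=r" (ret), "=r" (x) : "r" (__m(addr)), \
  "i" (-EFAULT))
 
-#define __get_user_asm_ret(x, size, addr, retval) \
-if (__builtin_constant_p(retval) && retval == -EFAULT) \
- __asm__ __volatile__( \
- "/* Get user asm ret, inline. */\n" \
- "1:\t" "ld"#size "a [%1] %%asi, %0\n\n\t" \
- ".section __ex_table,\"a\"\n\t" \
- ".align 4\n\t" \
- ".word 1b,__ret_efault\n\n\t" \
- ".previous\n\t" \
- : "=r" (x) : "r" (__m(addr))); \
-else \
- __asm__ __volatile__( \
- "/* Get user asm ret, inline. */\n" \
- "1:\t" "ld"#size "a [%1] %%asi, %0\n\n\t" \
- ".section .fixup,#alloc,#execinstr\n\t" \
- ".align 4\n" \
- "3:\n\t" \
- "ret\n\t" \
- " restore %%g0, %2, %%o0\n\n\t" \
- ".previous\n\t" \
- ".section __ex_table,\"a\"\n\t" \
- ".align 4\n\t" \
- ".word 1b, 3b\n\n\t" \
- ".previous\n\t" \
- : "=r" (x) : "r" (__m(addr)), "i" (retval))
-
 int __get_user_bad(void);
 
 unsigned long __must_check ___copy_from_user(void *to,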
diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
index 6f80936e0eea..11228861d9b4 100644
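--- a/arch/sparc/kernel/mdesc.c
+++ b/arch/sparc/kernel/mdesc.c
@@ -1033,25 +1033,9 @@ static ssize_t mdesc_read(struct file *file, char __user *buf,
 
 static loff_t mdesc_llseek(struct file *file, loff_t offset, int whence)
 {
- struct mdesc_handle *hp;
-
- switch (whence) {
- case SEEK_CUR:
- offset += file->f_pos;
- break;
- case SEEK_SET:
- break;
- default:
- return -EINVAL;
- }
-
- hp = file->private_data;
- if (offset > hp->handle_size)
- return -EINVAL;
- else
- file->f_pos = offset;
+ struct mdesc_handle *hp = file->private_data;
 
- return offset;
+ return no_seek_end_llseek_size(file, offset, whence, hp->handle_size);
 }
 
 /* mdesc_close() - /dev/mdesc is being closed, release the reference to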
diff --git a/arch/um/drivers/hostaudio_kern.c b/arch/um/drivers/hostaudio_kern.c
index f6b911cc3923..3a4b58730f5f 100644
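--- a/arch/um/drivers/hostaudio_kern.c
+++ b/arch/um/drivers/hostaudio_kern.c
@@ -105,13 +105,9 @@ static ssize_t hostaudio_write(struct file *file, const char __user *buffer,
  printk(KERN_DEBUG "hostaudio: write called, count = %d\n", count);
 #endif
 
- kbuf = kmalloc(count, GFP_KERNEL);
- if (kbuf == NULL)
- return -ENOMEM;
-
- err = -EFAULT;
- if (copy_from_user(kbuf, buffer, count))
- goto out;
+ kbuf = memdup_user(buffer, count);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
 
  err = os_write_file(state->fd, kbuf, count);
  if (err < 0)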
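Review bot: `count` reaches `memdup_user(buffer, count)` in hostaudio_write with no upper bound in the visible lines, so the size of the kernel allocation is chosen by whoever writes to the device. Clamping it before the copy, for example `if (count > HOSTAUDIO_MAX_WRITE) count = HOSTAUDIO_MAX_WRITE;` (placeholder constant name, to be chosen by the driver), would keep an oversized write from becoming a large kmalloc attempt; a short write is a valid result for write(). The same applies to `memdup_user(ubuf, cnt)` in rsxx_cram_write and `memdup_user_nul(buffer, count)` in mconsole_proc_write, whereas cciss_proc_write keeps its `length > PAGE_SIZE - 1` check ahead of the copy. hostaudio_write starts and ends outside this hunk.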
diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c
index 29880c9b324e..b821b13d343a 100644
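--- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c
@@ -748,19 +748,11 @@ static ssize_t mconsole_proc_write(struct file *file,
 {
  char *buf;
 
- buf = kmalloc(count + 1, GFP_KERNEL);
- if (buf == NULL)
- return -ENOMEM;
-
- if (copy_from_user(buf, buffer, count)) {
- count = -EFAULT;
- goto out;
- }
-
- buf[count] = '\0';
+ buf = memdup_user_nul(buffer, count);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
  mconsole_notify(notify_socket, MCONSOLE_USER_NOTIFY, buf, count);
- out:
  kfree(buf);
  return count;
 }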
diff --git a/arch/x86/kernel/cpuid.c b/arch/x86/kernel/cpuid.c
index bd3507da39f0..2836de390f95 100644
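--- a/arch/x86/kernel/cpuid.c
+++ b/arch/x86/kernel/cpuid.c
@@ -58,28 +58,6 @@ static void cpuid_smp_cpuid(void *cmd_block)
  &cmd->eax, &cmd->ebx, &cmd->ecx, &cmd->edx);
 }
 
-static loff_t cpuid_seek(struct file *file, loff_t offset, int orig)
-{
- loff_t ret;
- struct inode *inode = file->f_mapping->host;
-
- mutex_lock(&inode->i_mutex);
- switch (orig) {
- case 0:
- file->f_pos = offset;
- ret = file->f_pos;
- break;
- case 1:
- file->f_pos += offset;
- ret = file->f_pos;
- break;
- default:
- ret = -EINVAL;
- }
- mutex_unlock(&inode->i_mutex);
- return ret;
-}
-
 static ssize_t cpuid_read(struct file *file, char __user *buf,
  size_t count, loff_t *ppos)
 {
@@ -132,7 +110,7 @@ static int cpuid_open(struct inode *inode, struct file *file)
  */
 static const struct file_operations cpuid_fops = {
  .owner = THIS_MODULE,
- .llseek = cpuid_seek,
+ .llseek = no_seek_end_llseek,
  .read = cpuid_read,
  .open = cpuid_open,
 };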
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 113e70784854..64f9616f93f1 100644
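--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -45,28 +45,6 @@
 
 static struct class *msr_class;
 
-static loff_t msr_seek(struct file *file, loff_t offset, int orig)
-{
- loff_t ret;
- struct inode *inode = file_inode(file);
-
- mutex_lock(&inode->i_mutex);
- switch (orig) {
- case SEEK_SET:
- file->f_pos = offset;
- ret = file->f_pos;
- break;
- case SEEK_CUR:
- file->f_pos += offset;
- ret = file->f_pos;
- break;
- default:
- ret = -EINVAL;
- }
- mutex_unlock(&inode->i_mutex);
- return ret;
-}
-
 static ssize_t msr_read(struct file *file, char __user *buf,
  size_t count, loff_t *ppos)
 {
@@ -194,7 +172,7 @@ static int msr_open(struct inode *inode, struct file *file)
  */
 static const struct file_operations msr_fops = {
  .owner = THIS_MODULE,
- .llseek = msr_seek,
+ .llseek = no_seek_end_llseek,
  .read = msr_read,
  .write = msr_write,
  .open = msr_open,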
diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c
index 3c3ace2c46b6..f58a4e6472cb 100644
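--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -227,16 +227,12 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf,
 static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
  size_t count, loff_t *ppos)
 {
- char *tmp = kmalloc(count + 1, GFP_KERNEL);
+ char *tmp = memdup_user_nul(buf, count);
  struct simdisk *dev = PDE_DATA(file_inode(file));
  int err;
 
- if (tmp == NULL)
- return -ENOMEM;
- if (copy_from_user(tmp, buf, count)) {
- err = -EFAULT;
- goto out_free;
- }
+ if (IS_ERR(tmp))
+ return PTR_ERR(tmp);
 
  err = simdisk_detach(dev);
  if (err != 0)
@@ -244,8 +240,6 @@ static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
 
  if (count > 0 && tmp[count - 1] == '\n')
  tmp[count - 1] = 0;
- else
- tmp[count] = 0;
 
  if (tmp[0])
  err = simdisk_attach(dev, tmp);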
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 0422c47261c3..b38bd06d564c 100644
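--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -514,14 +514,9 @@ cciss_proc_write(struct file *file, const char __user *buf,
  if (!buf || length > PAGE_SIZE - 1)
  return -EINVAL;
 
- buffer = (char *)__get_free_page(GFP_KERNEL);
- if (!buffer)
- return -ENOMEM;
-
- err = -EFAULT;
- if (copy_from_user(buffer, buf, length))
- goto out;
- buffer[length] = '\0';
+ buffer = memdup_user_nul(buf, length);
+ if (IS_ERR(buffer))
+ return PTR_ERR(buffer);
 
 #ifdef CONFIG_CISS_SCSI_TAPE
  if (strncmp(ENGAGE_SCSI, buffer, sizeof ENGAGE_SCSI - 1) == 0) {
@@ -537,8 +532,7 @@ cciss_proc_write(struct file *file, const char __user *buf,
  /* might be nice to have "disengage" too, but it's not
  safely possible. (only 1 module use count, lock issues.) */
 
-out:
- free_page((unsigned long)buffer);
+ kfree(buffer);
  return err;
 }
 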
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 3457ac8c03e2..34997d8ecd64 100644
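--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2029,13 +2029,10 @@ static int exec_drive_taskfile(struct driver_data *dd,
  }
 
  if (taskout) {
- outbuf = kzalloc(taskout, GFP_KERNEL);
- if (outbuf == NULL) {
- err = -ENOMEM;
- goto abort;
- }
- if (copy_from_user(outbuf, buf + outtotal, taskout)) {
- err = -EFAULT;
+ outbuf = memdup_user(buf + outtotal, taskout);
+ if (IS_ERR(outbuf)) {
+ err = PTR_ERR(outbuf);
+ outbuf = NULL;
  goto abort;
  }
  outbuf_dma = pci_map_single(dd->pdev,
@@ -2050,14 +2047,10 @@ static int exec_drive_taskfile(struct driver_data *dd,
  }
 
  if (taskin) {
- inbuf = kzalloc(taskin, GFP_KERNEL);
- if (inbuf == NULL) {
- err = -ENOMEM;
- goto abort;
- }
-
- if (copy_from_user(inbuf, buf + intotal, taskin)) {
- err = -EFAULT;
+ inbuf = memdup_user(buf + intotal, taskin);
+ if (IS_ERR(inbuf)) {
+ err = PTR_ERR(inbuf);
+ inbuf = NULL;
  goto abort;
  }
  inbuf_dma = pci_map_single(dd->pdev,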
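Review bot: The `outbuf = NULL;` and `inbuf = NULL;` resets before `goto abort` are easy to delete by mistake and carry no comment saying why they are needed. Presumably the abort path, which lies outside these hunks, unmaps or frees both buffers and must never be handed an ERR_PTR value; a comment such as `/* abort: frees outbuf, must not see an ERR_PTR */` at each reset would record that. The hunks also do not show where `taskout`, `taskin`, `outtotal` and `intotal` are bounded, so it is worth confirming that such a check sits ahead of the two memdup_user() calls in exec_drive_taskfile.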
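--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -827,6 +827,7 @@ static const struct block_device_operations nbd_fops =
 {
  .owner = THIS_MODULE,
  .ioctl = nbd_ioctl,
+ .compat_ioctl = nbd_ioctl,
 };
 
 #if IS_ENABLED(CONFIG_DEBUG_FS)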
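Review bot: `.compat_ioctl = nbd_ioctl,` reuses the native handler for 32-bit callers with no comment saying why that is safe. It holds only if every command nbd_ioctl accepts takes an integer argument, or a layout that is identical for 32- and 64-bit userspace; the handler body is not part of this hunk, so that cannot be confirmed here. If it does hold, a comment above the initializer such as `/* all nbd ioctl arguments are plain integers, so no compat translation is needed */` would record the assumption for whoever adds the next command.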
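--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -203,14 +203,11 @@ static ssize_t rsxx_cram_write(struct file *fp, const char __user *ubuf,
  char *buf;
  ssize_t st;
 
- buf = kzalloc(cnt, GFP_KERNEL);
- if (!buf)
- return -ENOMEM;
+ buf = memdup_user(ubuf, cnt);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- st = copy_from_user(buf, ubuf, cnt);
- if (!st)
- st = rsxx_creg_write(card, CREG_ADD_CRAM + (u32)*ppos, cnt,
- buf, 1);
+ st = rsxx_creg_write(card, CREG_ADD_CRAM + (u32)*ppos, cnt, buf, 1);
  kfree(buf);
  if (st)
  return st;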
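Review bot: `cnt` goes from the write() caller straight into `memdup_user(ubuf, cnt)` and then into `rsxx_creg_write(...)` with no upper bound visible in the hunk, and `(u32)*ppos` silently truncates the file position before it is added to `CREG_ADD_CRAM`. If nothing above the hunk limits them, a guard before the allocation would keep an oversized or out-of-range request from reaching the card, for example `if (*ppos >= <CRAM_SIZE> || cnt > <CRAM_SIZE> - *ppos) return -EINVAL;`, where `<CRAM_SIZE>` is a placeholder for the region size, which the page does not show. The function's start is outside the hunk, so an existing check may simply not be visible here.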
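--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -3186,15 +3186,11 @@ static noinline int mmc_ioctl_dvd_read_struct(struct cdrom_device_info *cdi,
  if (!CDROM_CAN(CDC_DVD))
  return -ENOSYS;
 
- s = kmalloc(size, GFP_KERNEL);
- if (!s)
- return -ENOMEM;
+ s = memdup_user(arg, size);
+ if (IS_ERR(s))
+ return PTR_ERR(s);
 
  cd_dbg(CD_DO_IOCTL, "entering DVD_READ_STRUCT\n");
- if (copy_from_user(s, arg, size)) {
- kfree(s);
- return -EFAULT;
- }
 
  ret = dvd_read_struct(cdi, s, cgc);
  if (ret)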
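--- a/drivers/char/generic_nvram.c
+++ b/drivers/char/generic_nvram.c
@@ -20,6 +20,7 @@
 #include <linux/fcntl.h>
 #include <linux/init.h>
 #include <linux/mutex.h>
+#include <linux/pagemap.h>
 #include <asm/uaccess.h>
 #include <asm/nvram.h>
 #ifdef CONFIG_PPC_PMAC
@@ -33,24 +34,8 @@ static ssize_t nvram_len;
 
 static loff_t nvram_llseek(struct file *file, loff_t offset, int origin)
 {
- switch (origin) {
- case 0:
- break;
- case 1:
- offset += file->f_pos;
- break;
- case 2:
- offset += nvram_len;
- break;
- default:
- offset = -1;
- }
- if (offset < 0)
- return -EINVAL;
-
- file->f_pos = offset;
-
- return file->f_pos;
+ return generic_file_llseek_size(file, offset, origin,
+ MAX_LFS_FILESIZE, nvram_len);
 }
 
 static ssize_t read_nvram(struct file *file, char __user *buf,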
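Review bot: `generic_file_llseek_size(file, offset, origin, MAX_LFS_FILESIZE, nvram_len)` bounds the position only by MAX_LFS_FILESIZE; `nvram_len` is passed as the end-of-file value, so a seek can still leave f_pos far past the device. The removed switch allowed that too, but it is now less obvious, and the helper also accepts whence values the old code rejected. Bounds safety therefore rests on read_nvram() and the write handler checking `*ppos` against `nvram_len`, and both lie outside the hunk. A comment in nvram_llseek such as `/* f_pos may exceed nvram_len; read/write bound *ppos */` would make that dependency explicit; the same applies to mbcs_sram_llseek in drivers/char/mbcs.c and nvram_llseek in drivers/char/nvram.c.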
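--- a/drivers/char/mbcs.c
+++ b/drivers/char/mbcs.c
@@ -26,6 +26,7 @@
 #include <linux/uio.h>
 #include <linux/mutex.h>
 #include <linux/slab.h>
+#include <linux/pagemap.h>
 #include <asm/io.h>
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
@@ -451,31 +452,8 @@ mbcs_sram_write(struct file * fp, const char __user *buf, size_t len, loff_t * o
 
 static loff_t mbcs_sram_llseek(struct file * filp, loff_t off, int whence)
 {
- loff_t newpos;
-
- switch (whence) {
- case SEEK_SET:
- newpos = off;
- break;
-
- case SEEK_CUR:
- newpos = filp->f_pos + off;
- break;
-
- case SEEK_END:
- newpos = MBCS_SRAM_SIZE + off;
- break;
-
- default: /* can't happen */
- return -EINVAL;
- }
-
- if (newpos < 0)
- return -EINVAL;
-
- filp->f_pos = newpos;
-
- return newpos;
+ return generic_file_llseek_size(filp, off, whence, MAX_LFS_FILESIZE,
+ MBCS_SRAM_SIZE);
 }
 
 static uint64_t mbcs_pioaddr(struct mbcs_soft *soft, uint64_t offset)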
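--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -110,6 +110,7 @@
 #include <linux/io.h>
 #include <linux/uaccess.h>
 #include <linux/mutex.h>
+#include <linux/pagemap.h>
 
 
 static DEFINE_MUTEX(nvram_mutex);
@@ -213,21 +214,8 @@ void nvram_set_checksum(void)
 
 static loff_t nvram_llseek(struct file *file, loff_t offset, int origin)
 {
- switch (origin) {
- case 0:
- /* nothing to do */
- break;
- case 1:
- offset += file->f_pos;
- break;
- case 2:
- offset += NVRAM_BYTES;
- break;
- default:
- return -EINVAL;
- }
-
- return (offset >= 0) ? (file->f_pos = offset) : -EINVAL;
+ return generic_file_llseek_size(file, offset, origin, MAX_LFS_FILESIZE,
+ NVRAM_BYTES);
 }
 
 static ssize_t nvram_read(struct file *file, char __user *buf,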
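--- a/drivers/char/nwflash.c
+++ b/drivers/char/nwflash.c
@@ -277,36 +277,7 @@ static loff_t flash_llseek(struct file *file, loff_t offset, int orig)
  printk(KERN_DEBUG "flash_llseek: offset=0x%X, orig=0x%X.\n",
  (unsigned int) offset, orig);
 
- switch (orig) {
- case 0:
- if (offset < 0) {
- ret = -EINVAL;
- break;
- }
-
- if ((unsigned int) offset > gbFlashSize) {
- ret = -EINVAL;
- break;
- }
-
- file->f_pos = (unsigned int) offset;
- ret = file->f_pos;
- break;
- case 1:
- if ((file->f_pos + offset) > gbFlashSize) {
- ret = -EINVAL;
- break;
- }
- if ((file->f_pos + offset) < 0) {
- ret = -EINVAL;
- break;
- }
- file->f_pos += offset;
- ret = file->f_pos;
- break;
- default:
- ret = -EINVAL;
- }
+ ret = no_seek_end_llseek_size(file, offset, orig, gbFlashSize);
  mutex_unlock(&flash_mutex);
  return ret;
 }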
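--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -559,19 +559,10 @@ static int kfd_ioctl_dbg_address_watch(struct file *filep,
 
  /* this is the actual buffer to work with */
 
- args_buff = kmalloc(args->buf_size_in_bytes -
- sizeof(*args), GFP_KERNEL);
- if (args_buff == NULL)
- return -ENOMEM;
-
- status = copy_from_user(args_buff, cmd_from_user,
+ args_buff = memdup_user(args_buff,
  args->buf_size_in_bytes - sizeof(*args));
-
- if (status != 0) {
- pr_debug("Failed to copy address watch user data\n");
- kfree(args_buff);
- return -EINVAL;
- }
+ if (IS_ERR(args_buff))
+ return PTR_ERR(args_buff);
 
  aw_info.process = p;
 
@@ -677,22 +668,12 @@ static int kfd_ioctl_dbg_wave_control(struct file *filep,
  if (cmd_from_user == NULL)
  return -EINVAL;
 
- /* this is the actual buffer to work with */
+ /* copy the entire buffer from user */
 
- args_buff = kmalloc(args->buf_size_in_bytes - sizeof(*args),
- GFP_KERNEL);
-
- if (args_buff == NULL)
- return -ENOMEM;
-
- /* Now copy the entire buffer from user */
- status = copy_from_user(args_buff, cmd_from_user,
+ args_buff = memdup_user(cmd_from_user,
  args->buf_size_in_bytes - sizeof(*args));
- if (status != 0) {
- pr_debug("Failed to copy wave control user data\n");
- kfree(args_buff);
- return -EINVAL;
- }
+ if (IS_ERR(args_buff))
+ return PTR_ERR(args_buff);
 
  /* move ptr to the start of the "pay-load" area */
  wac_info.process = p;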
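Review bot: In the first hunk (kfd_ioctl_dbg_address_watch) the new call reads `args_buff = memdup_user(args_buff,`, so the source pointer is the destination variable itself rather than the user pointer. The removed copy_from_user() there and the matching conversion in kfd_ioctl_dbg_wave_control both read from `cmd_from_user`, so this line should be `args_buff = memdup_user(cmd_from_user,`. As written, whatever args_buff holds at that point is handed to the user-copy routine, and the hunk does not show it being set. Both calls also size the copy as `args->buf_size_in_bytes - sizeof(*args)`, which wraps if the user-supplied size is smaller than the header. Any range check on that field would sit above the hunks, which begin inside both functions, so confirm it exists.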
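--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -1163,12 +1163,8 @@ done:
 
 static unsigned int vga_arb_fpoll(struct file *file, poll_table *wait)
 {
- struct vga_arb_private *priv = file->private_data;
-
  pr_debug("%s\n", __func__);
 
- if (priv == NULL)
- return -ENODEV;
  poll_wait(file, &vga_wait_queue, wait);
  return POLLIN;
 }
@@ -1209,9 +1205,6 @@ static int vga_arb_release(struct inode *inode, struct file *file)
 
  pr_debug("%s\n", __func__);
 
- if (priv == NULL)
- return -ENODEV;
-
  spin_lock_irqsave(&vga_user_lock, flags);
  list_del(&priv->list);
  for (i = 0; i < MAX_USER_CARDS; i++) {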
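--- a/drivers/md/bcache/util.c
+++ b/drivers/md/bcache/util.c
@@ -230,7 +230,7 @@ void bch_bio_map(struct bio *bio, void *base)
  BUG_ON(!bio->bi_iter.bi_size);
  BUG_ON(bio->bi_vcnt);
 
- bv->bv_offset = base ? ((unsigned long) base) % PAGE_SIZE : 0;
+ bv->bv_offset = base ? offset_in_page(base) : 0;
  goto start;
 
  for (; size; bio->bi_vcnt++, bv++) {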
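--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -650,7 +650,7 @@ static void use_inline_bio(struct dm_buffer *b, int rw, sector_t block,
  do {
  if (!bio_add_page(&b->bio, virt_to_page(ptr),
  len < PAGE_SIZE ? len : PAGE_SIZE,
- virt_to_phys(ptr) & (PAGE_SIZE - 1))) {
+ offset_in_page(ptr))) {
  BUG_ON(b->c->block_size <= PAGE_SIZE);
  use_dmio(b, rw, block, end_io);
  return;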
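--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -246,7 +246,7 @@ static void vm_dp_init(struct dpages *dp, void *data)
 {
  dp->get_page = vm_get_page;
  dp->next_page = vm_next_page;
- dp->context_u = ((unsigned long) data) & (PAGE_SIZE - 1);
+ dp->context_u = offset_in_page(data);
  dp->context_ptr = data;
 }
 
@@ -271,7 +271,7 @@ static void km_dp_init(struct dpages *dp, void *data)
 {
  dp->get_page = km_get_page;
  dp->next_page = km_next_page;
- dp->context_u = ((unsigned long) data) & (PAGE_SIZE - 1);
+ dp->context_u = offset_in_page(data);
  dp->context_ptr = data;
 }
 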
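--- a/drivers/mtd/maps/pcmciamtd.c
+++ b/drivers/mtd/maps/pcmciamtd.c
@@ -30,7 +30,7 @@
 
 struct pcmciamtd_dev {
  struct pcmcia_device *p_dev;
- caddr_t win_base; /* ioremapped address of PCMCIA window */
+ void __iomem *win_base; /* ioremapped address of PCMCIA window */
  unsigned int win_size; /* size of window */
  unsigned int offset; /* offset into card the window currently points at */
  struct map_info pcmcia_map;
@@ -80,7 +80,7 @@ MODULE_PARM_DESC(mem_type, "Set Memory type (0=Flash, 1=RAM, 2=ROM, default=0)")
 /* read/write{8,16} copy_{from,to} routines with window remapping
  * to access whole card
  */
-static caddr_t remap_window(struct map_info *map, unsigned long to)
+static void __iomem *remap_window(struct map_info *map, unsigned long to)
 {
  struct pcmciamtd_dev *dev = (struct pcmciamtd_dev *)map->map_priv_1;
  struct resource *win = (struct resource *) map->map_priv_2;
@@ -107,7 +107,7 @@ static caddr_t remap_window(struct map_info *map, unsigned long to)
 
 static map_word pcmcia_read8_remap(struct map_info *map, unsigned long ofs)
 {
- caddr_t addr;
+ void __iomem *addr;
  map_word d = {{0}};
 
  addr = remap_window(map, ofs);
@@ -122,7 +122,7 @@ static map_word pcmcia_read8_remap(struct map_info *map, unsigned long ofs)
 
 static map_word pcmcia_read16_remap(struct map_info *map, unsigned long ofs)
 {
- caddr_t addr;
+ void __iomem *addr;
  map_word d = {{0}};
 
  addr = remap_window(map, ofs);
@@ -143,7 +143,7 @@ static void pcmcia_copy_from_remap(struct map_info *map, void *to, unsigned long
  pr_debug("to = %p from = %lu len = %zd\n", to, from, len);
  while(len) {
  int toread = win_size - (from & (win_size-1));
- caddr_t addr;
+ void __iomem *addr;
 
  if(toread > len)
  toread = len;
@@ -163,7 +163,7 @@ static void pcmcia_copy_from_remap(struct map_info *map, void *to, unsigned long
 
 static void pcmcia_write8_remap(struct map_info *map, map_word d, unsigned long adr)
 {
- caddr_t addr = remap_window(map, adr);
+ void __iomem *addr = remap_window(map, adr);
 
  if(!addr)
  return;
@@ -175,7 +175,7 @@ static void pcmcia_write8_remap(struct map_info *map, map_word d, unsigned long
 
 static void pcmcia_write16_remap(struct map_info *map, map_word d, unsigned long adr)
 {
- caddr_t addr = remap_window(map, adr);
+ void __iomem *addr = remap_window(map, adr);
  if(!addr)
  return;
 
@@ -192,7 +192,7 @@ static void pcmcia_copy_to_remap(struct map_info *map, unsigned long to, const v
  pr_debug("to = %lu from = %p len = %zd\n", to, from, len);
  while(len) {
  int towrite = win_size - (to & (win_size-1));
- caddr_t addr;
+ void __iomem *addr;
 
  if(towrite > len)
  towrite = len;
@@ -216,7 +216,7 @@ static void pcmcia_copy_to_remap(struct map_info *map, unsigned long to, const v
 
 static map_word pcmcia_read8(struct map_info *map, unsigned long ofs)
 {
- caddr_t win_base = (caddr_t)map->map_priv_2;
+ void __iomem *win_base = (void __iomem *)map->map_priv_2;
  map_word d = {{0}};
 
  if(DEV_REMOVED(map))
@@ -231,7 +231,7 @@ static map_word pcmcia_read8(struct map_info *map, unsigned long ofs)
 
 static map_word pcmcia_read16(struct map_info *map, unsigned long ofs)
 {
- caddr_t win_base = (caddr_t)map->map_priv_2;
+ void __iomem *win_base = (void __iomem *)map->map_priv_2;
  map_word d = {{0}};
 
  if(DEV_REMOVED(map))
@@ -246,7 +246,7 @@ static map_word pcmcia_read16(struct map_info *map, unsigned long ofs)
 
 static void pcmcia_copy_from(struct map_info *map, void *to, unsigned long from, ssize_t len)
 {
- caddr_t win_base = (caddr_t)map->map_priv_2;
+ void __iomem *win_base = (void __iomem *)map->map_priv_2;
 
  if(DEV_REMOVED(map))
  return;
@@ -258,7 +258,7 @@ static void pcmcia_copy_from(struct map_info *map, void *to, unsigned long from,
 
 static void pcmcia_write8(struct map_info *map, map_word d, unsigned long adr)
 {
- caddr_t win_base = (caddr_t)map->map_priv_2;
+ void __iomem *win_base = (void __iomem *)map->map_priv_2;
 
  if(DEV_REMOVED(map))
  return;
@@ -271,7 +271,7 @@ static void pcmcia_write8(struct map_info *map, map_word d, unsigned long adr)
 
 static void pcmcia_write16(struct map_info *map, map_word d, unsigned long adr)
 {
- caddr_t win_base = (caddr_t)map->map_priv_2;
+ void __iomem *win_base = (void __iomem *)map->map_priv_2;
 
  if(DEV_REMOVED(map))
  return;
@@ -284,7 +284,7 @@ static void pcmcia_write16(struct map_info *map, map_word d, unsigned long adr)
 
 static void pcmcia_copy_to(struct map_info *map, unsigned long to, const void *from, ssize_t len)
 {
- caddr_t win_base = (caddr_t)map->map_priv_2;
+ void __iomem *win_base = (void __iomem *)map->map_priv_2;
 
  if(DEV_REMOVED(map))
  return;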
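--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -580,16 +580,10 @@ static ssize_t wil_write_file_rxon(struct file *file, const char __user *buf,
  long channel;
  bool on;
 
- char *kbuf = kmalloc(len + 1, GFP_KERNEL);
-
- if (!kbuf)
- return -ENOMEM;
- if (copy_from_user(kbuf, buf, len)) {
- kfree(kbuf);
- return -EIO;
- }
+ char *kbuf = memdup_user_nul(buf, len);
 
- kbuf[len] = '\0';
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
  rc = kstrtol(kbuf, 0, &channel);
  kfree(kbuf);
  if (rc)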
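--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -56,19 +56,15 @@ static ssize_t lbs_sleepparams_write(struct file *file,
  loff_t *ppos)
 {
  struct lbs_private *priv = file->private_data;
- ssize_t buf_size, ret;
+ ssize_t ret;
  struct sleep_params sp;
  int p1, p2, p3, p4, p5, p6;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(user_buf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, user_buf, buf_size)) {
- ret = -EFAULT;
- goto out_unlock;
- }
  ret = sscanf(buf, "%d %d %d %d %d %d", &p1, &p2, &p3, &p4, &p5, &p6);
  if (ret != 6) {
  ret = -EINVAL;
@@ -88,7 +84,7 @@ static ssize_t lbs_sleepparams_write(struct file *file,
  ret = -EINVAL;
 
 out_unlock:
- free_page(addr);
+ kfree(buf);
  return ret;
 }
 
@@ -125,18 +121,14 @@ static ssize_t lbs_host_sleep_write(struct file *file,
  loff_t *ppos)
 {
  struct lbs_private *priv = file->private_data;
- ssize_t buf_size, ret;
+ ssize_t ret;
  int host_sleep;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(user_buf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, user_buf, buf_size)) {
- ret = -EFAULT;
- goto out_unlock;
- }
  ret = sscanf(buf, "%d", &host_sleep);
  if (ret != 1) {
  ret = -EINVAL;
@@ -162,7 +154,7 @@ static ssize_t lbs_host_sleep_write(struct file *file,
  ret = count;
 
 out_unlock:
- free_page(addr);
+ kfree(buf);
  return ret;
 }
 
@@ -281,21 +273,15 @@ static ssize_t lbs_threshold_write(uint16_t tlv_type, uint16_t event_mask,
  struct cmd_ds_802_11_subscribe_event *events;
  struct mrvl_ie_thresholds *tlv;
  struct lbs_private *priv = file->private_data;
- ssize_t buf_size;
  int value, freq, new_mask;
  uint16_t curr_mask;
  char *buf;
  int ret;
 
- buf = (char *)get_zeroed_page(GFP_KERNEL);
- if (!buf)
- return -ENOMEM;
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- ret = -EFAULT;
- goto out_page;
- }
  ret = sscanf(buf, "%d %d %d", &value, &freq, &new_mask);
  if (ret != 3) {
  ret = -EINVAL;
@@ -343,7 +329,7 @@ static ssize_t lbs_threshold_write(uint16_t tlv_type, uint16_t event_mask,
  out_events:
  kfree(events);
  out_page:
- free_page((unsigned long)buf);
+ kfree(buf);
  return ret;
 }
 
@@ -472,22 +458,15 @@ static ssize_t lbs_rdmac_write(struct file *file,
  size_t count, loff_t *ppos)
 {
  struct lbs_private *priv = file->private_data;
- ssize_t res, buf_size;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- res = -EFAULT;
- goto out_unlock;
- }
  priv->mac_offset = simple_strtoul(buf, NULL, 16);
- res = count;
-out_unlock:
- free_page(addr);
- return res;
+ kfree(buf);
+ return count;
 }
 
 static ssize_t lbs_wrmac_write(struct file *file,
@@ -496,18 +475,14 @@ static ssize_t lbs_wrmac_write(struct file *file,
 {
 
  struct lbs_private *priv = file->private_data;
- ssize_t res, buf_size;
+ ssize_t res;
  u32 offset, value;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- res = -EFAULT;
- goto out_unlock;
- }
  res = sscanf(buf, "%x %x", &offset, &value);
  if (res != 2) {
  res = -EFAULT;
@@ -520,7 +495,7 @@ static ssize_t lbs_wrmac_write(struct file *file,
  if (!res)
  res = count;
 out_unlock:
- free_page(addr);
+ kfree(buf);
  return res;
 }
 
@@ -554,22 +529,16 @@ static ssize_t lbs_rdbbp_write(struct file *file,
  size_t count, loff_t *ppos)
 {
  struct lbs_private *priv = file->private_data;
- ssize_t res, buf_size;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- res = -EFAULT;
- goto out_unlock;
- }
  priv->bbp_offset = simple_strtoul(buf, NULL, 16);
- res = count;
-out_unlock:
- free_page(addr);
- return res;
+ kfree(buf);
+
+ return count;
 }
 
 static ssize_t lbs_wrbbp_write(struct file *file,
@@ -578,18 +547,14 @@ static ssize_t lbs_wrbbp_write(struct file *file,
 {
 
  struct lbs_private *priv = file->private_data;
- ssize_t res, buf_size;
+ ssize_t res;
  u32 offset, value;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- res = -EFAULT;
- goto out_unlock;
- }
  res = sscanf(buf, "%x %x", &offset, &value);
  if (res != 2) {
  res = -EFAULT;
@@ -602,7 +567,7 @@ static ssize_t lbs_wrbbp_write(struct file *file,
  if (!res)
  res = count;
 out_unlock:
- free_page(addr);
+ kfree(buf);
  return res;
 }
 
@@ -636,22 +601,15 @@ static ssize_t lbs_rdrf_write(struct file *file,
  size_t count, loff_t *ppos)
 {
  struct lbs_private *priv = file->private_data;
- ssize_t res, buf_size;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- res = -EFAULT;
- goto out_unlock;
- }
  priv->rf_offset = simple_strtoul(buf, NULL, 16);
- res = count;
-out_unlock:
- free_page(addr);
- return res;
+ kfree(buf);
+ return count;
 }
 
 static ssize_t lbs_wrrf_write(struct file *file,
@@ -660,18 +618,14 @@ static ssize_t lbs_wrrf_write(struct file *file,
 {
 
  struct lbs_private *priv = file->private_data;
- ssize_t res, buf_size;
+ ssize_t res;
  u32 offset, value;
- unsigned long addr = get_zeroed_page(GFP_KERNEL);
- char *buf = (char *)addr;
- if (!buf)
- return -ENOMEM;
+ char *buf;
+
+ buf = memdup_user_nul(userbuf, min(count, len - 1));
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- buf_size = min(count, len - 1);
- if (copy_from_user(buf, userbuf, buf_size)) {
- res = -EFAULT;
- goto out_unlock;
- }
  res = sscanf(buf, "%x %x", &offset, &value);
  if (res != 2) {
  res = -EFAULT;
@@ -684,7 +638,7 @@ static ssize_t lbs_wrrf_write(struct file *file,
  if (!res)
  res = count;
 out_unlock:
- free_page(addr);
+ kfree(buf);
  return res;
 }
 
@@ -915,16 +869,9 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
  if (cnt == 0)
  return 0;
 
- pdata = kmalloc(cnt + 1, GFP_KERNEL);
- if (pdata == NULL)
- return 0;
-
- if (copy_from_user(pdata, buf, cnt)) {
- lbs_deb_debugfs("Copy from user failed\n");
- kfree(pdata);
- return 0;
- }
- pdata[cnt] = '\0';
+ pdata = memdup_user_nul(buf, cnt);
+ if (IS_ERR(pdata))
+ return PTR_ERR(pdata);
 
  p0 = pdata;
  for (i = 0; i < num_of_items; i++) {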
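Review bot: In lbs_debugfs_write (last hunk) the new `pdata = memdup_user_nul(buf, cnt);` passes the caller's length uncapped, while every other write handler converted in this file copies at most `min(count, len - 1)` bytes. The hunk shows only the `cnt == 0` check and the function starts above it, so a bound may exist out of view; if not, `pdata = memdup_user_nul(buf, min(cnt, len - 1));` would match the rest of the file. As a style point, the `out_unlock:` and `out_page:` labels kept as context now lead to `kfree(buf)` with no page or lock involved, so a name like `out_free:` would describe them better.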
diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
index 9824d8dd2b44..241e1c3fbf08 100644
--- a/drivers/net/wireless/mwifiex/debugfs.c
+++ b/drivers/net/wireless/mwifiex/debugfs.c
@@ -447,20 +447,13 @@ static ssize_t
447mwifiex_regrdwr_write(struct file *file, 447mwifiex_regrdwr_write(struct file *file,
448 const char __user *ubuf, size_t count, loff_t *ppos) 448 const char __user *ubuf, size_t count, loff_t *ppos)
449{ 449{
450 unsigned long addr = get_zeroed_page(GFP_KERNEL); 450 char *buf;
451 char *buf = (char *) addr;
452 size_t buf_size = min_t(size_t, count, PAGE_SIZE - 1);
453 int ret; 451 int ret;
454 u32 reg_type = 0, reg_offset = 0, reg_value = UINT_MAX; 452 u32 reg_type = 0, reg_offset = 0, reg_value = UINT_MAX;
455 453
456 if (!buf) 454 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
457 return -ENOMEM; 455 if (IS_ERR(buf))
458 456 return PTR_ERR(buf);
459
460 if (copy_from_user(buf, ubuf, buf_size)) {
461 ret = -EFAULT;
462 goto done;
463 }
464 457
465 sscanf(buf, "%u %x %x", &reg_type, &reg_offset, &reg_value); 458 sscanf(buf, "%u %x %x", &reg_type, &reg_offset, &reg_value);
466 459
@@ -474,7 +467,7 @@ mwifiex_regrdwr_write(struct file *file,
474 ret = count; 467 ret = count;
475 } 468 }
476done: 469done:
477 free_page(addr); 470 kfree(buf);
478 return ret; 471 return ret;
479} 472}
480 473
@@ -572,17 +565,11 @@ mwifiex_debug_mask_write(struct file *file, const char __user *ubuf,
572 int ret; 565 int ret;
573 unsigned long debug_mask; 566 unsigned long debug_mask;
574 struct mwifiex_private *priv = (void *)file->private_data; 567 struct mwifiex_private *priv = (void *)file->private_data;
575 unsigned long addr = get_zeroed_page(GFP_KERNEL); 568 char *buf;
576 char *buf = (void *)addr;
577 size_t buf_size = min(count, (size_t)(PAGE_SIZE - 1));
578 569
579 if (!buf) 570 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
580 return -ENOMEM; 571 if (IS_ERR(buf))
581 572 return PTR_ERR(buf);
582 if (copy_from_user(buf, ubuf, buf_size)) {
583 ret = -EFAULT;
584 goto done;
585 }
586 573
587 if (kstrtoul(buf, 0, &debug_mask)) { 574 if (kstrtoul(buf, 0, &debug_mask)) {
588 ret = -EINVAL; 575 ret = -EINVAL;
@@ -592,7 +579,7 @@ mwifiex_debug_mask_write(struct file *file, const char __user *ubuf,
592 priv->adapter->debug_mask = debug_mask; 579 priv->adapter->debug_mask = debug_mask;
593 ret = count; 580 ret = count;
594done: 581done:
595 free_page(addr); 582 kfree(buf);
596 return ret; 583 return ret;
597} 584}
598 585
@@ -609,17 +596,11 @@ mwifiex_memrw_write(struct file *file, const char __user *ubuf, size_t count,
609 struct mwifiex_ds_mem_rw mem_rw; 596 struct mwifiex_ds_mem_rw mem_rw;
610 u16 cmd_action; 597 u16 cmd_action;
611 struct mwifiex_private *priv = (void *)file->private_data; 598 struct mwifiex_private *priv = (void *)file->private_data;
612 unsigned long addr = get_zeroed_page(GFP_KERNEL); 599 char *buf;
613 char *buf = (void *)addr;
614 size_t buf_size = min(count, (size_t)(PAGE_SIZE - 1));
615
616 if (!buf)
617 return -ENOMEM;
618 600
619 if (copy_from_user(buf, ubuf, buf_size)) { 601 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
620 ret = -EFAULT; 602 if (IS_ERR(buf))
621 goto done; 603 return PTR_ERR(buf);
622 }
623 604
624 ret = sscanf(buf, "%c %x %x", &cmd, &mem_rw.addr, &mem_rw.value); 605 ret = sscanf(buf, "%c %x %x", &cmd, &mem_rw.addr, &mem_rw.value);
625 if (ret != 3) { 606 if (ret != 3) {
@@ -645,7 +626,7 @@ mwifiex_memrw_write(struct file *file, const char __user *ubuf, size_t count,
645 ret = count; 626 ret = count;
646 627
647done: 628done:
648 free_page(addr); 629 kfree(buf);
649 return ret; 630 return ret;
650} 631}
651 632
@@ -686,20 +667,13 @@ static ssize_t
686mwifiex_rdeeprom_write(struct file *file, 667mwifiex_rdeeprom_write(struct file *file,
687 const char __user *ubuf, size_t count, loff_t *ppos) 668 const char __user *ubuf, size_t count, loff_t *ppos)
688{ 669{
689 unsigned long addr = get_zeroed_page(GFP_KERNEL); 670 char *buf;
690 char *buf = (char *) addr;
691 size_t buf_size = min_t(size_t, count, PAGE_SIZE - 1);
692 int ret = 0; 671 int ret = 0;
693 int offset = -1, bytes = -1; 672 int offset = -1, bytes = -1;
694 673
695 if (!buf) 674 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
696 return -ENOMEM; 675 if (IS_ERR(buf))
697 676 return PTR_ERR(buf);
698
699 if (copy_from_user(buf, ubuf, buf_size)) {
700 ret = -EFAULT;
701 goto done;
702 }
703 677
704 sscanf(buf, "%d %d", &offset, &bytes); 678 sscanf(buf, "%d %d", &offset, &bytes);
705 679
@@ -712,7 +686,7 @@ mwifiex_rdeeprom_write(struct file *file,
712 ret = count; 686 ret = count;
713 } 687 }
714done: 688done:
715 free_page(addr); 689 kfree(buf);
716 return ret; 690 return ret;
717} 691}
718 692
@@ -771,21 +745,15 @@ mwifiex_hscfg_write(struct file *file, const char __user *ubuf,
771 size_t count, loff_t *ppos) 745 size_t count, loff_t *ppos)
772{ 746{
773 struct mwifiex_private *priv = (void *)file->private_data; 747 struct mwifiex_private *priv = (void *)file->private_data;
774 unsigned long addr = get_zeroed_page(GFP_KERNEL); 748 char *buf;
775 char *buf = (char *)addr;
776 size_t buf_size = min_t(size_t, count, PAGE_SIZE - 1);
777 int ret, arg_num; 749 int ret, arg_num;
778 struct mwifiex_ds_hs_cfg hscfg; 750 struct mwifiex_ds_hs_cfg hscfg;
779 int conditions = HS_CFG_COND_DEF; 751 int conditions = HS_CFG_COND_DEF;
780 u32 gpio = HS_CFG_GPIO_DEF, gap = HS_CFG_GAP_DEF; 752 u32 gpio = HS_CFG_GPIO_DEF, gap = HS_CFG_GAP_DEF;
781 753
782 if (!buf) 754 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
783 return -ENOMEM; 755 if (IS_ERR(buf))
784 756 return PTR_ERR(buf);
785 if (copy_from_user(buf, ubuf, buf_size)) {
786 ret = -EFAULT;
787 goto done;
788 }
789 757
790 arg_num = sscanf(buf, "%d %x %x", &conditions, &gpio, &gap); 758 arg_num = sscanf(buf, "%d %x %x", &conditions, &gpio, &gap);
791 759
@@ -823,7 +791,7 @@ mwifiex_hscfg_write(struct file *file, const char __user *ubuf,
823 priv->adapter->hs_enabling = false; 791 priv->adapter->hs_enabling = false;
824 ret = count; 792 ret = count;
825done: 793done:
826 free_page(addr); 794 kfree(buf);
827 return ret; 795 return ret;
828} 796}
829 797
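Review bot: All five converted write handlers (`mwifiex_regrdwr_write`, `mwifiex_debug_mask_write`, `mwifiex_memrw_write`, `mwifiex_rdeeprom_write`, `mwifiex_hscfg_write`) clamp the copy to `PAGE_SIZE - 1` bytes yet still end with `ret = count;` on success, so a longer write is acknowledged in full although its tail was never copied or parsed. Rejecting oversize input up front, `if (count >= PAGE_SIZE) return -EINVAL;`, would make the truncation explicit, matching the `size >= PAGE_SIZE` guard that `afs_proc_cells_write()` uses in this same commit. The call then becomes `memdup_user_nul(ubuf, count)` and the repeated `min(count, (size_t)(PAGE_SIZE - 1))` expression disappears. The function bodies continue outside these hunks, so later length handling is not visible here, and any tool that relies on oversized writes being accepted would need checking first.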
diff --git a/drivers/net/wireless/ti/wlcore/debugfs.c b/drivers/net/wireless/ti/wlcore/debugfs.c
index eb43f94a1597..be72306f8c69 100644
--- a/drivers/net/wireless/ti/wlcore/debugfs.c
+++ b/drivers/net/wireless/ti/wlcore/debugfs.c
@@ -1205,26 +1205,11 @@ err_out:
1205 1205
1206static loff_t dev_mem_seek(struct file *file, loff_t offset, int orig) 1206static loff_t dev_mem_seek(struct file *file, loff_t offset, int orig)
1207{ 1207{
1208 loff_t ret;
1209
1210 /* only requests of dword-aligned size and offset are supported */ 1208 /* only requests of dword-aligned size and offset are supported */
1211 if (offset % 4) 1209 if (offset % 4)
1212 return -EINVAL; 1210 return -EINVAL;
1213 1211
1214 switch (orig) { 1212 return no_seek_end_llseek(file, offset, orig);
1215 case SEEK_SET:
1216 file->f_pos = offset;
1217 ret = file->f_pos;
1218 break;
1219 case SEEK_CUR:
1220 file->f_pos += offset;
1221 ret = file->f_pos;
1222 break;
1223 default:
1224 ret = -EINVAL;
1225 }
1226
1227 return ret;
1228} 1213}
1229 1214
1230static const struct file_operations dev_mem_ops = { 1215static const struct file_operations dev_mem_ops = {
diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c
index 0fdedadff7bc..2a67b496a9e2 100644
--- a/drivers/s390/char/vmcp.c
+++ b/drivers/s390/char/vmcp.c
@@ -88,14 +88,9 @@ vmcp_write(struct file *file, const char __user *buff, size_t count,
88 88
89 if (count > 240) 89 if (count > 240)
90 return -EINVAL; 90 return -EINVAL;
91 cmd = kmalloc(count + 1, GFP_KERNEL); 91 cmd = memdup_user_nul(buff, count);
92 if (!cmd) 92 if (IS_ERR(cmd))
93 return -ENOMEM; 93 return PTR_ERR(cmd);
94 if (copy_from_user(cmd, buff, count)) {
95 kfree(cmd);
96 return -EFAULT;
97 }
98 cmd[count] = '\0';
99 session = file->private_data; 94 session = file->private_data;
100 if (mutex_lock_interruptible(&session->mutex)) { 95 if (mutex_lock_interruptible(&session->mutex)) {
101 kfree(cmd); 96 kfree(cmd);
diff --git a/drivers/s390/char/vmur.c b/drivers/s390/char/vmur.c
index 0efb27f6f199..6c30e93ab8fa 100644
--- a/drivers/s390/char/vmur.c
+++ b/drivers/s390/char/vmur.c
@@ -782,24 +782,11 @@ static int ur_release(struct inode *inode, struct file *file)
782 782
783static loff_t ur_llseek(struct file *file, loff_t offset, int whence) 783static loff_t ur_llseek(struct file *file, loff_t offset, int whence)
784{ 784{
785 loff_t newpos;
786
787 if ((file->f_flags & O_ACCMODE) != O_RDONLY) 785 if ((file->f_flags & O_ACCMODE) != O_RDONLY)
788 return -ESPIPE; /* seek allowed only for reader */ 786 return -ESPIPE; /* seek allowed only for reader */
789 if (offset % PAGE_SIZE) 787 if (offset % PAGE_SIZE)
790 return -ESPIPE; /* only multiples of 4K allowed */ 788 return -ESPIPE; /* only multiples of 4K allowed */
791 switch (whence) { 789 return no_seek_end_llseek(file, offset, whence);
792 case 0: /* SEEK_SET */
793 newpos = offset;
794 break;
795 case 1: /* SEEK_CUR */
796 newpos = file->f_pos + offset;
797 break;
798 default:
799 return -EINVAL;
800 }
801 file->f_pos = newpos;
802 return newpos;
803} 790}
804 791
805static const struct file_operations ur_fops = { 792static const struct file_operations ur_fops = {
diff --git a/drivers/s390/char/zcore.c b/drivers/s390/char/zcore.c
index 823f41fc4bbd..3339b862ec17 100644
--- a/drivers/s390/char/zcore.c
+++ b/drivers/s390/char/zcore.c
@@ -385,18 +385,7 @@ static loff_t zcore_lseek(struct file *file, loff_t offset, int orig)
385 loff_t rc; 385 loff_t rc;
386 386
387 mutex_lock(&zcore_mutex); 387 mutex_lock(&zcore_mutex);
388 switch (orig) { 388 rc = no_seek_end_llseek(file, offset, orig);
389 case 0:
390 file->f_pos = offset;
391 rc = file->f_pos;
392 break;
393 case 1:
394 file->f_pos += offset;
395 rc = file->f_pos;
396 break;
397 default:
398 rc = -EINVAL;
399 }
400 mutex_unlock(&zcore_mutex); 389 mutex_unlock(&zcore_mutex);
401 return rc; 390 return rc;
402} 391}
diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 5843288f64bc..e077ebd89319 100644
--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -390,16 +390,9 @@ static int copyin_string(char __user *user, size_t len, char **ptr)
390 if ((ssize_t)len < 0 || (ssize_t)(len + 1) < 0) 390 if ((ssize_t)len < 0 || (ssize_t)(len + 1) < 0)
391 return -EINVAL; 391 return -EINVAL;
392 392
393 tmp = kmalloc(len + 1, GFP_KERNEL); 393 tmp = memdup_user_nul(user, len);
394 if (!tmp) 394 if (IS_ERR(tmp))
395 return -ENOMEM; 395 return PTR_ERR(tmp);
396
397 if (copy_from_user(tmp, user, len)) {
398 kfree(tmp);
399 return -EFAULT;
400 }
401
402 tmp[len] = '\0';
403 396
404 *ptr = tmp; 397 *ptr = tmp;
405 398
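Review bot: `copyin_string()` hands `len` to `memdup_user_nul()` with only the two sign checks on the line above as a bound, so the allocation size is whatever the caller passed, up to the `ssize_t` limit. If `len` comes from the ioctl argument, as the `__user` pointer suggests, an explicit cap before the copy keeps an oversized request from reaching the allocator: `if (len >= PAGE_SIZE) return -EINVAL;` (the limit is illustrative; use the longest string the callers actually need). The function starts above the hunk and continues below it, and its callers are not visible, so a bound enforced there cannot be ruled out.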
diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c
index 02f27593013e..31cd6b323a39 100644
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -3139,7 +3139,7 @@ struct file_operations ll_file_operations_noflock = {
3139 .lock = ll_file_noflock 3139 .lock = ll_file_noflock
3140}; 3140};
3141 3141
3142struct inode_operations ll_file_inode_operations = { 3142const struct inode_operations ll_file_inode_operations = {
3143 .setattr = ll_setattr, 3143 .setattr = ll_setattr,
3144 .getattr = ll_getattr, 3144 .getattr = ll_getattr,
3145 .permission = ll_inode_permission, 3145 .permission = ll_inode_permission,
diff --git a/drivers/staging/lustre/lustre/llite/llite_internal.h b/drivers/staging/lustre/lustre/llite/llite_internal.h
index 9096d311e45d..6102b29dbf30 100644
--- a/drivers/staging/lustre/lustre/llite/llite_internal.h
+++ b/drivers/staging/lustre/lustre/llite/llite_internal.h
@@ -705,7 +705,7 @@ extern const struct address_space_operations ll_aops;
705extern struct file_operations ll_file_operations; 705extern struct file_operations ll_file_operations;
706extern struct file_operations ll_file_operations_flock; 706extern struct file_operations ll_file_operations_flock;
707extern struct file_operations ll_file_operations_noflock; 707extern struct file_operations ll_file_operations_noflock;
708extern struct inode_operations ll_file_inode_operations; 708extern const struct inode_operations ll_file_inode_operations;
709int ll_have_md_lock(struct inode *inode, __u64 *bits, 709int ll_have_md_lock(struct inode *inode, __u64 *bits,
710 ldlm_mode_t l_req_mode); 710 ldlm_mode_t l_req_mode);
711ldlm_mode_t ll_take_md_lock(struct inode *inode, __u64 bits, 711ldlm_mode_t ll_take_md_lock(struct inode *inode, __u64 bits,
@@ -805,7 +805,7 @@ struct inode *search_inode_for_lustre(struct super_block *sb,
805 const struct lu_fid *fid); 805 const struct lu_fid *fid);
806 806
807/* llite/symlink.c */ 807/* llite/symlink.c */
808extern struct inode_operations ll_fast_symlink_inode_operations; 808extern const struct inode_operations ll_fast_symlink_inode_operations;
809 809
810/* llite/llite_close.c */ 810/* llite/llite_close.c */
811struct ll_close_queue { 811struct ll_close_queue {
diff --git a/drivers/staging/lustre/lustre/llite/namei.c b/drivers/staging/lustre/lustre/llite/namei.c
index 2ca22001a534..64db5e86672f 100644
--- a/drivers/staging/lustre/lustre/llite/namei.c
+++ b/drivers/staging/lustre/lustre/llite/namei.c
@@ -126,9 +126,7 @@ struct inode *ll_iget(struct super_block *sb, ino_t hash,
126 rc = cl_file_inode_init(inode, md); 126 rc = cl_file_inode_init(inode, md);
127 } 127 }
128 if (rc != 0) { 128 if (rc != 0) {
129 make_bad_inode(inode); 129 iget_failed(inode);
130 unlock_new_inode(inode);
131 iput(inode);
132 inode = ERR_PTR(rc); 130 inode = ERR_PTR(rc);
133 } else 131 } else
134 unlock_new_inode(inode); 132 unlock_new_inode(inode);
diff --git a/drivers/staging/lustre/lustre/llite/symlink.c b/drivers/staging/lustre/lustre/llite/symlink.c
index e489a3271f06..2610348f6c72 100644
--- a/drivers/staging/lustre/lustre/llite/symlink.c
+++ b/drivers/staging/lustre/lustre/llite/symlink.c
@@ -149,7 +149,7 @@ static const char *ll_get_link(struct dentry *dentry,
149 return symname; 149 return symname;
150} 150}
151 151
152struct inode_operations ll_fast_symlink_inode_operations = { 152const struct inode_operations ll_fast_symlink_inode_operations = {
153 .readlink = generic_readlink, 153 .readlink = generic_readlink,
154 .setattr = ll_setattr, 154 .setattr = ll_setattr,
155 .get_link = ll_get_link, 155 .get_link = ll_get_link,
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index 2a3bbdf7eb94..cffa0a0d7de2 100644
--- a/drivers/usb/core/devices.c
+++ b/drivers/usb/core/devices.c
@@ -661,32 +661,8 @@ static unsigned int usb_device_poll(struct file *file,
661 return 0; 661 return 0;
662} 662}
663 663
664static loff_t usb_device_lseek(struct file *file, loff_t offset, int orig)
665{
666 loff_t ret;
667
668 mutex_lock(&file_inode(file)->i_mutex);
669
670 switch (orig) {
671 case 0:
672 file->f_pos = offset;
673 ret = file->f_pos;
674 break;
675 case 1:
676 file->f_pos += offset;
677 ret = file->f_pos;
678 break;
679 case 2:
680 default:
681 ret = -EINVAL;
682 }
683
684 mutex_unlock(&file_inode(file)->i_mutex);
685 return ret;
686}
687
688const struct file_operations usbfs_devices_fops = { 664const struct file_operations usbfs_devices_fops = {
689 .llseek = usb_device_lseek, 665 .llseek = no_seek_end_llseek,
690 .read = usb_device_read, 666 .read = usb_device_read,
691 .poll = usb_device_poll, 667 .poll = usb_device_poll,
692}; 668};
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 38ae877c46e3..dbc3e143453a 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -157,30 +157,6 @@ static int connected(struct usb_dev_state *ps)
157 ps->dev->state != USB_STATE_NOTATTACHED); 157 ps->dev->state != USB_STATE_NOTATTACHED);
158} 158}
159 159
160static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig)
161{
162 loff_t ret;
163
164 mutex_lock(&file_inode(file)->i_mutex);
165
166 switch (orig) {
167 case 0:
168 file->f_pos = offset;
169 ret = file->f_pos;
170 break;
171 case 1:
172 file->f_pos += offset;
173 ret = file->f_pos;
174 break;
175 case 2:
176 default:
177 ret = -EINVAL;
178 }
179
180 mutex_unlock(&file_inode(file)->i_mutex);
181 return ret;
182}
183
184static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, 160static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
185 loff_t *ppos) 161 loff_t *ppos)
186{ 162{
@@ -2366,7 +2342,7 @@ static unsigned int usbdev_poll(struct file *file,
2366 2342
2367const struct file_operations usbdev_file_operations = { 2343const struct file_operations usbdev_file_operations = {
2368 .owner = THIS_MODULE, 2344 .owner = THIS_MODULE,
2369 .llseek = usbdev_lseek, 2345 .llseek = no_seek_end_llseek,
2370 .read = usbdev_read, 2346 .read = usbdev_read,
2371 .poll = usbdev_poll, 2347 .poll = usbdev_poll,
2372 .unlocked_ioctl = usbdev_ioctl, 2348 .unlocked_ioctl = usbdev_ioctl,
diff --git a/drivers/usb/host/uhci-debug.c b/drivers/usb/host/uhci-debug.c
index 1b28a000d5c6..9c6635d43db0 100644
--- a/drivers/usb/host/uhci-debug.c
+++ b/drivers/usb/host/uhci-debug.c
@@ -584,27 +584,8 @@ static int uhci_debug_open(struct inode *inode, struct file *file)
584 584
585static loff_t uhci_debug_lseek(struct file *file, loff_t off, int whence) 585static loff_t uhci_debug_lseek(struct file *file, loff_t off, int whence)
586{ 586{
587 struct uhci_debug *up; 587 struct uhci_debug *up = file->private_data;
588 loff_t new = -1; 588 return no_seek_end_llseek_size(file, off, whence, up->size);
589
590 up = file->private_data;
591
592 /*
593 * XXX: atomic 64bit seek access, but that needs to be fixed in the VFS
594 */
595 switch (whence) {
596 case 0:
597 new = off;
598 break;
599 case 1:
600 new = file->f_pos + off;
601 break;
602 }
603
604 if (new < 0 || new > up->size)
605 return -EINVAL;
606
607 return (file->f_pos = new);
608} 589}
609 590
610static ssize_t uhci_debug_read(struct file *file, char __user *buf, 591static ssize_t uhci_debug_read(struct file *file, char __user *buf,
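Review bot: The new body of `uhci_debug_lseek()` runs the declaration `struct uhci_debug *up = file->private_data;` straight into the `return`, where kernel style expects a blank line between declarations and statements. The deleted block also carried the only explanation of the bounds, so a one-line comment above the return would keep it, for example `/* position is limited to [0, up->size]; SEEK_END is not supported */`. The old code enforced the same range with `new < 0 || new > up->size`, so the comment describes behaviour that is meant to be unchanged.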
diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c
index 306d6852ebc7..8efbabacc84e 100644
--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -2825,21 +2825,7 @@ sisusb_lseek(struct file *file, loff_t offset, int orig)
2825 return -ENODEV; 2825 return -ENODEV;
2826 } 2826 }
2827 2827
2828 switch (orig) { 2828 ret = no_seek_end_llseek(file, offset, orig);
2829 case 0:
2830 file->f_pos = offset;
2831 ret = file->f_pos;
2832 /* never negative, no force_successful_syscall needed */
2833 break;
2834 case 1:
2835 file->f_pos += offset;
2836 ret = file->f_pos;
2837 /* never negative, no force_successful_syscall needed */
2838 break;
2839 default:
2840 /* seeking relative to "end of file" is not supported */
2841 ret = -EINVAL;
2842 }
2843 2829
2844 mutex_unlock(&sisusb->lock); 2830 mutex_unlock(&sisusb->lock);
2845 return ret; 2831 return ret;
diff --git a/fs/9p/cache.c b/fs/9p/cache.c
index a69260f27555..103ca5e1267b 100644
--- a/fs/9p/cache.c
+++ b/fs/9p/cache.c
@@ -243,14 +243,14 @@ void v9fs_cache_inode_set_cookie(struct inode *inode, struct file *filp)
243 if (!v9inode->fscache) 243 if (!v9inode->fscache)
244 return; 244 return;
245 245
246 spin_lock(&v9inode->fscache_lock); 246 mutex_lock(&v9inode->fscache_lock);
247 247
248 if ((filp->f_flags & O_ACCMODE) != O_RDONLY) 248 if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
249 v9fs_cache_inode_flush_cookie(inode); 249 v9fs_cache_inode_flush_cookie(inode);
250 else 250 else
251 v9fs_cache_inode_get_cookie(inode); 251 v9fs_cache_inode_get_cookie(inode);
252 252
253 spin_unlock(&v9inode->fscache_lock); 253 mutex_unlock(&v9inode->fscache_lock);
254} 254}
255 255
256void v9fs_cache_inode_reset_cookie(struct inode *inode) 256void v9fs_cache_inode_reset_cookie(struct inode *inode)
@@ -264,7 +264,7 @@ void v9fs_cache_inode_reset_cookie(struct inode *inode)
264 264
265 old = v9inode->fscache; 265 old = v9inode->fscache;
266 266
267 spin_lock(&v9inode->fscache_lock); 267 mutex_lock(&v9inode->fscache_lock);
268 fscache_relinquish_cookie(v9inode->fscache, 1); 268 fscache_relinquish_cookie(v9inode->fscache, 1);
269 269
270 v9ses = v9fs_inode2v9ses(inode); 270 v9ses = v9fs_inode2v9ses(inode);
@@ -274,7 +274,7 @@ void v9fs_cache_inode_reset_cookie(struct inode *inode)
274 p9_debug(P9_DEBUG_FSC, "inode %p revalidating cookie old %p new %p\n", 274 p9_debug(P9_DEBUG_FSC, "inode %p revalidating cookie old %p new %p\n",
275 inode, old, v9inode->fscache); 275 inode, old, v9inode->fscache);
276 276
277 spin_unlock(&v9inode->fscache_lock); 277 mutex_unlock(&v9inode->fscache_lock);
278} 278}
279 279
280int __v9fs_fscache_release_page(struct page *page, gfp_t gfp) 280int __v9fs_fscache_release_page(struct page *page, gfp_t gfp)
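Review bot: In `v9fs_cache_inode_reset_cookie()` the snapshot `old = v9inode->fscache;` is still taken before `mutex_lock(&v9inode->fscache_lock)`, so the "old" cookie printed by `p9_debug()` need not be the one passed to `fscache_relinquish_cookie()` if another task changes it in between. Moving the assignment below the lock makes the two agree. The unlocked `if (!v9inode->fscache) return;` test at the top of `v9fs_cache_inode_set_cookie()` has the same shape. Since the lock may now sleep, a short comment at the first `mutex_lock()` call, `/* may sleep: process context only */`, would record the new calling constraint. Both functions start above their hunks.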
diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
index 0923f2cf3c80..6877050384a1 100644
--- a/fs/9p/v9fs.h
+++ b/fs/9p/v9fs.h
@@ -123,7 +123,7 @@ struct v9fs_session_info {
123 123
124struct v9fs_inode { 124struct v9fs_inode {
125#ifdef CONFIG_9P_FSCACHE 125#ifdef CONFIG_9P_FSCACHE
126 spinlock_t fscache_lock; 126 struct mutex fscache_lock;
127 struct fscache_cookie *fscache; 127 struct fscache_cookie *fscache;
128#endif 128#endif
129 struct p9_qid qid; 129 struct p9_qid qid;
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index c7cc7c30f0c8..3a08b3e6ff1d 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -244,7 +244,7 @@ struct inode *v9fs_alloc_inode(struct super_block *sb)
244 return NULL; 244 return NULL;
245#ifdef CONFIG_9P_FSCACHE 245#ifdef CONFIG_9P_FSCACHE
246 v9inode->fscache = NULL; 246 v9inode->fscache = NULL;
247 spin_lock_init(&v9inode->fscache_lock); 247 mutex_init(&v9inode->fscache_lock);
248#endif 248#endif
249 v9inode->writeback_fid = NULL; 249 v9inode->writeback_fid = NULL;
250 v9inode->cache_validity = 0; 250 v9inode->cache_validity = 0;
diff --git a/fs/adfs/adfs.h b/fs/adfs/adfs.h
index 24575d9d882d..ea4aba56f29d 100644
--- a/fs/adfs/adfs.h
+++ b/fs/adfs/adfs.h
@@ -45,7 +45,7 @@ struct adfs_dir_ops;
45struct adfs_sb_info { 45struct adfs_sb_info {
46 union { struct { 46 union { struct {
47 struct adfs_discmap *s_map; /* bh list containing map */ 47 struct adfs_discmap *s_map; /* bh list containing map */
48 struct adfs_dir_ops *s_dir; /* directory operations */ 48 const struct adfs_dir_ops *s_dir; /* directory operations */
49 }; 49 };
50 struct rcu_head rcu; /* used only at shutdown time */ 50 struct rcu_head rcu; /* used only at shutdown time */
51 }; 51 };
@@ -168,8 +168,8 @@ void __adfs_error(struct super_block *sb, const char *function,
168extern const struct inode_operations adfs_dir_inode_operations; 168extern const struct inode_operations adfs_dir_inode_operations;
169extern const struct file_operations adfs_dir_operations; 169extern const struct file_operations adfs_dir_operations;
170extern const struct dentry_operations adfs_dentry_operations; 170extern const struct dentry_operations adfs_dentry_operations;
171extern struct adfs_dir_ops adfs_f_dir_ops; 171extern const struct adfs_dir_ops adfs_f_dir_ops;
172extern struct adfs_dir_ops adfs_fplus_dir_ops; 172extern const struct adfs_dir_ops adfs_fplus_dir_ops;
173 173
174extern int adfs_dir_update(struct super_block *sb, struct object_info *obj, 174extern int adfs_dir_update(struct super_block *sb, struct object_info *obj,
175 int wait); 175 int wait);
diff --git a/fs/adfs/dir.c b/fs/adfs/dir.c
index 51c279a29845..fd4cf2c48e48 100644
--- a/fs/adfs/dir.c
+++ b/fs/adfs/dir.c
@@ -21,7 +21,7 @@ adfs_readdir(struct file *file, struct dir_context *ctx)
21{ 21{
22 struct inode *inode = file_inode(file); 22 struct inode *inode = file_inode(file);
23 struct super_block *sb = inode->i_sb; 23 struct super_block *sb = inode->i_sb;
24 struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir; 24 const struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir;
25 struct object_info obj; 25 struct object_info obj;
26 struct adfs_dir dir; 26 struct adfs_dir dir;
27 int ret = 0; 27 int ret = 0;
@@ -69,7 +69,7 @@ adfs_dir_update(struct super_block *sb, struct object_info *obj, int wait)
69{ 69{
70 int ret = -EINVAL; 70 int ret = -EINVAL;
71#ifdef CONFIG_ADFS_FS_RW 71#ifdef CONFIG_ADFS_FS_RW
72 struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir; 72 const struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir;
73 struct adfs_dir dir; 73 struct adfs_dir dir;
74 74
75 printk(KERN_INFO "adfs_dir_update: object %06X in dir %06X\n", 75 printk(KERN_INFO "adfs_dir_update: object %06X in dir %06X\n",
@@ -129,7 +129,7 @@ static int
129adfs_dir_lookup_byname(struct inode *inode, struct qstr *name, struct object_info *obj) 129adfs_dir_lookup_byname(struct inode *inode, struct qstr *name, struct object_info *obj)
130{ 130{
131 struct super_block *sb = inode->i_sb; 131 struct super_block *sb = inode->i_sb;
132 struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir; 132 const struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir;
133 struct adfs_dir dir; 133 struct adfs_dir dir;
134 int ret; 134 int ret;
135 135
diff --git a/fs/adfs/dir_f.c b/fs/adfs/dir_f.c
index 4bbe853ee50a..0fbfd0b04ae0 100644
--- a/fs/adfs/dir_f.c
+++ b/fs/adfs/dir_f.c
@@ -476,7 +476,7 @@ adfs_f_free(struct adfs_dir *dir)
476 dir->sb = NULL; 476 dir->sb = NULL;
477} 477}
478 478
479struct adfs_dir_ops adfs_f_dir_ops = { 479const struct adfs_dir_ops adfs_f_dir_ops = {
480 .read = adfs_f_read, 480 .read = adfs_f_read,
481 .setpos = adfs_f_setpos, 481 .setpos = adfs_f_setpos,
482 .getnext = adfs_f_getnext, 482 .getnext = adfs_f_getnext,
diff --git a/fs/adfs/dir_fplus.c b/fs/adfs/dir_fplus.c
index 82d14cdf70f9..c92cfb638c18 100644
--- a/fs/adfs/dir_fplus.c
+++ b/fs/adfs/dir_fplus.c
@@ -256,7 +256,7 @@ adfs_fplus_free(struct adfs_dir *dir)
256 dir->sb = NULL; 256 dir->sb = NULL;
257} 257}
258 258
259struct adfs_dir_ops adfs_fplus_dir_ops = { 259const struct adfs_dir_ops adfs_fplus_dir_ops = {
260 .read = adfs_fplus_read, 260 .read = adfs_fplus_read,
261 .setpos = adfs_fplus_setpos, 261 .setpos = adfs_fplus_setpos,
262 .getnext = adfs_fplus_getnext, 262 .getnext = adfs_fplus_getnext,
diff --git a/fs/affs/affs.h b/fs/affs/affs.h
index c69a87eaf57d..cc2b2efc9211 100644
--- a/fs/affs/affs.h
+++ b/fs/affs/affs.h
@@ -138,7 +138,7 @@ extern int affs_remove_hash(struct inode *dir, struct buffer_head *rem_bh);
138extern int affs_remove_header(struct dentry *dentry); 138extern int affs_remove_header(struct dentry *dentry);
139extern u32 affs_checksum_block(struct super_block *sb, struct buffer_head *bh); 139extern u32 affs_checksum_block(struct super_block *sb, struct buffer_head *bh);
140extern void affs_fix_checksum(struct super_block *sb, struct buffer_head *bh); 140extern void affs_fix_checksum(struct super_block *sb, struct buffer_head *bh);
141extern void secs_to_datestamp(time_t secs, struct affs_date *ds); 141extern void secs_to_datestamp(time64_t secs, struct affs_date *ds);
142extern umode_t prot_to_mode(u32 prot); 142extern umode_t prot_to_mode(u32 prot);
143extern void mode_to_prot(struct inode *inode); 143extern void mode_to_prot(struct inode *inode);
144__printf(3, 4) 144__printf(3, 4)
diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c
index 5fa92bc790ef..d6c7a51c93e4 100644
--- a/fs/affs/amigaffs.c
+++ b/fs/affs/amigaffs.c
@@ -8,6 +8,7 @@
8 * Please send bug reports to: hjw@zvw.de 8 * Please send bug reports to: hjw@zvw.de
9 */ 9 */
10 10
11#include <linux/math64.h>
11#include "affs.h" 12#include "affs.h"
12 13
13/* 14/*
@@ -366,22 +367,22 @@ affs_fix_checksum(struct super_block *sb, struct buffer_head *bh)
366} 367}
367 368
368void 369void
369secs_to_datestamp(time_t secs, struct affs_date *ds) 370secs_to_datestamp(time64_t secs, struct affs_date *ds)
370{ 371{
371 u32 days; 372 u32 days;
372 u32 minute; 373 u32 minute;
374 s32 rem;
373 375
374 secs -= sys_tz.tz_minuteswest * 60 + ((8 * 365 + 2) * 24 * 60 * 60); 376 secs -= sys_tz.tz_minuteswest * 60 + ((8 * 365 + 2) * 24 * 60 * 60);
375 if (secs < 0) 377 if (secs < 0)
376 secs = 0; 378 secs = 0;
377 days = secs / 86400; 379 days = div_s64_rem(secs, 86400, &rem);
378 secs -= days * 86400; 380 minute = rem / 60;
379 minute = secs / 60; 381 rem -= minute * 60;
380 secs -= minute * 60;
381 382
382 ds->days = cpu_to_be32(days); 383 ds->days = cpu_to_be32(days);
383 ds->mins = cpu_to_be32(minute); 384 ds->mins = cpu_to_be32(minute);
384 ds->ticks = cpu_to_be32(secs * 50); 385 ds->ticks = cpu_to_be32(rem * 50);
385} 386}
386 387
387umode_t 388umode_t
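Review bot: `secs_to_datestamp()` clamps the low end with `if (secs < 0) secs = 0;`, but the 64-bit quotient of `div_s64_rem()` is stored in `u32 days` with no upper check, so widening the parameter to `time64_t` moves the silent truncation to the assignment rather than removing it. The values needed to trigger it are far beyond any realistic timestamp, so a comment stating the accepted range is probably enough; otherwise clamp `secs` before dividing. The offset `(8 * 365 + 2) * 24 * 60 * 60` and the factor in `rem * 50` would also benefit from a comment, e.g. `/* seconds from 1970-01-01 to the AFFS epoch, 1978-01-01 */` and `/* 50 ticks per second */`.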
diff --git a/fs/affs/super.c b/fs/affs/super.c
index 5b50c4ca43a7..8836df5f1e11 100644
--- a/fs/affs/super.c
+++ b/fs/affs/super.c
@@ -32,7 +32,7 @@ affs_commit_super(struct super_block *sb, int wait)
32 struct affs_root_tail *tail = AFFS_ROOT_TAIL(sb, bh); 32 struct affs_root_tail *tail = AFFS_ROOT_TAIL(sb, bh);
33 33
34 lock_buffer(bh); 34 lock_buffer(bh);
35 secs_to_datestamp(get_seconds(), &tail->disk_change); 35 secs_to_datestamp(ktime_get_real_seconds(), &tail->disk_change);
36 affs_fix_checksum(sb, bh); 36 affs_fix_checksum(sb, bh);
37 unlock_buffer(bh); 37 unlock_buffer(bh);
38 38
diff --git a/fs/afs/proc.c b/fs/afs/proc.c
index 24a905b076fd..2853b4095344 100644
--- a/fs/afs/proc.c
+++ b/fs/afs/proc.c
@@ -230,14 +230,9 @@ static ssize_t afs_proc_cells_write(struct file *file, const char __user *buf,
230 if (size <= 1 || size >= PAGE_SIZE) 230 if (size <= 1 || size >= PAGE_SIZE)
231 return -EINVAL; 231 return -EINVAL;
232 232
233 kbuf = kmalloc(size + 1, GFP_KERNEL); 233 kbuf = memdup_user_nul(buf, size);
234 if (!kbuf) 234 if (IS_ERR(kbuf))
235 return -ENOMEM; 235 return PTR_ERR(kbuf);
236
237 ret = -EFAULT;
238 if (copy_from_user(kbuf, buf, size) != 0)
239 goto done;
240 kbuf[size] = 0;
241 236
242 /* trim to first NL */ 237 /* trim to first NL */
243 name = memchr(kbuf, '\n', size); 238 name = memchr(kbuf, '\n', size);
@@ -315,15 +310,9 @@ static ssize_t afs_proc_rootcell_write(struct file *file,
315 if (size <= 1 || size >= PAGE_SIZE) 310 if (size <= 1 || size >= PAGE_SIZE)
316 return -EINVAL; 311 return -EINVAL;
317 312
318 ret = -ENOMEM; 313 kbuf = memdup_user_nul(buf, size);
319 kbuf = kmalloc(size + 1, GFP_KERNEL); 314 if (IS_ERR(kbuf))
320 if (!kbuf) 315 return PTR_ERR(kbuf);
321 goto nomem;
322
323 ret = -EFAULT;
324 if (copy_from_user(kbuf, buf, size) != 0)
325 goto infault;
326 kbuf[size] = 0;
327 316
328 /* trim to first NL */ 317 /* trim to first NL */
329 s = memchr(kbuf, '\n', size); 318 s = memchr(kbuf, '\n', size);
@@ -337,9 +326,7 @@ static ssize_t afs_proc_rootcell_write(struct file *file,
337 if (ret >= 0) 326 if (ret >= 0)
338 ret = size; /* consume everything, always */ 327 ret = size; /* consume everything, always */
339 328
340infault:
341 kfree(kbuf); 329 kfree(kbuf);
342nomem:
343 _leave(" = %d", ret); 330 _leave(" = %d", ret);
344 return ret; 331 return ret;
345} 332}
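Review bot: In `afs_proc_rootcell_write()` the new `return PTR_ERR(kbuf);` exits without passing the `_leave(" = %d", ret);` trace that both removed paths (`goto nomem` and `goto infault`) used to reach, so allocation and copy failures no longer appear in the exit trace. If the trace is wanted on every exit, set `ret = PTR_ERR(kbuf);` and jump to a label placed just before `_leave()` instead of returning directly. The guard `size <= 1 || size >= PAGE_SIZE` above the call already bounds the allocation, so no extra length check is needed. Both functions begin above their hunks, and whether `afs_proc_cells_write()` has a matching trace at its `done` label is not visible here.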
diff --git a/fs/bad_inode.c b/fs/bad_inode.c
index 861b1e1c4777..103f5d7c3083 100644
--- a/fs/bad_inode.c
+++ b/fs/bad_inode.c
@@ -192,7 +192,7 @@ EXPORT_SYMBOL(make_bad_inode);
192 * Returns true if the inode in question has been marked as bad. 192 * Returns true if the inode in question has been marked as bad.
193 */ 193 */
194 194
195int is_bad_inode(struct inode *inode) 195bool is_bad_inode(struct inode *inode)
196{ 196{
197 return (inode->i_op == &bad_inode_ops); 197 return (inode->i_op == &bad_inode_ops);
198} 198}
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 44d4a1e9244e..01b8e0d4b4ff 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1042,12 +1042,9 @@ EXPORT_SYMBOL_GPL(bd_unlink_disk_holder);
1042static void flush_disk(struct block_device *bdev, bool kill_dirty) 1042static void flush_disk(struct block_device *bdev, bool kill_dirty)
1043{ 1043{
1044 if (__invalidate_device(bdev, kill_dirty)) { 1044 if (__invalidate_device(bdev, kill_dirty)) {
1045 char name[BDEVNAME_SIZE] = "";
1046
1047 if (bdev->bd_disk)
1048 disk_name(bdev->bd_disk, 0, name);
1049 printk(KERN_WARNING "VFS: busy inodes on changed media or " 1045 printk(KERN_WARNING "VFS: busy inodes on changed media or "
1050 "resized disk %s\n", name); 1046 "resized disk %s\n",
1047 bdev->bd_disk ? bdev->bd_disk->disk_name : "");
1051 } 1048 }
1052 1049
1053 if (!bdev->bd_disk) 1050 if (!bdev->bd_disk)
@@ -1071,12 +1068,9 @@ void check_disk_size_change(struct gendisk *disk, struct block_device *bdev)
1071 disk_size = (loff_t)get_capacity(disk) << 9; 1068 disk_size = (loff_t)get_capacity(disk) << 9;
1072 bdev_size = i_size_read(bdev->bd_inode); 1069 bdev_size = i_size_read(bdev->bd_inode);
1073 if (disk_size != bdev_size) { 1070 if (disk_size != bdev_size) {
1074 char name[BDEVNAME_SIZE];
1075
1076 disk_name(disk, 0, name);
1077 printk(KERN_INFO 1071 printk(KERN_INFO
1078 "%s: detected capacity change from %lld to %lld\n", 1072 "%s: detected capacity change from %lld to %lld\n",
1079 name, bdev_size, disk_size); 1073 disk->disk_name, bdev_size, disk_size);
1080 i_size_write(bdev->bd_inode, disk_size); 1074 i_size_write(bdev->bd_inode, disk_size);
1081 flush_disk(bdev, false); 1075 flush_disk(bdev, false);
1082 } 1076 }
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 24154e422945..a0434c179ea9 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1514,9 +1514,7 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags,
1514 if ((flags ^ s->s_flags) & MS_RDONLY) 1514 if ((flags ^ s->s_flags) & MS_RDONLY)
1515 error = -EBUSY; 1515 error = -EBUSY;
1516 } else { 1516 } else {
1517 char b[BDEVNAME_SIZE]; 1517 snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev);
1518
1519 strlcpy(s->s_id, bdevname(bdev, b), sizeof(s->s_id));
1520 btrfs_sb(s)->bdev_holder = fs_type; 1518 btrfs_sb(s)->bdev_holder = fs_type;
1521 error = btrfs_fill_super(s, fs_devices, data, 1519 error = btrfs_fill_super(s, fs_devices, data,
1522 flags & MS_SILENT ? 1 : 0); 1520 flags & MS_SILENT ? 1 : 0);
diff --git a/fs/buffer.c b/fs/buffer.c
index 4f4cd959da7c..e1632abb4ca9 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -134,13 +134,10 @@ __clear_page_buffers(struct page *page)
134 134
135static void buffer_io_error(struct buffer_head *bh, char *msg) 135static void buffer_io_error(struct buffer_head *bh, char *msg)
136{ 136{
137 char b[BDEVNAME_SIZE];
138
139 if (!test_bit(BH_Quiet, &bh->b_state)) 137 if (!test_bit(BH_Quiet, &bh->b_state))
140 printk_ratelimited(KERN_ERR 138 printk_ratelimited(KERN_ERR
141 "Buffer I/O error on dev %s, logical block %llu%s\n", 139 "Buffer I/O error on dev %pg, logical block %llu%s\n",
142 bdevname(bh->b_bdev, b), 140 bh->b_bdev, (unsigned long long)bh->b_blocknr, msg);
143 (unsigned long long)bh->b_blocknr, msg);
144} 141}
145 142
146/* 143/*
@@ -237,15 +234,13 @@ __find_get_block_slow(struct block_device *bdev, sector_t block)
237 * elsewhere, don't buffer_error if we had some unmapped buffers 234 * elsewhere, don't buffer_error if we had some unmapped buffers
238 */ 235 */
239 if (all_mapped) { 236 if (all_mapped) {
240 char b[BDEVNAME_SIZE];
241
242 printk("__find_get_block_slow() failed. " 237 printk("__find_get_block_slow() failed. "
243 "block=%llu, b_blocknr=%llu\n", 238 "block=%llu, b_blocknr=%llu\n",
244 (unsigned long long)block, 239 (unsigned long long)block,
245 (unsigned long long)bh->b_blocknr); 240 (unsigned long long)bh->b_blocknr);
246 printk("b_state=0x%08lx, b_size=%zu\n", 241 printk("b_state=0x%08lx, b_size=%zu\n",
247 bh->b_state, bh->b_size); 242 bh->b_state, bh->b_size);
248 printk("device %s blocksize: %d\n", bdevname(bdev, b), 243 printk("device %pg blocksize: %d\n", bdev,
249 1 << bd_inode->i_blkbits); 244 1 << bd_inode->i_blkbits);
250 } 245 }
251out_unlock: 246out_unlock:
@@ -531,10 +526,8 @@ repeat:
531 526
532static void do_thaw_one(struct super_block *sb, void *unused) 527static void do_thaw_one(struct super_block *sb, void *unused)
533{ 528{
534 char b[BDEVNAME_SIZE];
535 while (sb->s_bdev && !thaw_bdev(sb->s_bdev, sb)) 529 while (sb->s_bdev && !thaw_bdev(sb->s_bdev, sb))
536 printk(KERN_WARNING "Emergency Thaw on %s\n", 530 printk(KERN_WARNING "Emergency Thaw on %pg\n", sb->s_bdev);
537 bdevname(sb->s_bdev, b));
538} 531}
539 532
540static void do_thaw_all(struct work_struct *work) 533static void do_thaw_all(struct work_struct *work)
@@ -1074,12 +1067,10 @@ grow_buffers(struct block_device *bdev, sector_t block, int size, gfp_t gfp)
1074 * pagecache index. (this comparison is done using sector_t types). 1067 * pagecache index. (this comparison is done using sector_t types).
1075 */ 1068 */
1076 if (unlikely(index != block >> sizebits)) { 1069 if (unlikely(index != block >> sizebits)) {
1077 char b[BDEVNAME_SIZE];
1078
1079 printk(KERN_ERR "%s: requested out-of-range block %llu for " 1070 printk(KERN_ERR "%s: requested out-of-range block %llu for "
1080 "device %s\n", 1071 "device %pg\n",
1081 __func__, (unsigned long long)block, 1072 __func__, (unsigned long long)block,
1082 bdevname(bdev, b)); 1073 bdev);
1083 return -EIO; 1074 return -EIO;
1084 } 1075 }
1085 1076
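--- a/fs/cachefiles/daemon.c
+++ b/fs/cachefiles/daemon.c
@@ -226,15 +226,9 @@ static ssize_t cachefiles_daemon_write(struct file *file,
  return -EOPNOTSUPP;
 
  /* drag the command string into the kernel so we can parse it */
- data = kmalloc(datalen + 1, GFP_KERNEL);
- if (!data)
- return -ENOMEM;
-
- ret = -EFAULT;
- if (copy_from_user(data, _data, datalen) != 0)
- goto error;
-
- data[datalen] = '\0';
+ data = memdup_user_nul(_data, datalen);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  ret = -EINVAL;
  if (memchr(data, '\0', datalen))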
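--- a/fs/compat.c
+++ b/fs/compat.c
@@ -792,7 +792,7 @@ COMPAT_SYSCALL_DEFINE5(mount, const char __user *, dev_name,
  const void __user *, data)
 {
  char *kernel_type;
- unsigned long data_page;
+ void *options;
  char *kernel_dev;
  int retval;
 
@@ -806,26 +806,25 @@ COMPAT_SYSCALL_DEFINE5(mount, const char __user *, dev_name,
  if (IS_ERR(kernel_dev))
  goto out1;
 
- retval = copy_mount_options(data, &data_page);
- if (retval < 0)
+ options = copy_mount_options(data);
+ retval = PTR_ERR(options);
+ if (IS_ERR(options))
  goto out2;
 
- retval = -EINVAL;
-
- if (kernel_type && data_page) {
+ if (kernel_type && options) {
  if (!strcmp(kernel_type, NCPFS_NAME)) {
- do_ncp_super_data_conv((void *)data_page);
+ do_ncp_super_data_conv(options);
  } else if (!strcmp(kernel_type, NFS4_NAME)) {
- if (do_nfs4_super_data_conv((void *) data_page))
+ retval = -EINVAL;
+ if (do_nfs4_super_data_conv(options))
  goto out3;
  }
  }
 
- retval = do_mount(kernel_dev, dir_name, kernel_type,
- flags, (void*)data_page);
+ retval = do_mount(kernel_dev, dir_name, kernel_type, flags, options);
 
  out3:
- free_page(data_page);
+ kfree(options);
  out2:
  kfree(kernel_dev);
  out1: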
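Review bot: `do_ncp_super_data_conv(options)` and `do_nfs4_super_data_conv(options)` take the buffer with no length, so they rely on copy_mount_options() still returning a page-sized allocation now that it comes back as a pointer and is released with `kfree()`. The allocation itself is not in this section (this page shows only the prototype change in fs/internal.h), so that size should be confirmed against the new copy_mount_options(). A comment above the conversion block, e.g. `/* options: PAGE_SIZE buffer from copy_mount_options(), converted in place */`, would record the assumption, if it holds. The syscall body starts and ends outside the hunks.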
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index 647ee0b03dc0..a5b8eb69a8f4 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -1305,12 +1305,6 @@ COMPATIBLE_IOCTL(PCIIOC_CONTROLLER)
1305COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_IO) 1305COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_IO)
1306COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_MEM) 1306COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_MEM)
1307COMPATIBLE_IOCTL(PCIIOC_WRITE_COMBINE) 1307COMPATIBLE_IOCTL(PCIIOC_WRITE_COMBINE)
1308/* NBD */
1309COMPATIBLE_IOCTL(NBD_DO_IT)
1310COMPATIBLE_IOCTL(NBD_CLEAR_SOCK)
1311COMPATIBLE_IOCTL(NBD_CLEAR_QUE)
1312COMPATIBLE_IOCTL(NBD_PRINT_DEBUG)
1313COMPATIBLE_IOCTL(NBD_DISCONNECT)
1314/* i2c */ 1308/* i2c */
1315COMPATIBLE_IOCTL(I2C_SLAVE) 1309COMPATIBLE_IOCTL(I2C_SLAVE)
1316COMPATIBLE_IOCTL(I2C_SLAVE_FORCE) 1310COMPATIBLE_IOCTL(I2C_SLAVE_FORCE)
@@ -1529,11 +1523,6 @@ static long do_ioctl_trans(unsigned int cmd,
1529 case KDSKBMETA: 1523 case KDSKBMETA:
1530 case KDSKBLED: 1524 case KDSKBLED:
1531 case KDSETLED: 1525 case KDSETLED:
1532 /* NBD */
1533 case NBD_SET_SOCK:
1534 case NBD_SET_BLKSIZE:
1535 case NBD_SET_SIZE:
1536 case NBD_SET_SIZE_BLOCKS:
1537 return vfs_ioctl(file, cmd, arg); 1526 return vfs_ioctl(file, cmd, arg);
1538 } 1527 }
1539 1528
diff --git a/fs/coredump.c b/fs/coredump.c
index 1777331eee76..b3c153ca435d 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -32,6 +32,7 @@
32#include <linux/pipe_fs_i.h> 32#include <linux/pipe_fs_i.h>
33#include <linux/oom.h> 33#include <linux/oom.h>
34#include <linux/compat.h> 34#include <linux/compat.h>
35#include <linux/timekeeping.h>
35 36
36#include <asm/uaccess.h> 37#include <asm/uaccess.h>
37#include <asm/mmu_context.h> 38#include <asm/mmu_context.h>
@@ -232,9 +233,10 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm)
232 break; 233 break;
233 /* UNIX time of coredump */ 234 /* UNIX time of coredump */
234 case 't': { 235 case 't': {
235 struct timeval tv; 236 time64_t time;
236 do_gettimeofday(&tv); 237
237 err = cn_printf(cn, "%lu", tv.tv_sec); 238 time = ktime_get_real_seconds();
239 err = cn_printf(cn, "%lld", time);
238 break; 240 break;
239 } 241 }
240 /* hostname */ 242 /* hostname */
diff --git a/fs/dcache.c b/fs/dcache.c
index d27f0909d9f6..8d38cd07b207 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3303,18 +3303,18 @@ out:
3303 * @new_dentry: new dentry 3303 * @new_dentry: new dentry
3304 * @old_dentry: old dentry 3304 * @old_dentry: old dentry
3305 * 3305 *
3306 * Returns 1 if new_dentry is a subdirectory of the parent (at any depth). 3306 * Returns true if new_dentry is a subdirectory of the parent (at any depth).
3307 * Returns 0 otherwise. 3307 * Returns false otherwise.
3308 * Caller must ensure that "new_dentry" is pinned before calling is_subdir() 3308 * Caller must ensure that "new_dentry" is pinned before calling is_subdir()
3309 */ 3309 */
3310 3310
3311int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry) 3311bool is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
3312{ 3312{
3313 int result; 3313 bool result;
3314 unsigned seq; 3314 unsigned seq;
3315 3315
3316 if (new_dentry == old_dentry) 3316 if (new_dentry == old_dentry)
3317 return 1; 3317 return true;
3318 3318
3319 do { 3319 do {
3320 /* for restarting inner loop in case of seq retry */ 3320 /* for restarting inner loop in case of seq retry */
@@ -3325,9 +3325,9 @@ int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
3325 */ 3325 */
3326 rcu_read_lock(); 3326 rcu_read_lock();
3327 if (d_ancestor(old_dentry, new_dentry)) 3327 if (d_ancestor(old_dentry, new_dentry))
3328 result = 1; 3328 result = true;
3329 else 3329 else
3330 result = 0; 3330 result = false;
3331 rcu_read_unlock(); 3331 rcu_read_unlock();
3332 } while (read_seqretry(&rename_lock, seq)); 3332 } while (read_seqretry(&rename_lock, seq));
3333 3333
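--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -515,14 +515,9 @@ static ssize_t device_write(struct file *file, const char __user *buf,
  if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
  return -EINVAL;
 
- kbuf = kzalloc(count + 1, GFP_NOFS);
- if (!kbuf)
- return -ENOMEM;
-
- if (copy_from_user(kbuf, buf, count)) {
- error = -EFAULT;
- goto out_free;
- }
+ kbuf = memdup_user_nul(buf, count);
+ if (!IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
 
  if (check_version(kbuf)) {
  error = -EBADE;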
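Review bot: The check after `memdup_user_nul()` in device_write is inverted: `if (!IS_ERR(kbuf)) return PTR_ERR(kbuf);` returns on every successful copy, leaking the buffer and passing the pointer value back as the result of the write, and on a failed copy it falls through to `check_version(kbuf)` with an error pointer. It should read `if (IS_ERR(kbuf)) return PTR_ERR(kbuf);`, as the same conversion in fs/cachefiles/daemon.c on this page does. The rest of device_write, including the `out_free` path, lies outside the hunk.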
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index a4dddc61594c..040aa879d634 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -282,9 +282,7 @@ ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry,
282 if (rc) { 282 if (rc) {
283 ecryptfs_do_unlink(directory_inode, ecryptfs_dentry, 283 ecryptfs_do_unlink(directory_inode, ecryptfs_dentry,
284 ecryptfs_inode); 284 ecryptfs_inode);
285 make_bad_inode(ecryptfs_inode); 285 iget_failed(ecryptfs_inode);
286 unlock_new_inode(ecryptfs_inode);
287 iput(ecryptfs_inode);
288 goto out; 286 goto out;
289 } 287 }
290 unlock_new_inode(ecryptfs_inode); 288 unlock_new_inode(ecryptfs_inode);
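--- a/fs/exec.c
+++ b/fs/exec.c
@@ -119,7 +119,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
  int error = PTR_ERR(tmp);
  static const struct open_flags uselib_flags = {
  .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
- .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
+ .acc_mode = MAY_READ | MAY_EXEC,
  .intent = LOOKUP_OPEN,
  .lookup_flags = LOOKUP_FOLLOW,
  };
@@ -763,7 +763,7 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
  int err;
  struct open_flags open_exec_flags = {
  .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
- .acc_mode = MAY_EXEC | MAY_OPEN,
+ .acc_mode = MAY_EXEC,
  .intent = LOOKUP_OPEN,
  .lookup_flags = LOOKUP_FOLLOW,
  };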
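Review bot: Removing `MAY_OPEN` from `.acc_mode` in `uselib_flags` and `open_exec_flags` is only safe if the open path now adds it back before the permission check, and that counterpart is not in this section. Filesystem ->permission() methods and security hooks use `MAY_OPEN` to tell an open from a plain access check, so an exec or uselib open that reached them without it would be evaluated differently. A comment beside both initialisers, such as `/* MAY_OPEN is supplied by the open path, not by callers */`, would keep later users of `struct open_flags` from re-adding or depending on it; the wording should be checked against where the flag ended up.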
diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
index cd95d14f9cc2..f57a7aba32eb 100644
--- a/fs/ext2/xattr.c
+++ b/fs/ext2/xattr.c
@@ -77,10 +77,8 @@
77 printk("\n"); \ 77 printk("\n"); \
78 } while (0) 78 } while (0)
79# define ea_bdebug(bh, f...) do { \ 79# define ea_bdebug(bh, f...) do { \
80 char b[BDEVNAME_SIZE]; \ 80 printk(KERN_DEBUG "block %pg:%lu: ", \
81 printk(KERN_DEBUG "block %s:%lu: ", \ 81 bh->b_bdev, (unsigned long) bh->b_blocknr); \
82 bdevname(bh->b_bdev, b), \
83 (unsigned long) bh->b_blocknr); \
84 printk(f); \ 82 printk(f); \
85 printk("\n"); \ 83 printk("\n"); \
86 } while (0) 84 } while (0)
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index 17fbe3882b8e..090b3498638e 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -52,9 +52,8 @@ void ext4_exit_pageio(void)
52 */ 52 */
53static void buffer_io_error(struct buffer_head *bh) 53static void buffer_io_error(struct buffer_head *bh)
54{ 54{
55 char b[BDEVNAME_SIZE]; 55 printk_ratelimited(KERN_ERR "Buffer I/O error on device %pg, logical block %llu\n",
56 printk_ratelimited(KERN_ERR "Buffer I/O error on device %s, logical block %llu\n", 56 bh->b_bdev,
57 bdevname(bh->b_bdev, b),
58 (unsigned long long)bh->b_blocknr); 57 (unsigned long long)bh->b_blocknr);
59} 58}
60 59
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index e9b9afdd1d96..a95151e875bd 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -68,10 +68,8 @@
68 printk("\n"); \ 68 printk("\n"); \
69 } while (0) 69 } while (0)
70# define ea_bdebug(bh, f...) do { \ 70# define ea_bdebug(bh, f...) do { \
71 char b[BDEVNAME_SIZE]; \ 71 printk(KERN_DEBUG "block %pg:%lu: ", \
72 printk(KERN_DEBUG "block %s:%lu: ", \ 72 bh->b_bdev, (unsigned long) bh->b_blocknr); \
73 bdevname(bh->b_bdev, b), \
74 (unsigned long) bh->b_blocknr); \
75 printk(f); \ 73 printk(f); \
76 printk("\n"); \ 74 printk("\n"); \
77 } while (0) 75 } while (0)
diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
index 478e5d54154f..ad1b18a7705b 100644
--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -211,12 +211,10 @@ static int stat_show(struct seq_file *s, void *v)
211 211
212 mutex_lock(&f2fs_stat_mutex); 212 mutex_lock(&f2fs_stat_mutex);
213 list_for_each_entry(si, &f2fs_stat_list, stat_list) { 213 list_for_each_entry(si, &f2fs_stat_list, stat_list) {
214 char devname[BDEVNAME_SIZE];
215
216 update_general_status(si->sbi); 214 update_general_status(si->sbi);
217 215
218 seq_printf(s, "\n=====[ partition info(%s). #%d ]=====\n", 216 seq_printf(s, "\n=====[ partition info(%pg). #%d ]=====\n",
219 bdevname(si->sbi->sb->s_bdev, devname), i++); 217 si->sbi->sb->s_bdev, i++);
220 seq_printf(s, "[SB: 1] [CP: 2] [SIT: %d] [NAT: %d] ", 218 seq_printf(s, "[SB: 1] [CP: 2] [SIT: %d] [NAT: %d] ",
221 si->sit_area_segs, si->nat_area_segs); 219 si->sit_area_segs, si->nat_area_segs);
222 seq_printf(s, "[SSA: %d] [MAIN: %d", 220 seq_printf(s, "[SSA: %d] [MAIN: %d",
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 9db5500d63d9..ec6067c33a3f 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1602,13 +1602,11 @@ static inline bool is_dot_dotdot(const struct qstr *str)
1602 1602
1603static inline bool f2fs_may_extent_tree(struct inode *inode) 1603static inline bool f2fs_may_extent_tree(struct inode *inode)
1604{ 1604{
1605 mode_t mode = inode->i_mode;
1606
1607 if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) || 1605 if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) ||
1608 is_inode_flag_set(F2FS_I(inode), FI_NO_EXTENT)) 1606 is_inode_flag_set(F2FS_I(inode), FI_NO_EXTENT))
1609 return false; 1607 return false;
1610 1608
1611 return S_ISREG(mode); 1609 return S_ISREG(inode->i_mode);
1612} 1610}
1613 1611
1614static inline void *f2fs_kvmalloc(size_t size, gfp_t flags) 1612static inline void *f2fs_kvmalloc(size_t size, gfp_t flags)
@@ -2121,7 +2119,7 @@ static inline int f2fs_sb_has_crypto(struct super_block *sb)
2121static inline bool f2fs_may_encrypt(struct inode *inode) 2119static inline bool f2fs_may_encrypt(struct inode *inode)
2122{ 2120{
2123#ifdef CONFIG_F2FS_FS_ENCRYPTION 2121#ifdef CONFIG_F2FS_FS_ENCRYPTION
2124 mode_t mode = inode->i_mode; 2122 umode_t mode = inode->i_mode;
2125 2123
2126 return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)); 2124 return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode));
2127#else 2125#else
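--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -51,7 +51,8 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
  if (arg & O_NDELAY)
  arg |= O_NONBLOCK;
 
- if (arg & O_DIRECT) {
+ /* Pipe packetized mode is controlled by O_DIRECT flag */
+ if (!S_ISFIFO(filp->f_inode->i_mode) && (arg & O_DIRECT)) {
  if (!filp->f_mapping || !filp->f_mapping->a_ops ||
  !filp->f_mapping->a_ops->direct_IO)
  return -EINVAL;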
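Review bot: The new condition in setfl reads `filp->f_inode->i_mode` directly where VFS code normally goes through the `file_inode()` accessor; `if (!S_ISFIFO(file_inode(filp)->i_mode) && (arg & O_DIRECT)) {` would be the consistent spelling. The comment could also say what the test does, e.g. `/* Pipes use O_DIRECT for packet mode, so the ->direct_IO check does not apply to them */`, since the current wording does not explain why FIFOs bypass the `-EINVAL` path. setfl begins and ends outside the hunk.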
diff --git a/fs/file.c b/fs/file.c
index 39f8f15921da..1aed0add16a2 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -25,9 +25,9 @@
25 25
26int sysctl_nr_open __read_mostly = 1024*1024; 26int sysctl_nr_open __read_mostly = 1024*1024;
27int sysctl_nr_open_min = BITS_PER_LONG; 27int sysctl_nr_open_min = BITS_PER_LONG;
28/* our max() is unusable in constant expressions ;-/ */ 28/* our min() is unusable in constant expressions ;-/ */
29#define __const_max(x, y) ((x) < (y) ? (x) : (y)) 29#define __const_min(x, y) ((x) < (y) ? (x) : (y))
30int sysctl_nr_open_max = __const_max(INT_MAX, ~(size_t)0/sizeof(void *)) & 30int sysctl_nr_open_max = __const_min(INT_MAX, ~(size_t)0/sizeof(void *)) &
31 -BITS_PER_LONG; 31 -BITS_PER_LONG;
32 32
33static void *alloc_fdmem(size_t size) 33static void *alloc_fdmem(size_t size)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index baab99b69d8a..001c66641243 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1315,9 +1315,7 @@ static struct dentry *gfs2_mount(struct file_system_type *fs_type, int flags,
1315 if ((flags ^ s->s_flags) & MS_RDONLY) 1315 if ((flags ^ s->s_flags) & MS_RDONLY)
1316 goto error_super; 1316 goto error_super;
1317 } else { 1317 } else {
1318 char b[BDEVNAME_SIZE]; 1318 snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev);
1319
1320 strlcpy(s->s_id, bdevname(bdev, b), sizeof(s->s_id));
1321 sb_set_blocksize(s, block_size(bdev)); 1319 sb_set_blocksize(s, block_size(bdev));
1322 error = fill_super(s, &args, flags & MS_SILENT ? 1 : 0); 1320 error = fill_super(s, &args, flags & MS_SILENT ? 1 : 0);
1323 if (error) 1321 if (error)
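--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -166,7 +166,7 @@ int hfs_mdb_get(struct super_block *sb)
  pr_warn("continuing without an alternate MDB\n");
  }
 
- HFS_SB(sb)->bitmap = (__be32 *)__get_free_pages(GFP_KERNEL, PAGE_SIZE < 8192 ? 1 : 0);
+ HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
  if (!HFS_SB(sb)->bitmap)
  goto out;
 
@@ -360,7 +360,7 @@ void hfs_mdb_put(struct super_block *sb)
  unload_nls(HFS_SB(sb)->nls_io);
  unload_nls(HFS_SB(sb)->nls_disk);
 
- free_pages((unsigned long)HFS_SB(sb)->bitmap, PAGE_SIZE < 8192 ? 1 : 0);
+ kfree(HFS_SB(sb)->bitmap);
  kfree(HFS_SB(sb));
  sb->s_fs_info = NULL;
 }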
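Review bot: `kmalloc(8192, GFP_KERNEL)` in hfs_mdb_get leaves the bitmap buffer uninitialised, as the page allocation it replaces did; if the code that fills it from disk (outside this hunk) can stop short of 8192 bytes on a small or malformed volume, later bitmap scans would read stale heap contents. `HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);` makes that case deterministic at negligible cost. The literal 8192 also has to stay in step with the read loop, so a named constant would be worth introducing.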
diff --git a/fs/hpfs/map.c b/fs/hpfs/map.c
index a69bbc1e87f8..a136929189f0 100644
--- a/fs/hpfs/map.c
+++ b/fs/hpfs/map.c
@@ -133,7 +133,7 @@ __le32 *hpfs_load_bitmap_directory(struct super_block *s, secno bmp)
133void hpfs_load_hotfix_map(struct super_block *s, struct hpfs_spare_block *spareblock) 133void hpfs_load_hotfix_map(struct super_block *s, struct hpfs_spare_block *spareblock)
134{ 134{
135 struct quad_buffer_head qbh; 135 struct quad_buffer_head qbh;
136 u32 *directory; 136 __le32 *directory;
137 u32 n_hotfixes, n_used_hotfixes; 137 u32 n_hotfixes, n_used_hotfixes;
138 unsigned i; 138 unsigned i;
139 139
diff --git a/fs/internal.h b/fs/internal.h
index e38c08ca437d..b71deeecea17 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -55,7 +55,7 @@ extern int vfs_path_lookup(struct dentry *, struct vfsmount *,
55/* 55/*
56 * namespace.c 56 * namespace.c
57 */ 57 */
58extern int copy_mount_options(const void __user *, unsigned long *); 58extern void *copy_mount_options(const void __user *);
59extern char *copy_mount_string(const void __user *); 59extern char *copy_mount_string(const void __user *);
60 60
61extern struct vfsmount *lookup_mnt(struct path *); 61extern struct vfsmount *lookup_mnt(struct path *);
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index ca181e81c765..081dff087fc0 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -764,13 +764,11 @@ void jbd2_journal_unlock_updates (journal_t *journal)
764 764
765static void warn_dirty_buffer(struct buffer_head *bh) 765static void warn_dirty_buffer(struct buffer_head *bh)
766{ 766{
767 char b[BDEVNAME_SIZE];
768
769 printk(KERN_WARNING 767 printk(KERN_WARNING
770 "JBD2: Spotted dirty metadata buffer (dev = %s, blocknr = %llu). " 768 "JBD2: Spotted dirty metadata buffer (dev = %pg, blocknr = %llu). "
771 "There's a risk of filesystem corruption in case of system " 769 "There's a risk of filesystem corruption in case of system "
772 "crash.\n", 770 "crash.\n",
773 bdevname(bh->b_bdev, b), (unsigned long long)bh->b_blocknr); 771 bh->b_bdev, (unsigned long long)bh->b_blocknr);
774} 772}
775 773
776/* Call t_frozen trigger and copy buffer data into jh->b_frozen_data. */ 774/* Call t_frozen trigger and copy buffer data into jh->b_frozen_data. */
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index a69bdf2a1085..a270cb7ff4e0 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1835,17 +1835,16 @@ static int lbmLogInit(struct jfs_log * log)
1835 for (i = 0; i < LOGPAGES;) { 1835 for (i = 0; i < LOGPAGES;) {
1836 char *buffer; 1836 char *buffer;
1837 uint offset; 1837 uint offset;
1838 struct page *page; 1838 struct page *page = alloc_page(GFP_KERNEL | __GFP_ZERO);
1839 1839
1840 buffer = (char *) get_zeroed_page(GFP_KERNEL); 1840 if (!page)
1841 if (buffer == NULL)
1842 goto error; 1841 goto error;
1843 page = virt_to_page(buffer); 1842 buffer = page_address(page);
1844 for (offset = 0; offset < PAGE_SIZE; offset += LOGPSIZE) { 1843 for (offset = 0; offset < PAGE_SIZE; offset += LOGPSIZE) {
1845 lbuf = kmalloc(sizeof(struct lbuf), GFP_KERNEL); 1844 lbuf = kmalloc(sizeof(struct lbuf), GFP_KERNEL);
1846 if (lbuf == NULL) { 1845 if (lbuf == NULL) {
1847 if (offset == 0) 1846 if (offset == 0)
1848 free_page((unsigned long) buffer); 1847 __free_page(page);
1849 goto error; 1848 goto error;
1850 } 1849 }
1851 if (offset) /* we already have one reference */ 1850 if (offset) /* we already have one reference */
diff --git a/fs/logfs/logfs.h b/fs/logfs/logfs.h
index 209a26d84c38..39d91f86cd35 100644
--- a/fs/logfs/logfs.h
+++ b/fs/logfs/logfs.h
@@ -302,7 +302,7 @@ struct logfs_block {
302 struct inode *inode; 302 struct inode *inode;
303 struct logfs_transaction *ta; 303 struct logfs_transaction *ta;
304 unsigned long alias_map[LOGFS_BLOCK_FACTOR / BITS_PER_LONG]; 304 unsigned long alias_map[LOGFS_BLOCK_FACTOR / BITS_PER_LONG];
305 struct logfs_block_ops *ops; 305 const struct logfs_block_ops *ops;
306 int full; 306 int full;
307 int partial; 307 int partial;
308 int reserved_bytes; 308 int reserved_bytes;
@@ -578,7 +578,7 @@ int logfs_exist_block(struct inode *inode, u64 bix);
578int get_page_reserve(struct inode *inode, struct page *page); 578int get_page_reserve(struct inode *inode, struct page *page);
579void logfs_get_wblocks(struct super_block *sb, struct page *page, int lock); 579void logfs_get_wblocks(struct super_block *sb, struct page *page, int lock);
580void logfs_put_wblocks(struct super_block *sb, struct page *page, int lock); 580void logfs_put_wblocks(struct super_block *sb, struct page *page, int lock);
581extern struct logfs_block_ops indirect_block_ops; 581extern const struct logfs_block_ops indirect_block_ops;
582 582
583/* segment.c */ 583/* segment.c */
584int logfs_erase_segment(struct super_block *sb, u32 ofs, int ensure_erase); 584int logfs_erase_segment(struct super_block *sb, u32 ofs, int ensure_erase);
diff --git a/fs/logfs/readwrite.c b/fs/logfs/readwrite.c
index 380d86e1ab45..20973c9e52f8 100644
--- a/fs/logfs/readwrite.c
+++ b/fs/logfs/readwrite.c
@@ -569,13 +569,13 @@ static void indirect_free_block(struct super_block *sb,
569} 569}
570 570
571 571
572static struct logfs_block_ops inode_block_ops = { 572static const struct logfs_block_ops inode_block_ops = {
573 .write_block = inode_write_block, 573 .write_block = inode_write_block,
574 .free_block = inode_free_block, 574 .free_block = inode_free_block,
575 .write_alias = inode_write_alias, 575 .write_alias = inode_write_alias,
576}; 576};
577 577
578struct logfs_block_ops indirect_block_ops = { 578const struct logfs_block_ops indirect_block_ops = {
579 .write_block = indirect_write_block, 579 .write_block = indirect_write_block,
580 .free_block = indirect_free_block, 580 .free_block = indirect_free_block,
581 .write_alias = indirect_write_alias, 581 .write_alias = indirect_write_alias,
diff --git a/fs/logfs/segment.c b/fs/logfs/segment.c
index 6de0fbfc6c00..d270e4b2ab6b 100644
--- a/fs/logfs/segment.c
+++ b/fs/logfs/segment.c
@@ -197,7 +197,7 @@ static int btree_write_alias(struct super_block *sb, struct logfs_block *block,
197 return 0; 197 return 0;
198} 198}
199 199
200static struct logfs_block_ops btree_block_ops = { 200static const struct logfs_block_ops btree_block_ops = {
201 .write_block = btree_write_block, 201 .write_block = btree_write_block,
202 .free_block = __free_block, 202 .free_block = __free_block,
203 .write_alias = btree_write_alias, 203 .write_alias = btree_write_alias,
diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c
index 282e15ad8cd8..46ca39d6c735 100644
--- a/fs/minix/itree_v1.c
+++ b/fs/minix/itree_v1.c
@@ -24,16 +24,15 @@ static inline block_t *i_data(struct inode *inode)
24static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) 24static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
25{ 25{
26 int n = 0; 26 int n = 0;
27 char b[BDEVNAME_SIZE];
28 27
29 if (block < 0) { 28 if (block < 0) {
30 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", 29 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
31 block, bdevname(inode->i_sb->s_bdev, b)); 30 block, inode->i_sb->s_bdev);
32 } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { 31 } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
33 if (printk_ratelimit()) 32 if (printk_ratelimit())
34 printk("MINIX-fs: block_to_path: " 33 printk("MINIX-fs: block_to_path: "
35 "block %ld too big on dev %s\n", 34 "block %ld too big on dev %pg\n",
36 block, bdevname(inode->i_sb->s_bdev, b)); 35 block, inode->i_sb->s_bdev);
37 } else if (block < 7) { 36 } else if (block < 7) {
38 offsets[n++] = block; 37 offsets[n++] = block;
39 } else if ((block -= 7) < 512) { 38 } else if ((block -= 7) < 512) {
diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c
index 78e2d93e5c83..1ee101352586 100644
--- a/fs/minix/itree_v2.c
+++ b/fs/minix/itree_v2.c
@@ -26,18 +26,17 @@ static inline block_t *i_data(struct inode *inode)
26static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) 26static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
27{ 27{
28 int n = 0; 28 int n = 0;
29 char b[BDEVNAME_SIZE];
30 struct super_block *sb = inode->i_sb; 29 struct super_block *sb = inode->i_sb;
31 30
32 if (block < 0) { 31 if (block < 0) {
33 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", 32 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
34 block, bdevname(sb->s_bdev, b)); 33 block, sb->s_bdev);
35 } else if ((u64)block * (u64)sb->s_blocksize >= 34 } else if ((u64)block * (u64)sb->s_blocksize >=
36 minix_sb(sb)->s_max_size) { 35 minix_sb(sb)->s_max_size) {
37 if (printk_ratelimit()) 36 if (printk_ratelimit())
38 printk("MINIX-fs: block_to_path: " 37 printk("MINIX-fs: block_to_path: "
39 "block %ld too big on dev %s\n", 38 "block %ld too big on dev %pg\n",
40 block, bdevname(sb->s_bdev, b)); 39 block, sb->s_bdev);
41 } else if (block < DIRCOUNT) { 40 } else if (block < DIRCOUNT) {
42 offsets[n++] = block; 41 offsets[n++] = block;
43 } else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) { 42 } else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) {
diff --git a/fs/namei.c b/fs/namei.c
index 3c909aebef70..bceefd5588a2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -534,10 +534,8 @@ static void restore_nameidata(void)
534 current->nameidata = old; 534 current->nameidata = old;
535 if (old) 535 if (old)
536 old->total_link_count = now->total_link_count; 536 old->total_link_count = now->total_link_count;
537 if (now->stack != now->internal) { 537 if (now->stack != now->internal)
538 kfree(now->stack); 538 kfree(now->stack);
539 now->stack = now->internal;
540 }
541} 539}
542 540
543static int __nd_alloc_stack(struct nameidata *nd) 541static int __nd_alloc_stack(struct nameidata *nd)
@@ -654,7 +652,7 @@ static bool legitimize_links(struct nameidata *nd)
654 * Path walking has 2 modes, rcu-walk and ref-walk (see 652 * Path walking has 2 modes, rcu-walk and ref-walk (see
655 * Documentation/filesystems/path-lookup.txt). In situations when we can't 653 * Documentation/filesystems/path-lookup.txt). In situations when we can't
656 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab 654 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
657 * normal reference counts on dentries and vfsmounts to transition to rcu-walk 655 * normal reference counts on dentries and vfsmounts to transition to ref-walk
658 * mode. Refcounts are grabbed at the last known good point before rcu-walk 656 * mode. Refcounts are grabbed at the last known good point before rcu-walk
659 * got stuck, so ref-walk may continue from there. If this is not successful 657 * got stuck, so ref-walk may continue from there. If this is not successful
660 * (eg. a seqcount has changed), then failure is returned and it's up to caller 658 * (eg. a seqcount has changed), then failure is returned and it's up to caller
@@ -804,19 +802,19 @@ static int complete_walk(struct nameidata *nd)
804 802
805static void set_root(struct nameidata *nd) 803static void set_root(struct nameidata *nd)
806{ 804{
807 get_fs_root(current->fs, &nd->root);
808}
809
810static void set_root_rcu(struct nameidata *nd)
811{
812 struct fs_struct *fs = current->fs; 805 struct fs_struct *fs = current->fs;
813 unsigned seq;
814 806
815 do { 807 if (nd->flags & LOOKUP_RCU) {
816 seq = read_seqcount_begin(&fs->seq); 808 unsigned seq;
817 nd->root = fs->root; 809
818 nd->root_seq = __read_seqcount_begin(&nd->root.dentry->d_seq); 810 do {
819 } while (read_seqcount_retry(&fs->seq, seq)); 811 seq = read_seqcount_begin(&fs->seq);
812 nd->root = fs->root;
813 nd->root_seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
814 } while (read_seqcount_retry(&fs->seq, seq));
815 } else {
816 get_fs_root(fs, &nd->root);
817 }
820} 818}
821 819
822static void path_put_conditional(struct path *path, struct nameidata *nd) 820static void path_put_conditional(struct path *path, struct nameidata *nd)
@@ -838,6 +836,26 @@ static inline void path_to_nameidata(const struct path *path,
838 nd->path.dentry = path->dentry; 836 nd->path.dentry = path->dentry;
839} 837}
840 838
839static int nd_jump_root(struct nameidata *nd)
840{
841 if (nd->flags & LOOKUP_RCU) {
842 struct dentry *d;
843 nd->path = nd->root;
844 d = nd->path.dentry;
845 nd->inode = d->d_inode;
846 nd->seq = nd->root_seq;
847 if (unlikely(read_seqcount_retry(&d->d_seq, nd->seq)))
848 return -ECHILD;
849 } else {
850 path_put(&nd->path);
851 nd->path = nd->root;
852 path_get(&nd->path);
853 nd->inode = nd->path.dentry->d_inode;
854 }
855 nd->flags |= LOOKUP_JUMPED;
856 return 0;
857}
858
841/* 859/*
842 * Helper to directly jump to a known parsed path from ->get_link, 860 * Helper to directly jump to a known parsed path from ->get_link,
843 * caller must have taken a reference to path beforehand. 861 * caller must have taken a reference to path beforehand.
@@ -1016,25 +1034,10 @@ const char *get_link(struct nameidata *nd)
1016 return res; 1034 return res;
1017 } 1035 }
1018 if (*res == '/') { 1036 if (*res == '/') {
1019 if (nd->flags & LOOKUP_RCU) { 1037 if (!nd->root.mnt)
1020 struct dentry *d; 1038 set_root(nd);
1021 if (!nd->root.mnt) 1039 if (unlikely(nd_jump_root(nd)))
1022 set_root_rcu(nd); 1040 return ERR_PTR(-ECHILD);
1023 nd->path = nd->root;
1024 d = nd->path.dentry;
1025 nd->inode = d->d_inode;
1026 nd->seq = nd->root_seq;
1027 if (unlikely(read_seqcount_retry(&d->d_seq, nd->seq)))
1028 return ERR_PTR(-ECHILD);
1029 } else {
1030 if (!nd->root.mnt)
1031 set_root(nd);
1032 path_put(&nd->path);
1033 nd->path = nd->root;
1034 path_get(&nd->root);
1035 nd->inode = nd->path.dentry->d_inode;
1036 }
1037 nd->flags |= LOOKUP_JUMPED;
1038 while (unlikely(*++res == '/')) 1041 while (unlikely(*++res == '/'))
1039 ; 1042 ;
1040 } 1043 }
@@ -1295,8 +1298,6 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
1295static int follow_dotdot_rcu(struct nameidata *nd) 1298static int follow_dotdot_rcu(struct nameidata *nd)
1296{ 1299{
1297 struct inode *inode = nd->inode; 1300 struct inode *inode = nd->inode;
1298 if (!nd->root.mnt)
1299 set_root_rcu(nd);
1300 1301
1301 while (1) { 1302 while (1) {
1302 if (path_equal(&nd->path, &nd->root)) 1303 if (path_equal(&nd->path, &nd->root))
@@ -1416,9 +1417,6 @@ static void follow_mount(struct path *path)
1416 1417
1417static int follow_dotdot(struct nameidata *nd) 1418static int follow_dotdot(struct nameidata *nd)
1418{ 1419{
1419 if (!nd->root.mnt)
1420 set_root(nd);
1421
1422 while(1) { 1420 while(1) {
1423 struct dentry *old = nd->path.dentry; 1421 struct dentry *old = nd->path.dentry;
1424 1422
@@ -1656,6 +1654,8 @@ static inline int may_lookup(struct nameidata *nd)
1656static inline int handle_dots(struct nameidata *nd, int type) 1654static inline int handle_dots(struct nameidata *nd, int type)
1657{ 1655{
1658 if (type == LAST_DOTDOT) { 1656 if (type == LAST_DOTDOT) {
1657 if (!nd->root.mnt)
1658 set_root(nd);
1659 if (nd->flags & LOOKUP_RCU) { 1659 if (nd->flags & LOOKUP_RCU) {
1660 return follow_dotdot_rcu(nd); 1660 return follow_dotdot_rcu(nd);
1661 } else 1661 } else
@@ -2021,18 +2021,19 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
2021 } 2021 }
2022 2022
2023 nd->root.mnt = NULL; 2023 nd->root.mnt = NULL;
2024 nd->path.mnt = NULL;
2025 nd->path.dentry = NULL;
2024 2026
2025 nd->m_seq = read_seqbegin(&mount_lock); 2027 nd->m_seq = read_seqbegin(&mount_lock);
2026 if (*s == '/') { 2028 if (*s == '/') {
2027 if (flags & LOOKUP_RCU) { 2029 if (flags & LOOKUP_RCU)
2028 rcu_read_lock(); 2030 rcu_read_lock();
2029 set_root_rcu(nd); 2031 set_root(nd);
2030 nd->seq = nd->root_seq; 2032 if (likely(!nd_jump_root(nd)))
2031 } else { 2033 return s;
2032 set_root(nd); 2034 nd->root.mnt = NULL;
2033 path_get(&nd->root); 2035 rcu_read_unlock();
2034 } 2036 return ERR_PTR(-ECHILD);
2035 nd->path = nd->root;
2036 } else if (nd->dfd == AT_FDCWD) { 2037 } else if (nd->dfd == AT_FDCWD) {
2037 if (flags & LOOKUP_RCU) { 2038 if (flags & LOOKUP_RCU) {
2038 struct fs_struct *fs = current->fs; 2039 struct fs_struct *fs = current->fs;
@@ -2043,11 +2044,14 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
2043 do { 2044 do {
2044 seq = read_seqcount_begin(&fs->seq); 2045 seq = read_seqcount_begin(&fs->seq);
2045 nd->path = fs->pwd; 2046 nd->path = fs->pwd;
2047 nd->inode = nd->path.dentry->d_inode;
2046 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq); 2048 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
2047 } while (read_seqcount_retry(&fs->seq, seq)); 2049 } while (read_seqcount_retry(&fs->seq, seq));
2048 } else { 2050 } else {
2049 get_fs_pwd(current->fs, &nd->path); 2051 get_fs_pwd(current->fs, &nd->path);
2052 nd->inode = nd->path.dentry->d_inode;
2050 } 2053 }
2054 return s;
2051 } else { 2055 } else {
2052 /* Caller must check execute permissions on the starting path component */ 2056 /* Caller must check execute permissions on the starting path component */
2053 struct fd f = fdget_raw(nd->dfd); 2057 struct fd f = fdget_raw(nd->dfd);
@@ -2077,16 +2081,6 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
2077 fdput(f); 2081 fdput(f);
2078 return s; 2082 return s;
2079 } 2083 }
2080
2081 nd->inode = nd->path.dentry->d_inode;
2082 if (!(flags & LOOKUP_RCU))
2083 return s;
2084 if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq)))
2085 return s;
2086 if (!(nd->flags & LOOKUP_ROOT))
2087 nd->root.mnt = NULL;
2088 rcu_read_unlock();
2089 return ERR_PTR(-ECHILD);
2090} 2084}
2091 2085
2092static const char *trailing_symlink(struct nameidata *nd) 2086static const char *trailing_symlink(struct nameidata *nd)
@@ -2279,6 +2273,8 @@ EXPORT_SYMBOL(vfs_path_lookup);
2279 * 2273 *
2280 * Note that this routine is purely a helper for filesystem usage and should 2274 * Note that this routine is purely a helper for filesystem usage and should
2281 * not be called by generic code. 2275 * not be called by generic code.
2276 *
2277 * The caller must hold base->i_mutex.
2282 */ 2278 */
2283struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) 2279struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2284{ 2280{
@@ -2322,6 +2318,75 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2322} 2318}
2323EXPORT_SYMBOL(lookup_one_len); 2319EXPORT_SYMBOL(lookup_one_len);
2324 2320
2321/**
2322 * lookup_one_len_unlocked - filesystem helper to lookup single pathname component
2323 * @name: pathname component to lookup
2324 * @base: base directory to lookup from
2325 * @len: maximum length @len should be interpreted to
2326 *
2327 * Note that this routine is purely a helper for filesystem usage and should
2328 * not be called by generic code.
2329 *
2330 * Unlike lookup_one_len, it should be called without the parent
2331 * i_mutex held, and will take the i_mutex itself if necessary.
2332 */
2333struct dentry *lookup_one_len_unlocked(const char *name,
2334 struct dentry *base, int len)
2335{
2336 struct qstr this;
2337 unsigned int c;
2338 int err;
2339 struct dentry *ret;
2340
2341 this.name = name;
2342 this.len = len;
2343 this.hash = full_name_hash(name, len);
2344 if (!len)
2345 return ERR_PTR(-EACCES);
2346
2347 if (unlikely(name[0] == '.')) {
2348 if (len < 2 || (len == 2 && name[1] == '.'))
2349 return ERR_PTR(-EACCES);
2350 }
2351
2352 while (len--) {
2353 c = *(const unsigned char *)name++;
2354 if (c == '/' || c == '\0')
2355 return ERR_PTR(-EACCES);
2356 }
2357 /*
2358 * See if the low-level filesystem might want
2359 * to use its own hash..
2360 */
2361 if (base->d_flags & DCACHE_OP_HASH) {
2362 int err = base->d_op->d_hash(base, &this);
2363 if (err < 0)
2364 return ERR_PTR(err);
2365 }
2366
2367 err = inode_permission(base->d_inode, MAY_EXEC);
2368 if (err)
2369 return ERR_PTR(err);
2370
2371 /*
2372 * __d_lookup() is used to try to get a quick answer and avoid the
2373 * mutex. A false-negative does no harm.
2374 */
2375 ret = __d_lookup(base, &this);
2376 if (ret && unlikely(ret->d_flags & DCACHE_OP_REVALIDATE)) {
2377 dput(ret);
2378 ret = NULL;
2379 }
2380 if (ret)
2381 return ret;
2382
2383 mutex_lock(&base->d_inode->i_mutex);
2384 ret = __lookup_hash(&this, base, 0);
2385 mutex_unlock(&base->d_inode->i_mutex);
2386 return ret;
2387}
2388EXPORT_SYMBOL(lookup_one_len_unlocked);
2389
2325int user_path_at_empty(int dfd, const char __user *name, unsigned flags, 2390int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
2326 struct path *path, int *empty) 2391 struct path *path, int *empty)
2327{ 2392{
@@ -2670,10 +2735,6 @@ static int may_open(struct path *path, int acc_mode, int flag)
2670 struct inode *inode = dentry->d_inode; 2735 struct inode *inode = dentry->d_inode;
2671 int error; 2736 int error;
2672 2737
2673 /* O_PATH? */
2674 if (!acc_mode)
2675 return 0;
2676
2677 if (!inode) 2738 if (!inode)
2678 return -ENOENT; 2739 return -ENOENT;
2679 2740
@@ -2695,7 +2756,7 @@ static int may_open(struct path *path, int acc_mode, int flag)
2695 break; 2756 break;
2696 } 2757 }
2697 2758
2698 error = inode_permission(inode, acc_mode); 2759 error = inode_permission(inode, MAY_OPEN | acc_mode);
2699 if (error) 2760 if (error)
2700 return error; 2761 return error;
2701 2762
@@ -2887,7 +2948,7 @@ static int atomic_open(struct nameidata *nd, struct dentry *dentry,
2887 if (*opened & FILE_CREATED) { 2948 if (*opened & FILE_CREATED) {
2888 WARN_ON(!(open_flag & O_CREAT)); 2949 WARN_ON(!(open_flag & O_CREAT));
2889 fsnotify_create(dir, dentry); 2950 fsnotify_create(dir, dentry);
2890 acc_mode = MAY_OPEN; 2951 acc_mode = 0;
2891 } 2952 }
2892 error = may_open(&file->f_path, acc_mode, open_flag); 2953 error = may_open(&file->f_path, acc_mode, open_flag);
2893 if (error) 2954 if (error)
@@ -3100,7 +3161,7 @@ retry_lookup:
3100 /* Don't check for write permission, don't truncate */ 3161 /* Don't check for write permission, don't truncate */
3101 open_flag &= ~O_TRUNC; 3162 open_flag &= ~O_TRUNC;
3102 will_truncate = false; 3163 will_truncate = false;
3103 acc_mode = MAY_OPEN; 3164 acc_mode = 0;
3104 path_to_nameidata(&path, nd); 3165 path_to_nameidata(&path, nd);
3105 goto finish_open_created; 3166 goto finish_open_created;
3106 } 3167 }
@@ -3184,10 +3245,11 @@ finish_open:
3184 got_write = true; 3245 got_write = true;
3185 } 3246 }
3186finish_open_created: 3247finish_open_created:
3187 error = may_open(&nd->path, acc_mode, open_flag); 3248 if (likely(!(open_flag & O_PATH))) {
3188 if (error) 3249 error = may_open(&nd->path, acc_mode, open_flag);
3189 goto out; 3250 if (error)
3190 3251 goto out;
3252 }
3191 BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */ 3253 BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
3192 error = vfs_open(&nd->path, file, current_cred()); 3254 error = vfs_open(&nd->path, file, current_cred());
3193 if (!error) { 3255 if (!error) {
@@ -3274,7 +3336,7 @@ static int do_tmpfile(struct nameidata *nd, unsigned flags,
3274 goto out2; 3336 goto out2;
3275 audit_inode(nd->name, child, 0); 3337 audit_inode(nd->name, child, 0);
3276 /* Don't check for other permissions, the inode was just created */ 3338 /* Don't check for other permissions, the inode was just created */
3277 error = may_open(&path, MAY_OPEN, op->open_flag); 3339 error = may_open(&path, 0, op->open_flag);
3278 if (error) 3340 if (error)
3279 goto out2; 3341 goto out2;
3280 file->f_path.mnt = path.mnt; 3342 file->f_path.mnt = path.mnt;
diff --git a/fs/namespace.c b/fs/namespace.c
index 4d2c8f64b7bf..a830e1463704 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2609,18 +2609,18 @@ static long exact_copy_from_user(void *to, const void __user * from,
2609 return n; 2609 return n;
2610} 2610}
2611 2611
2612int copy_mount_options(const void __user * data, unsigned long *where) 2612void *copy_mount_options(const void __user * data)
2613{ 2613{
2614 int i; 2614 int i;
2615 unsigned long page;
2616 unsigned long size; 2615 unsigned long size;
2616 char *copy;
2617 2617
2618 *where = 0;
2619 if (!data) 2618 if (!data)
2620 return 0; 2619 return NULL;
2621 2620
2622 if (!(page = __get_free_page(GFP_KERNEL))) 2621 copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
2623 return -ENOMEM; 2622 if (!copy)
2623 return ERR_PTR(-ENOMEM);
2624 2624
2625 /* We only care that *some* data at the address the user 2625 /* We only care that *some* data at the address the user
2626 * gave us is valid. Just in case, we'll zero 2626 * gave us is valid. Just in case, we'll zero
@@ -2631,15 +2631,14 @@ int copy_mount_options(const void __user * data, unsigned long *where)
2631 if (size > PAGE_SIZE) 2631 if (size > PAGE_SIZE)
2632 size = PAGE_SIZE; 2632 size = PAGE_SIZE;
2633 2633
2634 i = size - exact_copy_from_user((void *)page, data, size); 2634 i = size - exact_copy_from_user(copy, data, size);
2635 if (!i) { 2635 if (!i) {
2636 free_page(page); 2636 kfree(copy);
2637 return -EFAULT; 2637 return ERR_PTR(-EFAULT);
2638 } 2638 }
2639 if (i != PAGE_SIZE) 2639 if (i != PAGE_SIZE)
2640 memset((char *)page + i, 0, PAGE_SIZE - i); 2640 memset(copy + i, 0, PAGE_SIZE - i);
2641 *where = page; 2641 return copy;
2642 return 0;
2643} 2642}
2644 2643
2645char *copy_mount_string(const void __user *data) 2644char *copy_mount_string(const void __user *data)
@@ -2906,7 +2905,7 @@ SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
2906 int ret; 2905 int ret;
2907 char *kernel_type; 2906 char *kernel_type;
2908 char *kernel_dev; 2907 char *kernel_dev;
2909 unsigned long data_page; 2908 void *options;
2910 2909
2911 kernel_type = copy_mount_string(type); 2910 kernel_type = copy_mount_string(type);
2912 ret = PTR_ERR(kernel_type); 2911 ret = PTR_ERR(kernel_type);
@@ -2918,14 +2917,14 @@ SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
2918 if (IS_ERR(kernel_dev)) 2917 if (IS_ERR(kernel_dev))
2919 goto out_dev; 2918 goto out_dev;
2920 2919
2921 ret = copy_mount_options(data, &data_page); 2920 options = copy_mount_options(data);
2922 if (ret < 0) 2921 ret = PTR_ERR(options);
2922 if (IS_ERR(options))
2923 goto out_data; 2923 goto out_data;
2924 2924
2925 ret = do_mount(kernel_dev, dir_name, kernel_type, flags, 2925 ret = do_mount(kernel_dev, dir_name, kernel_type, flags, options);
2926 (void *) data_page);
2927 2926
2928 free_page(data_page); 2927 kfree(options);
2929out_data: 2928out_data:
2930 kfree(kernel_dev); 2929 kfree(kernel_dev);
2931out_dev: 2930out_dev:
@@ -2949,9 +2948,9 @@ bool is_path_reachable(struct mount *mnt, struct dentry *dentry,
2949 return &mnt->mnt == root->mnt && is_subdir(dentry, root->dentry); 2948 return &mnt->mnt == root->mnt && is_subdir(dentry, root->dentry);
2950} 2949}
2951 2950
2952int path_is_under(struct path *path1, struct path *path2) 2951bool path_is_under(struct path *path1, struct path *path2)
2953{ 2952{
2954 int res; 2953 bool res;
2955 read_seqlock_excl(&mount_lock); 2954 read_seqlock_excl(&mount_lock);
2956 res = is_path_reachable(real_mount(path1->mnt), path1->dentry, path2); 2955 res = is_path_reachable(real_mount(path1->mnt), path1->dentry, path2);
2957 read_sequnlock_excl(&mount_lock); 2956 read_sequnlock_excl(&mount_lock);
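Review bot: copy_mount_options() now has three distinct results (NULL when `data` is NULL, an ERR_PTR() on allocation or copy failure, otherwise a kmalloc'd PAGE_SIZE buffer the caller must kfree()), and nothing on the function says so. A caller that tests the result with `!options` instead of IS_ERR() would treat an error pointer as a valid buffer; the mount() call site in this section uses IS_ERR() and relies on kfree(NULL) being a no-op, but callers outside this section are not visible here. I would add above the definition `/* Returns NULL if @data is NULL, ERR_PTR() on failure, else a PAGE_SIZE buffer owned by the caller (kfree). */`. The buffer is zero-filled only past the copied bytes, so a full-page copy gets no terminator from this function, and the comment should say whether consumers may treat it as a string. The middle of the function lies between the two hunks and is not shown.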
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index 00575d776d91..2246454dec76 100644
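--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -823,7 +823,7 @@ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp,
  } else
  dchild = dget(dparent);
  } else
- dchild = lookup_one_len(name, dparent, namlen);
+ dchild = lookup_one_len_unlocked(name, dparent, namlen);
  if (IS_ERR(dchild))
  return rv;
  if (d_mountpoint(dchild))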
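Review bot: The switch to `lookup_one_len_unlocked()` in compose_entry_fh() means the lookup runs without the parent's i_mutex, but unlike the nfs4xdr.c call site this one has no comment about the window in which the entry can disappear. If the rest of the function (outside this hunk) does not already reject a negative dentry, a `d_really_is_negative(dchild)` check belongs next to the `d_mountpoint(dchild)` test. At minimum I would add `/* i_mutex is not held: the entry may have gone away since readdir */` above the call.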
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 924416f91fdd..d6ef0955a979 100644
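--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2858,14 +2858,14 @@ nfsd4_encode_dirent_fattr(struct xdr_stream *xdr, struct nfsd4_readdir *cd,
  __be32 nfserr;
  int ignore_crossmnt = 0;
 
- dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen);
+ dentry = lookup_one_len_unlocked(name, cd->rd_fhp->fh_dentry, namlen);
  if (IS_ERR(dentry))
  return nfserrno(PTR_ERR(dentry));
  if (d_really_is_negative(dentry)) {
  /*
- * nfsd_buffered_readdir drops the i_mutex between
- * readdir and calling this callback, leaving a window
- * where this directory entry could have gone away.
+ * we're not holding the i_mutex here, so there's
+ * a window where this directory entry could have gone
+ * away.
  */
  dput(dentry);
  return nfserr_noent;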
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 5411bf09b810..d41c149fae75 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -218,10 +218,16 @@ nfsd_lookup_dentry(struct svc_rqst *rqstp, struct svc_fh *fhp,
218 host_err = PTR_ERR(dentry); 218 host_err = PTR_ERR(dentry);
219 if (IS_ERR(dentry)) 219 if (IS_ERR(dentry))
220 goto out_nfserr; 220 goto out_nfserr;
221 /*
222 * check if we have crossed a mount point ...
223 */
224 if (nfsd_mountpoint(dentry, exp)) { 221 if (nfsd_mountpoint(dentry, exp)) {
222 /*
223 * We don't need the i_mutex after all. It's
224 * still possible we could open this (regular
225 * files can be mountpoints too), but the
226 * i_mutex is just there to prevent renames of
227 * something that we might be about to delegate,
228 * and a mountpoint won't be renamed:
229 */
230 fh_unlock(fhp);
225 if ((host_err = nfsd_cross_mnt(rqstp, &dentry, &exp))) { 231 if ((host_err = nfsd_cross_mnt(rqstp, &dentry, &exp))) {
226 dput(dentry); 232 dput(dentry);
227 goto out_nfserr; 233 goto out_nfserr;
@@ -1817,7 +1823,6 @@ static __be32 nfsd_buffered_readdir(struct file *file, nfsd_filldir_t func,
1817 offset = *offsetp; 1823 offset = *offsetp;
1818 1824
1819 while (1) { 1825 while (1) {
1820 struct inode *dir_inode = file_inode(file);
1821 unsigned int reclen; 1826 unsigned int reclen;
1822 1827
1823 cdp->err = nfserr_eof; /* will be cleared on successful read */ 1828 cdp->err = nfserr_eof; /* will be cleared on successful read */
@@ -1836,15 +1841,6 @@ static __be32 nfsd_buffered_readdir(struct file *file, nfsd_filldir_t func,
1836 if (!size) 1841 if (!size)
1837 break; 1842 break;
1838 1843
1839 /*
1840 * Various filldir functions may end up calling back into
1841 * lookup_one_len() and the file system's ->lookup() method.
1842 * These expect i_mutex to be held, as it would within readdir.
1843 */
1844 host_err = mutex_lock_killable(&dir_inode->i_mutex);
1845 if (host_err)
1846 break;
1847
1848 de = (struct buffered_dirent *)buf.dirent; 1844 de = (struct buffered_dirent *)buf.dirent;
1849 while (size > 0) { 1845 while (size > 0) {
1850 offset = de->offset; 1846 offset = de->offset;
@@ -1861,7 +1857,6 @@ static __be32 nfsd_buffered_readdir(struct file *file, nfsd_filldir_t func,
1861 size -= reclen; 1857 size -= reclen;
1862 de = (struct buffered_dirent *)((char *)de + reclen); 1858 de = (struct buffered_dirent *)((char *)de + reclen);
1863 } 1859 }
1864 mutex_unlock(&dir_inode->i_mutex);
1865 if (size > 0) /* We bailed out early */ 1860 if (size > 0) /* We bailed out early */
1866 break; 1861 break;
1867 1862
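Review bot: Dropping `mutex_lock_killable(&dir_inode->i_mutex)` in nfsd_buffered_readdir() also drops the only comment that told filldir authors what locking the callbacks run under, and the contract has inverted: `func` is now called without i_mutex held. Any callback that still reaches lookup_one_len(), whose comment on this page now says the caller must hold base->i_mutex, would break that rule silently; the two conversions visible here are in nfs3xdr.c and nfs4xdr.c, and other callbacks are not shown. I would replace the removed comment with `/* filldir callbacks run without i_mutex; use lookup_one_len_unlocked() for any lookup */` above the inner loop. The function body continues outside these hunks.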
diff --git a/fs/nilfs2/super.c b/fs/nilfs2/super.c
index 354013ea22ec..c7343844e6b6 100644
--- a/fs/nilfs2/super.c
+++ b/fs/nilfs2/super.c
@@ -1316,13 +1316,11 @@ nilfs_mount(struct file_system_type *fs_type, int flags,
1316 } 1316 }
1317 1317
1318 if (!s->s_root) { 1318 if (!s->s_root) {
1319 char b[BDEVNAME_SIZE]; 1319 s_new = true;
1320
1321 s_new = true;
1322 1320
1323 /* New superblock instance created */ 1321 /* New superblock instance created */
1324 s->s_mode = mode; 1322 s->s_mode = mode;
1325 strlcpy(s->s_id, bdevname(sd.bdev, b), sizeof(s->s_id)); 1323 snprintf(s->s_id, sizeof(s->s_id), "%pg", sd.bdev);
1326 sb_set_blocksize(s, block_size(sd.bdev)); 1324 sb_set_blocksize(s, block_size(sd.bdev));
1327 1325
1328 err = nilfs_fill_super(s, data, flags & MS_SILENT ? 1 : 0); 1326 err = nilfs_fill_super(s, data, flags & MS_SILENT ? 1 : 0);
diff --git a/fs/open.c b/fs/open.c
index b6f1e96a7c0b..b25b1542c530 100644
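--- a/fs/open.c
+++ b/fs/open.c
@@ -887,7 +887,7 @@ EXPORT_SYMBOL(dentry_open);
 static inline int build_open_flags(int flags, umode_t mode, struct open_flags *op)
 {
  int lookup_flags = 0;
- int acc_mode;
+ int acc_mode = ACC_MODE(flags);
 
  if (flags & (O_CREAT | __O_TMPFILE))
  op->mode = (mode & S_IALLUGO) | S_IFREG;
@@ -909,7 +909,6 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
  if (flags & __O_TMPFILE) {
  if ((flags & O_TMPFILE_MASK) != O_TMPFILE)
  return -EINVAL;
- acc_mode = MAY_OPEN | ACC_MODE(flags);
  if (!(acc_mode & MAY_WRITE))
  return -EINVAL;
  } else if (flags & O_PATH) {
@@ -919,8 +918,6 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
  */
  flags &= O_DIRECTORY | O_NOFOLLOW | O_PATH;
  acc_mode = 0;
- } else {
- acc_mode = MAY_OPEN | ACC_MODE(flags);
  }
 
  op->open_flag = flags;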
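Review bot: After this change `op->acc_mode` never carries MAY_OPEN, and an `acc_mode` of 0 no longer tells may_open() to skip its checks: the fs/namei.c hunks on this page move the O_PATH test to the caller and have may_open() pass `MAY_OPEN | acc_mode` to inode_permission(). Nothing in build_open_flags() records that split, so a later reader of the O_PATH branch could take `acc_mode = 0` as sufficient to bypass the permission check. I would add next to that assignment `/* MAY_OPEN is added in may_open(); O_PATH opens skip may_open() altogether */`. build_open_flags() continues outside these hunks.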
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 55e01f88eac9..2cf5d7e37375 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2365,7 +2365,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
2365 size_t count, loff_t *ppos) 2365 size_t count, loff_t *ppos)
2366{ 2366{
2367 struct inode * inode = file_inode(file); 2367 struct inode * inode = file_inode(file);
2368 char *page; 2368 void *page;
2369 ssize_t length; 2369 ssize_t length;
2370 struct task_struct *task = get_proc_task(inode); 2370 struct task_struct *task = get_proc_task(inode);
2371 2371
@@ -2380,14 +2380,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
2380 if (*ppos != 0) 2380 if (*ppos != 0)
2381 goto out; 2381 goto out;
2382 2382
2383 length = -ENOMEM; 2383 page = memdup_user(buf, count);
2384 page = (char*)__get_free_page(GFP_TEMPORARY); 2384 if (IS_ERR(page)) {
2385 if (!page) 2385 length = PTR_ERR(page);
2386 goto out; 2386 goto out;
2387 2387 }
2388 length = -EFAULT;
2389 if (copy_from_user(page, buf, count))
2390 goto out_free;
2391 2388
2392 /* Guard against adverse ptrace interaction */ 2389 /* Guard against adverse ptrace interaction */
2393 length = mutex_lock_interruptible(&task->signal->cred_guard_mutex); 2390 length = mutex_lock_interruptible(&task->signal->cred_guard_mutex);
@@ -2396,10 +2393,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
2396 2393
2397 length = security_setprocattr(task, 2394 length = security_setprocattr(task,
2398 (char*)file->f_path.dentry->d_name.name, 2395 (char*)file->f_path.dentry->d_name.name,
2399 (void*)page, count); 2396 page, count);
2400 mutex_unlock(&task->signal->cred_guard_mutex); 2397 mutex_unlock(&task->signal->cred_guard_mutex);
2401out_free: 2398out_free:
2402 free_page((unsigned long) page); 2399 kfree(page);
2403out: 2400out:
2404 put_task_struct(task); 2401 put_task_struct(task);
2405out_no_task: 2402out_no_task:
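Review bot: With `memdup_user(buf, count)` the allocation in proc_pid_attr_write() is sized by the caller-supplied `count`, where the old code always took one page, so the upper bound on `count` is now the only limit on this allocation. The clamp is not in either hunk; if `count` is still capped at PAGE_SIZE in the lines between the declarations and the `*ppos` check, say so at the call with `/* count is capped at PAGE_SIZE above, so the allocation is bounded */`, and if it is not, the cap needs to be added before the copy. The function continues outside the hunks.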
diff --git a/fs/proc/fd.c b/fs/proc/fd.c
index 3c2a915c695a..56afa5ef08f2 100644
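--- a/fs/proc/fd.c
+++ b/fs/proc/fd.c
@@ -258,6 +258,7 @@ static int proc_readfd_common(struct file *file, struct dir_context *ctx,
  name, len, instantiate, p,
  (void *)(unsigned long)fd))
  goto out_fd_loop;
+ cond_resched();
  rcu_read_lock();
  }
  rcu_read_unlock();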
diff --git a/fs/proc_namespace.c b/fs/proc_namespace.c
index 8ebd9a334085..2256e7e23e67 100644
--- a/fs/proc_namespace.c
+++ b/fs/proc_namespace.c
@@ -95,9 +95,9 @@ static int show_vfsmnt(struct seq_file *m, struct vfsmount *mnt)
95{ 95{
96 struct proc_mounts *p = m->private; 96 struct proc_mounts *p = m->private;
97 struct mount *r = real_mount(mnt); 97 struct mount *r = real_mount(mnt);
98 int err = 0;
99 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; 98 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
100 struct super_block *sb = mnt_path.dentry->d_sb; 99 struct super_block *sb = mnt_path.dentry->d_sb;
100 int err;
101 101
102 if (sb->s_op->show_devname) { 102 if (sb->s_op->show_devname) {
103 err = sb->s_op->show_devname(m, mnt_path.dentry); 103 err = sb->s_op->show_devname(m, mnt_path.dentry);
@@ -131,16 +131,17 @@ static int show_mountinfo(struct seq_file *m, struct vfsmount *mnt)
131 struct mount *r = real_mount(mnt); 131 struct mount *r = real_mount(mnt);
132 struct super_block *sb = mnt->mnt_sb; 132 struct super_block *sb = mnt->mnt_sb;
133 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; 133 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
134 int err = 0; 134 int err;
135 135
136 seq_printf(m, "%i %i %u:%u ", r->mnt_id, r->mnt_parent->mnt_id, 136 seq_printf(m, "%i %i %u:%u ", r->mnt_id, r->mnt_parent->mnt_id,
137 MAJOR(sb->s_dev), MINOR(sb->s_dev)); 137 MAJOR(sb->s_dev), MINOR(sb->s_dev));
138 if (sb->s_op->show_path) 138 if (sb->s_op->show_path) {
139 err = sb->s_op->show_path(m, mnt->mnt_root); 139 err = sb->s_op->show_path(m, mnt->mnt_root);
140 else 140 if (err)
141 goto out;
142 } else {
141 seq_dentry(m, mnt->mnt_root, " \t\n\\"); 143 seq_dentry(m, mnt->mnt_root, " \t\n\\");
142 if (err) 144 }
143 goto out;
144 seq_putc(m, ' '); 145 seq_putc(m, ' ');
145 146
146 /* mountpoints outside of chroot jail will give SEQ_SKIP on this */ 147 /* mountpoints outside of chroot jail will give SEQ_SKIP on this */
@@ -168,12 +169,13 @@ static int show_mountinfo(struct seq_file *m, struct vfsmount *mnt)
168 seq_puts(m, " - "); 169 seq_puts(m, " - ");
169 show_type(m, sb); 170 show_type(m, sb);
170 seq_putc(m, ' '); 171 seq_putc(m, ' ');
171 if (sb->s_op->show_devname) 172 if (sb->s_op->show_devname) {
172 err = sb->s_op->show_devname(m, mnt->mnt_root); 173 err = sb->s_op->show_devname(m, mnt->mnt_root);
173 else 174 if (err)
175 goto out;
176 } else {
174 mangle(m, r->mnt_devname ? r->mnt_devname : "none"); 177 mangle(m, r->mnt_devname ? r->mnt_devname : "none");
175 if (err) 178 }
176 goto out;
177 seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw"); 179 seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw");
178 err = show_sb_opts(m, sb); 180 err = show_sb_opts(m, sb);
179 if (err) 181 if (err)
@@ -191,7 +193,7 @@ static int show_vfsstat(struct seq_file *m, struct vfsmount *mnt)
191 struct mount *r = real_mount(mnt); 193 struct mount *r = real_mount(mnt);
192 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; 194 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
193 struct super_block *sb = mnt_path.dentry->d_sb; 195 struct super_block *sb = mnt_path.dentry->d_sb;
194 int err = 0; 196 int err;
195 197
196 /* device */ 198 /* device */
197 if (sb->s_op->show_devname) { 199 if (sb->s_op->show_devname) {
@@ -220,8 +222,7 @@ static int show_vfsstat(struct seq_file *m, struct vfsmount *mnt)
220 /* optional statistics */ 222 /* optional statistics */
221 if (sb->s_op->show_stats) { 223 if (sb->s_op->show_stats) {
222 seq_putc(m, ' '); 224 seq_putc(m, ' ');
223 if (!err) 225 err = sb->s_op->show_stats(m, mnt_path.dentry);
224 err = sb->s_op->show_stats(m, mnt_path.dentry);
225 } 226 }
226 227
227 seq_putc(m, '\n'); 228 seq_putc(m, '\n');
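Review bot: Removing the `= 0` initialisers leaves `err` unset until its first assignment, and in show_vfsstat() both assignments visible in the hunks are conditional (the `show_devname` branch and the `show_stats` branch). If no unconditional assignment sits between them in the lines not shown, a superblock with neither method would return an indeterminate value; show_mountinfo() does show an unconditional `err = show_sb_opts(m, sb);`, the other two functions do not within these hunks. Unless that is confirmed, keep `int err = 0;` in show_vfsmnt() and show_vfsstat(). All three functions continue outside the hunks.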
diff --git a/fs/read_write.c b/fs/read_write.c
index 2116e74a83d3..06b07d5a08fe 100644
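--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -172,6 +172,45 @@ loff_t fixed_size_llseek(struct file *file, loff_t offset, int whence, loff_t si
 EXPORT_SYMBOL(fixed_size_llseek);
 
 /**
+ * no_seek_end_llseek - llseek implementation for fixed-sized devices
+ * @file: file structure to seek on
+ * @offset: file offset to seek to
+ * @whence: type of seek
+ *
+ */
+loff_t no_seek_end_llseek(struct file *file, loff_t offset, int whence)
+{
+ switch (whence) {
+ case SEEK_SET: case SEEK_CUR:
+ return generic_file_llseek_size(file, offset, whence,
+ ~0ULL, 0);
+ default:
+ return -EINVAL;
+ }
+}
+EXPORT_SYMBOL(no_seek_end_llseek);
+
+/**
+ * no_seek_end_llseek_size - llseek implementation for fixed-sized devices
+ * @file: file structure to seek on
+ * @offset: file offset to seek to
+ * @whence: type of seek
+ * @size: maximal offset allowed
+ *
+ */
+loff_t no_seek_end_llseek_size(struct file *file, loff_t offset, int whence, loff_t size)
+{
+ switch (whence) {
+ case SEEK_SET: case SEEK_CUR:
+ return generic_file_llseek_size(file, offset, whence,
+ size, 0);
+ default:
+ return -EINVAL;
+ }
+}
+EXPORT_SYMBOL(no_seek_end_llseek_size);
+
+/**
  * noop_llseek - No Operation Performed llseek implementation
  * @file: file structure to seek on
  * @offset: file offset to seek to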
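Review bot: `~0ULL` is passed in no_seek_end_llseek() as the maximum offset to generic_file_llseek_size(), in the slot where the sibling helper passes its signed `loff_t size`; converted to loff_t the value becomes -1, so every non-negative offset compares as beyond the maximum and SEEK_SET/SEEK_CUR would fail with -EINVAL instead of seeking. The argument should be the largest positive offset, `OFFSET_MAX, 0);`. Both kernel-doc headers also repeat "llseek implementation for fixed-sized devices" from fixed_size_llseek(); they should state that only SEEK_SET and SEEK_CUR are accepted and that any other whence returns -EINVAL.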
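--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -618,12 +618,10 @@ static void release_buffer_page(struct buffer_head *bh)
 
 static void reiserfs_end_buffer_io_sync(struct buffer_head *bh, int uptodate)
 {
- char b[BDEVNAME_SIZE];
-
  if (buffer_journaled(bh)) {
  reiserfs_warning(NULL, "clm-2084",
- "pinned buffer %lu:%s sent to disk",
- bh->b_blocknr, bdevname(bh->b_bdev, b));
+ "pinned buffer %lu:%pg sent to disk",
+ bh->b_blocknr, bh->b_bdev);
  }
  if (uptodate)
  set_buffer_uptodate(bh);
@@ -2387,11 +2385,10 @@ static int journal_read(struct super_block *sb)
  int replay_count = 0;
  int continue_replay = 1;
  int ret;
- char b[BDEVNAME_SIZE];
 
  cur_dblock = SB_ONDISK_JOURNAL_1st_BLOCK(sb);
- reiserfs_info(sb, "checking transaction log (%s)\n",
- bdevname(journal->j_dev_bd, b));
+ reiserfs_info(sb, "checking transaction log (%pg)\n",
+ journal->j_dev_bd);
  start = get_seconds();
 
  /*
@@ -2651,8 +2648,8 @@ static int journal_init_dev(struct super_block *super,
 
  set_blocksize(journal->j_dev_bd, super->s_blocksize);
  reiserfs_info(super,
- "journal_init_dev: journal device: %s\n",
- bdevname(journal->j_dev_bd, b));
+ "journal_init_dev: journal device: %pg\n",
+ journal->j_dev_bd);
  return 0;
 }
 
@@ -2724,7 +2721,6 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
  struct reiserfs_journal_header *jh;
  struct reiserfs_journal *journal;
  struct reiserfs_journal_list *jl;
- char b[BDEVNAME_SIZE];
  int ret;
 
  journal = SB_JOURNAL(sb) = vzalloc(sizeof(struct reiserfs_journal));
@@ -2794,10 +2790,10 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
  && (le32_to_cpu(jh->jh_journal.jp_journal_magic) !=
  sb_jp_journal_magic(rs))) {
  reiserfs_warning(sb, "sh-460",
- "journal header magic %x (device %s) does "
+ "journal header magic %x (device %pg) does "
  "not match to magic found in super block %x",
  jh->jh_journal.jp_journal_magic,
- bdevname(journal->j_dev_bd, b),
+ journal->j_dev_bd,
  sb_jp_journal_magic(rs));
  brelse(bhjh);
  goto free_and_return;
@@ -2818,10 +2814,10 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
  journal->j_max_trans_age = commit_max_age;
  }
 
- reiserfs_info(sb, "journal params: device %s, size %u, "
+ reiserfs_info(sb, "journal params: device %pg, size %u, "
  "journal first block %u, max trans len %u, max batch %u, "
  "max commit age %u, max trans age %u\n",
- bdevname(journal->j_dev_bd, b),
+ journal->j_dev_bd,
  SB_ONDISK_JOURNAL_SIZE(sb),
  SB_ONDISK_JOURNAL_1st_BLOCK(sb),
  journal->j_trans_max,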
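Review bot: The sh-460 warning in journal_init() passes `jh->jh_journal.jp_journal_magic` raw to `%x`, while the comparison directly above it reads the same field through `le32_to_cpu()`, so on a big-endian host the logged magic would be byte-swapped relative to the value that was actually compared. Since this hunk already edits the argument list, the argument could become `le32_to_cpu(jh->jh_journal.jp_journal_magic),`. The rest of journal_init() lies outside the hunks shown.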
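--- a/fs/reiserfs/prints.c
+++ b/fs/reiserfs/prints.c
@@ -139,11 +139,9 @@ static void sprintf_block_head(char *buf, struct buffer_head *bh)
 
 static void sprintf_buffer_head(char *buf, struct buffer_head *bh)
 {
- char b[BDEVNAME_SIZE];
-
  sprintf(buf,
- "dev %s, size %zd, blocknr %llu, count %d, state 0x%lx, page %p, (%s, %s, %s)",
- bdevname(bh->b_bdev, b), bh->b_size,
+ "dev %pg, size %zd, blocknr %llu, count %d, state 0x%lx, page %p, (%s, %s, %s)",
+ bh->b_bdev, bh->b_size,
  (unsigned long long)bh->b_blocknr, atomic_read(&(bh->b_count)),
  bh->b_state, bh->b_page,
  buffer_uptodate(bh) ? "UPTODATE" : "!UPTODATE",
@@ -530,7 +528,6 @@ static int print_super_block(struct buffer_head *bh)
  (struct reiserfs_super_block *)(bh->b_data);
  int skipped, data_blocks;
  char *version;
- char b[BDEVNAME_SIZE];
 
  if (is_reiserfs_3_5(rs)) {
  version = "3.5";
@@ -543,7 +540,7 @@ static int print_super_block(struct buffer_head *bh)
  return 1;
  }
 
- printk("%s\'s super block is in block %llu\n", bdevname(bh->b_bdev, b),
+ printk("%pg\'s super block is in block %llu\n", bh->b_bdev,
  (unsigned long long)bh->b_blocknr);
  printk("Reiserfs version %s\n", version);
  printk("Block count %u\n", sb_block_count(rs));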
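Review bot: sprintf_buffer_head() still writes into `buf` with an unbounded `sprintf()`, and with the `b[BDEVNAME_SIZE]` temporary gone the call site no longer shows any cap on the device-name part of the output. The function takes no buffer length, so a bounded write needs the caller's size, which is outside this hunk. Until then a comment such as `/* buf must hold the longest formatted line; the %pg length is decided in vsprintf, not here */` would record the assumption. The sprintf() argument list continues past the end of the hunk.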
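--- a/fs/reiserfs/procfs.c
+++ b/fs/reiserfs/procfs.c
@@ -303,11 +303,10 @@ static int show_journal(struct seq_file *m, void *unused)
  struct reiserfs_sb_info *r = REISERFS_SB(sb);
  struct reiserfs_super_block *rs = r->s_rs;
  struct journal_params *jp = &rs->s_v1.s_journal;
- char b[BDEVNAME_SIZE];
 
  seq_printf(m, /* on-disk fields */
  "jp_journal_1st_block: \t%i\n"
- "jp_journal_dev: \t%s[%x]\n"
+ "jp_journal_dev: \t%pg[%x]\n"
  "jp_journal_size: \t%i\n"
  "jp_journal_trans_max: \t%i\n"
  "jp_journal_magic: \t%i\n"
@@ -348,7 +347,7 @@ static int show_journal(struct seq_file *m, void *unused)
  "prepare: \t%12lu\n"
  "prepare_retry: \t%12lu\n",
  DJP(jp_journal_1st_block),
- bdevname(SB_JOURNAL(sb)->j_dev_bd, b),
+ SB_JOURNAL(sb)->j_dev_bd,
  DJP(jp_journal_dev),
  DJP(jp_journal_size),
  DJP(jp_journal_trans_max),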
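--- a/fs/select.c
+++ b/fs/select.c
@@ -778,8 +778,8 @@ static inline unsigned int do_pollfd(struct pollfd *pollfd, poll_table *pwait,
  return mask;
 }
 
-static int do_poll(unsigned int nfds, struct poll_list *list,
- struct poll_wqueues *wait, struct timespec *end_time)
+static int do_poll(struct poll_list *list, struct poll_wqueues *wait,
+ struct timespec *end_time)
 {
  poll_table* pt = &wait->pt;
  ktime_t expire, *to = NULL;
@@ -908,7 +908,7 @@ int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
  }
 
  poll_initwait(&table);
- fdcount = do_poll(nfds, head, &table, end_time);
+ fdcount = do_poll(head, &table, end_time);
  poll_freewait(&table);
 
  for (walk = head; walk; walk = walk->next) {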
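--- a/fs/splice.c
+++ b/fs/splice.c
@@ -415,6 +415,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
  */
  if (!page->mapping) {
  unlock_page(page);
+retry_lookup:
  page = find_or_create_page(mapping, index,
  mapping_gfp_mask(mapping));
 
@@ -439,13 +440,10 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
  error = mapping->a_ops->readpage(in, page);
  if (unlikely(error)) {
  /*
- * We really should re-lookup the page here,
- * but it complicates things a lot. Instead
- * lets just do what we already stored, and
- * we'll get it the next time we are called.
+ * Re-lookup the page
  */
  if (error == AOP_TRUNCATED_PAGE)
- error = 0;
+ goto retry_lookup;
 
  break;
  }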
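Review bot: The new `goto retry_lookup` lands inside the body of `if (!page->mapping)`, just after its `unlock_page(page)`, so the retry is only correct if the page is already unlocked when `readpage()` returns `AOP_TRUNCATED_PAGE`, and the replacement comment `Re-lookup the page` does not record that. I would spell it out, e.g. `/* readpage() returned with the page unlocked; look it up again */`, and note at the label what lock and reference state the previous page is expected to be in. Nothing in the hunk bounds how often the lookup repeats if the mapping keeps returning AOP_TRUNCATED_PAGE; that may be intended but is worth stating. The function begins and ends outside both hunks.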
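--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -80,7 +80,6 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
 {
  struct squashfs_sb_info *msblk;
  struct squashfs_super_block *sblk = NULL;
- char b[BDEVNAME_SIZE];
  struct inode *root;
  long long root_inode;
  unsigned short flags;
@@ -124,8 +123,8 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
  sb->s_magic = le32_to_cpu(sblk->s_magic);
  if (sb->s_magic != SQUASHFS_MAGIC) {
  if (!silent)
- ERROR("Can't find a SQUASHFS superblock on %s\n",
- bdevname(sb->s_bdev, b));
+ ERROR("Can't find a SQUASHFS superblock on %pg\n",
+ sb->s_bdev);
  goto failed_mount;
  }
 
@@ -178,7 +177,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
  msblk->inodes = le32_to_cpu(sblk->inodes);
  flags = le16_to_cpu(sblk->flags);
 
- TRACE("Found valid superblock on %s\n", bdevname(sb->s_bdev, b));
+ TRACE("Found valid superblock on %pg\n", sb->s_bdev);
  TRACE("Inodes are %scompressed\n", SQUASHFS_UNCOMPRESSED_INODES(flags)
  ? "un" : "");
  TRACE("Data is %scompressed\n", SQUASHFS_UNCOMPRESSED_DATA(flags)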
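--- a/fs/super.c
+++ b/fs/super.c
@@ -1012,10 +1012,8 @@ struct dentry *mount_bdev(struct file_system_type *fs_type,
  blkdev_put(bdev, mode);
  down_write(&s->s_umount);
  } else {
- char b[BDEVNAME_SIZE];
-
  s->s_mode = mode;
- strlcpy(s->s_id, bdevname(bdev, b), sizeof(s->s_id));
+ snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev);
  sb_set_blocksize(s, block_size(bdev));
  error = fill_super(s, data, flags & MS_SILENT ? 1 : 0);
  if (error) {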
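--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -305,7 +305,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
 {
  int error;
  void *kvalue = NULL;
- void *vvalue = NULL; /* If non-NULL, we used vmalloc() */
  char kname[XATTR_NAME_MAX + 1];
 
  if (flags & ~(XATTR_CREATE|XATTR_REPLACE))
@@ -322,10 +321,9 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
  return -E2BIG;
  kvalue = kmalloc(size, GFP_KERNEL | __GFP_NOWARN);
  if (!kvalue) {
- vvalue = vmalloc(size);
- if (!vvalue)
+ kvalue = vmalloc(size);
+ if (!kvalue)
  return -ENOMEM;
- kvalue = vvalue;
  }
  if (copy_from_user(kvalue, value, size)) {
  error = -EFAULT;
@@ -338,10 +336,8 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
 
  error = vfs_setxattr(d, kname, kvalue, size, flags);
 out:
- if (vvalue)
- vfree(vvalue);
- else
- kfree(kvalue);
+ kvfree(kvalue);
+
  return error;
 }
 
@@ -409,7 +405,6 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
 {
  ssize_t error;
  void *kvalue = NULL;
- void *vvalue = NULL;
  char kname[XATTR_NAME_MAX + 1];
 
  error = strncpy_from_user(kname, name, sizeof(kname));
@@ -423,10 +418,9 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
  size = XATTR_SIZE_MAX;
  kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
  if (!kvalue) {
- vvalue = vmalloc(size);
- if (!vvalue)
+ kvalue = vmalloc(size);
+ if (!kvalue)
  return -ENOMEM;
- kvalue = vvalue;
  }
  }
 
@@ -442,10 +436,9 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
  than XATTR_SIZE_MAX bytes. Not possible. */
  error = -E2BIG;
  }
- if (vvalue)
- vfree(vvalue);
- else
- kfree(kvalue);
+
+ kvfree(kvalue);
+
  return error;
 }
 
@@ -502,17 +495,15 @@ listxattr(struct dentry *d, char __user *list, size_t size)
 {
  ssize_t error;
  char *klist = NULL;
- char *vlist = NULL; /* If non-NULL, we used vmalloc() */
 
  if (size) {
  if (size > XATTR_LIST_MAX)
  size = XATTR_LIST_MAX;
  klist = kmalloc(size, __GFP_NOWARN | GFP_KERNEL);
  if (!klist) {
- vlist = vmalloc(size);
- if (!vlist)
+ klist = vmalloc(size);
+ if (!klist)
  return -ENOMEM;
- klist = vlist;
  }
  }
 
@@ -525,10 +516,9 @@ listxattr(struct dentry *d, char __user *list, size_t size)
  than XATTR_LIST_MAX bytes. Not possible. */
  error = -E2BIG;
  }
- if (vlist)
- vfree(vlist);
- else
- kfree(klist);
+
+ kvfree(klist);
+
  return error;
 }
 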
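Review bot: In getxattr() the fallback `kvalue = vmalloc(size);` leaves the buffer unzeroed although the primary allocation is `kzalloc()`, so the two paths hand differently initialised memory to the code that fills it. The copy back to user space is outside the hunks, so whether stale bytes could ever reach it cannot be judged from here, but `kvalue = vzalloc(size);` would make both paths equivalent. setxattr() overwrites its buffer with `copy_from_user()` and is not affected; listxattr() uses `kmalloc()` and `vmalloc()` and depends on the same unseen copy-out length.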
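--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -1632,13 +1632,9 @@ xfs_setsize_buftarg(
  btp->bt_meta_sectormask = sectorsize - 1;
 
  if (set_blocksize(btp->bt_bdev, sectorsize)) {
- char name[BDEVNAME_SIZE];
-
- bdevname(btp->bt_bdev, name);
-
  xfs_warn(btp->bt_mount,
- "Cannot set_blocksize to %u on device %s",
- sectorsize, name);
+ "Cannot set_blocksize to %u on device %pg",
+ sectorsize, btp->bt_bdev);
  return -EINVAL;
  }
 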
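--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2307,9 +2307,9 @@ static inline void iterate_bdevs(void (*f)(struct block_device *, void *), void
 {
 }
 
-static inline int sb_is_blkdev_sb(struct super_block *sb)
+static inline bool sb_is_blkdev_sb(struct super_block *sb)
 {
- return 0;
+ return false;
 }
 #endif
 extern int sync_filesystem(struct super_block *);
@@ -2387,7 +2387,7 @@ extern void init_special_inode(struct inode *, umode_t, dev_t);
 
 /* Invalid inode operations -- fs/bad_inode.c */
 extern void make_bad_inode(struct inode *);
-extern int is_bad_inode(struct inode *);
+extern bool is_bad_inode(struct inode *);
 
 #ifdef CONFIG_BLOCK
 /*
@@ -2548,8 +2548,8 @@ extern ssize_t __kernel_write(struct file *, const char *, size_t, loff_t *);
 extern struct file * open_exec(const char *);
 
 /* fs/dcache.c -- generic fs support functions */
-extern int is_subdir(struct dentry *, struct dentry *);
-extern int path_is_under(struct path *, struct path *);
+extern bool is_subdir(struct dentry *, struct dentry *);
+extern bool path_is_under(struct path *, struct path *);
 
 extern char *file_path(struct file *, char *, int);
 
@@ -2676,6 +2676,8 @@ extern loff_t generic_file_llseek_size(struct file *file, loff_t offset,
  int whence, loff_t maxsize, loff_t eof);
 extern loff_t fixed_size_llseek(struct file *file, loff_t offset,
  int whence, loff_t size);
+extern loff_t no_seek_end_llseek_size(struct file *, loff_t, int, loff_t);
+extern loff_t no_seek_end_llseek(struct file *, loff_t, int);
 extern int generic_file_open(struct inode * inode, struct file * filp);
 extern int nonseekable_open(struct inode * inode, struct file * filp);
 
@@ -2978,7 +2980,7 @@ int __init get_filesystem_list(char *buf);
 #define OPEN_FMODE(flag) ((__force fmode_t)(((flag + 1) & O_ACCMODE) | \
  (flag & __FMODE_NONOTIFY)))
 
-static inline int is_sxid(umode_t mode)
+static inline bool is_sxid(umode_t mode)
 {
  return (mode & S_ISUID) || ((mode & S_ISGID) && (mode & S_IXGRP));
 }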
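--- a/include/linux/namei.h
+++ b/include/linux/namei.h
@@ -77,6 +77,7 @@ extern struct dentry *kern_path_locked(const char *, struct path *);
 extern int kern_path_mountpoint(int, const char *, struct path *, unsigned int);
 
 extern struct dentry *lookup_one_len(const char *, struct dentry *, int);
+extern struct dentry *lookup_one_len_unlocked(const char *, struct dentry *, int);
 
 extern int follow_down_one(struct path *);
 extern int follow_down(struct path *);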
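--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -10,6 +10,7 @@
 
 extern char *strndup_user(const char __user *, long);
 extern void *memdup_user(const void __user *, size_t);
+extern void *memdup_user_nul(const void __user *, size_t);
 
 /*
  * Include machine specific inline routines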
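--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2047,9 +2047,8 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
  void *data)
 {
  int *i, vleft, first = 1, err = 0;
- unsigned long page = 0;
  size_t left;
- char *kbuf;
+ char *kbuf = NULL, *p;
 
  if (!tbl_data || !table->maxlen || !*lenp || (*ppos && !write)) {
  *lenp = 0;
@@ -2078,15 +2077,9 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
 
  if (left > PAGE_SIZE - 1)
  left = PAGE_SIZE - 1;
- page = __get_free_page(GFP_TEMPORARY);
- kbuf = (char *) page;
- if (!kbuf)
- return -ENOMEM;
- if (copy_from_user(kbuf, buffer, left)) {
- err = -EFAULT;
- goto free;
- }
- kbuf[left] = 0;
+ p = kbuf = memdup_user_nul(buffer, left);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
  }
 
  for (; left && vleft--; i++, first=0) {
@@ -2094,11 +2087,11 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
  bool neg;
 
  if (write) {
- left -= proc_skip_spaces(&kbuf);
+ left -= proc_skip_spaces(&p);
 
  if (!left)
  break;
- err = proc_get_long(&kbuf, &left, &lval, &neg,
+ err = proc_get_long(&p, &left, &lval, &neg,
  proc_wspace_sep,
  sizeof(proc_wspace_sep), NULL);
  if (err)
@@ -2125,10 +2118,9 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
  if (!write && !first && left && !err)
  err = proc_put_char(&buffer, &left, '\n');
  if (write && !err && left)
- left -= proc_skip_spaces(&kbuf);
-free:
+ left -= proc_skip_spaces(&p);
  if (write) {
- free_page(page);
+ kfree(kbuf);
  if (first)
  return err ? : -EINVAL;
  }
@@ -2310,9 +2302,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 {
  unsigned long *i, *min, *max;
  int vleft, first = 1, err = 0;
- unsigned long page = 0;
  size_t left;
- char *kbuf;
+ char *kbuf = NULL, *p;
 
  if (!data || !table->maxlen || !*lenp || (*ppos && !write)) {
  *lenp = 0;
@@ -2340,15 +2331,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 
  if (left > PAGE_SIZE - 1)
  left = PAGE_SIZE - 1;
- page = __get_free_page(GFP_TEMPORARY);
- kbuf = (char *) page;
- if (!kbuf)
- return -ENOMEM;
- if (copy_from_user(kbuf, buffer, left)) {
- err = -EFAULT;
- goto free;
- }
- kbuf[left] = 0;
+ p = kbuf = memdup_user_nul(buffer, left);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
  }
 
  for (; left && vleft--; i++, first = 0) {
@@ -2357,9 +2342,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
  if (write) {
  bool neg;
 
- left -= proc_skip_spaces(&kbuf);
+ left -= proc_skip_spaces(&p);
 
- err = proc_get_long(&kbuf, &left, &val, &neg,
+ err = proc_get_long(&p, &left, &val, &neg,
  proc_wspace_sep,
  sizeof(proc_wspace_sep), NULL);
  if (err)
@@ -2385,10 +2370,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
  if (!write && !first && left && !err)
  err = proc_put_char(&buffer, &left, '\n');
  if (write && !err)
- left -= proc_skip_spaces(&kbuf);
-free:
+ left -= proc_skip_spaces(&p);
  if (write) {
- free_page(page);
+ kfree(kbuf);
  if (first)
  return err ? : -EINVAL;
  }
@@ -2650,34 +2634,27 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
  }
 
  if (write) {
- unsigned long page = 0;
- char *kbuf;
+ char *kbuf, *p;
 
  if (left > PAGE_SIZE - 1)
  left = PAGE_SIZE - 1;
 
- page = __get_free_page(GFP_TEMPORARY);
- kbuf = (char *) page;
- if (!kbuf)
- return -ENOMEM;
- if (copy_from_user(kbuf, buffer, left)) {
- free_page(page);
- return -EFAULT;
- }
- kbuf[left] = 0;
+ p = kbuf = memdup_user_nul(buffer, left);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
 
  tmp_bitmap = kzalloc(BITS_TO_LONGS(bitmap_len) * sizeof(unsigned long),
  GFP_KERNEL);
  if (!tmp_bitmap) {
- free_page(page);
+ kfree(kbuf);
  return -ENOMEM;
  }
- proc_skip_char(&kbuf, &left, '\n');
+ proc_skip_char(&p, &left, '\n');
  while (!err && left) {
  unsigned long val_a, val_b;
  bool neg;
 
- err = proc_get_long(&kbuf, &left, &val_a, &neg, tr_a,
+ err = proc_get_long(&p, &left, &val_a, &neg, tr_a,
  sizeof(tr_a), &c);
  if (err)
  break;
@@ -2688,12 +2665,12 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
 
  val_b = val_a;
  if (left) {
- kbuf++;
+ p++;
  left--;
  }
 
  if (c == '-') {
- err = proc_get_long(&kbuf, &left, &val_b,
+ err = proc_get_long(&p, &left, &val_b,
  &neg, tr_b, sizeof(tr_b),
  &c);
  if (err)
@@ -2704,16 +2681,16 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
  break;
  }
  if (left) {
- kbuf++;
+ p++;
  left--;
  }
  }
 
  bitmap_set(tmp_bitmap, val_a, val_b - val_a + 1);
  first = 0;
- proc_skip_char(&kbuf, &left, '\n');
+ proc_skip_char(&p, &left, '\n');
  }
- free_page(page);
+ kfree(kbuf);
  } else {
  unsigned long bit_a, bit_b = 0;
 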
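Review bot: With `p = kbuf = memdup_user_nul(buffer, left);` the parse buffer is now exactly `left + 1` bytes instead of a whole page, so each `left -= proc_skip_spaces(&p);` and `proc_get_long(&p, &left, ...)` depends on `p` and `left` staying in step and on the helpers stopping at the terminating NUL; those helpers are outside the hunks. `left` is a `size_t`, and `__do_proc_doulongvec_minmax()` subtracts the skip count under `if (write && !err)` while `__do_proc_dointvec()` uses `if (write && !err && left)`; changing the former to `if (write && !err && left)` would keep the two consistent. A comment at the allocation such as `/* kbuf is left + 1 bytes and stays the kfree() base; p is the parse cursor */` would also explain why two pointers are needed.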
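--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -349,16 +349,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
  if (count >= BLK_TN_MAX_MSG)
  return -EINVAL;
 
- msg = kmalloc(count + 1, GFP_KERNEL);
- if (msg == NULL)
- return -ENOMEM;
-
- if (copy_from_user(msg, buffer, count)) {
- kfree(msg);
- return -EFAULT;
- }
+ msg = memdup_user_nul(buffer, count);
+ if (IS_ERR(msg))
+ return PTR_ERR(msg);
 
- msg[count] = '\0';
  bt = filp->private_data;
  __trace_note_message(bt, "%s", msg);
  kfree(msg);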
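--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1340,15 +1340,9 @@ event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
  if (cnt >= PAGE_SIZE)
  return -EINVAL;
 
- buf = (char *)__get_free_page(GFP_TEMPORARY);
- if (!buf)
- return -ENOMEM;
-
- if (copy_from_user(buf, ubuf, cnt)) {
- free_page((unsigned long) buf);
- return -EFAULT;
- }
- buf[cnt] = '\0';
+ buf = memdup_user_nul(ubuf, cnt);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
  mutex_lock(&event_mutex);
  file = event_file_data(filp);
@@ -1356,7 +1350,7 @@ event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
  err = apply_event_filter(file, buf);
  mutex_unlock(&event_mutex);
 
- free_page((unsigned long) buf);
+ kfree(buf);
  if (err < 0)
  return err;
 
@@ -1507,18 +1501,12 @@ subsystem_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
  if (cnt >= PAGE_SIZE)
  return -EINVAL;
 
- buf = (char *)__get_free_page(GFP_TEMPORARY);
- if (!buf)
- return -ENOMEM;
-
- if (copy_from_user(buf, ubuf, cnt)) {
- free_page((unsigned long) buf);
- return -EFAULT;
- }
- buf[cnt] = '\0';
+ buf = memdup_user_nul(ubuf, cnt);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
  err = apply_subsystem_event_filter(dir, buf);
- free_page((unsigned long) buf);
+ kfree(buf);
  if (err < 0)
  return err;
 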
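--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -237,28 +237,23 @@ static ssize_t event_trigger_regex_write(struct file *file,
  if (cnt >= PAGE_SIZE)
  return -EINVAL;
 
- buf = (char *)__get_free_page(GFP_TEMPORARY);
- if (!buf)
- return -ENOMEM;
+ buf = memdup_user_nul(ubuf, cnt);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
 
- if (copy_from_user(buf, ubuf, cnt)) {
- free_page((unsigned long)buf);
- return -EFAULT;
- }
- buf[cnt] = '\0';
  strim(buf);
 
  mutex_lock(&event_mutex);
  event_file = event_file_data(file);
  if (unlikely(!event_file)) {
  mutex_unlock(&event_mutex);
- free_page((unsigned long)buf);
+ kfree(buf);
  return -ENODEV;
  }
  ret = trigger_process_regex(event_file, buf);
  mutex_unlock(&event_mutex);
 
- free_page((unsigned long)buf);
+ kfree(buf);
  if (ret < 0)
  goto out;
 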
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 88fefa68c516..9bafc211930c 100644
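--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -602,8 +602,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
  struct uid_gid_map new_map;
  unsigned idx;
  struct uid_gid_extent *extent = NULL;
- unsigned long page = 0;
- char *kbuf, *pos, *next_line;
+ char *kbuf = NULL, *pos, *next_line;
  ssize_t ret = -EINVAL;
 
  /*
@@ -638,23 +637,18 @@ static ssize_t map_write(struct file *file, const char __user *buf,
  if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
  goto out;
 
- /* Get a buffer */
- ret = -ENOMEM;
- page = __get_free_page(GFP_TEMPORARY);
- kbuf = (char *) page;
- if (!page)
- goto out;
-
  /* Only allow < page size writes at the beginning of the file */
  ret = -EINVAL;
  if ((*ppos != 0) || (count >= PAGE_SIZE))
  goto out;
 
  /* Slurp in the user data */
- ret = -EFAULT;
- if (copy_from_user(kbuf, buf, count))
+ kbuf = memdup_user_nul(buf, count);
+ if (IS_ERR(kbuf)) {
+ ret = PTR_ERR(kbuf);
+ kbuf = NULL;
  goto out;
- kbuf[count] = '\0';
+ }
 
  /* Parse the user data */
  ret = -EINVAL;
@@ -756,8 +750,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
  ret = count;
 out:
  mutex_unlock(&userns_state_mutex);
- if (page)
- free_page(page);
+ kfree(kbuf);
  return ret;
 }
 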
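Review bot: In map_write() the user copy still runs with userns_state_mutex held: the failure branch after `kbuf = memdup_user_nul(buf, count);` jumps to `out:`, which unlocks that mutex, so the lock is taken before the copy (the lock call itself lies above these hunks). memdup_user_nul() can sleep on a page fault in the writer's buffer, and for as long as it does, everything else that needs this global lock waits behind one writer. As far as the hunks show, the copy depends only on `*ppos`, `count` and `buf`, so the `(*ppos != 0) || (count >= PAGE_SIZE)` test and the memdup_user_nul() call could move ahead of the locking, leaving only parsing and installing the map inside the critical section. The function body extends beyond the lines shown, so the exact lock site should be confirmed before reordering.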
diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
index e3952e9c8ec0..fe42b6ec3f0c 100644
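--- a/lib/dynamic_debug.c
+++ b/lib/dynamic_debug.c
@@ -657,14 +657,9 @@ static ssize_t ddebug_proc_write(struct file *file, const char __user *ubuf,
  pr_warn("expected <%d bytes into control\n", USER_BUF_PAGE);
  return -E2BIG;
  }
- tmpbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!tmpbuf)
- return -ENOMEM;
- if (copy_from_user(tmpbuf, ubuf, len)) {
- kfree(tmpbuf);
- return -EFAULT;
- }
- tmpbuf[len] = '\0';
+ tmpbuf = memdup_user_nul(ubuf, len);
+ if (IS_ERR(tmpbuf))
+ return PTR_ERR(tmpbuf);
  vpr_info("read %d bytes from userspace\n", (int)len);
 
  ret = ddebug_exec_queries(tmpbuf, NULL);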
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index f9cee8e1233c..ac3f9476b776 100644
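--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -31,6 +31,9 @@
 #include <linux/dcache.h>
 #include <linux/cred.h>
 #include <net/addrconf.h>
+#ifdef CONFIG_BLOCK
+#include <linux/blkdev.h>
+#endif
 
 #include <asm/page.h> /* for PAGE_SIZE */
 #include <asm/sections.h> /* for dereference_function_descriptor() */
@@ -613,6 +616,26 @@ char *dentry_name(char *buf, char *end, const struct dentry *d, struct printf_sp
  return buf;
 }
 
+#ifdef CONFIG_BLOCK
+static noinline_for_stack
+char *bdev_name(char *buf, char *end, struct block_device *bdev,
+ struct printf_spec spec, const char *fmt)
+{
+ struct gendisk *hd = bdev->bd_disk;
+
+ buf = string(buf, end, hd->disk_name, spec);
+ if (bdev->bd_part->partno) {
+ if (isdigit(hd->disk_name[strlen(hd->disk_name)-1])) {
+ if (buf < end)
+ *buf = 'p';
+ buf++;
+ }
+ buf = number(buf, end, bdev->bd_part->partno, spec);
+ }
+ return buf;
+}
+#endif
+
 static noinline_for_stack
 char *symbol_string(char *buf, char *end, void *ptr,
  struct printf_spec spec, const char *fmt)
@@ -1443,6 +1466,7 @@ int kptr_restrict __read_mostly;
  * (default assumed to be phys_addr_t, passed by reference)
  * - 'd[234]' For a dentry name (optionally 2-4 last components)
  * - 'D[234]' Same as 'd' but for a struct file
+ * - 'g' For block_device name (gendisk + partition number)
  * - 'C' For a clock, it prints the name (Common Clock Framework) or address
  * (legacy clock framework) of the clock
  * - 'Cn' For a clock, it prints the name (Common Clock Framework) or address
@@ -1600,6 +1624,11 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  return dentry_name(buf, end,
  ((const struct file *)ptr)->f_path.dentry,
  spec, fmt);
+#ifdef CONFIG_BLOCK
+ case 'g':
+ return bdev_name(buf, end, ptr, spec, fmt);
+#endif
+
  }
  spec.flags |= SMALL;
  if (spec.field_width == -1) {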
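Review bot: bdev_name() indexes `hd->disk_name[strlen(hd->disk_name)-1]` without checking for an empty name, so an empty disk_name makes it read the byte before the array. Taking the length once closes that: `size_t n = strlen(hd->disk_name);` followed by `if (n && isdigit(hd->disk_name[n - 1])) {`. The helper also dereferences `bdev->bd_disk` and `bdev->bd_part` unconditionally, and whether pointer() rejects a NULL `ptr` before reaching `case 'g':` is outside the hunk. I would extend the new `'g'` line in the format comment to say that the block_device passed must have valid bd_disk and bd_part pointers, since a printk() on an error path is exactly where a half-initialised device tends to show up.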
diff --git a/mm/util.c b/mm/util.c
index 9af1c12b310c..2d28f7930043 100644
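--- a/mm/util.c
+++ b/mm/util.c
@@ -176,6 +176,37 @@ char *strndup_user(const char __user *s, long n)
 }
 EXPORT_SYMBOL(strndup_user);
 
+/**
+ * memdup_user_nul - duplicate memory region from user space and NUL-terminate
+ *
+ * @src: source address in user space
+ * @len: number of bytes to copy
+ *
+ * Returns an ERR_PTR() on failure.
+ */
+void *memdup_user_nul(const void __user *src, size_t len)
+{
+ char *p;
+
+ /*
+ * Always use GFP_KERNEL, since copy_from_user() can sleep and
+ * cause pagefault, which makes it pointless to use GFP_NOFS
+ * or GFP_ATOMIC.
+ */
+ p = kmalloc_track_caller(len + 1, GFP_KERNEL);
+ if (!p)
+ return ERR_PTR(-ENOMEM);
+
+ if (copy_from_user(p, src, len)) {
+ kfree(p);
+ return ERR_PTR(-EFAULT);
+ }
+ p[len] = '\0';
+
+ return p;
+}
+EXPORT_SYMBOL(memdup_user_nul);
+
 void __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma,
  struct vm_area_struct *prev, struct rb_node *rb_parent)
 {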
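Review bot: The kernel-doc for memdup_user_nul() leaves out the two things a caller most needs: the helper does not bound @len, and the result is a kmalloc() buffer to be released with kfree(). `kmalloc_track_caller(len + 1, GFP_KERNEL)` sizes the allocation straight from the argument, so a handler that forwards an unchecked write() count lets the writer choose the allocation size, and `len + 1` wraps to 0 when `len` is the maximum size_t value. I would add to the comment `* The caller must bound @len; on success the buffer holds @len + 1 bytes and is freed with kfree().` Several converted callers in this commit rely on exactly that contract, which is why it is worth stating at the definition.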
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 6e70ddb158b4..199bc76202d2 100644
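--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -105,7 +105,7 @@ static struct list_head virtio_chan_list;
 /* How many bytes left in this page. */
 static unsigned int rest_of_page(void *data)
 {
- return PAGE_SIZE - ((unsigned long)data % PAGE_SIZE);
+ return PAGE_SIZE - offset_in_page(data);
 }
 
 /**
@@ -143,7 +143,6 @@ static void p9_virtio_close(struct p9_client *client)
 static void req_done(struct virtqueue *vq)
 {
  struct virtio_chan *chan = vq->vdev->priv;
- struct p9_fcall *rc;
  unsigned int len;
  struct p9_req_t *req;
  unsigned long flags;
@@ -152,8 +151,8 @@ static void req_done(struct virtqueue *vq)
 
  while (1) {
  spin_lock_irqsave(&chan->lock, flags);
- rc = virtqueue_get_buf(chan->vq, &len);
- if (rc == NULL) {
+ req = virtqueue_get_buf(chan->vq, &len);
+ if (req == NULL) {
  spin_unlock_irqrestore(&chan->lock, flags);
  break;
  }
@@ -161,9 +160,6 @@ static void req_done(struct virtqueue *vq)
  spin_unlock_irqrestore(&chan->lock, flags);
  /* Wakeup if anyone waiting for VirtIO ring space. */
  wake_up(chan->vc_wq);
- p9_debug(P9_DEBUG_TRANS, ": rc %p\n", rc);
- p9_debug(P9_DEBUG_TRANS, ": lookup tag %d\n", rc->tag);
- req = p9_tag_lookup(chan->client, rc->tag);
  p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
  }
 }
@@ -284,7 +280,7 @@ req_retry:
  if (in)
  sgs[out_sgs + in_sgs++] = chan->sg + out;
 
- err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req->tc,
+ err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req,
  GFP_ATOMIC);
  if (err < 0) {
  if (err == -ENOSPC) {
@@ -369,7 +365,7 @@ static int p9_get_mapped_pages(struct virtio_chan *chan,
  return -ENOMEM;
 
  *need_drop = 0;
- p -= (*offs = (unsigned long)p % PAGE_SIZE);
+ p -= (*offs = offset_in_page(p));
  for (index = 0; index < nr_pages; index++) {
  if (is_vmalloc_addr(p))
  (*pages)[index] = vmalloc_to_page(p);
@@ -469,7 +465,7 @@ req_retry_pinned:
  }
 
  BUG_ON(out_sgs + in_sgs > ARRAY_SIZE(sgs));
- err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req->tc,
+ err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req,
  GFP_ATOMIC);
  if (err < 0) {
  if (err == -ENOSPC) {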
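Review bot: req_done() now assigns the `void *` returned by `virtqueue_get_buf(chan->vq, &len)` straight to a `struct p9_req_t *`, and nothing next to the call says that the cookie is the request itself. That contract is kept only by the two `virtqueue_add_sgs(..., req, GFP_ATOMIC)` call sites changed in this same file, so a comment above the loop, e.g. `/* token is the struct p9_req_t handed to virtqueue_add_sgs() */`, would stop a later edit on one side from silently mismatching the other. `len`, the used length reported for the completed buffer, is still written and never read in the lines shown; if ignoring it is intentional because the reply size is taken from the 9P header, that deserves a line in the same comment.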
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
index da3cc09f683e..3f6571651d32 100644
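--- a/net/rxrpc/ar-key.c
+++ b/net/rxrpc/ar-key.c
@@ -896,15 +896,9 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
  if (optlen <= 0 || optlen > PAGE_SIZE - 1)
  return -EINVAL;
 
- description = kmalloc(optlen + 1, GFP_KERNEL);
- if (!description)
- return -ENOMEM;
-
- if (copy_from_user(description, optval, optlen)) {
- kfree(description);
- return -EFAULT;
- }
- description[optlen] = 0;
+ description = memdup_user_nul(optval, optlen);
+ if (IS_ERR(description))
+ return PTR_ERR(description);
 
  key = request_key(&key_type_rxrpc, description, NULL);
  if (IS_ERR(key)) {
@@ -933,15 +927,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval,
  if (optlen <= 0 || optlen > PAGE_SIZE - 1)
  return -EINVAL;
 
- description = kmalloc(optlen + 1, GFP_KERNEL);
- if (!description)
- return -ENOMEM;
-
- if (copy_from_user(description, optval, optlen)) {
- kfree(description);
- return -EFAULT;
- }
- description[optlen] = 0;
+ description = memdup_user_nul(optval, optlen);
+ if (IS_ERR(description))
+ return PTR_ERR(description);
 
  key = request_key(&key_type_keyring, description, NULL);
  if (IS_ERR(key)) {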
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 3d2f5b45c8cb..c2e3ccd4b510 100644
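--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -234,12 +234,13 @@ int __init integrity_read_file(const char *path, char **data)
  }
 
  rc = integrity_kernel_read(file, 0, buf, size);
- if (rc < 0)
- kfree(buf);
- else if (rc != size)
- rc = -EIO;
- else
+ if (rc == size) {
  *data = buf;
+ } else {
+ kfree(buf);
+ if (rc >= 0)
+ rc = -EIO;
+ }
 out:
  fput(file);
  return rc;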
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c02da25d7b63..73c60baa90a4 100644
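--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -147,23 +147,16 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
  ssize_t length;
  int new_value;
 
- length = -ENOMEM;
  if (count >= PAGE_SIZE)
- goto out;
+ return -ENOMEM;
 
  /* No partial writes. */
- length = -EINVAL;
  if (*ppos != 0)
- goto out;
-
- length = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- goto out;
+ return -EINVAL;
 
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
- goto out;
+ page = memdup_user_nul(buf, count);
+ if (IS_ERR(page))
+ return PTR_ERR(page);
 
  length = -EINVAL;
  if (sscanf(page, "%d", &new_value) != 1)
@@ -186,7 +179,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
  }
  length = count;
 out:
- free_page((unsigned long) page);
+ kfree(page);
  return length;
 }
 #else
@@ -275,27 +268,20 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
  size_t count, loff_t *ppos)
 
 {
- char *page = NULL;
+ char *page;
  ssize_t length;
  int new_value;
 
- length = -ENOMEM;
  if (count >= PAGE_SIZE)
- goto out;
+ return -ENOMEM;
 
  /* No partial writes. */
- length = -EINVAL;
  if (*ppos != 0)
- goto out;
-
- length = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- goto out;
+ return -EINVAL;
 
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
- goto out;
+ page = memdup_user_nul(buf, count);
+ if (IS_ERR(page))
+ return PTR_ERR(page);
 
  length = -EINVAL;
  if (sscanf(page, "%d", &new_value) != 1)
@@ -313,7 +299,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
 
  length = count;
 out:
- free_page((unsigned long) page);
+ kfree(page);
  return length;
 }
 #else
@@ -611,31 +597,24 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
 static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
  size_t count, loff_t *ppos)
 {
- char *page = NULL;
+ char *page;
  ssize_t length;
  unsigned int new_value;
 
  length = task_has_security(current, SECURITY__SETCHECKREQPROT);
  if (length)
- goto out;
+ return length;
 
- length = -ENOMEM;
  if (count >= PAGE_SIZE)
- goto out;
+ return -ENOMEM;
 
  /* No partial writes. */
- length = -EINVAL;
  if (*ppos != 0)
- goto out;
-
- length = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- goto out;
+ return -EINVAL;
 
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
- goto out;
+ page = memdup_user_nul(buf, count);
+ if (IS_ERR(page))
+ return PTR_ERR(page);
 
  length = -EINVAL;
  if (sscanf(page, "%u", &new_value) != 1)
@@ -644,7 +623,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
  selinux_checkreqprot = new_value ? 1 : 0;
  length = count;
 out:
- free_page((unsigned long) page);
+ kfree(page);
  return length;
 }
 static const struct file_operations sel_checkreqprot_ops = {
@@ -1100,14 +1079,12 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
  if (*ppos != 0)
  goto out;
 
- length = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- goto out;
-
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
+ page = memdup_user_nul(buf, count);
+ if (IS_ERR(page)) {
+ length = PTR_ERR(page);
+ page = NULL;
  goto out;
+ }
 
  length = -EINVAL;
  if (sscanf(page, "%d", &new_value) != 1)
@@ -1121,7 +1098,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
 
 out:
  mutex_unlock(&sel_mutex);
- free_page((unsigned long) page);
+ kfree(page);
  return length;
 }
 
@@ -1154,14 +1131,12 @@ static ssize_t sel_commit_bools_write(struct file *filep,
  if (*ppos != 0)
  goto out;
 
- length = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- goto out;
-
- length = -EFAULT;
- if (copy_from_user(page, buf, count))
+ page = memdup_user_nul(buf, count);
+ if (IS_ERR(page)) {
+ length = PTR_ERR(page);
+ page = NULL;
  goto out;
+ }
 
  length = -EINVAL;
  if (sscanf(page, "%d", &new_value) != 1)
@@ -1176,7 +1151,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
 
 out:
  mutex_unlock(&sel_mutex);
- free_page((unsigned long) page);
+ kfree(page);
  return length;
 }
 
@@ -1292,31 +1267,24 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
  size_t count, loff_t *ppos)
 
 {
- char *page = NULL;
+ char *page;
  ssize_t ret;
  int new_value;
 
  ret = task_has_security(current, SECURITY__SETSECPARAM);
  if (ret)
- goto out;
+ return ret;
 
- ret = -ENOMEM;
  if (count >= PAGE_SIZE)
- goto out;
+ return -ENOMEM;
 
  /* No partial writes. */
- ret = -EINVAL;
  if (*ppos != 0)
- goto out;
-
- ret = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
- goto out;
+ return -EINVAL;
 
- ret = -EFAULT;
- if (copy_from_user(page, buf, count))
- goto out;
+ page = memdup_user_nul(buf, count);
+ if (IS_ERR(page))
+ return PTR_ERR(page);
 
  ret = -EINVAL;
  if (sscanf(page, "%u", &new_value) != 1)
@@ -1326,7 +1294,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
 
  ret = count;
 out:
- free_page((unsigned long)page);
+ kfree(page);
  return ret;
 }
 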
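Review bot: In sel_write_bool() and sel_commit_bools_write() the new `page = memdup_user_nul(buf, count);` runs with sel_mutex held: its failure branch does `goto out`, and `out:` begins with `mutex_unlock(&sel_mutex);` (the lock call sits above both hunks). The copy can sleep on a page fault in the writer's buffer, and while it does, every other path that takes sel_mutex is blocked behind it. The other handlers converted in this file copy before any lock and return directly; these two could follow the same shape by copying first and locking afterwards, which would also make the `page = NULL;` reset unnecessary. Separately, sel_write_avc_cache_threshold() parses with `"%u"` into `int new_value;`, where `unsigned int new_value;` as in sel_write_checkreqprot() would match the format.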
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 94bd9e41c9ec..e249a66db533 100644
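--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -497,14 +497,9 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
  }
  }
 
- data = kmalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- rc = -EFAULT;
- goto out;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  /*
  * In case of parsing only part of user buf,
@@ -884,16 +879,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
  (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
  return -EINVAL;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- rc = -EFAULT;
- goto unlockedout;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
- data[count] = '\0';
  rule = data;
  /*
  * Only allow one writer at a time. Writes should be
@@ -946,7 +935,6 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 
 out:
  mutex_unlock(&smack_cipso_lock);
-unlockedout:
  kfree(data);
  return rc;
 }
@@ -1187,14 +1175,9 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
  if (count < SMK_NETLBLADDRMIN)
  return -EINVAL;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- rc = -EFAULT;
- goto free_data_out;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  smack = kzalloc(count + 1, GFP_KERNEL);
  if (smack == NULL) {
@@ -1202,8 +1185,6 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
  goto free_data_out;
  }
 
- data[count] = '\0';
-
  rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
  &host[0], &host[1], &host[2], &host[3], &masks, smack);
  if (rc != 6) {
@@ -1454,14 +1435,9 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
  if (count < SMK_NETLBLADDRMIN)
  return -EINVAL;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- rc = -EFAULT;
- goto free_data_out;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  smack = kzalloc(count + 1, GFP_KERNEL);
  if (smack == NULL) {
@@ -1469,8 +1445,6 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
  goto free_data_out;
  }
 
- data[count] = '\0';
-
  i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s",
  &scanned[0], &scanned[1], &scanned[2], &scanned[3],
  &scanned[4], &scanned[5], &scanned[6], &scanned[7],
@@ -1865,14 +1839,9 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
  if (!smack_privileged(CAP_MAC_ADMIN))
  return -EPERM;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- rc = -EFAULT;
- goto out;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  skp = smk_import_entry(data, count);
  if (IS_ERR(skp)) {
@@ -2041,14 +2010,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
  if (!smack_privileged(CAP_MAC_ADMIN))
  return -EPERM;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- kfree(data);
- return -EFAULT;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  rc = smk_parse_label_list(data, &list_tmp);
  kfree(data);
@@ -2133,14 +2097,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
  if (!smack_privileged(CAP_MAC_ADMIN))
  return -EPERM;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- rc = -EFAULT;
- goto freeout;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  /*
  * Clear the smack_unconfined on invalid label errors. This means
@@ -2696,19 +2655,15 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
  if (!smack_privileged(CAP_MAC_ADMIN))
  return -EPERM;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
- if (copy_from_user(data, buf, count) != 0)
- rc = -EFAULT;
- else {
- skp = smk_import_entry(data, count);
- if (IS_ERR(skp))
- rc = PTR_ERR(skp);
- else
- smack_syslog_label = skp;
- }
+ skp = smk_import_entry(data, count);
+ if (IS_ERR(skp))
+ rc = PTR_ERR(skp);
+ else
+ smack_syslog_label = skp;
 
  kfree(data);
  return rc;
@@ -2798,14 +2753,9 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
  if (*ppos != 0)
  return -EINVAL;
 
- data = kzalloc(count + 1, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-
- if (copy_from_user(data, buf, count) != 0) {
- kfree(data);
- return -EFAULT;
- }
+ data = memdup_user_nul(buf, count);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
 
  rc = smk_parse_label_list(data, &list_tmp);
  kfree(data);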
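Review bot: smk_write_ambient(), smk_write_onlycap(), smk_write_unconfined(), smk_write_syslog() and smk_write_relabel_self() hand the write() `count` to `memdup_user_nul(buf, count)` with no upper bound in the lines shown; the only tests before the call are `smack_privileged(CAP_MAC_ADMIN)` or `*ppos != 0`, and smk_write_net4addr()/smk_write_net6addr() check only the minimum `SMK_NETLBLADDRMIN`. Unless `count` is capped above these hunks, the writer picks the allocation size, and an oversized request surfaces as an allocation failure or warning rather than a clean rejection. A guard ahead of each call, `if (count > PAGE_SIZE) return -EINVAL;` (or whatever limit the label format allows), would bound it in the same spirit as the `count >= PAGE_SIZE` test in the selinuxfs handlers of this commit. The old code sized its buffer the same way (`kzalloc(count + 1, GFP_KERNEL)`), so the gap predates the conversion, but with every site now funnelled through one helper call it is a good moment to close it.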
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 179a955b319d..06ab41b1ff28 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -43,13 +43,9 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
43 int error; 43 int error;
44 if (!count || count >= TOMOYO_EXEC_TMPSIZE - 10) 44 if (!count || count >= TOMOYO_EXEC_TMPSIZE - 10)
45 return -ENOMEM; 45 return -ENOMEM;
46 data = kzalloc(count + 1, GFP_NOFS); 46 data = memdup_user_nul(buf, count);
47 if (!data) 47 if (IS_ERR(data))
48 return -ENOMEM; 48 return PTR_ERR(data);
49 if (copy_from_user(data, buf, count)) {
50 error = -EFAULT;
51 goto out;
52 }
53 tomoyo_normalize_line(data); 49 tomoyo_normalize_line(data);
54 if (tomoyo_correct_domain(data)) { 50 if (tomoyo_correct_domain(data)) {
55 const int idx = tomoyo_read_lock(); 51 const int idx = tomoyo_read_lock();
@@ -87,7 +83,6 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
87 tomoyo_read_unlock(idx); 83 tomoyo_read_unlock(idx);
88 } else 84 } else
89 error = -EINVAL; 85 error = -EINVAL;
90out:
91 kfree(data); 86 kfree(data);
92 return error ? error : count; 87 return error ? error : count;
93} 88}