aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-01-03 21:57:57 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2019-01-03 21:57:57 -0500
commit96d4f267e40f9509e8a66e2b39e8b95655617693 (patch)
treedf03d142d405652392707b1b80c284d68d6ea6ab
parent135143b2cac43d2a1ec73b53033b9473fbbcce6d (diff)
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument of the user address range verification function since we got rid of the old racy i386-only code to walk page tables by hand. It existed because the original 80386 would not honor the write protect bit when in kernel mode, so you had to do COW by hand before doing any user access. But we haven't supported that in a long time, and these days the 'type' argument is a purely historical artifact. A discussion about extending 'user_access_begin()' to do the range checking resulted this patch, because there is no way we're going to move the old VERIFY_xyz interface to that model. And it's best done at the end of the merge window when I've done most of my merges, so let's just get this done once and for all. This patch was mostly done with a sed-script, with manual fix-ups for the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form. There were a couple of notable cases: - csky still had the old "verify_area()" name as an alias. - the iter_iov code had magical hardcoded knowledge of the actual values of VERIFY_{READ,WRITE} (not that they mattered, since nothing really used it) - microblaze used the type argument for a debug printout but other than those oddities this should be a total no-op patch. I tried to fix up all architectures, did fairly extensive grepping for access_ok() uses, and the changes are trivial, but I may have missed something. Any missed conversion should be trivially fixable, though. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat
-rw-r--r--arch/alpha/include/asm/futex.h2
-rw-r--r--arch/alpha/include/asm/uaccess.h2
-rw-r--r--arch/alpha/kernel/signal.c12
-rw-r--r--arch/alpha/lib/csum_partial_copy.c2
-rw-r--r--arch/arc/include/asm/futex.h2
-rw-r--r--arch/arc/kernel/process.c2
-rw-r--r--arch/arc/kernel/signal.c4
-rw-r--r--arch/arm/include/asm/futex.h4
-rw-r--r--arch/arm/include/asm/uaccess.h4
-rw-r--r--arch/arm/kernel/perf_callchain.c2
-rw-r--r--arch/arm/kernel/signal.c6
-rw-r--r--arch/arm/kernel/swp_emulate.c2
-rw-r--r--arch/arm/kernel/sys_oabi-compat.c4
-rw-r--r--arch/arm/kernel/traps.c2
-rw-r--r--arch/arm/oprofile/common.c2
-rw-r--r--arch/arm64/include/asm/futex.h2
-rw-r--r--arch/arm64/include/asm/uaccess.h8
-rw-r--r--arch/arm64/kernel/armv8_deprecated.c2
-rw-r--r--arch/arm64/kernel/perf_callchain.c4
-rw-r--r--arch/arm64/kernel/signal.c6
-rw-r--r--arch/arm64/kernel/signal32.c6
-rw-r--r--arch/arm64/kernel/sys_compat.c2
-rw-r--r--arch/c6x/kernel/signal.c4
-rw-r--r--arch/csky/abiv1/alignment.c4
-rw-r--r--arch/csky/include/asm/uaccess.h16
-rw-r--r--arch/csky/kernel/signal.c2
-rw-r--r--arch/csky/lib/usercopy.c8
-rw-r--r--arch/h8300/kernel/signal.c4
-rw-r--r--arch/hexagon/include/asm/futex.h2
-rw-r--r--arch/hexagon/include/asm/uaccess.h3
-rw-r--r--arch/hexagon/kernel/signal.c4
-rw-r--r--arch/hexagon/mm/uaccess.c2
-rw-r--r--arch/ia64/include/asm/futex.h2
-rw-r--r--arch/ia64/include/asm/uaccess.h2
-rw-r--r--arch/ia64/kernel/ptrace.c4
-rw-r--r--arch/ia64/kernel/signal.c4
-rw-r--r--arch/m68k/include/asm/uaccess_mm.h2
-rw-r--r--arch/m68k/include/asm/uaccess_no.h2
-rw-r--r--arch/m68k/kernel/signal.c4
-rw-r--r--arch/microblaze/include/asm/futex.h2
-rw-r--r--arch/microblaze/include/asm/uaccess.h23
-rw-r--r--arch/microblaze/kernel/signal.c4
-rw-r--r--arch/mips/include/asm/checksum.h4
-rw-r--r--arch/mips/include/asm/futex.h2
-rw-r--r--arch/mips/include/asm/termios.h4
-rw-r--r--arch/mips/include/asm/uaccess.h12
-rw-r--r--arch/mips/kernel/mips-r2-to-r6-emul.c24
-rw-r--r--arch/mips/kernel/ptrace.c12
-rw-r--r--arch/mips/kernel/signal.c12
-rw-r--r--arch/mips/kernel/signal32.c4
-rw-r--r--arch/mips/kernel/signal_n32.c4
-rw-r--r--arch/mips/kernel/signal_o32.c8
-rw-r--r--arch/mips/kernel/syscall.c2
-rw-r--r--arch/mips/kernel/unaligned.c98
-rw-r--r--arch/mips/math-emu/cp1emu.c16
-rw-r--r--arch/mips/mm/cache.c2
-rw-r--r--arch/mips/mm/gup.c3
-rw-r--r--arch/mips/oprofile/backtrace.c2
-rw-r--r--arch/mips/sibyte/common/sb_tbprof.c2
-rw-r--r--arch/nds32/include/asm/futex.h2
-rw-r--r--arch/nds32/include/asm/uaccess.h11
-rw-r--r--arch/nds32/kernel/perf_event_cpu.c11
-rw-r--r--arch/nds32/kernel/signal.c4
-rw-r--r--arch/nds32/mm/alignment.c8
-rw-r--r--arch/nios2/include/asm/uaccess.h8
-rw-r--r--arch/nios2/kernel/signal.c2
-rw-r--r--arch/openrisc/include/asm/futex.h2
-rw-r--r--arch/openrisc/include/asm/uaccess.h8
-rw-r--r--arch/openrisc/kernel/signal.c6
-rw-r--r--arch/parisc/include/asm/futex.h2
-rw-r--r--arch/parisc/include/asm/uaccess.h2
-rw-r--r--arch/powerpc/include/asm/futex.h2
-rw-r--r--arch/powerpc/include/asm/uaccess.h8
-rw-r--r--arch/powerpc/kernel/align.c3
-rw-r--r--arch/powerpc/kernel/rtas_flash.c2
-rw-r--r--arch/powerpc/kernel/rtasd.c2
-rw-r--r--arch/powerpc/kernel/signal.c2
-rw-r--r--arch/powerpc/kernel/signal_32.c12
-rw-r--r--arch/powerpc/kernel/signal_64.c13
-rw-r--r--arch/powerpc/kernel/syscalls.c2
-rw-r--r--arch/powerpc/kernel/traps.c2
-rw-r--r--arch/powerpc/kvm/book3s_64_mmu_hv.c4
-rw-r--r--arch/powerpc/lib/checksum_wrappers.c4
-rw-r--r--arch/powerpc/mm/fault.c2
-rw-r--r--arch/powerpc/mm/subpage-prot.c2
-rw-r--r--arch/powerpc/oprofile/backtrace.c4
-rw-r--r--arch/powerpc/platforms/cell/spufs/file.c16
-rw-r--r--arch/powerpc/platforms/powernv/opal-lpc.c4
-rw-r--r--arch/powerpc/platforms/pseries/scanlog.c2
-rw-r--r--arch/riscv/include/asm/futex.h2
-rw-r--r--arch/riscv/include/asm/uaccess.h14
-rw-r--r--arch/riscv/kernel/signal.c4
-rw-r--r--arch/s390/include/asm/uaccess.h2
-rw-r--r--arch/sh/include/asm/checksum_32.h2
-rw-r--r--arch/sh/include/asm/futex.h2
-rw-r--r--arch/sh/include/asm/uaccess.h9
-rw-r--r--arch/sh/kernel/signal_32.c8
-rw-r--r--arch/sh/kernel/signal_64.c8
-rw-r--r--arch/sh/kernel/traps_64.c12
-rw-r--r--arch/sh/mm/gup.c3
-rw-r--r--arch/sh/oprofile/backtrace.c2
-rw-r--r--arch/sparc/include/asm/checksum_32.h2
-rw-r--r--arch/sparc/include/asm/uaccess_32.h2
-rw-r--r--arch/sparc/include/asm/uaccess_64.h2
-rw-r--r--arch/sparc/kernel/sigutil_32.c2
-rw-r--r--arch/sparc/kernel/unaligned_32.c7
-rw-r--r--arch/um/kernel/ptrace.c4
-rw-r--r--arch/unicore32/kernel/signal.c4
-rw-r--r--arch/x86/entry/vsyscall/vsyscall_64.c2
-rw-r--r--arch/x86/ia32/ia32_aout.c4
-rw-r--r--arch/x86/ia32/ia32_signal.c8
-rw-r--r--arch/x86/ia32/sys_ia32.c2
-rw-r--r--arch/x86/include/asm/checksum_32.h2
-rw-r--r--arch/x86/include/asm/pgtable_32.h2
-rw-r--r--arch/x86/include/asm/uaccess.h7
-rw-r--r--arch/x86/kernel/fpu/signal.c4
-rw-r--r--arch/x86/kernel/signal.c14
-rw-r--r--arch/x86/kernel/stacktrace.c2
-rw-r--r--arch/x86/kernel/vm86_32.c4
-rw-r--r--arch/x86/lib/csum-wrappers_64.c4
-rw-r--r--arch/x86/lib/usercopy_32.c2
-rw-r--r--arch/x86/lib/usercopy_64.c2
-rw-r--r--arch/x86/math-emu/fpu_system.h4
-rw-r--r--arch/x86/math-emu/load_store.c6
-rw-r--r--arch/x86/math-emu/reg_ld_str.c48
-rw-r--r--arch/x86/mm/mpx.c2
-rw-r--r--arch/x86/um/asm/checksum_32.h2
-rw-r--r--arch/x86/um/signal.c6
-rw-r--r--arch/xtensa/include/asm/checksum.h2
-rw-r--r--arch/xtensa/include/asm/futex.h2
-rw-r--r--arch/xtensa/include/asm/uaccess.h10
-rw-r--r--arch/xtensa/kernel/signal.c4
-rw-r--r--arch/xtensa/kernel/stacktrace.c2
-rw-r--r--drivers/acpi/acpi_dbg.c4
-rw-r--r--drivers/char/generic_nvram.c4
-rw-r--r--drivers/char/mem.c4
-rw-r--r--drivers/char/nwflash.c2
-rw-r--r--drivers/char/pcmcia/cm4000_cs.c4
-rw-r--r--drivers/crypto/ccp/psp-dev.c6
-rw-r--r--drivers/firewire/core-cdev.c2
-rw-r--r--drivers/firmware/efi/test/efi_test.c8
-rw-r--r--drivers/fpga/dfl-afu-dma-region.c2
-rw-r--r--drivers/fpga/dfl-fme-pr.c3
-rw-r--r--drivers/gpu/drm/amd/amdkfd/kfd_chardev.c18
-rw-r--r--drivers/gpu/drm/armada/armada_gem.c2
-rw-r--r--drivers/gpu/drm/drm_file.c2
-rw-r--r--drivers/gpu/drm/etnaviv/etnaviv_drv.c8
-rw-r--r--drivers/gpu/drm/i915/i915_gem.c7
-rw-r--r--drivers/gpu/drm/i915/i915_gem_execbuffer.c6
-rw-r--r--drivers/gpu/drm/i915/i915_gem_userptr.c3
-rw-r--r--drivers/gpu/drm/i915/i915_ioc32.c2
-rw-r--r--drivers/gpu/drm/i915/i915_perf.c2
-rw-r--r--drivers/gpu/drm/i915/i915_query.c2
-rw-r--r--drivers/gpu/drm/msm/msm_gem_submit.c2
-rw-r--r--drivers/gpu/drm/qxl/qxl_ioctl.c3
-rw-r--r--drivers/infiniband/core/uverbs_main.c3
-rw-r--r--drivers/infiniband/hw/hfi1/user_exp_rcv.c2
-rw-r--r--drivers/infiniband/hw/qib/qib_file_ops.c2
-rw-r--r--drivers/macintosh/ans-lcd.c2
-rw-r--r--drivers/macintosh/via-pmu.c2
-rw-r--r--drivers/media/pci/ivtv/ivtvfb.c2
-rw-r--r--drivers/media/v4l2-core/v4l2-compat-ioctl32.c46
-rw-r--r--drivers/misc/vmw_vmci/vmci_host.c2
-rw-r--r--drivers/pci/proc.c4
-rw-r--r--drivers/platform/goldfish/goldfish_pipe.c3
-rw-r--r--drivers/pnp/isapnp/proc.c2
-rw-r--r--drivers/scsi/pmcraid.c4
-rw-r--r--drivers/scsi/scsi_ioctl.c2
-rw-r--r--drivers/scsi/sg.c16
-rw-r--r--drivers/staging/comedi/comedi_compat32.c24
-rw-r--r--drivers/tty/n_hdlc.c2
-rw-r--r--drivers/usb/core/devices.c2
-rw-r--r--drivers/usb/core/devio.c7
-rw-r--r--drivers/usb/gadget/function/f_hid.c4
-rw-r--r--drivers/usb/gadget/udc/atmel_usba_udc.c2
-rw-r--r--drivers/vhost/vhost.c16
-rw-r--r--drivers/video/fbdev/amifb.c4
-rw-r--r--drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c2
-rw-r--r--drivers/xen/privcmd.c6
-rw-r--r--fs/binfmt_aout.c4
-rw-r--r--fs/btrfs/send.c2
-rw-r--r--fs/eventpoll.c2
-rw-r--r--fs/fat/dir.c4
-rw-r--r--fs/ioctl.c2
-rw-r--r--fs/namespace.c2
-rw-r--r--fs/ocfs2/dlmfs/dlmfs.c4
-rw-r--r--fs/pstore/pmsg.c2
-rw-r--r--fs/pstore/ram_core.c2
-rw-r--r--fs/read_write.c13
-rw-r--r--fs/readdir.c10
-rw-r--r--fs/select.c11
-rw-r--r--include/asm-generic/uaccess.h12
-rw-r--r--include/linux/regset.h4
-rw-r--r--include/linux/uaccess.h9
-rw-r--r--include/net/checksum.h4
-rw-r--r--kernel/bpf/syscall.c2
-rw-r--r--kernel/compat.c16
-rw-r--r--kernel/events/core.c2
-rw-r--r--kernel/exit.c4
-rw-r--r--kernel/futex.c35
-rw-r--r--kernel/printk/printk.c4
-rw-r--r--kernel/ptrace.c4
-rw-r--r--kernel/rseq.c6
-rw-r--r--kernel/sched/core.c4
-rw-r--r--kernel/signal.c8
-rw-r--r--kernel/sys.c2
-rw-r--r--kernel/trace/bpf_trace.c2
-rw-r--r--lib/bitmap.c4
-rw-r--r--lib/iov_iter.c8
-rw-r--r--lib/usercopy.c4
-rw-r--r--mm/gup.c6
-rw-r--r--mm/mincore.c4
-rw-r--r--net/batman-adv/icmp_socket.c2
-rw-r--r--net/batman-adv/log.c2
-rw-r--r--net/compat.c30
-rw-r--r--net/sunrpc/sysctl.c2
-rw-r--r--security/tomoyo/common.c2
-rw-r--r--sound/core/seq/seq_clientmgr.c2
-rw-r--r--sound/isa/sb/emu8000_patch.c4
-rw-r--r--tools/perf/util/include/asm/uaccess.h2
-rw-r--r--virt/kvm/kvm_main.c3
221 files changed, 610 insertions, 679 deletions
diff --git a/arch/alpha/include/asm/futex.h b/arch/alpha/include/asm/futex.h
index ca3322536f72..bfd3c01038f8 100644
--- a/arch/alpha/include/asm/futex.h
+++ b/arch/alpha/include/asm/futex.h
@@ -68,7 +68,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
68 int ret = 0, cmp; 68 int ret = 0, cmp;
69 u32 prev; 69 u32 prev;
70 70
71 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 71 if (!access_ok(uaddr, sizeof(u32)))
72 return -EFAULT; 72 return -EFAULT;
73 73
74 __asm__ __volatile__ ( 74 __asm__ __volatile__ (
diff --git a/arch/alpha/include/asm/uaccess.h b/arch/alpha/include/asm/uaccess.h
index 87d8c4f0307d..e69c4e13c328 100644
--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -36,7 +36,7 @@
36#define __access_ok(addr, size) \ 36#define __access_ok(addr, size) \
37 ((get_fs().seg & (addr | size | (addr+size))) == 0) 37 ((get_fs().seg & (addr | size | (addr+size))) == 0)
38 38
39#define access_ok(type, addr, size) \ 39#define access_ok(addr, size) \
40({ \ 40({ \
41 __chk_user_ptr(addr); \ 41 __chk_user_ptr(addr); \
42 __access_ok(((unsigned long)(addr)), (size)); \ 42 __access_ok(((unsigned long)(addr)), (size)); \
diff --git a/arch/alpha/kernel/signal.c b/arch/alpha/kernel/signal.c
index 8c0c4ee0be6e..33e904a05881 100644
--- a/arch/alpha/kernel/signal.c
+++ b/arch/alpha/kernel/signal.c
@@ -65,7 +65,7 @@ SYSCALL_DEFINE3(osf_sigaction, int, sig,
65 65
66 if (act) { 66 if (act) {
67 old_sigset_t mask; 67 old_sigset_t mask;
68 if (!access_ok(VERIFY_READ, act, sizeof(*act)) || 68 if (!access_ok(act, sizeof(*act)) ||
69 __get_user(new_ka.sa.sa_handler, &act->sa_handler) || 69 __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
70 __get_user(new_ka.sa.sa_flags, &act->sa_flags) || 70 __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
71 __get_user(mask, &act->sa_mask)) 71 __get_user(mask, &act->sa_mask))
@@ -77,7 +77,7 @@ SYSCALL_DEFINE3(osf_sigaction, int, sig,
77 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL); 77 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
78 78
79 if (!ret && oact) { 79 if (!ret && oact) {
80 if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) || 80 if (!access_ok(oact, sizeof(*oact)) ||
81 __put_user(old_ka.sa.sa_handler, &oact->sa_handler) || 81 __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
82 __put_user(old_ka.sa.sa_flags, &oact->sa_flags) || 82 __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
83 __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask)) 83 __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
@@ -207,7 +207,7 @@ do_sigreturn(struct sigcontext __user *sc)
207 sigset_t set; 207 sigset_t set;
208 208
209 /* Verify that it's a good sigcontext before using it */ 209 /* Verify that it's a good sigcontext before using it */
210 if (!access_ok(VERIFY_READ, sc, sizeof(*sc))) 210 if (!access_ok(sc, sizeof(*sc)))
211 goto give_sigsegv; 211 goto give_sigsegv;
212 if (__get_user(set.sig[0], &sc->sc_mask)) 212 if (__get_user(set.sig[0], &sc->sc_mask))
213 goto give_sigsegv; 213 goto give_sigsegv;
@@ -235,7 +235,7 @@ do_rt_sigreturn(struct rt_sigframe __user *frame)
235 sigset_t set; 235 sigset_t set;
236 236
237 /* Verify that it's a good ucontext_t before using it */ 237 /* Verify that it's a good ucontext_t before using it */
238 if (!access_ok(VERIFY_READ, &frame->uc, sizeof(frame->uc))) 238 if (!access_ok(&frame->uc, sizeof(frame->uc)))
239 goto give_sigsegv; 239 goto give_sigsegv;
240 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 240 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
241 goto give_sigsegv; 241 goto give_sigsegv;
@@ -332,7 +332,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
332 332
333 oldsp = rdusp(); 333 oldsp = rdusp();
334 frame = get_sigframe(ksig, oldsp, sizeof(*frame)); 334 frame = get_sigframe(ksig, oldsp, sizeof(*frame));
335 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 335 if (!access_ok(frame, sizeof(*frame)))
336 return -EFAULT; 336 return -EFAULT;
337 337
338 err |= setup_sigcontext(&frame->sc, regs, set->sig[0], oldsp); 338 err |= setup_sigcontext(&frame->sc, regs, set->sig[0], oldsp);
@@ -377,7 +377,7 @@ setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
377 377
378 oldsp = rdusp(); 378 oldsp = rdusp();
379 frame = get_sigframe(ksig, oldsp, sizeof(*frame)); 379 frame = get_sigframe(ksig, oldsp, sizeof(*frame));
380 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 380 if (!access_ok(frame, sizeof(*frame)))
381 return -EFAULT; 381 return -EFAULT;
382 382
383 err |= copy_siginfo_to_user(&frame->info, &ksig->info); 383 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
diff --git a/arch/alpha/lib/csum_partial_copy.c b/arch/alpha/lib/csum_partial_copy.c
index ddb9c2f376fa..e53f96e8aa6d 100644
--- a/arch/alpha/lib/csum_partial_copy.c
+++ b/arch/alpha/lib/csum_partial_copy.c
@@ -333,7 +333,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len,
333 unsigned long doff = 7 & (unsigned long) dst; 333 unsigned long doff = 7 & (unsigned long) dst;
334 334
335 if (len) { 335 if (len) {
336 if (!access_ok(VERIFY_READ, src, len)) { 336 if (!access_ok(src, len)) {
337 if (errp) *errp = -EFAULT; 337 if (errp) *errp = -EFAULT;
338 memset(dst, 0, len); 338 memset(dst, 0, len);
339 return sum; 339 return sum;
diff --git a/arch/arc/include/asm/futex.h b/arch/arc/include/asm/futex.h
index eb887dd13e74..c29c3fae6854 100644
--- a/arch/arc/include/asm/futex.h
+++ b/arch/arc/include/asm/futex.h
@@ -126,7 +126,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, u32 expval,
126 int ret = 0; 126 int ret = 0;
127 u32 existval; 127 u32 existval;
128 128
129 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 129 if (!access_ok(uaddr, sizeof(u32)))
130 return -EFAULT; 130 return -EFAULT;
131 131
132#ifndef CONFIG_ARC_HAS_LLSC 132#ifndef CONFIG_ARC_HAS_LLSC
diff --git a/arch/arc/kernel/process.c b/arch/arc/kernel/process.c
index 8ce6e7235915..641c364fc232 100644
--- a/arch/arc/kernel/process.c
+++ b/arch/arc/kernel/process.c
@@ -61,7 +61,7 @@ SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
61 /* Z indicates to userspace if operation succeded */ 61 /* Z indicates to userspace if operation succeded */
62 regs->status32 &= ~STATUS_Z_MASK; 62 regs->status32 &= ~STATUS_Z_MASK;
63 63
64 ret = access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr)); 64 ret = access_ok(uaddr, sizeof(*uaddr));
65 if (!ret) 65 if (!ret)
66 goto fail; 66 goto fail;
67 67
diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c
index 48685445002e..1bfb7de696bd 100644
--- a/arch/arc/kernel/signal.c
+++ b/arch/arc/kernel/signal.c
@@ -169,7 +169,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
169 169
170 sf = (struct rt_sigframe __force __user *)(regs->sp); 170 sf = (struct rt_sigframe __force __user *)(regs->sp);
171 171
172 if (!access_ok(VERIFY_READ, sf, sizeof(*sf))) 172 if (!access_ok(sf, sizeof(*sf)))
173 goto badframe; 173 goto badframe;
174 174
175 if (__get_user(magic, &sf->sigret_magic)) 175 if (__get_user(magic, &sf->sigret_magic))
@@ -219,7 +219,7 @@ static inline void __user *get_sigframe(struct ksignal *ksig,
219 frame = (void __user *)((sp - framesize) & ~7); 219 frame = (void __user *)((sp - framesize) & ~7);
220 220
221 /* Check that we can actually write to the signal frame */ 221 /* Check that we can actually write to the signal frame */
222 if (!access_ok(VERIFY_WRITE, frame, framesize)) 222 if (!access_ok(frame, framesize))
223 frame = NULL; 223 frame = NULL;
224 224
225 return frame; 225 return frame;
diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
index ffebe7b7a5b7..0a46676b4245 100644
--- a/arch/arm/include/asm/futex.h
+++ b/arch/arm/include/asm/futex.h
@@ -50,7 +50,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
50 int ret; 50 int ret;
51 u32 val; 51 u32 val;
52 52
53 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 53 if (!access_ok(uaddr, sizeof(u32)))
54 return -EFAULT; 54 return -EFAULT;
55 55
56 smp_mb(); 56 smp_mb();
@@ -104,7 +104,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
104 int ret = 0; 104 int ret = 0;
105 u32 val; 105 u32 val;
106 106
107 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 107 if (!access_ok(uaddr, sizeof(u32)))
108 return -EFAULT; 108 return -EFAULT;
109 109
110 preempt_disable(); 110 preempt_disable();
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index c136eef8f690..27ed17ec45fe 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -279,7 +279,7 @@ static inline void set_fs(mm_segment_t fs)
279 279
280#endif /* CONFIG_MMU */ 280#endif /* CONFIG_MMU */
281 281
282#define access_ok(type, addr, size) (__range_ok(addr, size) == 0) 282#define access_ok(addr, size) (__range_ok(addr, size) == 0)
283 283
284#define user_addr_max() \ 284#define user_addr_max() \
285 (uaccess_kernel() ? ~0UL : get_fs()) 285 (uaccess_kernel() ? ~0UL : get_fs())
@@ -560,7 +560,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
560 560
561static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) 561static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
562{ 562{
563 if (access_ok(VERIFY_WRITE, to, n)) 563 if (access_ok(to, n))
564 n = __clear_user(to, n); 564 n = __clear_user(to, n);
565 return n; 565 return n;
566} 566}
diff --git a/arch/arm/kernel/perf_callchain.c b/arch/arm/kernel/perf_callchain.c
index 08e43a32a693..3b69a76d341e 100644
--- a/arch/arm/kernel/perf_callchain.c
+++ b/arch/arm/kernel/perf_callchain.c
@@ -37,7 +37,7 @@ user_backtrace(struct frame_tail __user *tail,
37 struct frame_tail buftail; 37 struct frame_tail buftail;
38 unsigned long err; 38 unsigned long err;
39 39
40 if (!access_ok(VERIFY_READ, tail, sizeof(buftail))) 40 if (!access_ok(tail, sizeof(buftail)))
41 return NULL; 41 return NULL;
42 42
43 pagefault_disable(); 43 pagefault_disable();
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index b908382b69ff..76bb8de6bf6b 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -241,7 +241,7 @@ asmlinkage int sys_sigreturn(struct pt_regs *regs)
241 241
242 frame = (struct sigframe __user *)regs->ARM_sp; 242 frame = (struct sigframe __user *)regs->ARM_sp;
243 243
244 if (!access_ok(VERIFY_READ, frame, sizeof (*frame))) 244 if (!access_ok(frame, sizeof (*frame)))
245 goto badframe; 245 goto badframe;
246 246
247 if (restore_sigframe(regs, frame)) 247 if (restore_sigframe(regs, frame))
@@ -271,7 +271,7 @@ asmlinkage int sys_rt_sigreturn(struct pt_regs *regs)
271 271
272 frame = (struct rt_sigframe __user *)regs->ARM_sp; 272 frame = (struct rt_sigframe __user *)regs->ARM_sp;
273 273
274 if (!access_ok(VERIFY_READ, frame, sizeof (*frame))) 274 if (!access_ok(frame, sizeof (*frame)))
275 goto badframe; 275 goto badframe;
276 276
277 if (restore_sigframe(regs, &frame->sig)) 277 if (restore_sigframe(regs, &frame->sig))
@@ -355,7 +355,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, int framesize)
355 /* 355 /*
356 * Check that we can actually write to the signal frame. 356 * Check that we can actually write to the signal frame.
357 */ 357 */
358 if (!access_ok(VERIFY_WRITE, frame, framesize)) 358 if (!access_ok(frame, framesize))
359 frame = NULL; 359 frame = NULL;
360 360
361 return frame; 361 return frame;
diff --git a/arch/arm/kernel/swp_emulate.c b/arch/arm/kernel/swp_emulate.c
index a188d5e8ab7f..76f6e6a9736c 100644
--- a/arch/arm/kernel/swp_emulate.c
+++ b/arch/arm/kernel/swp_emulate.c
@@ -198,7 +198,7 @@ static int swp_handler(struct pt_regs *regs, unsigned int instr)
198 destreg, EXTRACT_REG_NUM(instr, RT2_OFFSET), data); 198 destreg, EXTRACT_REG_NUM(instr, RT2_OFFSET), data);
199 199
200 /* Check access in reasonable access range for both SWP and SWPB */ 200 /* Check access in reasonable access range for both SWP and SWPB */
201 if (!access_ok(VERIFY_WRITE, (address & ~3), 4)) { 201 if (!access_ok((address & ~3), 4)) {
202 pr_debug("SWP{B} emulation: access to %p not allowed!\n", 202 pr_debug("SWP{B} emulation: access to %p not allowed!\n",
203 (void *)address); 203 (void *)address);
204 res = -EFAULT; 204 res = -EFAULT;
diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index 40da0872170f..92ab36f38795 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -285,7 +285,7 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
285 maxevents > (INT_MAX/sizeof(*kbuf)) || 285 maxevents > (INT_MAX/sizeof(*kbuf)) ||
286 maxevents > (INT_MAX/sizeof(*events))) 286 maxevents > (INT_MAX/sizeof(*events)))
287 return -EINVAL; 287 return -EINVAL;
288 if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)) 288 if (!access_ok(events, sizeof(*events) * maxevents))
289 return -EFAULT; 289 return -EFAULT;
290 kbuf = kmalloc_array(maxevents, sizeof(*kbuf), GFP_KERNEL); 290 kbuf = kmalloc_array(maxevents, sizeof(*kbuf), GFP_KERNEL);
291 if (!kbuf) 291 if (!kbuf)
@@ -326,7 +326,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
326 326
327 if (nsops < 1 || nsops > SEMOPM) 327 if (nsops < 1 || nsops > SEMOPM)
328 return -EINVAL; 328 return -EINVAL;
329 if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)) 329 if (!access_ok(tsops, sizeof(*tsops) * nsops))
330 return -EFAULT; 330 return -EFAULT;
331 sops = kmalloc_array(nsops, sizeof(*sops), GFP_KERNEL); 331 sops = kmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
332 if (!sops) 332 if (!sops)
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 2d668cff8ef4..33af097c454b 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -582,7 +582,7 @@ do_cache_op(unsigned long start, unsigned long end, int flags)
582 if (end < start || flags) 582 if (end < start || flags)
583 return -EINVAL; 583 return -EINVAL;
584 584
585 if (!access_ok(VERIFY_READ, start, end - start)) 585 if (!access_ok(start, end - start))
586 return -EFAULT; 586 return -EFAULT;
587 587
588 return __do_cache_op(start, end); 588 return __do_cache_op(start, end);
diff --git a/arch/arm/oprofile/common.c b/arch/arm/oprofile/common.c
index cc649a1e46da..7cb3e0453fcd 100644
--- a/arch/arm/oprofile/common.c
+++ b/arch/arm/oprofile/common.c
@@ -88,7 +88,7 @@ static struct frame_tail* user_backtrace(struct frame_tail *tail)
88 struct frame_tail buftail[2]; 88 struct frame_tail buftail[2];
89 89
90 /* Also check accessibility of one struct frame_tail beyond */ 90 /* Also check accessibility of one struct frame_tail beyond */
91 if (!access_ok(VERIFY_READ, tail, sizeof(buftail))) 91 if (!access_ok(tail, sizeof(buftail)))
92 return NULL; 92 return NULL;
93 if (__copy_from_user_inatomic(buftail, tail, sizeof(buftail))) 93 if (__copy_from_user_inatomic(buftail, tail, sizeof(buftail)))
94 return NULL; 94 return NULL;
diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
index 07fe2479d310..cccb83ad7fa8 100644
--- a/arch/arm64/include/asm/futex.h
+++ b/arch/arm64/include/asm/futex.h
@@ -96,7 +96,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr,
96 u32 val, tmp; 96 u32 val, tmp;
97 u32 __user *uaddr; 97 u32 __user *uaddr;
98 98
99 if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32))) 99 if (!access_ok(_uaddr, sizeof(u32)))
100 return -EFAULT; 100 return -EFAULT;
101 101
102 uaddr = __uaccess_mask_ptr(_uaddr); 102 uaddr = __uaccess_mask_ptr(_uaddr);
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index ed252435fd92..547d7a0c9d05 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -95,7 +95,7 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si
95 return ret; 95 return ret;
96} 96}
97 97
98#define access_ok(type, addr, size) __range_ok(addr, size) 98#define access_ok(addr, size) __range_ok(addr, size)
99#define user_addr_max get_fs 99#define user_addr_max get_fs
100 100
101#define _ASM_EXTABLE(from, to) \ 101#define _ASM_EXTABLE(from, to) \
@@ -301,7 +301,7 @@ do { \
301({ \ 301({ \
302 __typeof__(*(ptr)) __user *__p = (ptr); \ 302 __typeof__(*(ptr)) __user *__p = (ptr); \
303 might_fault(); \ 303 might_fault(); \
304 if (access_ok(VERIFY_READ, __p, sizeof(*__p))) { \ 304 if (access_ok(__p, sizeof(*__p))) { \
305 __p = uaccess_mask_ptr(__p); \ 305 __p = uaccess_mask_ptr(__p); \
306 __get_user_err((x), __p, (err)); \ 306 __get_user_err((x), __p, (err)); \
307 } else { \ 307 } else { \
@@ -370,7 +370,7 @@ do { \
370({ \ 370({ \
371 __typeof__(*(ptr)) __user *__p = (ptr); \ 371 __typeof__(*(ptr)) __user *__p = (ptr); \
372 might_fault(); \ 372 might_fault(); \
373 if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) { \ 373 if (access_ok(__p, sizeof(*__p))) { \
374 __p = uaccess_mask_ptr(__p); \ 374 __p = uaccess_mask_ptr(__p); \
375 __put_user_err((x), __p, (err)); \ 375 __put_user_err((x), __p, (err)); \
376 } else { \ 376 } else { \
@@ -418,7 +418,7 @@ extern unsigned long __must_check __arch_copy_in_user(void __user *to, const voi
418extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n); 418extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
419static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n) 419static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
420{ 420{
421 if (access_ok(VERIFY_WRITE, to, n)) 421 if (access_ok(to, n))
422 n = __arch_clear_user(__uaccess_mask_ptr(to), n); 422 n = __arch_clear_user(__uaccess_mask_ptr(to), n);
423 return n; 423 return n;
424} 424}
diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
index 92be1d12d590..e52e7280884a 100644
--- a/arch/arm64/kernel/armv8_deprecated.c
+++ b/arch/arm64/kernel/armv8_deprecated.c
@@ -402,7 +402,7 @@ static int swp_handler(struct pt_regs *regs, u32 instr)
402 402
403 /* Check access in reasonable access range for both SWP and SWPB */ 403 /* Check access in reasonable access range for both SWP and SWPB */
404 user_ptr = (const void __user *)(unsigned long)(address & ~3); 404 user_ptr = (const void __user *)(unsigned long)(address & ~3);
405 if (!access_ok(VERIFY_WRITE, user_ptr, 4)) { 405 if (!access_ok(user_ptr, 4)) {
406 pr_debug("SWP{B} emulation: access to 0x%08x not allowed!\n", 406 pr_debug("SWP{B} emulation: access to 0x%08x not allowed!\n",
407 address); 407 address);
408 goto fault; 408 goto fault;
diff --git a/arch/arm64/kernel/perf_callchain.c b/arch/arm64/kernel/perf_callchain.c
index a34c26afacb0..61d983f5756f 100644
--- a/arch/arm64/kernel/perf_callchain.c
+++ b/arch/arm64/kernel/perf_callchain.c
@@ -39,7 +39,7 @@ user_backtrace(struct frame_tail __user *tail,
39 unsigned long lr; 39 unsigned long lr;
40 40
41 /* Also check accessibility of one struct frame_tail beyond */ 41 /* Also check accessibility of one struct frame_tail beyond */
42 if (!access_ok(VERIFY_READ, tail, sizeof(buftail))) 42 if (!access_ok(tail, sizeof(buftail)))
43 return NULL; 43 return NULL;
44 44
45 pagefault_disable(); 45 pagefault_disable();
@@ -86,7 +86,7 @@ compat_user_backtrace(struct compat_frame_tail __user *tail,
86 unsigned long err; 86 unsigned long err;
87 87
88 /* Also check accessibility of one struct frame_tail beyond */ 88 /* Also check accessibility of one struct frame_tail beyond */
89 if (!access_ok(VERIFY_READ, tail, sizeof(buftail))) 89 if (!access_ok(tail, sizeof(buftail)))
90 return NULL; 90 return NULL;
91 91
92 pagefault_disable(); 92 pagefault_disable();
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 5dcc942906db..867a7cea70e5 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -470,7 +470,7 @@ static int parse_user_sigframe(struct user_ctxs *user,
470 offset = 0; 470 offset = 0;
471 limit = extra_size; 471 limit = extra_size;
472 472
473 if (!access_ok(VERIFY_READ, base, limit)) 473 if (!access_ok(base, limit))
474 goto invalid; 474 goto invalid;
475 475
476 continue; 476 continue;
@@ -556,7 +556,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
556 556
557 frame = (struct rt_sigframe __user *)regs->sp; 557 frame = (struct rt_sigframe __user *)regs->sp;
558 558
559 if (!access_ok(VERIFY_READ, frame, sizeof (*frame))) 559 if (!access_ok(frame, sizeof (*frame)))
560 goto badframe; 560 goto badframe;
561 561
562 if (restore_sigframe(regs, frame)) 562 if (restore_sigframe(regs, frame))
@@ -730,7 +730,7 @@ static int get_sigframe(struct rt_sigframe_user_layout *user,
730 /* 730 /*
731 * Check that we can actually write to the signal frame. 731 * Check that we can actually write to the signal frame.
732 */ 732 */
733 if (!access_ok(VERIFY_WRITE, user->sigframe, sp_top - sp)) 733 if (!access_ok(user->sigframe, sp_top - sp))
734 return -EFAULT; 734 return -EFAULT;
735 735
736 return 0; 736 return 0;
diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c
index 24b09003f821..cb7800acd19f 100644
--- a/arch/arm64/kernel/signal32.c
+++ b/arch/arm64/kernel/signal32.c
@@ -303,7 +303,7 @@ COMPAT_SYSCALL_DEFINE0(sigreturn)
303 303
304 frame = (struct compat_sigframe __user *)regs->compat_sp; 304 frame = (struct compat_sigframe __user *)regs->compat_sp;
305 305
306 if (!access_ok(VERIFY_READ, frame, sizeof (*frame))) 306 if (!access_ok(frame, sizeof (*frame)))
307 goto badframe; 307 goto badframe;
308 308
309 if (compat_restore_sigframe(regs, frame)) 309 if (compat_restore_sigframe(regs, frame))
@@ -334,7 +334,7 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
334 334
335 frame = (struct compat_rt_sigframe __user *)regs->compat_sp; 335 frame = (struct compat_rt_sigframe __user *)regs->compat_sp;
336 336
337 if (!access_ok(VERIFY_READ, frame, sizeof (*frame))) 337 if (!access_ok(frame, sizeof (*frame)))
338 goto badframe; 338 goto badframe;
339 339
340 if (compat_restore_sigframe(regs, &frame->sig)) 340 if (compat_restore_sigframe(regs, &frame->sig))
@@ -365,7 +365,7 @@ static void __user *compat_get_sigframe(struct ksignal *ksig,
365 /* 365 /*
366 * Check that we can actually write to the signal frame. 366 * Check that we can actually write to the signal frame.
367 */ 367 */
368 if (!access_ok(VERIFY_WRITE, frame, framesize)) 368 if (!access_ok(frame, framesize))
369 frame = NULL; 369 frame = NULL;
370 370
371 return frame; 371 return frame;
diff --git a/arch/arm64/kernel/sys_compat.c b/arch/arm64/kernel/sys_compat.c
index 32653d156747..21005dfe8406 100644
--- a/arch/arm64/kernel/sys_compat.c
+++ b/arch/arm64/kernel/sys_compat.c
@@ -58,7 +58,7 @@ do_compat_cache_op(unsigned long start, unsigned long end, int flags)
58 if (end < start || flags) 58 if (end < start || flags)
59 return -EINVAL; 59 return -EINVAL;
60 60
61 if (!access_ok(VERIFY_READ, (const void __user *)start, end - start)) 61 if (!access_ok((const void __user *)start, end - start))
62 return -EFAULT; 62 return -EFAULT;
63 63
64 return __do_compat_cache_op(start, end); 64 return __do_compat_cache_op(start, end);
diff --git a/arch/c6x/kernel/signal.c b/arch/c6x/kernel/signal.c
index 3c4bb5a5c382..33b9f69c38f7 100644
--- a/arch/c6x/kernel/signal.c
+++ b/arch/c6x/kernel/signal.c
@@ -80,7 +80,7 @@ asmlinkage int do_rt_sigreturn(struct pt_regs *regs)
80 80
81 frame = (struct rt_sigframe __user *) ((unsigned long) regs->sp + 8); 81 frame = (struct rt_sigframe __user *) ((unsigned long) regs->sp + 8);
82 82
83 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 83 if (!access_ok(frame, sizeof(*frame)))
84 goto badframe; 84 goto badframe;
85 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 85 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
86 goto badframe; 86 goto badframe;
@@ -149,7 +149,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
149 149
150 frame = get_sigframe(ksig, regs, sizeof(*frame)); 150 frame = get_sigframe(ksig, regs, sizeof(*frame));
151 151
152 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 152 if (!access_ok(frame, sizeof(*frame)))
153 return -EFAULT; 153 return -EFAULT;
154 154
155 err |= __put_user(&frame->info, &frame->pinfo); 155 err |= __put_user(&frame->info, &frame->pinfo);
diff --git a/arch/csky/abiv1/alignment.c b/arch/csky/abiv1/alignment.c
index 60205e98fb87..d789be36eb4f 100644
--- a/arch/csky/abiv1/alignment.c
+++ b/arch/csky/abiv1/alignment.c
@@ -32,7 +32,7 @@ static int ldb_asm(uint32_t addr, uint32_t *valp)
32 uint32_t val; 32 uint32_t val;
33 int err; 33 int err;
34 34
35 if (!access_ok(VERIFY_READ, (void *)addr, 1)) 35 if (!access_ok((void *)addr, 1))
36 return 1; 36 return 1;
37 37
38 asm volatile ( 38 asm volatile (
@@ -67,7 +67,7 @@ static int stb_asm(uint32_t addr, uint32_t val)
67{ 67{
68 int err; 68 int err;
69 69
70 if (!access_ok(VERIFY_WRITE, (void *)addr, 1)) 70 if (!access_ok((void *)addr, 1))
71 return 1; 71 return 1;
72 72
73 asm volatile ( 73 asm volatile (
diff --git a/arch/csky/include/asm/uaccess.h b/arch/csky/include/asm/uaccess.h
index acaf0e210d81..eaa1c3403a42 100644
--- a/arch/csky/include/asm/uaccess.h
+++ b/arch/csky/include/asm/uaccess.h
@@ -16,10 +16,7 @@
16#include <linux/version.h> 16#include <linux/version.h>
17#include <asm/segment.h> 17#include <asm/segment.h>
18 18
19#define VERIFY_READ 0 19static inline int access_ok(const void *addr, unsigned long size)
20#define VERIFY_WRITE 1
21
22static inline int access_ok(int type, const void *addr, unsigned long size)
23{ 20{
24 unsigned long limit = current_thread_info()->addr_limit.seg; 21 unsigned long limit = current_thread_info()->addr_limit.seg;
25 22
@@ -27,12 +24,7 @@ static inline int access_ok(int type, const void *addr, unsigned long size)
27 ((unsigned long)(addr + size) < limit)); 24 ((unsigned long)(addr + size) < limit));
28} 25}
29 26
30static inline int verify_area(int type, const void *addr, unsigned long size) 27#define __addr_ok(addr) (access_ok(addr, 0))
31{
32 return access_ok(type, addr, size) ? 0 : -EFAULT;
33}
34
35#define __addr_ok(addr) (access_ok(VERIFY_READ, addr, 0))
36 28
37extern int __put_user_bad(void); 29extern int __put_user_bad(void);
38 30
@@ -91,7 +83,7 @@ extern int __put_user_bad(void);
91 long __pu_err = -EFAULT; \ 83 long __pu_err = -EFAULT; \
92 typeof(*(ptr)) *__pu_addr = (ptr); \ 84 typeof(*(ptr)) *__pu_addr = (ptr); \
93 typeof(*(ptr)) __pu_val = (typeof(*(ptr)))(x); \ 85 typeof(*(ptr)) __pu_val = (typeof(*(ptr)))(x); \
94 if (access_ok(VERIFY_WRITE, __pu_addr, size) && __pu_addr) \ 86 if (access_ok(__pu_addr, size) && __pu_addr) \
95 __put_user_size(__pu_val, __pu_addr, (size), __pu_err); \ 87 __put_user_size(__pu_val, __pu_addr, (size), __pu_err); \
96 __pu_err; \ 88 __pu_err; \
97}) 89})
@@ -217,7 +209,7 @@ do { \
217({ \ 209({ \
218 int __gu_err = -EFAULT; \ 210 int __gu_err = -EFAULT; \
219 const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ 211 const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
220 if (access_ok(VERIFY_READ, __gu_ptr, size) && __gu_ptr) \ 212 if (access_ok(__gu_ptr, size) && __gu_ptr) \
221 __get_user_size(x, __gu_ptr, size, __gu_err); \ 213 __get_user_size(x, __gu_ptr, size, __gu_err); \
222 __gu_err; \ 214 __gu_err; \
223}) 215})
diff --git a/arch/csky/kernel/signal.c b/arch/csky/kernel/signal.c
index 66e1b729b10b..9967c10eee2b 100644
--- a/arch/csky/kernel/signal.c
+++ b/arch/csky/kernel/signal.c
@@ -88,7 +88,7 @@ do_rt_sigreturn(void)
88 struct pt_regs *regs = current_pt_regs(); 88 struct pt_regs *regs = current_pt_regs();
89 struct rt_sigframe *frame = (struct rt_sigframe *)(regs->usp); 89 struct rt_sigframe *frame = (struct rt_sigframe *)(regs->usp);
90 90
91 if (verify_area(VERIFY_READ, frame, sizeof(*frame))) 91 if (!access_ok(frame, sizeof(*frame)))
92 goto badframe; 92 goto badframe;
93 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 93 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
94 goto badframe; 94 goto badframe;
diff --git a/arch/csky/lib/usercopy.c b/arch/csky/lib/usercopy.c
index ac9170e2cbb8..647a23986fb5 100644
--- a/arch/csky/lib/usercopy.c
+++ b/arch/csky/lib/usercopy.c
@@ -7,7 +7,7 @@
7unsigned long raw_copy_from_user(void *to, const void *from, 7unsigned long raw_copy_from_user(void *to, const void *from,
8 unsigned long n) 8 unsigned long n)
9{ 9{
10 if (access_ok(VERIFY_READ, from, n)) 10 if (access_ok(from, n))
11 __copy_user_zeroing(to, from, n); 11 __copy_user_zeroing(to, from, n);
12 else 12 else
13 memset(to, 0, n); 13 memset(to, 0, n);
@@ -18,7 +18,7 @@ EXPORT_SYMBOL(raw_copy_from_user);
18unsigned long raw_copy_to_user(void *to, const void *from, 18unsigned long raw_copy_to_user(void *to, const void *from,
19 unsigned long n) 19 unsigned long n)
20{ 20{
21 if (access_ok(VERIFY_WRITE, to, n)) 21 if (access_ok(to, n))
22 __copy_user(to, from, n); 22 __copy_user(to, from, n);
23 return n; 23 return n;
24} 24}
@@ -113,7 +113,7 @@ long strncpy_from_user(char *dst, const char *src, long count)
113{ 113{
114 long res = -EFAULT; 114 long res = -EFAULT;
115 115
116 if (access_ok(VERIFY_READ, src, 1)) 116 if (access_ok(src, 1))
117 __do_strncpy_from_user(dst, src, count, res); 117 __do_strncpy_from_user(dst, src, count, res);
118 return res; 118 return res;
119} 119}
@@ -236,7 +236,7 @@ do { \
236unsigned long 236unsigned long
237clear_user(void __user *to, unsigned long n) 237clear_user(void __user *to, unsigned long n)
238{ 238{
239 if (access_ok(VERIFY_WRITE, to, n)) 239 if (access_ok(to, n))
240 __do_clear_user(to, n); 240 __do_clear_user(to, n);
241 return n; 241 return n;
242} 242}
diff --git a/arch/h8300/kernel/signal.c b/arch/h8300/kernel/signal.c
index 1e8070d08770..e0f2b708e5d9 100644
--- a/arch/h8300/kernel/signal.c
+++ b/arch/h8300/kernel/signal.c
@@ -110,7 +110,7 @@ asmlinkage int sys_rt_sigreturn(void)
110 sigset_t set; 110 sigset_t set;
111 int er0; 111 int er0;
112 112
113 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 113 if (!access_ok(frame, sizeof(*frame)))
114 goto badframe; 114 goto badframe;
115 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 115 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
116 goto badframe; 116 goto badframe;
@@ -165,7 +165,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
165 165
166 frame = get_sigframe(ksig, regs, sizeof(*frame)); 166 frame = get_sigframe(ksig, regs, sizeof(*frame));
167 167
168 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 168 if (!access_ok(frame, sizeof(*frame)))
169 return -EFAULT; 169 return -EFAULT;
170 170
171 if (ksig->ka.sa.sa_flags & SA_SIGINFO) 171 if (ksig->ka.sa.sa_flags & SA_SIGINFO)
diff --git a/arch/hexagon/include/asm/futex.h b/arch/hexagon/include/asm/futex.h
index c889f5993ecd..cb635216a732 100644
--- a/arch/hexagon/include/asm/futex.h
+++ b/arch/hexagon/include/asm/futex.h
@@ -77,7 +77,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, u32 oldval,
77 int prev; 77 int prev;
78 int ret; 78 int ret;
79 79
80 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 80 if (!access_ok(uaddr, sizeof(u32)))
81 return -EFAULT; 81 return -EFAULT;
82 82
83 __asm__ __volatile__ ( 83 __asm__ __volatile__ (
diff --git a/arch/hexagon/include/asm/uaccess.h b/arch/hexagon/include/asm/uaccess.h
index 458b69886b34..a30e58d5f351 100644
--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -29,9 +29,6 @@
29 29
30/* 30/*
31 * access_ok: - Checks if a user space pointer is valid 31 * access_ok: - Checks if a user space pointer is valid
32 * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
33 * %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
34 * to write to a block, it is always safe to read from it.
35 * @addr: User space pointer to start of block to check 32 * @addr: User space pointer to start of block to check
36 * @size: Size of block to check 33 * @size: Size of block to check
37 * 34 *
diff --git a/arch/hexagon/kernel/signal.c b/arch/hexagon/kernel/signal.c
index 78aa7304a5c9..31e2cf95f189 100644
--- a/arch/hexagon/kernel/signal.c
+++ b/arch/hexagon/kernel/signal.c
@@ -115,7 +115,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
115 115
116 frame = get_sigframe(ksig, regs, sizeof(struct rt_sigframe)); 116 frame = get_sigframe(ksig, regs, sizeof(struct rt_sigframe));
117 117
118 if (!access_ok(VERIFY_WRITE, frame, sizeof(struct rt_sigframe))) 118 if (!access_ok(frame, sizeof(struct rt_sigframe)))
119 return -EFAULT; 119 return -EFAULT;
120 120
121 if (copy_siginfo_to_user(&frame->info, &ksig->info)) 121 if (copy_siginfo_to_user(&frame->info, &ksig->info))
@@ -244,7 +244,7 @@ asmlinkage int sys_rt_sigreturn(void)
244 current->restart_block.fn = do_no_restart_syscall; 244 current->restart_block.fn = do_no_restart_syscall;
245 245
246 frame = (struct rt_sigframe __user *)pt_psp(regs); 246 frame = (struct rt_sigframe __user *)pt_psp(regs);
247 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 247 if (!access_ok(frame, sizeof(*frame)))
248 goto badframe; 248 goto badframe;
249 if (__copy_from_user(&blocked, &frame->uc.uc_sigmask, sizeof(blocked))) 249 if (__copy_from_user(&blocked, &frame->uc.uc_sigmask, sizeof(blocked)))
250 goto badframe; 250 goto badframe;
diff --git a/arch/hexagon/mm/uaccess.c b/arch/hexagon/mm/uaccess.c
index c599eb126c9e..6f9c4697552c 100644
--- a/arch/hexagon/mm/uaccess.c
+++ b/arch/hexagon/mm/uaccess.c
@@ -51,7 +51,7 @@ __kernel_size_t __clear_user_hexagon(void __user *dest, unsigned long count)
51 51
52unsigned long clear_user_hexagon(void __user *dest, unsigned long count) 52unsigned long clear_user_hexagon(void __user *dest, unsigned long count)
53{ 53{
54 if (!access_ok(VERIFY_WRITE, dest, count)) 54 if (!access_ok(dest, count))
55 return count; 55 return count;
56 else 56 else
57 return __clear_user_hexagon(dest, count); 57 return __clear_user_hexagon(dest, count);
diff --git a/arch/ia64/include/asm/futex.h b/arch/ia64/include/asm/futex.h
index db2dd85918c2..2e106d462196 100644
--- a/arch/ia64/include/asm/futex.h
+++ b/arch/ia64/include/asm/futex.h
@@ -86,7 +86,7 @@ static inline int
86futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, 86futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
87 u32 oldval, u32 newval) 87 u32 oldval, u32 newval)
88{ 88{
89 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 89 if (!access_ok(uaddr, sizeof(u32)))
90 return -EFAULT; 90 return -EFAULT;
91 91
92 { 92 {
diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
index a74524f2d625..306d469e43da 100644
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -67,7 +67,7 @@ static inline int __access_ok(const void __user *p, unsigned long size)
67 return likely(addr <= seg) && 67 return likely(addr <= seg) &&
68 (seg == KERNEL_DS.seg || likely(REGION_OFFSET(addr) < RGN_MAP_LIMIT)); 68 (seg == KERNEL_DS.seg || likely(REGION_OFFSET(addr) < RGN_MAP_LIMIT));
69} 69}
70#define access_ok(type, addr, size) __access_ok((addr), (size)) 70#define access_ok(addr, size) __access_ok((addr), (size))
71 71
72/* 72/*
73 * These are the main single-value transfer routines. They automatically 73 * These are the main single-value transfer routines. They automatically
diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c
index 427cd565fd61..6d50ede0ed69 100644
--- a/arch/ia64/kernel/ptrace.c
+++ b/arch/ia64/kernel/ptrace.c
@@ -836,7 +836,7 @@ ptrace_getregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
836 char nat = 0; 836 char nat = 0;
837 int i; 837 int i;
838 838
839 if (!access_ok(VERIFY_WRITE, ppr, sizeof(struct pt_all_user_regs))) 839 if (!access_ok(ppr, sizeof(struct pt_all_user_regs)))
840 return -EIO; 840 return -EIO;
841 841
842 pt = task_pt_regs(child); 842 pt = task_pt_regs(child);
@@ -981,7 +981,7 @@ ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
981 981
982 memset(&fpval, 0, sizeof(fpval)); 982 memset(&fpval, 0, sizeof(fpval));
983 983
984 if (!access_ok(VERIFY_READ, ppr, sizeof(struct pt_all_user_regs))) 984 if (!access_ok(ppr, sizeof(struct pt_all_user_regs)))
985 return -EIO; 985 return -EIO;
986 986
987 pt = task_pt_regs(child); 987 pt = task_pt_regs(child);
diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
index 99099f73b207..6062fd14e34e 100644
--- a/arch/ia64/kernel/signal.c
+++ b/arch/ia64/kernel/signal.c
@@ -132,7 +132,7 @@ ia64_rt_sigreturn (struct sigscratch *scr)
132 */ 132 */
133 retval = (long) &ia64_strace_leave_kernel; 133 retval = (long) &ia64_strace_leave_kernel;
134 134
135 if (!access_ok(VERIFY_READ, sc, sizeof(*sc))) 135 if (!access_ok(sc, sizeof(*sc)))
136 goto give_sigsegv; 136 goto give_sigsegv;
137 137
138 if (GET_SIGSET(&set, &sc->sc_mask)) 138 if (GET_SIGSET(&set, &sc->sc_mask))
@@ -264,7 +264,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct sigscratch *scr)
264 } 264 }
265 frame = (void __user *) ((new_sp - sizeof(*frame)) & -STACK_ALIGN); 265 frame = (void __user *) ((new_sp - sizeof(*frame)) & -STACK_ALIGN);
266 266
267 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) { 267 if (!access_ok(frame, sizeof(*frame))) {
268 force_sigsegv(ksig->sig, current); 268 force_sigsegv(ksig->sig, current);
269 return 1; 269 return 1;
270 } 270 }
diff --git a/arch/m68k/include/asm/uaccess_mm.h b/arch/m68k/include/asm/uaccess_mm.h
index c4cb889660aa..7e85de984df1 100644
--- a/arch/m68k/include/asm/uaccess_mm.h
+++ b/arch/m68k/include/asm/uaccess_mm.h
@@ -10,7 +10,7 @@
10#include <asm/segment.h> 10#include <asm/segment.h>
11 11
12/* We let the MMU do all checking */ 12/* We let the MMU do all checking */
13static inline int access_ok(int type, const void __user *addr, 13static inline int access_ok(const void __user *addr,
14 unsigned long size) 14 unsigned long size)
15{ 15{
16 return 1; 16 return 1;
diff --git a/arch/m68k/include/asm/uaccess_no.h b/arch/m68k/include/asm/uaccess_no.h
index 892efb56beef..0134008bf539 100644
--- a/arch/m68k/include/asm/uaccess_no.h
+++ b/arch/m68k/include/asm/uaccess_no.h
@@ -10,7 +10,7 @@
10 10
11#include <asm/segment.h> 11#include <asm/segment.h>
12 12
13#define access_ok(type,addr,size) _access_ok((unsigned long)(addr),(size)) 13#define access_ok(addr,size) _access_ok((unsigned long)(addr),(size))
14 14
15/* 15/*
16 * It is not enough to just have access_ok check for a real RAM address. 16 * It is not enough to just have access_ok check for a real RAM address.
diff --git a/arch/m68k/kernel/signal.c b/arch/m68k/kernel/signal.c
index 72850b85ecf8..e2a9421c5797 100644
--- a/arch/m68k/kernel/signal.c
+++ b/arch/m68k/kernel/signal.c
@@ -787,7 +787,7 @@ asmlinkage int do_sigreturn(struct pt_regs *regs, struct switch_stack *sw)
787 struct sigframe __user *frame = (struct sigframe __user *)(usp - 4); 787 struct sigframe __user *frame = (struct sigframe __user *)(usp - 4);
788 sigset_t set; 788 sigset_t set;
789 789
790 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 790 if (!access_ok(frame, sizeof(*frame)))
791 goto badframe; 791 goto badframe;
792 if (__get_user(set.sig[0], &frame->sc.sc_mask) || 792 if (__get_user(set.sig[0], &frame->sc.sc_mask) ||
793 (_NSIG_WORDS > 1 && 793 (_NSIG_WORDS > 1 &&
@@ -812,7 +812,7 @@ asmlinkage int do_rt_sigreturn(struct pt_regs *regs, struct switch_stack *sw)
812 struct rt_sigframe __user *frame = (struct rt_sigframe __user *)(usp - 4); 812 struct rt_sigframe __user *frame = (struct rt_sigframe __user *)(usp - 4);
813 sigset_t set; 813 sigset_t set;
814 814
815 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 815 if (!access_ok(frame, sizeof(*frame)))
816 goto badframe; 816 goto badframe;
817 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 817 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
818 goto badframe; 818 goto badframe;
diff --git a/arch/microblaze/include/asm/futex.h b/arch/microblaze/include/asm/futex.h
index 2572077b04ea..8c90357e5983 100644
--- a/arch/microblaze/include/asm/futex.h
+++ b/arch/microblaze/include/asm/futex.h
@@ -71,7 +71,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
71 int ret = 0, cmp; 71 int ret = 0, cmp;
72 u32 prev; 72 u32 prev;
73 73
74 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 74 if (!access_ok(uaddr, sizeof(u32)))
75 return -EFAULT; 75 return -EFAULT;
76 76
77 __asm__ __volatile__ ("1: lwx %1, %3, r0; \ 77 __asm__ __volatile__ ("1: lwx %1, %3, r0; \
diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
index 81f16aadbf9e..dbfea093a7c7 100644
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -60,26 +60,25 @@ static inline int ___range_ok(unsigned long addr, unsigned long size)
60#define __range_ok(addr, size) \ 60#define __range_ok(addr, size) \
61 ___range_ok((unsigned long)(addr), (unsigned long)(size)) 61 ___range_ok((unsigned long)(addr), (unsigned long)(size))
62 62
63#define access_ok(type, addr, size) (__range_ok((addr), (size)) == 0) 63#define access_ok(addr, size) (__range_ok((addr), (size)) == 0)
64 64
65#else 65#else
66 66
67static inline int access_ok(int type, const void __user *addr, 67static inline int access_ok(const void __user *addr, unsigned long size)
68 unsigned long size)
69{ 68{
70 if (!size) 69 if (!size)
71 goto ok; 70 goto ok;
72 71
73 if ((get_fs().seg < ((unsigned long)addr)) || 72 if ((get_fs().seg < ((unsigned long)addr)) ||
74 (get_fs().seg < ((unsigned long)addr + size - 1))) { 73 (get_fs().seg < ((unsigned long)addr + size - 1))) {
75 pr_devel("ACCESS fail: %s at 0x%08x (size 0x%x), seg 0x%08x\n", 74 pr_devel("ACCESS fail at 0x%08x (size 0x%x), seg 0x%08x\n",
76 type ? "WRITE" : "READ ", (__force u32)addr, (u32)size, 75 (__force u32)addr, (u32)size,
77 (u32)get_fs().seg); 76 (u32)get_fs().seg);
78 return 0; 77 return 0;
79 } 78 }
80ok: 79ok:
81 pr_devel("ACCESS OK: %s at 0x%08x (size 0x%x), seg 0x%08x\n", 80 pr_devel("ACCESS OK at 0x%08x (size 0x%x), seg 0x%08x\n",
82 type ? "WRITE" : "READ ", (__force u32)addr, (u32)size, 81 (__force u32)addr, (u32)size,
83 (u32)get_fs().seg); 82 (u32)get_fs().seg);
84 return 1; 83 return 1;
85} 84}
@@ -120,7 +119,7 @@ static inline unsigned long __must_check clear_user(void __user *to,
120 unsigned long n) 119 unsigned long n)
121{ 120{
122 might_fault(); 121 might_fault();
123 if (unlikely(!access_ok(VERIFY_WRITE, to, n))) 122 if (unlikely(!access_ok(to, n)))
124 return n; 123 return n;
125 124
126 return __clear_user(to, n); 125 return __clear_user(to, n);
@@ -174,7 +173,7 @@ extern long __user_bad(void);
174 const typeof(*(ptr)) __user *__gu_addr = (ptr); \ 173 const typeof(*(ptr)) __user *__gu_addr = (ptr); \
175 int __gu_err = 0; \ 174 int __gu_err = 0; \
176 \ 175 \
177 if (access_ok(VERIFY_READ, __gu_addr, size)) { \ 176 if (access_ok(__gu_addr, size)) { \
178 switch (size) { \ 177 switch (size) { \
179 case 1: \ 178 case 1: \
180 __get_user_asm("lbu", __gu_addr, __gu_val, \ 179 __get_user_asm("lbu", __gu_addr, __gu_val, \
@@ -286,7 +285,7 @@ extern long __user_bad(void);
286 typeof(*(ptr)) __user *__pu_addr = (ptr); \ 285 typeof(*(ptr)) __user *__pu_addr = (ptr); \
287 int __pu_err = 0; \ 286 int __pu_err = 0; \
288 \ 287 \
289 if (access_ok(VERIFY_WRITE, __pu_addr, size)) { \ 288 if (access_ok(__pu_addr, size)) { \
290 switch (size) { \ 289 switch (size) { \
291 case 1: \ 290 case 1: \
292 __put_user_asm("sb", __pu_addr, __pu_val, \ 291 __put_user_asm("sb", __pu_addr, __pu_val, \
@@ -358,7 +357,7 @@ extern int __strncpy_user(char *to, const char __user *from, int len);
358static inline long 357static inline long
359strncpy_from_user(char *dst, const char __user *src, long count) 358strncpy_from_user(char *dst, const char __user *src, long count)
360{ 359{
361 if (!access_ok(VERIFY_READ, src, 1)) 360 if (!access_ok(src, 1))
362 return -EFAULT; 361 return -EFAULT;
363 return __strncpy_user(dst, src, count); 362 return __strncpy_user(dst, src, count);
364} 363}
@@ -372,7 +371,7 @@ extern int __strnlen_user(const char __user *sstr, int len);
372 371
373static inline long strnlen_user(const char __user *src, long n) 372static inline long strnlen_user(const char __user *src, long n)
374{ 373{
375 if (!access_ok(VERIFY_READ, src, 1)) 374 if (!access_ok(src, 1))
376 return 0; 375 return 0;
377 return __strnlen_user(src, n); 376 return __strnlen_user(src, n);
378} 377}
diff --git a/arch/microblaze/kernel/signal.c b/arch/microblaze/kernel/signal.c
index 97001524ca2d..0685696349bb 100644
--- a/arch/microblaze/kernel/signal.c
+++ b/arch/microblaze/kernel/signal.c
@@ -91,7 +91,7 @@ asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
91 /* Always make any pending restarted system calls return -EINTR */ 91 /* Always make any pending restarted system calls return -EINTR */
92 current->restart_block.fn = do_no_restart_syscall; 92 current->restart_block.fn = do_no_restart_syscall;
93 93
94 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 94 if (!access_ok(frame, sizeof(*frame)))
95 goto badframe; 95 goto badframe;
96 96
97 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 97 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -166,7 +166,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
166 166
167 frame = get_sigframe(ksig, regs, sizeof(*frame)); 167 frame = get_sigframe(ksig, regs, sizeof(*frame));
168 168
169 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 169 if (!access_ok(frame, sizeof(*frame)))
170 return -EFAULT; 170 return -EFAULT;
171 171
172 if (ksig->ka.sa.sa_flags & SA_SIGINFO) 172 if (ksig->ka.sa.sa_flags & SA_SIGINFO)
diff --git a/arch/mips/include/asm/checksum.h b/arch/mips/include/asm/checksum.h
index e8161e4dfde7..dcebaaf8c862 100644
--- a/arch/mips/include/asm/checksum.h
+++ b/arch/mips/include/asm/checksum.h
@@ -63,7 +63,7 @@ static inline
63__wsum csum_and_copy_from_user(const void __user *src, void *dst, 63__wsum csum_and_copy_from_user(const void __user *src, void *dst,
64 int len, __wsum sum, int *err_ptr) 64 int len, __wsum sum, int *err_ptr)
65{ 65{
66 if (access_ok(VERIFY_READ, src, len)) 66 if (access_ok(src, len))
67 return csum_partial_copy_from_user(src, dst, len, sum, 67 return csum_partial_copy_from_user(src, dst, len, sum,
68 err_ptr); 68 err_ptr);
69 if (len) 69 if (len)
@@ -81,7 +81,7 @@ __wsum csum_and_copy_to_user(const void *src, void __user *dst, int len,
81 __wsum sum, int *err_ptr) 81 __wsum sum, int *err_ptr)
82{ 82{
83 might_fault(); 83 might_fault();
84 if (access_ok(VERIFY_WRITE, dst, len)) { 84 if (access_ok(dst, len)) {
85 if (uaccess_kernel()) 85 if (uaccess_kernel())
86 return __csum_partial_copy_kernel(src, 86 return __csum_partial_copy_kernel(src,
87 (__force void *)dst, 87 (__force void *)dst,
diff --git a/arch/mips/include/asm/futex.h b/arch/mips/include/asm/futex.h
index 8eff134b3a43..c14d798f3888 100644
--- a/arch/mips/include/asm/futex.h
+++ b/arch/mips/include/asm/futex.h
@@ -129,7 +129,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
129 int ret = 0; 129 int ret = 0;
130 u32 val; 130 u32 val;
131 131
132 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 132 if (!access_ok(uaddr, sizeof(u32)))
133 return -EFAULT; 133 return -EFAULT;
134 134
135 if (cpu_has_llsc && R10000_LLSC_WAR) { 135 if (cpu_has_llsc && R10000_LLSC_WAR) {
diff --git a/arch/mips/include/asm/termios.h b/arch/mips/include/asm/termios.h
index ce2d72e34274..bc29eeacc55a 100644
--- a/arch/mips/include/asm/termios.h
+++ b/arch/mips/include/asm/termios.h
@@ -32,7 +32,7 @@ static inline int user_termio_to_kernel_termios(struct ktermios *termios,
32 unsigned short iflag, oflag, cflag, lflag; 32 unsigned short iflag, oflag, cflag, lflag;
33 unsigned int err; 33 unsigned int err;
34 34
35 if (!access_ok(VERIFY_READ, termio, sizeof(struct termio))) 35 if (!access_ok(termio, sizeof(struct termio)))
36 return -EFAULT; 36 return -EFAULT;
37 37
38 err = __get_user(iflag, &termio->c_iflag); 38 err = __get_user(iflag, &termio->c_iflag);
@@ -61,7 +61,7 @@ static inline int kernel_termios_to_user_termio(struct termio __user *termio,
61{ 61{
62 int err; 62 int err;
63 63
64 if (!access_ok(VERIFY_WRITE, termio, sizeof(struct termio))) 64 if (!access_ok(termio, sizeof(struct termio)))
65 return -EFAULT; 65 return -EFAULT;
66 66
67 err = __put_user(termios->c_iflag, &termio->c_iflag); 67 err = __put_user(termios->c_iflag, &termio->c_iflag);
diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
index 06629011a434..d43c1dc6ef15 100644
--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -109,9 +109,6 @@ static inline bool eva_kernel_access(void)
109 109
110/* 110/*
111 * access_ok: - Checks if a user space pointer is valid 111 * access_ok: - Checks if a user space pointer is valid
112 * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
113 * %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
114 * to write to a block, it is always safe to read from it.
115 * @addr: User space pointer to start of block to check 112 * @addr: User space pointer to start of block to check
116 * @size: Size of block to check 113 * @size: Size of block to check
117 * 114 *
@@ -134,7 +131,7 @@ static inline int __access_ok(const void __user *p, unsigned long size)
134 return (get_fs().seg & (addr | (addr + size) | __ua_size(size))) == 0; 131 return (get_fs().seg & (addr | (addr + size) | __ua_size(size))) == 0;
135} 132}
136 133
137#define access_ok(type, addr, size) \ 134#define access_ok(addr, size) \
138 likely(__access_ok((addr), (size))) 135 likely(__access_ok((addr), (size)))
139 136
140/* 137/*
@@ -304,7 +301,7 @@ do { \
304 const __typeof__(*(ptr)) __user * __gu_ptr = (ptr); \ 301 const __typeof__(*(ptr)) __user * __gu_ptr = (ptr); \
305 \ 302 \
306 might_fault(); \ 303 might_fault(); \
307 if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) { \ 304 if (likely(access_ok( __gu_ptr, size))) { \
308 if (eva_kernel_access()) \ 305 if (eva_kernel_access()) \
309 __get_kernel_common((x), size, __gu_ptr); \ 306 __get_kernel_common((x), size, __gu_ptr); \
310 else \ 307 else \
@@ -446,7 +443,7 @@ do { \
446 int __pu_err = -EFAULT; \ 443 int __pu_err = -EFAULT; \
447 \ 444 \
448 might_fault(); \ 445 might_fault(); \
449 if (likely(access_ok(VERIFY_WRITE, __pu_addr, size))) { \ 446 if (likely(access_ok( __pu_addr, size))) { \
450 if (eva_kernel_access()) \ 447 if (eva_kernel_access()) \
451 __put_kernel_common(__pu_addr, size); \ 448 __put_kernel_common(__pu_addr, size); \
452 else \ 449 else \
@@ -691,8 +688,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
691({ \ 688({ \
692 void __user * __cl_addr = (addr); \ 689 void __user * __cl_addr = (addr); \
693 unsigned long __cl_size = (n); \ 690 unsigned long __cl_size = (n); \
694 if (__cl_size && access_ok(VERIFY_WRITE, \ 691 if (__cl_size && access_ok(__cl_addr, __cl_size)) \
695 __cl_addr, __cl_size)) \
696 __cl_size = __clear_user(__cl_addr, __cl_size); \ 692 __cl_size = __clear_user(__cl_addr, __cl_size); \
697 __cl_size; \ 693 __cl_size; \
698}) 694})
diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
index cb22a558431e..c50c89a978f1 100644
--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
+++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
@@ -1205,7 +1205,7 @@ fpu_emul:
1205 case lwl_op: 1205 case lwl_op:
1206 rt = regs->regs[MIPSInst_RT(inst)]; 1206 rt = regs->regs[MIPSInst_RT(inst)];
1207 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1207 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1208 if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) { 1208 if (!access_ok((void __user *)vaddr, 4)) {
1209 current->thread.cp0_baduaddr = vaddr; 1209 current->thread.cp0_baduaddr = vaddr;
1210 err = SIGSEGV; 1210 err = SIGSEGV;
1211 break; 1211 break;
@@ -1278,7 +1278,7 @@ fpu_emul:
1278 case lwr_op: 1278 case lwr_op:
1279 rt = regs->regs[MIPSInst_RT(inst)]; 1279 rt = regs->regs[MIPSInst_RT(inst)];
1280 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1280 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1281 if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) { 1281 if (!access_ok((void __user *)vaddr, 4)) {
1282 current->thread.cp0_baduaddr = vaddr; 1282 current->thread.cp0_baduaddr = vaddr;
1283 err = SIGSEGV; 1283 err = SIGSEGV;
1284 break; 1284 break;
@@ -1352,7 +1352,7 @@ fpu_emul:
1352 case swl_op: 1352 case swl_op:
1353 rt = regs->regs[MIPSInst_RT(inst)]; 1353 rt = regs->regs[MIPSInst_RT(inst)];
1354 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1354 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1355 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) { 1355 if (!access_ok((void __user *)vaddr, 4)) {
1356 current->thread.cp0_baduaddr = vaddr; 1356 current->thread.cp0_baduaddr = vaddr;
1357 err = SIGSEGV; 1357 err = SIGSEGV;
1358 break; 1358 break;
@@ -1422,7 +1422,7 @@ fpu_emul:
1422 case swr_op: 1422 case swr_op:
1423 rt = regs->regs[MIPSInst_RT(inst)]; 1423 rt = regs->regs[MIPSInst_RT(inst)];
1424 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1424 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1425 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) { 1425 if (!access_ok((void __user *)vaddr, 4)) {
1426 current->thread.cp0_baduaddr = vaddr; 1426 current->thread.cp0_baduaddr = vaddr;
1427 err = SIGSEGV; 1427 err = SIGSEGV;
1428 break; 1428 break;
@@ -1497,7 +1497,7 @@ fpu_emul:
1497 1497
1498 rt = regs->regs[MIPSInst_RT(inst)]; 1498 rt = regs->regs[MIPSInst_RT(inst)];
1499 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1499 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1500 if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) { 1500 if (!access_ok((void __user *)vaddr, 8)) {
1501 current->thread.cp0_baduaddr = vaddr; 1501 current->thread.cp0_baduaddr = vaddr;
1502 err = SIGSEGV; 1502 err = SIGSEGV;
1503 break; 1503 break;
@@ -1616,7 +1616,7 @@ fpu_emul:
1616 1616
1617 rt = regs->regs[MIPSInst_RT(inst)]; 1617 rt = regs->regs[MIPSInst_RT(inst)];
1618 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1618 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1619 if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) { 1619 if (!access_ok((void __user *)vaddr, 8)) {
1620 current->thread.cp0_baduaddr = vaddr; 1620 current->thread.cp0_baduaddr = vaddr;
1621 err = SIGSEGV; 1621 err = SIGSEGV;
1622 break; 1622 break;
@@ -1735,7 +1735,7 @@ fpu_emul:
1735 1735
1736 rt = regs->regs[MIPSInst_RT(inst)]; 1736 rt = regs->regs[MIPSInst_RT(inst)];
1737 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1737 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1738 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) { 1738 if (!access_ok((void __user *)vaddr, 8)) {
1739 current->thread.cp0_baduaddr = vaddr; 1739 current->thread.cp0_baduaddr = vaddr;
1740 err = SIGSEGV; 1740 err = SIGSEGV;
1741 break; 1741 break;
@@ -1853,7 +1853,7 @@ fpu_emul:
1853 1853
1854 rt = regs->regs[MIPSInst_RT(inst)]; 1854 rt = regs->regs[MIPSInst_RT(inst)];
1855 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst); 1855 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
1856 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) { 1856 if (!access_ok((void __user *)vaddr, 8)) {
1857 current->thread.cp0_baduaddr = vaddr; 1857 current->thread.cp0_baduaddr = vaddr;
1858 err = SIGSEGV; 1858 err = SIGSEGV;
1859 break; 1859 break;
@@ -1970,7 +1970,7 @@ fpu_emul:
1970 err = SIGBUS; 1970 err = SIGBUS;
1971 break; 1971 break;
1972 } 1972 }
1973 if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) { 1973 if (!access_ok((void __user *)vaddr, 4)) {
1974 current->thread.cp0_baduaddr = vaddr; 1974 current->thread.cp0_baduaddr = vaddr;
1975 err = SIGBUS; 1975 err = SIGBUS;
1976 break; 1976 break;
@@ -2026,7 +2026,7 @@ fpu_emul:
2026 err = SIGBUS; 2026 err = SIGBUS;
2027 break; 2027 break;
2028 } 2028 }
2029 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) { 2029 if (!access_ok((void __user *)vaddr, 4)) {
2030 current->thread.cp0_baduaddr = vaddr; 2030 current->thread.cp0_baduaddr = vaddr;
2031 err = SIGBUS; 2031 err = SIGBUS;
2032 break; 2032 break;
@@ -2089,7 +2089,7 @@ fpu_emul:
2089 err = SIGBUS; 2089 err = SIGBUS;
2090 break; 2090 break;
2091 } 2091 }
2092 if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) { 2092 if (!access_ok((void __user *)vaddr, 8)) {
2093 current->thread.cp0_baduaddr = vaddr; 2093 current->thread.cp0_baduaddr = vaddr;
2094 err = SIGBUS; 2094 err = SIGBUS;
2095 break; 2095 break;
@@ -2150,7 +2150,7 @@ fpu_emul:
2150 err = SIGBUS; 2150 err = SIGBUS;
2151 break; 2151 break;
2152 } 2152 }
2153 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) { 2153 if (!access_ok((void __user *)vaddr, 8)) {
2154 current->thread.cp0_baduaddr = vaddr; 2154 current->thread.cp0_baduaddr = vaddr;
2155 err = SIGBUS; 2155 err = SIGBUS;
2156 break; 2156 break;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index ea54575255ea..0057c910bc2f 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -71,7 +71,7 @@ int ptrace_getregs(struct task_struct *child, struct user_pt_regs __user *data)
71 struct pt_regs *regs; 71 struct pt_regs *regs;
72 int i; 72 int i;
73 73
74 if (!access_ok(VERIFY_WRITE, data, 38 * 8)) 74 if (!access_ok(data, 38 * 8))
75 return -EIO; 75 return -EIO;
76 76
77 regs = task_pt_regs(child); 77 regs = task_pt_regs(child);
@@ -98,7 +98,7 @@ int ptrace_setregs(struct task_struct *child, struct user_pt_regs __user *data)
98 struct pt_regs *regs; 98 struct pt_regs *regs;
99 int i; 99 int i;
100 100
101 if (!access_ok(VERIFY_READ, data, 38 * 8)) 101 if (!access_ok(data, 38 * 8))
102 return -EIO; 102 return -EIO;
103 103
104 regs = task_pt_regs(child); 104 regs = task_pt_regs(child);
@@ -125,7 +125,7 @@ int ptrace_get_watch_regs(struct task_struct *child,
125 125
126 if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0) 126 if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0)
127 return -EIO; 127 return -EIO;
128 if (!access_ok(VERIFY_WRITE, addr, sizeof(struct pt_watch_regs))) 128 if (!access_ok(addr, sizeof(struct pt_watch_regs)))
129 return -EIO; 129 return -EIO;
130 130
131#ifdef CONFIG_32BIT 131#ifdef CONFIG_32BIT
@@ -167,7 +167,7 @@ int ptrace_set_watch_regs(struct task_struct *child,
167 167
168 if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0) 168 if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0)
169 return -EIO; 169 return -EIO;
170 if (!access_ok(VERIFY_READ, addr, sizeof(struct pt_watch_regs))) 170 if (!access_ok(addr, sizeof(struct pt_watch_regs)))
171 return -EIO; 171 return -EIO;
172 /* Check the values. */ 172 /* Check the values. */
173 for (i = 0; i < boot_cpu_data.watch_reg_use_cnt; i++) { 173 for (i = 0; i < boot_cpu_data.watch_reg_use_cnt; i++) {
@@ -359,7 +359,7 @@ int ptrace_getfpregs(struct task_struct *child, __u32 __user *data)
359{ 359{
360 int i; 360 int i;
361 361
362 if (!access_ok(VERIFY_WRITE, data, 33 * 8)) 362 if (!access_ok(data, 33 * 8))
363 return -EIO; 363 return -EIO;
364 364
365 if (tsk_used_math(child)) { 365 if (tsk_used_math(child)) {
@@ -385,7 +385,7 @@ int ptrace_setfpregs(struct task_struct *child, __u32 __user *data)
385 u32 value; 385 u32 value;
386 int i; 386 int i;
387 387
388 if (!access_ok(VERIFY_READ, data, 33 * 8)) 388 if (!access_ok(data, 33 * 8))
389 return -EIO; 389 return -EIO;
390 390
391 init_fp_ctx(child); 391 init_fp_ctx(child);
diff --git a/arch/mips/kernel/signal.c b/arch/mips/kernel/signal.c
index d3a23758592c..d75337974ee9 100644
--- a/arch/mips/kernel/signal.c
+++ b/arch/mips/kernel/signal.c
@@ -590,7 +590,7 @@ SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,
590 if (act) { 590 if (act) {
591 old_sigset_t mask; 591 old_sigset_t mask;
592 592
593 if (!access_ok(VERIFY_READ, act, sizeof(*act))) 593 if (!access_ok(act, sizeof(*act)))
594 return -EFAULT; 594 return -EFAULT;
595 err |= __get_user(new_ka.sa.sa_handler, &act->sa_handler); 595 err |= __get_user(new_ka.sa.sa_handler, &act->sa_handler);
596 err |= __get_user(new_ka.sa.sa_flags, &act->sa_flags); 596 err |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);
@@ -604,7 +604,7 @@ SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,
604 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL); 604 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
605 605
606 if (!ret && oact) { 606 if (!ret && oact) {
607 if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact))) 607 if (!access_ok(oact, sizeof(*oact)))
608 return -EFAULT; 608 return -EFAULT;
609 err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags); 609 err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
610 err |= __put_user(old_ka.sa.sa_handler, &oact->sa_handler); 610 err |= __put_user(old_ka.sa.sa_handler, &oact->sa_handler);
@@ -630,7 +630,7 @@ asmlinkage void sys_sigreturn(void)
630 630
631 regs = current_pt_regs(); 631 regs = current_pt_regs();
632 frame = (struct sigframe __user *)regs->regs[29]; 632 frame = (struct sigframe __user *)regs->regs[29];
633 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 633 if (!access_ok(frame, sizeof(*frame)))
634 goto badframe; 634 goto badframe;
635 if (__copy_from_user(&blocked, &frame->sf_mask, sizeof(blocked))) 635 if (__copy_from_user(&blocked, &frame->sf_mask, sizeof(blocked)))
636 goto badframe; 636 goto badframe;
@@ -667,7 +667,7 @@ asmlinkage void sys_rt_sigreturn(void)
667 667
668 regs = current_pt_regs(); 668 regs = current_pt_regs();
669 frame = (struct rt_sigframe __user *)regs->regs[29]; 669 frame = (struct rt_sigframe __user *)regs->regs[29];
670 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 670 if (!access_ok(frame, sizeof(*frame)))
671 goto badframe; 671 goto badframe;
672 if (__copy_from_user(&set, &frame->rs_uc.uc_sigmask, sizeof(set))) 672 if (__copy_from_user(&set, &frame->rs_uc.uc_sigmask, sizeof(set)))
673 goto badframe; 673 goto badframe;
@@ -705,7 +705,7 @@ static int setup_frame(void *sig_return, struct ksignal *ksig,
705 int err = 0; 705 int err = 0;
706 706
707 frame = get_sigframe(ksig, regs, sizeof(*frame)); 707 frame = get_sigframe(ksig, regs, sizeof(*frame));
708 if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) 708 if (!access_ok(frame, sizeof (*frame)))
709 return -EFAULT; 709 return -EFAULT;
710 710
711 err |= setup_sigcontext(regs, &frame->sf_sc); 711 err |= setup_sigcontext(regs, &frame->sf_sc);
@@ -744,7 +744,7 @@ static int setup_rt_frame(void *sig_return, struct ksignal *ksig,
744 int err = 0; 744 int err = 0;
745 745
746 frame = get_sigframe(ksig, regs, sizeof(*frame)); 746 frame = get_sigframe(ksig, regs, sizeof(*frame));
747 if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) 747 if (!access_ok(frame, sizeof (*frame)))
748 return -EFAULT; 748 return -EFAULT;
749 749
750 /* Create siginfo. */ 750 /* Create siginfo. */
diff --git a/arch/mips/kernel/signal32.c b/arch/mips/kernel/signal32.c
index b5d9e1784aff..59b8965433c2 100644
--- a/arch/mips/kernel/signal32.c
+++ b/arch/mips/kernel/signal32.c
@@ -46,7 +46,7 @@ SYSCALL_DEFINE3(32_sigaction, long, sig, const struct compat_sigaction __user *,
46 old_sigset_t mask; 46 old_sigset_t mask;
47 s32 handler; 47 s32 handler;
48 48
49 if (!access_ok(VERIFY_READ, act, sizeof(*act))) 49 if (!access_ok(act, sizeof(*act)))
50 return -EFAULT; 50 return -EFAULT;
51 err |= __get_user(handler, &act->sa_handler); 51 err |= __get_user(handler, &act->sa_handler);
52 new_ka.sa.sa_handler = (void __user *)(s64)handler; 52 new_ka.sa.sa_handler = (void __user *)(s64)handler;
@@ -61,7 +61,7 @@ SYSCALL_DEFINE3(32_sigaction, long, sig, const struct compat_sigaction __user *,
61 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL); 61 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
62 62
63 if (!ret && oact) { 63 if (!ret && oact) {
64 if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact))) 64 if (!access_ok(oact, sizeof(*oact)))
65 return -EFAULT; 65 return -EFAULT;
66 err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags); 66 err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
67 err |= __put_user((u32)(u64)old_ka.sa.sa_handler, 67 err |= __put_user((u32)(u64)old_ka.sa.sa_handler,
diff --git a/arch/mips/kernel/signal_n32.c b/arch/mips/kernel/signal_n32.c
index 8f65aaf9206d..c498b027823e 100644
--- a/arch/mips/kernel/signal_n32.c
+++ b/arch/mips/kernel/signal_n32.c
@@ -73,7 +73,7 @@ asmlinkage void sysn32_rt_sigreturn(void)
73 73
74 regs = current_pt_regs(); 74 regs = current_pt_regs();
75 frame = (struct rt_sigframe_n32 __user *)regs->regs[29]; 75 frame = (struct rt_sigframe_n32 __user *)regs->regs[29];
76 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 76 if (!access_ok(frame, sizeof(*frame)))
77 goto badframe; 77 goto badframe;
78 if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask)) 78 if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask))
79 goto badframe; 79 goto badframe;
@@ -110,7 +110,7 @@ static int setup_rt_frame_n32(void *sig_return, struct ksignal *ksig,
110 int err = 0; 110 int err = 0;
111 111
112 frame = get_sigframe(ksig, regs, sizeof(*frame)); 112 frame = get_sigframe(ksig, regs, sizeof(*frame));
113 if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) 113 if (!access_ok(frame, sizeof (*frame)))
114 return -EFAULT; 114 return -EFAULT;
115 115
116 /* Create siginfo. */ 116 /* Create siginfo. */
diff --git a/arch/mips/kernel/signal_o32.c b/arch/mips/kernel/signal_o32.c
index b6e3ddef48a0..df259618e834 100644
--- a/arch/mips/kernel/signal_o32.c
+++ b/arch/mips/kernel/signal_o32.c
@@ -118,7 +118,7 @@ static int setup_frame_32(void *sig_return, struct ksignal *ksig,
118 int err = 0; 118 int err = 0;
119 119
120 frame = get_sigframe(ksig, regs, sizeof(*frame)); 120 frame = get_sigframe(ksig, regs, sizeof(*frame));
121 if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) 121 if (!access_ok(frame, sizeof (*frame)))
122 return -EFAULT; 122 return -EFAULT;
123 123
124 err |= setup_sigcontext32(regs, &frame->sf_sc); 124 err |= setup_sigcontext32(regs, &frame->sf_sc);
@@ -160,7 +160,7 @@ asmlinkage void sys32_rt_sigreturn(void)
160 160
161 regs = current_pt_regs(); 161 regs = current_pt_regs();
162 frame = (struct rt_sigframe32 __user *)regs->regs[29]; 162 frame = (struct rt_sigframe32 __user *)regs->regs[29];
163 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 163 if (!access_ok(frame, sizeof(*frame)))
164 goto badframe; 164 goto badframe;
165 if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask)) 165 if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask))
166 goto badframe; 166 goto badframe;
@@ -197,7 +197,7 @@ static int setup_rt_frame_32(void *sig_return, struct ksignal *ksig,
197 int err = 0; 197 int err = 0;
198 198
199 frame = get_sigframe(ksig, regs, sizeof(*frame)); 199 frame = get_sigframe(ksig, regs, sizeof(*frame));
200 if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame))) 200 if (!access_ok(frame, sizeof (*frame)))
201 return -EFAULT; 201 return -EFAULT;
202 202
203 /* Convert (siginfo_t -> compat_siginfo_t) and copy to user. */ 203 /* Convert (siginfo_t -> compat_siginfo_t) and copy to user. */
@@ -262,7 +262,7 @@ asmlinkage void sys32_sigreturn(void)
262 262
263 regs = current_pt_regs(); 263 regs = current_pt_regs();
264 frame = (struct sigframe32 __user *)regs->regs[29]; 264 frame = (struct sigframe32 __user *)regs->regs[29];
265 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 265 if (!access_ok(frame, sizeof(*frame)))
266 goto badframe; 266 goto badframe;
267 if (__copy_conv_sigset_from_user(&blocked, &frame->sf_mask)) 267 if (__copy_conv_sigset_from_user(&blocked, &frame->sf_mask))
268 goto badframe; 268 goto badframe;
diff --git a/arch/mips/kernel/syscall.c b/arch/mips/kernel/syscall.c
index 41a0db08cd37..b6dc78ad5d8c 100644
--- a/arch/mips/kernel/syscall.c
+++ b/arch/mips/kernel/syscall.c
@@ -101,7 +101,7 @@ static inline int mips_atomic_set(unsigned long addr, unsigned long new)
101 if (unlikely(addr & 3)) 101 if (unlikely(addr & 3))
102 return -EINVAL; 102 return -EINVAL;
103 103
104 if (unlikely(!access_ok(VERIFY_WRITE, (const void __user *)addr, 4))) 104 if (unlikely(!access_ok((const void __user *)addr, 4)))
105 return -EINVAL; 105 return -EINVAL;
106 106
107 if (cpu_has_llsc && R10000_LLSC_WAR) { 107 if (cpu_has_llsc && R10000_LLSC_WAR) {
diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c
index c60e7719ef77..595ca9c85111 100644
--- a/arch/mips/kernel/unaligned.c
+++ b/arch/mips/kernel/unaligned.c
@@ -936,7 +936,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
936 if (insn.dsp_format.func == lx_op) { 936 if (insn.dsp_format.func == lx_op) {
937 switch (insn.dsp_format.op) { 937 switch (insn.dsp_format.op) {
938 case lwx_op: 938 case lwx_op:
939 if (!access_ok(VERIFY_READ, addr, 4)) 939 if (!access_ok(addr, 4))
940 goto sigbus; 940 goto sigbus;
941 LoadW(addr, value, res); 941 LoadW(addr, value, res);
942 if (res) 942 if (res)
@@ -945,7 +945,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
945 regs->regs[insn.dsp_format.rd] = value; 945 regs->regs[insn.dsp_format.rd] = value;
946 break; 946 break;
947 case lhx_op: 947 case lhx_op:
948 if (!access_ok(VERIFY_READ, addr, 2)) 948 if (!access_ok(addr, 2))
949 goto sigbus; 949 goto sigbus;
950 LoadHW(addr, value, res); 950 LoadHW(addr, value, res);
951 if (res) 951 if (res)
@@ -968,7 +968,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
968 set_fs(USER_DS); 968 set_fs(USER_DS);
969 switch (insn.spec3_format.func) { 969 switch (insn.spec3_format.func) {
970 case lhe_op: 970 case lhe_op:
971 if (!access_ok(VERIFY_READ, addr, 2)) { 971 if (!access_ok(addr, 2)) {
972 set_fs(seg); 972 set_fs(seg);
973 goto sigbus; 973 goto sigbus;
974 } 974 }
@@ -981,7 +981,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
981 regs->regs[insn.spec3_format.rt] = value; 981 regs->regs[insn.spec3_format.rt] = value;
982 break; 982 break;
983 case lwe_op: 983 case lwe_op:
984 if (!access_ok(VERIFY_READ, addr, 4)) { 984 if (!access_ok(addr, 4)) {
985 set_fs(seg); 985 set_fs(seg);
986 goto sigbus; 986 goto sigbus;
987 } 987 }
@@ -994,7 +994,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
994 regs->regs[insn.spec3_format.rt] = value; 994 regs->regs[insn.spec3_format.rt] = value;
995 break; 995 break;
996 case lhue_op: 996 case lhue_op:
997 if (!access_ok(VERIFY_READ, addr, 2)) { 997 if (!access_ok(addr, 2)) {
998 set_fs(seg); 998 set_fs(seg);
999 goto sigbus; 999 goto sigbus;
1000 } 1000 }
@@ -1007,7 +1007,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1007 regs->regs[insn.spec3_format.rt] = value; 1007 regs->regs[insn.spec3_format.rt] = value;
1008 break; 1008 break;
1009 case she_op: 1009 case she_op:
1010 if (!access_ok(VERIFY_WRITE, addr, 2)) { 1010 if (!access_ok(addr, 2)) {
1011 set_fs(seg); 1011 set_fs(seg);
1012 goto sigbus; 1012 goto sigbus;
1013 } 1013 }
@@ -1020,7 +1020,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1020 } 1020 }
1021 break; 1021 break;
1022 case swe_op: 1022 case swe_op:
1023 if (!access_ok(VERIFY_WRITE, addr, 4)) { 1023 if (!access_ok(addr, 4)) {
1024 set_fs(seg); 1024 set_fs(seg);
1025 goto sigbus; 1025 goto sigbus;
1026 } 1026 }
@@ -1041,7 +1041,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1041#endif 1041#endif
1042 break; 1042 break;
1043 case lh_op: 1043 case lh_op:
1044 if (!access_ok(VERIFY_READ, addr, 2)) 1044 if (!access_ok(addr, 2))
1045 goto sigbus; 1045 goto sigbus;
1046 1046
1047 if (IS_ENABLED(CONFIG_EVA)) { 1047 if (IS_ENABLED(CONFIG_EVA)) {
@@ -1060,7 +1060,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1060 break; 1060 break;
1061 1061
1062 case lw_op: 1062 case lw_op:
1063 if (!access_ok(VERIFY_READ, addr, 4)) 1063 if (!access_ok(addr, 4))
1064 goto sigbus; 1064 goto sigbus;
1065 1065
1066 if (IS_ENABLED(CONFIG_EVA)) { 1066 if (IS_ENABLED(CONFIG_EVA)) {
@@ -1079,7 +1079,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1079 break; 1079 break;
1080 1080
1081 case lhu_op: 1081 case lhu_op:
1082 if (!access_ok(VERIFY_READ, addr, 2)) 1082 if (!access_ok(addr, 2))
1083 goto sigbus; 1083 goto sigbus;
1084 1084
1085 if (IS_ENABLED(CONFIG_EVA)) { 1085 if (IS_ENABLED(CONFIG_EVA)) {
@@ -1106,7 +1106,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1106 * would blow up, so for now we don't handle unaligned 64-bit 1106 * would blow up, so for now we don't handle unaligned 64-bit
1107 * instructions on 32-bit kernels. 1107 * instructions on 32-bit kernels.
1108 */ 1108 */
1109 if (!access_ok(VERIFY_READ, addr, 4)) 1109 if (!access_ok(addr, 4))
1110 goto sigbus; 1110 goto sigbus;
1111 1111
1112 LoadWU(addr, value, res); 1112 LoadWU(addr, value, res);
@@ -1129,7 +1129,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1129 * would blow up, so for now we don't handle unaligned 64-bit 1129 * would blow up, so for now we don't handle unaligned 64-bit
1130 * instructions on 32-bit kernels. 1130 * instructions on 32-bit kernels.
1131 */ 1131 */
1132 if (!access_ok(VERIFY_READ, addr, 8)) 1132 if (!access_ok(addr, 8))
1133 goto sigbus; 1133 goto sigbus;
1134 1134
1135 LoadDW(addr, value, res); 1135 LoadDW(addr, value, res);
@@ -1144,7 +1144,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1144 goto sigill; 1144 goto sigill;
1145 1145
1146 case sh_op: 1146 case sh_op:
1147 if (!access_ok(VERIFY_WRITE, addr, 2)) 1147 if (!access_ok(addr, 2))
1148 goto sigbus; 1148 goto sigbus;
1149 1149
1150 compute_return_epc(regs); 1150 compute_return_epc(regs);
@@ -1164,7 +1164,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1164 break; 1164 break;
1165 1165
1166 case sw_op: 1166 case sw_op:
1167 if (!access_ok(VERIFY_WRITE, addr, 4)) 1167 if (!access_ok(addr, 4))
1168 goto sigbus; 1168 goto sigbus;
1169 1169
1170 compute_return_epc(regs); 1170 compute_return_epc(regs);
@@ -1192,7 +1192,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1192 * would blow up, so for now we don't handle unaligned 64-bit 1192 * would blow up, so for now we don't handle unaligned 64-bit
1193 * instructions on 32-bit kernels. 1193 * instructions on 32-bit kernels.
1194 */ 1194 */
1195 if (!access_ok(VERIFY_WRITE, addr, 8)) 1195 if (!access_ok(addr, 8))
1196 goto sigbus; 1196 goto sigbus;
1197 1197
1198 compute_return_epc(regs); 1198 compute_return_epc(regs);
@@ -1254,7 +1254,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1254 1254
1255 switch (insn.msa_mi10_format.func) { 1255 switch (insn.msa_mi10_format.func) {
1256 case msa_ld_op: 1256 case msa_ld_op:
1257 if (!access_ok(VERIFY_READ, addr, sizeof(*fpr))) 1257 if (!access_ok(addr, sizeof(*fpr)))
1258 goto sigbus; 1258 goto sigbus;
1259 1259
1260 do { 1260 do {
@@ -1290,7 +1290,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
1290 break; 1290 break;
1291 1291
1292 case msa_st_op: 1292 case msa_st_op:
1293 if (!access_ok(VERIFY_WRITE, addr, sizeof(*fpr))) 1293 if (!access_ok(addr, sizeof(*fpr)))
1294 goto sigbus; 1294 goto sigbus;
1295 1295
1296 /* 1296 /*
@@ -1463,7 +1463,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1463 if (reg == 31) 1463 if (reg == 31)
1464 goto sigbus; 1464 goto sigbus;
1465 1465
1466 if (!access_ok(VERIFY_READ, addr, 8)) 1466 if (!access_ok(addr, 8))
1467 goto sigbus; 1467 goto sigbus;
1468 1468
1469 LoadW(addr, value, res); 1469 LoadW(addr, value, res);
@@ -1482,7 +1482,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1482 if (reg == 31) 1482 if (reg == 31)
1483 goto sigbus; 1483 goto sigbus;
1484 1484
1485 if (!access_ok(VERIFY_WRITE, addr, 8)) 1485 if (!access_ok(addr, 8))
1486 goto sigbus; 1486 goto sigbus;
1487 1487
1488 value = regs->regs[reg]; 1488 value = regs->regs[reg];
@@ -1502,7 +1502,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1502 if (reg == 31) 1502 if (reg == 31)
1503 goto sigbus; 1503 goto sigbus;
1504 1504
1505 if (!access_ok(VERIFY_READ, addr, 16)) 1505 if (!access_ok(addr, 16))
1506 goto sigbus; 1506 goto sigbus;
1507 1507
1508 LoadDW(addr, value, res); 1508 LoadDW(addr, value, res);
@@ -1525,7 +1525,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1525 if (reg == 31) 1525 if (reg == 31)
1526 goto sigbus; 1526 goto sigbus;
1527 1527
1528 if (!access_ok(VERIFY_WRITE, addr, 16)) 1528 if (!access_ok(addr, 16))
1529 goto sigbus; 1529 goto sigbus;
1530 1530
1531 value = regs->regs[reg]; 1531 value = regs->regs[reg];
@@ -1548,11 +1548,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1548 if ((rvar > 9) || !reg) 1548 if ((rvar > 9) || !reg)
1549 goto sigill; 1549 goto sigill;
1550 if (reg & 0x10) { 1550 if (reg & 0x10) {
1551 if (!access_ok 1551 if (!access_ok(addr, 4 * (rvar + 1)))
1552 (VERIFY_READ, addr, 4 * (rvar + 1)))
1553 goto sigbus; 1552 goto sigbus;
1554 } else { 1553 } else {
1555 if (!access_ok(VERIFY_READ, addr, 4 * rvar)) 1554 if (!access_ok(addr, 4 * rvar))
1556 goto sigbus; 1555 goto sigbus;
1557 } 1556 }
1558 if (rvar == 9) 1557 if (rvar == 9)
@@ -1585,11 +1584,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1585 if ((rvar > 9) || !reg) 1584 if ((rvar > 9) || !reg)
1586 goto sigill; 1585 goto sigill;
1587 if (reg & 0x10) { 1586 if (reg & 0x10) {
1588 if (!access_ok 1587 if (!access_ok(addr, 4 * (rvar + 1)))
1589 (VERIFY_WRITE, addr, 4 * (rvar + 1)))
1590 goto sigbus; 1588 goto sigbus;
1591 } else { 1589 } else {
1592 if (!access_ok(VERIFY_WRITE, addr, 4 * rvar)) 1590 if (!access_ok(addr, 4 * rvar))
1593 goto sigbus; 1591 goto sigbus;
1594 } 1592 }
1595 if (rvar == 9) 1593 if (rvar == 9)
@@ -1623,11 +1621,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1623 if ((rvar > 9) || !reg) 1621 if ((rvar > 9) || !reg)
1624 goto sigill; 1622 goto sigill;
1625 if (reg & 0x10) { 1623 if (reg & 0x10) {
1626 if (!access_ok 1624 if (!access_ok(addr, 8 * (rvar + 1)))
1627 (VERIFY_READ, addr, 8 * (rvar + 1)))
1628 goto sigbus; 1625 goto sigbus;
1629 } else { 1626 } else {
1630 if (!access_ok(VERIFY_READ, addr, 8 * rvar)) 1627 if (!access_ok(addr, 8 * rvar))
1631 goto sigbus; 1628 goto sigbus;
1632 } 1629 }
1633 if (rvar == 9) 1630 if (rvar == 9)
@@ -1665,11 +1662,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
1665 if ((rvar > 9) || !reg) 1662 if ((rvar > 9) || !reg)
1666 goto sigill; 1663 goto sigill;
1667 if (reg & 0x10) { 1664 if (reg & 0x10) {
1668 if (!access_ok 1665 if (!access_ok(addr, 8 * (rvar + 1)))
1669 (VERIFY_WRITE, addr, 8 * (rvar + 1)))
1670 goto sigbus; 1666 goto sigbus;
1671 } else { 1667 } else {
1672 if (!access_ok(VERIFY_WRITE, addr, 8 * rvar)) 1668 if (!access_ok(addr, 8 * rvar))
1673 goto sigbus; 1669 goto sigbus;
1674 } 1670 }
1675 if (rvar == 9) 1671 if (rvar == 9)
@@ -1788,7 +1784,7 @@ fpu_emul:
1788 case mm_lwm16_op: 1784 case mm_lwm16_op:
1789 reg = insn.mm16_m_format.rlist; 1785 reg = insn.mm16_m_format.rlist;
1790 rvar = reg + 1; 1786 rvar = reg + 1;
1791 if (!access_ok(VERIFY_READ, addr, 4 * rvar)) 1787 if (!access_ok(addr, 4 * rvar))
1792 goto sigbus; 1788 goto sigbus;
1793 1789
1794 for (i = 16; rvar; rvar--, i++) { 1790 for (i = 16; rvar; rvar--, i++) {
@@ -1808,7 +1804,7 @@ fpu_emul:
1808 case mm_swm16_op: 1804 case mm_swm16_op:
1809 reg = insn.mm16_m_format.rlist; 1805 reg = insn.mm16_m_format.rlist;
1810 rvar = reg + 1; 1806 rvar = reg + 1;
1811 if (!access_ok(VERIFY_WRITE, addr, 4 * rvar)) 1807 if (!access_ok(addr, 4 * rvar))
1812 goto sigbus; 1808 goto sigbus;
1813 1809
1814 for (i = 16; rvar; rvar--, i++) { 1810 for (i = 16; rvar; rvar--, i++) {
@@ -1862,7 +1858,7 @@ fpu_emul:
1862 } 1858 }
1863 1859
1864loadHW: 1860loadHW:
1865 if (!access_ok(VERIFY_READ, addr, 2)) 1861 if (!access_ok(addr, 2))
1866 goto sigbus; 1862 goto sigbus;
1867 1863
1868 LoadHW(addr, value, res); 1864 LoadHW(addr, value, res);
@@ -1872,7 +1868,7 @@ loadHW:
1872 goto success; 1868 goto success;
1873 1869
1874loadHWU: 1870loadHWU:
1875 if (!access_ok(VERIFY_READ, addr, 2)) 1871 if (!access_ok(addr, 2))
1876 goto sigbus; 1872 goto sigbus;
1877 1873
1878 LoadHWU(addr, value, res); 1874 LoadHWU(addr, value, res);
@@ -1882,7 +1878,7 @@ loadHWU:
1882 goto success; 1878 goto success;
1883 1879
1884loadW: 1880loadW:
1885 if (!access_ok(VERIFY_READ, addr, 4)) 1881 if (!access_ok(addr, 4))
1886 goto sigbus; 1882 goto sigbus;
1887 1883
1888 LoadW(addr, value, res); 1884 LoadW(addr, value, res);
@@ -1900,7 +1896,7 @@ loadWU:
1900 * would blow up, so for now we don't handle unaligned 64-bit 1896 * would blow up, so for now we don't handle unaligned 64-bit
1901 * instructions on 32-bit kernels. 1897 * instructions on 32-bit kernels.
1902 */ 1898 */
1903 if (!access_ok(VERIFY_READ, addr, 4)) 1899 if (!access_ok(addr, 4))
1904 goto sigbus; 1900 goto sigbus;
1905 1901
1906 LoadWU(addr, value, res); 1902 LoadWU(addr, value, res);
@@ -1922,7 +1918,7 @@ loadDW:
1922 * would blow up, so for now we don't handle unaligned 64-bit 1918 * would blow up, so for now we don't handle unaligned 64-bit
1923 * instructions on 32-bit kernels. 1919 * instructions on 32-bit kernels.
1924 */ 1920 */
1925 if (!access_ok(VERIFY_READ, addr, 8)) 1921 if (!access_ok(addr, 8))
1926 goto sigbus; 1922 goto sigbus;
1927 1923
1928 LoadDW(addr, value, res); 1924 LoadDW(addr, value, res);
@@ -1936,7 +1932,7 @@ loadDW:
1936 goto sigill; 1932 goto sigill;
1937 1933
1938storeHW: 1934storeHW:
1939 if (!access_ok(VERIFY_WRITE, addr, 2)) 1935 if (!access_ok(addr, 2))
1940 goto sigbus; 1936 goto sigbus;
1941 1937
1942 value = regs->regs[reg]; 1938 value = regs->regs[reg];
@@ -1946,7 +1942,7 @@ storeHW:
1946 goto success; 1942 goto success;
1947 1943
1948storeW: 1944storeW:
1949 if (!access_ok(VERIFY_WRITE, addr, 4)) 1945 if (!access_ok(addr, 4))
1950 goto sigbus; 1946 goto sigbus;
1951 1947
1952 value = regs->regs[reg]; 1948 value = regs->regs[reg];
@@ -1964,7 +1960,7 @@ storeDW:
1964 * would blow up, so for now we don't handle unaligned 64-bit 1960 * would blow up, so for now we don't handle unaligned 64-bit
1965 * instructions on 32-bit kernels. 1961 * instructions on 32-bit kernels.
1966 */ 1962 */
1967 if (!access_ok(VERIFY_WRITE, addr, 8)) 1963 if (!access_ok(addr, 8))
1968 goto sigbus; 1964 goto sigbus;
1969 1965
1970 value = regs->regs[reg]; 1966 value = regs->regs[reg];
@@ -2122,7 +2118,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
2122 goto sigbus; 2118 goto sigbus;
2123 2119
2124 case MIPS16e_lh_op: 2120 case MIPS16e_lh_op:
2125 if (!access_ok(VERIFY_READ, addr, 2)) 2121 if (!access_ok(addr, 2))
2126 goto sigbus; 2122 goto sigbus;
2127 2123
2128 LoadHW(addr, value, res); 2124 LoadHW(addr, value, res);
@@ -2133,7 +2129,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
2133 break; 2129 break;
2134 2130
2135 case MIPS16e_lhu_op: 2131 case MIPS16e_lhu_op:
2136 if (!access_ok(VERIFY_READ, addr, 2)) 2132 if (!access_ok(addr, 2))
2137 goto sigbus; 2133 goto sigbus;
2138 2134
2139 LoadHWU(addr, value, res); 2135 LoadHWU(addr, value, res);
@@ -2146,7 +2142,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
2146 case MIPS16e_lw_op: 2142 case MIPS16e_lw_op:
2147 case MIPS16e_lwpc_op: 2143 case MIPS16e_lwpc_op:
2148 case MIPS16e_lwsp_op: 2144 case MIPS16e_lwsp_op:
2149 if (!access_ok(VERIFY_READ, addr, 4)) 2145 if (!access_ok(addr, 4))
2150 goto sigbus; 2146 goto sigbus;
2151 2147
2152 LoadW(addr, value, res); 2148 LoadW(addr, value, res);
@@ -2165,7 +2161,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
2165 * would blow up, so for now we don't handle unaligned 64-bit 2161 * would blow up, so for now we don't handle unaligned 64-bit
2166 * instructions on 32-bit kernels. 2162 * instructions on 32-bit kernels.
2167 */ 2163 */
2168 if (!access_ok(VERIFY_READ, addr, 4)) 2164 if (!access_ok(addr, 4))
2169 goto sigbus; 2165 goto sigbus;
2170 2166
2171 LoadWU(addr, value, res); 2167 LoadWU(addr, value, res);
@@ -2189,7 +2185,7 @@ loadDW:
2189 * would blow up, so for now we don't handle unaligned 64-bit 2185 * would blow up, so for now we don't handle unaligned 64-bit
2190 * instructions on 32-bit kernels. 2186 * instructions on 32-bit kernels.
2191 */ 2187 */
2192 if (!access_ok(VERIFY_READ, addr, 8)) 2188 if (!access_ok(addr, 8))
2193 goto sigbus; 2189 goto sigbus;
2194 2190
2195 LoadDW(addr, value, res); 2191 LoadDW(addr, value, res);
@@ -2204,7 +2200,7 @@ loadDW:
2204 goto sigill; 2200 goto sigill;
2205 2201
2206 case MIPS16e_sh_op: 2202 case MIPS16e_sh_op:
2207 if (!access_ok(VERIFY_WRITE, addr, 2)) 2203 if (!access_ok(addr, 2))
2208 goto sigbus; 2204 goto sigbus;
2209 2205
2210 MIPS16e_compute_return_epc(regs, &oldinst); 2206 MIPS16e_compute_return_epc(regs, &oldinst);
@@ -2217,7 +2213,7 @@ loadDW:
2217 case MIPS16e_sw_op: 2213 case MIPS16e_sw_op:
2218 case MIPS16e_swsp_op: 2214 case MIPS16e_swsp_op:
2219 case MIPS16e_i8_op: /* actually - MIPS16e_swrasp_func */ 2215 case MIPS16e_i8_op: /* actually - MIPS16e_swrasp_func */
2220 if (!access_ok(VERIFY_WRITE, addr, 4)) 2216 if (!access_ok(addr, 4))
2221 goto sigbus; 2217 goto sigbus;
2222 2218
2223 MIPS16e_compute_return_epc(regs, &oldinst); 2219 MIPS16e_compute_return_epc(regs, &oldinst);
@@ -2237,7 +2233,7 @@ writeDW:
2237 * would blow up, so for now we don't handle unaligned 64-bit 2233 * would blow up, so for now we don't handle unaligned 64-bit
2238 * instructions on 32-bit kernels. 2234 * instructions on 32-bit kernels.
2239 */ 2235 */
2240 if (!access_ok(VERIFY_WRITE, addr, 8)) 2236 if (!access_ok(addr, 8))
2241 goto sigbus; 2237 goto sigbus;
2242 2238
2243 MIPS16e_compute_return_epc(regs, &oldinst); 2239 MIPS16e_compute_return_epc(regs, &oldinst);
diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index 82e2993c1a2c..e60e29078ef5 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -1063,7 +1063,7 @@ emul:
1063 MIPSInst_SIMM(ir)); 1063 MIPSInst_SIMM(ir));
1064 MIPS_FPU_EMU_INC_STATS(loads); 1064 MIPS_FPU_EMU_INC_STATS(loads);
1065 1065
1066 if (!access_ok(VERIFY_READ, dva, sizeof(u64))) { 1066 if (!access_ok(dva, sizeof(u64))) {
1067 MIPS_FPU_EMU_INC_STATS(errors); 1067 MIPS_FPU_EMU_INC_STATS(errors);
1068 *fault_addr = dva; 1068 *fault_addr = dva;
1069 return SIGBUS; 1069 return SIGBUS;
@@ -1081,7 +1081,7 @@ emul:
1081 MIPSInst_SIMM(ir)); 1081 MIPSInst_SIMM(ir));
1082 MIPS_FPU_EMU_INC_STATS(stores); 1082 MIPS_FPU_EMU_INC_STATS(stores);
1083 DIFROMREG(dval, MIPSInst_RT(ir)); 1083 DIFROMREG(dval, MIPSInst_RT(ir));
1084 if (!access_ok(VERIFY_WRITE, dva, sizeof(u64))) { 1084 if (!access_ok(dva, sizeof(u64))) {
1085 MIPS_FPU_EMU_INC_STATS(errors); 1085 MIPS_FPU_EMU_INC_STATS(errors);
1086 *fault_addr = dva; 1086 *fault_addr = dva;
1087 return SIGBUS; 1087 return SIGBUS;
@@ -1097,7 +1097,7 @@ emul:
1097 wva = (u32 __user *) (xcp->regs[MIPSInst_RS(ir)] + 1097 wva = (u32 __user *) (xcp->regs[MIPSInst_RS(ir)] +
1098 MIPSInst_SIMM(ir)); 1098 MIPSInst_SIMM(ir));
1099 MIPS_FPU_EMU_INC_STATS(loads); 1099 MIPS_FPU_EMU_INC_STATS(loads);
1100 if (!access_ok(VERIFY_READ, wva, sizeof(u32))) { 1100 if (!access_ok(wva, sizeof(u32))) {
1101 MIPS_FPU_EMU_INC_STATS(errors); 1101 MIPS_FPU_EMU_INC_STATS(errors);
1102 *fault_addr = wva; 1102 *fault_addr = wva;
1103 return SIGBUS; 1103 return SIGBUS;
@@ -1115,7 +1115,7 @@ emul:
1115 MIPSInst_SIMM(ir)); 1115 MIPSInst_SIMM(ir));
1116 MIPS_FPU_EMU_INC_STATS(stores); 1116 MIPS_FPU_EMU_INC_STATS(stores);
1117 SIFROMREG(wval, MIPSInst_RT(ir)); 1117 SIFROMREG(wval, MIPSInst_RT(ir));
1118 if (!access_ok(VERIFY_WRITE, wva, sizeof(u32))) { 1118 if (!access_ok(wva, sizeof(u32))) {
1119 MIPS_FPU_EMU_INC_STATS(errors); 1119 MIPS_FPU_EMU_INC_STATS(errors);
1120 *fault_addr = wva; 1120 *fault_addr = wva;
1121 return SIGBUS; 1121 return SIGBUS;
@@ -1493,7 +1493,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
1493 xcp->regs[MIPSInst_FT(ir)]); 1493 xcp->regs[MIPSInst_FT(ir)]);
1494 1494
1495 MIPS_FPU_EMU_INC_STATS(loads); 1495 MIPS_FPU_EMU_INC_STATS(loads);
1496 if (!access_ok(VERIFY_READ, va, sizeof(u32))) { 1496 if (!access_ok(va, sizeof(u32))) {
1497 MIPS_FPU_EMU_INC_STATS(errors); 1497 MIPS_FPU_EMU_INC_STATS(errors);
1498 *fault_addr = va; 1498 *fault_addr = va;
1499 return SIGBUS; 1499 return SIGBUS;
@@ -1513,7 +1513,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
1513 MIPS_FPU_EMU_INC_STATS(stores); 1513 MIPS_FPU_EMU_INC_STATS(stores);
1514 1514
1515 SIFROMREG(val, MIPSInst_FS(ir)); 1515 SIFROMREG(val, MIPSInst_FS(ir));
1516 if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) { 1516 if (!access_ok(va, sizeof(u32))) {
1517 MIPS_FPU_EMU_INC_STATS(errors); 1517 MIPS_FPU_EMU_INC_STATS(errors);
1518 *fault_addr = va; 1518 *fault_addr = va;
1519 return SIGBUS; 1519 return SIGBUS;
@@ -1590,7 +1590,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
1590 xcp->regs[MIPSInst_FT(ir)]); 1590 xcp->regs[MIPSInst_FT(ir)]);
1591 1591
1592 MIPS_FPU_EMU_INC_STATS(loads); 1592 MIPS_FPU_EMU_INC_STATS(loads);
1593 if (!access_ok(VERIFY_READ, va, sizeof(u64))) { 1593 if (!access_ok(va, sizeof(u64))) {
1594 MIPS_FPU_EMU_INC_STATS(errors); 1594 MIPS_FPU_EMU_INC_STATS(errors);
1595 *fault_addr = va; 1595 *fault_addr = va;
1596 return SIGBUS; 1596 return SIGBUS;
@@ -1609,7 +1609,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
1609 1609
1610 MIPS_FPU_EMU_INC_STATS(stores); 1610 MIPS_FPU_EMU_INC_STATS(stores);
1611 DIFROMREG(val, MIPSInst_FS(ir)); 1611 DIFROMREG(val, MIPSInst_FS(ir));
1612 if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) { 1612 if (!access_ok(va, sizeof(u64))) {
1613 MIPS_FPU_EMU_INC_STATS(errors); 1613 MIPS_FPU_EMU_INC_STATS(errors);
1614 *fault_addr = va; 1614 *fault_addr = va;
1615 return SIGBUS; 1615 return SIGBUS;
diff --git a/arch/mips/mm/cache.c b/arch/mips/mm/cache.c
index 70a523151ff3..55099fbff4e6 100644
--- a/arch/mips/mm/cache.c
+++ b/arch/mips/mm/cache.c
@@ -76,7 +76,7 @@ SYSCALL_DEFINE3(cacheflush, unsigned long, addr, unsigned long, bytes,
76{ 76{
77 if (bytes == 0) 77 if (bytes == 0)
78 return 0; 78 return 0;
79 if (!access_ok(VERIFY_WRITE, (void __user *) addr, bytes)) 79 if (!access_ok((void __user *) addr, bytes))
80 return -EFAULT; 80 return -EFAULT;
81 81
82 __flush_icache_user_range(addr, addr + bytes); 82 __flush_icache_user_range(addr, addr + bytes);
diff --git a/arch/mips/mm/gup.c b/arch/mips/mm/gup.c
index 5a4875cac1ec..0d14e0d8eacf 100644
--- a/arch/mips/mm/gup.c
+++ b/arch/mips/mm/gup.c
@@ -195,8 +195,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
195 addr = start; 195 addr = start;
196 len = (unsigned long) nr_pages << PAGE_SHIFT; 196 len = (unsigned long) nr_pages << PAGE_SHIFT;
197 end = start + len; 197 end = start + len;
198 if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, 198 if (unlikely(!access_ok((void __user *)start, len)))
199 (void __user *)start, len)))
200 return 0; 199 return 0;
201 200
202 /* 201 /*
diff --git a/arch/mips/oprofile/backtrace.c b/arch/mips/oprofile/backtrace.c
index 806fb798091f..07d98ba7f49e 100644
--- a/arch/mips/oprofile/backtrace.c
+++ b/arch/mips/oprofile/backtrace.c
@@ -19,7 +19,7 @@ struct stackframe {
19static inline int get_mem(unsigned long addr, unsigned long *result) 19static inline int get_mem(unsigned long addr, unsigned long *result)
20{ 20{
21 unsigned long *address = (unsigned long *) addr; 21 unsigned long *address = (unsigned long *) addr;
22 if (!access_ok(VERIFY_READ, address, sizeof(unsigned long))) 22 if (!access_ok(address, sizeof(unsigned long)))
23 return -1; 23 return -1;
24 if (__copy_from_user_inatomic(result, address, sizeof(unsigned long))) 24 if (__copy_from_user_inatomic(result, address, sizeof(unsigned long)))
25 return -3; 25 return -3;
diff --git a/arch/mips/sibyte/common/sb_tbprof.c b/arch/mips/sibyte/common/sb_tbprof.c
index 99c720be72d2..9ff26b0cd3b6 100644
--- a/arch/mips/sibyte/common/sb_tbprof.c
+++ b/arch/mips/sibyte/common/sb_tbprof.c
@@ -458,7 +458,7 @@ static ssize_t sbprof_tb_read(struct file *filp, char *buf,
458 char *dest = buf; 458 char *dest = buf;
459 long cur_off = *offp; 459 long cur_off = *offp;
460 460
461 if (!access_ok(VERIFY_WRITE, buf, size)) 461 if (!access_ok(buf, size))
462 return -EFAULT; 462 return -EFAULT;
463 463
464 mutex_lock(&sbp.lock); 464 mutex_lock(&sbp.lock);
diff --git a/arch/nds32/include/asm/futex.h b/arch/nds32/include/asm/futex.h
index cb6cb91cfdf8..baf178bf1d0b 100644
--- a/arch/nds32/include/asm/futex.h
+++ b/arch/nds32/include/asm/futex.h
@@ -40,7 +40,7 @@ futex_atomic_cmpxchg_inatomic(u32 * uval, u32 __user * uaddr,
40 int ret = 0; 40 int ret = 0;
41 u32 val, tmp, flags; 41 u32 val, tmp, flags;
42 42
43 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 43 if (!access_ok(uaddr, sizeof(u32)))
44 return -EFAULT; 44 return -EFAULT;
45 45
46 smp_mb(); 46 smp_mb();
diff --git a/arch/nds32/include/asm/uaccess.h b/arch/nds32/include/asm/uaccess.h
index 362a32d9bd16..53dcb49b0b12 100644
--- a/arch/nds32/include/asm/uaccess.h
+++ b/arch/nds32/include/asm/uaccess.h
@@ -13,9 +13,6 @@
13#include <asm/types.h> 13#include <asm/types.h>
14#include <linux/mm.h> 14#include <linux/mm.h>
15 15
16#define VERIFY_READ 0
17#define VERIFY_WRITE 1
18
19#define __asmeq(x, y) ".ifnc " x "," y " ; .err ; .endif\n\t" 16#define __asmeq(x, y) ".ifnc " x "," y " ; .err ; .endif\n\t"
20 17
21/* 18/*
@@ -53,7 +50,7 @@ static inline void set_fs(mm_segment_t fs)
53 50
54#define __range_ok(addr, size) (size <= get_fs() && addr <= (get_fs() -size)) 51#define __range_ok(addr, size) (size <= get_fs() && addr <= (get_fs() -size))
55 52
56#define access_ok(type, addr, size) \ 53#define access_ok(addr, size) \
57 __range_ok((unsigned long)addr, (unsigned long)size) 54 __range_ok((unsigned long)addr, (unsigned long)size)
58/* 55/*
59 * Single-value transfer routines. They automatically use the right 56 * Single-value transfer routines. They automatically use the right
@@ -94,7 +91,7 @@ static inline void set_fs(mm_segment_t fs)
94({ \ 91({ \
95 const __typeof__(*(ptr)) __user *__p = (ptr); \ 92 const __typeof__(*(ptr)) __user *__p = (ptr); \
96 might_fault(); \ 93 might_fault(); \
97 if (access_ok(VERIFY_READ, __p, sizeof(*__p))) { \ 94 if (access_ok(__p, sizeof(*__p))) { \
98 __get_user_err((x), __p, (err)); \ 95 __get_user_err((x), __p, (err)); \
99 } else { \ 96 } else { \
100 (x) = 0; (err) = -EFAULT; \ 97 (x) = 0; (err) = -EFAULT; \
@@ -189,7 +186,7 @@ do { \
189({ \ 186({ \
190 __typeof__(*(ptr)) __user *__p = (ptr); \ 187 __typeof__(*(ptr)) __user *__p = (ptr); \
191 might_fault(); \ 188 might_fault(); \
192 if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) { \ 189 if (access_ok(__p, sizeof(*__p))) { \
193 __put_user_err((x), __p, (err)); \ 190 __put_user_err((x), __p, (err)); \
194 } else { \ 191 } else { \
195 (err) = -EFAULT; \ 192 (err) = -EFAULT; \
@@ -279,7 +276,7 @@ extern unsigned long __arch_copy_to_user(void __user * to, const void *from,
279#define INLINE_COPY_TO_USER 276#define INLINE_COPY_TO_USER
280static inline unsigned long clear_user(void __user * to, unsigned long n) 277static inline unsigned long clear_user(void __user * to, unsigned long n)
281{ 278{
282 if (access_ok(VERIFY_WRITE, to, n)) 279 if (access_ok(to, n))
283 n = __arch_clear_user(to, n); 280 n = __arch_clear_user(to, n);
284 return n; 281 return n;
285} 282}
diff --git a/arch/nds32/kernel/perf_event_cpu.c b/arch/nds32/kernel/perf_event_cpu.c
index 5e00ce54d0ff..334c2a6cec23 100644
--- a/arch/nds32/kernel/perf_event_cpu.c
+++ b/arch/nds32/kernel/perf_event_cpu.c
@@ -1306,7 +1306,7 @@ user_backtrace(struct perf_callchain_entry_ctx *entry, unsigned long fp)
1306 (unsigned long *)(fp - (unsigned long)sizeof(buftail)); 1306 (unsigned long *)(fp - (unsigned long)sizeof(buftail));
1307 1307
1308 /* Check accessibility of one struct frame_tail beyond */ 1308 /* Check accessibility of one struct frame_tail beyond */
1309 if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(buftail))) 1309 if (!access_ok(user_frame_tail, sizeof(buftail)))
1310 return 0; 1310 return 0;
1311 if (__copy_from_user_inatomic 1311 if (__copy_from_user_inatomic
1312 (&buftail, user_frame_tail, sizeof(buftail))) 1312 (&buftail, user_frame_tail, sizeof(buftail)))
@@ -1332,7 +1332,7 @@ user_backtrace_opt_size(struct perf_callchain_entry_ctx *entry,
1332 (unsigned long *)(fp - (unsigned long)sizeof(buftail)); 1332 (unsigned long *)(fp - (unsigned long)sizeof(buftail));
1333 1333
1334 /* Check accessibility of one struct frame_tail beyond */ 1334 /* Check accessibility of one struct frame_tail beyond */
1335 if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(buftail))) 1335 if (!access_ok(user_frame_tail, sizeof(buftail)))
1336 return 0; 1336 return 0;
1337 if (__copy_from_user_inatomic 1337 if (__copy_from_user_inatomic
1338 (&buftail, user_frame_tail, sizeof(buftail))) 1338 (&buftail, user_frame_tail, sizeof(buftail)))
@@ -1386,7 +1386,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
1386 user_frame_tail = 1386 user_frame_tail =
1387 (unsigned long *)(fp - (unsigned long)sizeof(fp)); 1387 (unsigned long *)(fp - (unsigned long)sizeof(fp));
1388 1388
1389 if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(fp))) 1389 if (!access_ok(user_frame_tail, sizeof(fp)))
1390 return; 1390 return;
1391 1391
1392 if (__copy_from_user_inatomic 1392 if (__copy_from_user_inatomic
@@ -1406,8 +1406,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
1406 (unsigned long *)(fp - 1406 (unsigned long *)(fp -
1407 (unsigned long)sizeof(buftail)); 1407 (unsigned long)sizeof(buftail));
1408 1408
1409 if (!access_ok 1409 if (!access_ok(user_frame_tail, sizeof(buftail)))
1410 (VERIFY_READ, user_frame_tail, sizeof(buftail)))
1411 return; 1410 return;
1412 1411
1413 if (__copy_from_user_inatomic 1412 if (__copy_from_user_inatomic
@@ -1424,7 +1423,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
1424 (unsigned long *)(fp - (unsigned long) 1423 (unsigned long *)(fp - (unsigned long)
1425 sizeof(buftail_opt_size)); 1424 sizeof(buftail_opt_size));
1426 1425
1427 if (!access_ok(VERIFY_READ, user_frame_tail, 1426 if (!access_ok(user_frame_tail,
1428 sizeof(buftail_opt_size))) 1427 sizeof(buftail_opt_size)))
1429 return; 1428 return;
1430 1429
diff --git a/arch/nds32/kernel/signal.c b/arch/nds32/kernel/signal.c
index 5b5be082cfa4..5f7660aa2d68 100644
--- a/arch/nds32/kernel/signal.c
+++ b/arch/nds32/kernel/signal.c
@@ -151,7 +151,7 @@ asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
151 151
152 frame = (struct rt_sigframe __user *)regs->sp; 152 frame = (struct rt_sigframe __user *)regs->sp;
153 153
154 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 154 if (!access_ok(frame, sizeof(*frame)))
155 goto badframe; 155 goto badframe;
156 156
157 if (restore_sigframe(regs, frame)) 157 if (restore_sigframe(regs, frame))
@@ -275,7 +275,7 @@ setup_rt_frame(struct ksignal *ksig, sigset_t * set, struct pt_regs *regs)
275 get_sigframe(ksig, regs, sizeof(*frame)); 275 get_sigframe(ksig, regs, sizeof(*frame));
276 int err = 0; 276 int err = 0;
277 277
278 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 278 if (!access_ok(frame, sizeof(*frame)))
279 return -EFAULT; 279 return -EFAULT;
280 280
281 __put_user_error(0, &frame->uc.uc_flags, err); 281 __put_user_error(0, &frame->uc.uc_flags, err);
diff --git a/arch/nds32/mm/alignment.c b/arch/nds32/mm/alignment.c
index e1aed9dc692d..c8b9061a2ee3 100644
--- a/arch/nds32/mm/alignment.c
+++ b/arch/nds32/mm/alignment.c
@@ -289,13 +289,13 @@ static inline int do_16(unsigned long inst, struct pt_regs *regs)
289 unaligned_addr += shift; 289 unaligned_addr += shift;
290 290
291 if (load) { 291 if (load) {
292 if (!access_ok(VERIFY_READ, (void *)unaligned_addr, len)) 292 if (!access_ok((void *)unaligned_addr, len))
293 return -EACCES; 293 return -EACCES;
294 294
295 get_data(unaligned_addr, &target_val, len); 295 get_data(unaligned_addr, &target_val, len);
296 *idx_to_addr(regs, target_idx) = target_val; 296 *idx_to_addr(regs, target_idx) = target_val;
297 } else { 297 } else {
298 if (!access_ok(VERIFY_WRITE, (void *)unaligned_addr, len)) 298 if (!access_ok((void *)unaligned_addr, len))
299 return -EACCES; 299 return -EACCES;
300 target_val = *idx_to_addr(regs, target_idx); 300 target_val = *idx_to_addr(regs, target_idx);
301 set_data((void *)unaligned_addr, target_val, len); 301 set_data((void *)unaligned_addr, target_val, len);
@@ -479,7 +479,7 @@ static inline int do_32(unsigned long inst, struct pt_regs *regs)
479 479
480 if (load) { 480 if (load) {
481 481
482 if (!access_ok(VERIFY_READ, (void *)unaligned_addr, len)) 482 if (!access_ok((void *)unaligned_addr, len))
483 return -EACCES; 483 return -EACCES;
484 484
485 get_data(unaligned_addr, &target_val, len); 485 get_data(unaligned_addr, &target_val, len);
@@ -491,7 +491,7 @@ static inline int do_32(unsigned long inst, struct pt_regs *regs)
491 *idx_to_addr(regs, RT(inst)) = target_val; 491 *idx_to_addr(regs, RT(inst)) = target_val;
492 } else { 492 } else {
493 493
494 if (!access_ok(VERIFY_WRITE, (void *)unaligned_addr, len)) 494 if (!access_ok((void *)unaligned_addr, len))
495 return -EACCES; 495 return -EACCES;
496 496
497 target_val = *idx_to_addr(regs, RT(inst)); 497 target_val = *idx_to_addr(regs, RT(inst));
diff --git a/arch/nios2/include/asm/uaccess.h b/arch/nios2/include/asm/uaccess.h
index dfa3c7cb30b4..e0ea10806491 100644
--- a/arch/nios2/include/asm/uaccess.h
+++ b/arch/nios2/include/asm/uaccess.h
@@ -37,7 +37,7 @@
37 (((signed long)(((long)get_fs().seg) & \ 37 (((signed long)(((long)get_fs().seg) & \
38 ((long)(addr) | (((long)(addr)) + (len)) | (len)))) == 0) 38 ((long)(addr) | (((long)(addr)) + (len)) | (len)))) == 0)
39 39
40#define access_ok(type, addr, len) \ 40#define access_ok(addr, len) \
41 likely(__access_ok((unsigned long)(addr), (unsigned long)(len))) 41 likely(__access_ok((unsigned long)(addr), (unsigned long)(len)))
42 42
43# define __EX_TABLE_SECTION ".section __ex_table,\"a\"\n" 43# define __EX_TABLE_SECTION ".section __ex_table,\"a\"\n"
@@ -70,7 +70,7 @@ static inline unsigned long __must_check __clear_user(void __user *to,
70static inline unsigned long __must_check clear_user(void __user *to, 70static inline unsigned long __must_check clear_user(void __user *to,
71 unsigned long n) 71 unsigned long n)
72{ 72{
73 if (!access_ok(VERIFY_WRITE, to, n)) 73 if (!access_ok(to, n))
74 return n; 74 return n;
75 return __clear_user(to, n); 75 return __clear_user(to, n);
76} 76}
@@ -142,7 +142,7 @@ do { \
142 long __gu_err = -EFAULT; \ 142 long __gu_err = -EFAULT; \
143 const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ 143 const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
144 unsigned long __gu_val = 0; \ 144 unsigned long __gu_val = 0; \
145 if (access_ok(VERIFY_READ, __gu_ptr, sizeof(*__gu_ptr))) \ 145 if (access_ok( __gu_ptr, sizeof(*__gu_ptr))) \
146 __get_user_common(__gu_val, sizeof(*__gu_ptr), \ 146 __get_user_common(__gu_val, sizeof(*__gu_ptr), \
147 __gu_ptr, __gu_err); \ 147 __gu_ptr, __gu_err); \
148 (x) = (__force __typeof__(x))__gu_val; \ 148 (x) = (__force __typeof__(x))__gu_val; \
@@ -168,7 +168,7 @@ do { \
168 long __pu_err = -EFAULT; \ 168 long __pu_err = -EFAULT; \
169 __typeof__(*(ptr)) __user *__pu_ptr = (ptr); \ 169 __typeof__(*(ptr)) __user *__pu_ptr = (ptr); \
170 __typeof__(*(ptr)) __pu_val = (__typeof(*ptr))(x); \ 170 __typeof__(*(ptr)) __pu_val = (__typeof(*ptr))(x); \
171 if (access_ok(VERIFY_WRITE, __pu_ptr, sizeof(*__pu_ptr))) { \ 171 if (access_ok(__pu_ptr, sizeof(*__pu_ptr))) { \
172 switch (sizeof(*__pu_ptr)) { \ 172 switch (sizeof(*__pu_ptr)) { \
173 case 1: \ 173 case 1: \
174 __put_user_asm(__pu_val, "stb", __pu_ptr, __pu_err); \ 174 __put_user_asm(__pu_val, "stb", __pu_ptr, __pu_err); \
diff --git a/arch/nios2/kernel/signal.c b/arch/nios2/kernel/signal.c
index 20662b0f6c9e..4a81876b6086 100644
--- a/arch/nios2/kernel/signal.c
+++ b/arch/nios2/kernel/signal.c
@@ -106,7 +106,7 @@ asmlinkage int do_rt_sigreturn(struct switch_stack *sw)
106 sigset_t set; 106 sigset_t set;
107 int rval; 107 int rval;
108 108
109 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 109 if (!access_ok(frame, sizeof(*frame)))
110 goto badframe; 110 goto badframe;
111 111
112 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 112 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
diff --git a/arch/openrisc/include/asm/futex.h b/arch/openrisc/include/asm/futex.h
index 618da4a1bffb..fe894e6331ae 100644
--- a/arch/openrisc/include/asm/futex.h
+++ b/arch/openrisc/include/asm/futex.h
@@ -72,7 +72,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
72 int ret = 0; 72 int ret = 0;
73 u32 prev; 73 u32 prev;
74 74
75 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 75 if (!access_ok(uaddr, sizeof(u32)))
76 return -EFAULT; 76 return -EFAULT;
77 77
78 __asm__ __volatile__ ( \ 78 __asm__ __volatile__ ( \
diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
index bbf5c79cce7a..bc8191a34db7 100644
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -58,7 +58,7 @@
58/* Ensure that addr is below task's addr_limit */ 58/* Ensure that addr is below task's addr_limit */
59#define __addr_ok(addr) ((unsigned long) addr < get_fs()) 59#define __addr_ok(addr) ((unsigned long) addr < get_fs())
60 60
61#define access_ok(type, addr, size) \ 61#define access_ok(addr, size) \
62 __range_ok((unsigned long)addr, (unsigned long)size) 62 __range_ok((unsigned long)addr, (unsigned long)size)
63 63
64/* 64/*
@@ -102,7 +102,7 @@ extern long __put_user_bad(void);
102({ \ 102({ \
103 long __pu_err = -EFAULT; \ 103 long __pu_err = -EFAULT; \
104 __typeof__(*(ptr)) *__pu_addr = (ptr); \ 104 __typeof__(*(ptr)) *__pu_addr = (ptr); \
105 if (access_ok(VERIFY_WRITE, __pu_addr, size)) \ 105 if (access_ok(__pu_addr, size)) \
106 __put_user_size((x), __pu_addr, (size), __pu_err); \ 106 __put_user_size((x), __pu_addr, (size), __pu_err); \
107 __pu_err; \ 107 __pu_err; \
108}) 108})
@@ -175,7 +175,7 @@ struct __large_struct {
175({ \ 175({ \
176 long __gu_err = -EFAULT, __gu_val = 0; \ 176 long __gu_err = -EFAULT, __gu_val = 0; \
177 const __typeof__(*(ptr)) * __gu_addr = (ptr); \ 177 const __typeof__(*(ptr)) * __gu_addr = (ptr); \
178 if (access_ok(VERIFY_READ, __gu_addr, size)) \ 178 if (access_ok(__gu_addr, size)) \
179 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \ 179 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
180 (x) = (__force __typeof__(*(ptr)))__gu_val; \ 180 (x) = (__force __typeof__(*(ptr)))__gu_val; \
181 __gu_err; \ 181 __gu_err; \
@@ -254,7 +254,7 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
254static inline __must_check unsigned long 254static inline __must_check unsigned long
255clear_user(void *addr, unsigned long size) 255clear_user(void *addr, unsigned long size)
256{ 256{
257 if (likely(access_ok(VERIFY_WRITE, addr, size))) 257 if (likely(access_ok(addr, size)))
258 size = __clear_user(addr, size); 258 size = __clear_user(addr, size);
259 return size; 259 return size;
260} 260}
diff --git a/arch/openrisc/kernel/signal.c b/arch/openrisc/kernel/signal.c
index 265f10fb3930..5ac9d3b1d615 100644
--- a/arch/openrisc/kernel/signal.c
+++ b/arch/openrisc/kernel/signal.c
@@ -50,7 +50,7 @@ static int restore_sigcontext(struct pt_regs *regs,
50 50
51 /* 51 /*
52 * Restore the regs from &sc->regs. 52 * Restore the regs from &sc->regs.
53 * (sc is already checked for VERIFY_READ since the sigframe was 53 * (sc is already checked since the sigframe was
54 * checked in sys_sigreturn previously) 54 * checked in sys_sigreturn previously)
55 */ 55 */
56 err |= __copy_from_user(regs, sc->regs.gpr, 32 * sizeof(unsigned long)); 56 err |= __copy_from_user(regs, sc->regs.gpr, 32 * sizeof(unsigned long));
@@ -83,7 +83,7 @@ asmlinkage long _sys_rt_sigreturn(struct pt_regs *regs)
83 if (((long)frame) & 3) 83 if (((long)frame) & 3)
84 goto badframe; 84 goto badframe;
85 85
86 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 86 if (!access_ok(frame, sizeof(*frame)))
87 goto badframe; 87 goto badframe;
88 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 88 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
89 goto badframe; 89 goto badframe;
@@ -161,7 +161,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
161 161
162 frame = get_sigframe(ksig, regs, sizeof(*frame)); 162 frame = get_sigframe(ksig, regs, sizeof(*frame));
163 163
164 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 164 if (!access_ok(frame, sizeof(*frame)))
165 return -EFAULT; 165 return -EFAULT;
166 166
167 /* Create siginfo. */ 167 /* Create siginfo. */
diff --git a/arch/parisc/include/asm/futex.h b/arch/parisc/include/asm/futex.h
index cf7ba058f619..d2c3e4106851 100644
--- a/arch/parisc/include/asm/futex.h
+++ b/arch/parisc/include/asm/futex.h
@@ -95,7 +95,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
95 if (uaccess_kernel() && !uaddr) 95 if (uaccess_kernel() && !uaddr)
96 return -EFAULT; 96 return -EFAULT;
97 97
98 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 98 if (!access_ok(uaddr, sizeof(u32)))
99 return -EFAULT; 99 return -EFAULT;
100 100
101 /* HPPA has no cmpxchg in hardware and therefore the 101 /* HPPA has no cmpxchg in hardware and therefore the
diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
index ea70e36ce6af..30ac2865ea73 100644
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -27,7 +27,7 @@
27 * that put_user is the same as __put_user, etc. 27 * that put_user is the same as __put_user, etc.
28 */ 28 */
29 29
30#define access_ok(type, uaddr, size) \ 30#define access_ok(uaddr, size) \
31 ( (uaddr) == (uaddr) ) 31 ( (uaddr) == (uaddr) )
32 32
33#define put_user __put_user 33#define put_user __put_user
diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h
index 94542776a62d..88b38b37c21b 100644
--- a/arch/powerpc/include/asm/futex.h
+++ b/arch/powerpc/include/asm/futex.h
@@ -72,7 +72,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
72 int ret = 0; 72 int ret = 0;
73 u32 prev; 73 u32 prev;
74 74
75 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 75 if (!access_ok(uaddr, sizeof(u32)))
76 return -EFAULT; 76 return -EFAULT;
77 77
78 __asm__ __volatile__ ( 78 __asm__ __volatile__ (
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index ebc0b916dcf9..b31bf45eebd4 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -62,7 +62,7 @@ static inline int __access_ok(unsigned long addr, unsigned long size,
62 62
63#endif 63#endif
64 64
65#define access_ok(type, addr, size) \ 65#define access_ok(addr, size) \
66 (__chk_user_ptr(addr), (void)(type), \ 66 (__chk_user_ptr(addr), (void)(type), \
67 __access_ok((__force unsigned long)(addr), (size), get_fs())) 67 __access_ok((__force unsigned long)(addr), (size), get_fs()))
68 68
@@ -166,7 +166,7 @@ do { \
166 long __pu_err = -EFAULT; \ 166 long __pu_err = -EFAULT; \
167 __typeof__(*(ptr)) __user *__pu_addr = (ptr); \ 167 __typeof__(*(ptr)) __user *__pu_addr = (ptr); \
168 might_fault(); \ 168 might_fault(); \
169 if (access_ok(VERIFY_WRITE, __pu_addr, size)) \ 169 if (access_ok(__pu_addr, size)) \
170 __put_user_size((x), __pu_addr, (size), __pu_err); \ 170 __put_user_size((x), __pu_addr, (size), __pu_err); \
171 __pu_err; \ 171 __pu_err; \
172}) 172})
@@ -276,7 +276,7 @@ do { \
276 __long_type(*(ptr)) __gu_val = 0; \ 276 __long_type(*(ptr)) __gu_val = 0; \
277 __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ 277 __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
278 might_fault(); \ 278 might_fault(); \
279 if (access_ok(VERIFY_READ, __gu_addr, (size))) { \ 279 if (access_ok(__gu_addr, (size))) { \
280 barrier_nospec(); \ 280 barrier_nospec(); \
281 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \ 281 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
282 } \ 282 } \
@@ -374,7 +374,7 @@ extern unsigned long __clear_user(void __user *addr, unsigned long size);
374static inline unsigned long clear_user(void __user *addr, unsigned long size) 374static inline unsigned long clear_user(void __user *addr, unsigned long size)
375{ 375{
376 might_fault(); 376 might_fault();
377 if (likely(access_ok(VERIFY_WRITE, addr, size))) 377 if (likely(access_ok(addr, size)))
378 return __clear_user(addr, size); 378 return __clear_user(addr, size);
379 return size; 379 return size;
380} 380}
diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c
index 11550a3d1ac2..0d1b6370bae0 100644
--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -131,8 +131,7 @@ static int emulate_spe(struct pt_regs *regs, unsigned int reg,
131 131
132 /* Verify the address of the operand */ 132 /* Verify the address of the operand */
133 if (unlikely(user_mode(regs) && 133 if (unlikely(user_mode(regs) &&
134 !access_ok((flags & ST ? VERIFY_WRITE : VERIFY_READ), 134 !access_ok(addr, nb)))
135 addr, nb)))
136 return -EFAULT; 135 return -EFAULT;
137 136
138 /* userland only */ 137 /* userland only */
diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c
index 10fabae2574d..8246f437bbc6 100644
--- a/arch/powerpc/kernel/rtas_flash.c
+++ b/arch/powerpc/kernel/rtas_flash.c
@@ -523,7 +523,7 @@ static ssize_t validate_flash_write(struct file *file, const char __user *buf,
523 args_buf->status = VALIDATE_INCOMPLETE; 523 args_buf->status = VALIDATE_INCOMPLETE;
524 } 524 }
525 525
526 if (!access_ok(VERIFY_READ, buf, count)) { 526 if (!access_ok(buf, count)) {
527 rc = -EFAULT; 527 rc = -EFAULT;
528 goto done; 528 goto done;
529 } 529 }
diff --git a/arch/powerpc/kernel/rtasd.c b/arch/powerpc/kernel/rtasd.c
index 38cadae4ca4f..8a1746d755c9 100644
--- a/arch/powerpc/kernel/rtasd.c
+++ b/arch/powerpc/kernel/rtasd.c
@@ -335,7 +335,7 @@ static ssize_t rtas_log_read(struct file * file, char __user * buf,
335 335
336 count = rtas_error_log_buffer_max; 336 count = rtas_error_log_buffer_max;
337 337
338 if (!access_ok(VERIFY_WRITE, buf, count)) 338 if (!access_ok(buf, count))
339 return -EFAULT; 339 return -EFAULT;
340 340
341 tmp = kmalloc(count, GFP_KERNEL); 341 tmp = kmalloc(count, GFP_KERNEL);
diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c
index b3e8db376ecd..e6c30cee6abf 100644
--- a/arch/powerpc/kernel/signal.c
+++ b/arch/powerpc/kernel/signal.c
@@ -44,7 +44,7 @@ void __user *get_sigframe(struct ksignal *ksig, unsigned long sp,
44 newsp = (oldsp - frame_size) & ~0xFUL; 44 newsp = (oldsp - frame_size) & ~0xFUL;
45 45
46 /* Check access */ 46 /* Check access */
47 if (!access_ok(VERIFY_WRITE, (void __user *)newsp, oldsp - newsp)) 47 if (!access_ok((void __user *)newsp, oldsp - newsp))
48 return NULL; 48 return NULL;
49 49
50 return (void __user *)newsp; 50 return (void __user *)newsp;
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index 2d47cc79e5b3..ede4f04281ae 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1017,7 +1017,7 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int
1017#else 1017#else
1018 if (__get_user(mcp, &ucp->uc_regs)) 1018 if (__get_user(mcp, &ucp->uc_regs))
1019 return -EFAULT; 1019 return -EFAULT;
1020 if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp))) 1020 if (!access_ok(mcp, sizeof(*mcp)))
1021 return -EFAULT; 1021 return -EFAULT;
1022#endif 1022#endif
1023 set_current_blocked(&set); 1023 set_current_blocked(&set);
@@ -1120,7 +1120,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
1120 */ 1120 */
1121 mctx = (struct mcontext __user *) 1121 mctx = (struct mcontext __user *)
1122 ((unsigned long) &old_ctx->uc_mcontext & ~0xfUL); 1122 ((unsigned long) &old_ctx->uc_mcontext & ~0xfUL);
1123 if (!access_ok(VERIFY_WRITE, old_ctx, ctx_size) 1123 if (!access_ok(old_ctx, ctx_size)
1124 || save_user_regs(regs, mctx, NULL, 0, ctx_has_vsx_region) 1124 || save_user_regs(regs, mctx, NULL, 0, ctx_has_vsx_region)
1125 || put_sigset_t(&old_ctx->uc_sigmask, &current->blocked) 1125 || put_sigset_t(&old_ctx->uc_sigmask, &current->blocked)
1126 || __put_user(to_user_ptr(mctx), &old_ctx->uc_regs)) 1126 || __put_user(to_user_ptr(mctx), &old_ctx->uc_regs))
@@ -1128,7 +1128,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
1128 } 1128 }
1129 if (new_ctx == NULL) 1129 if (new_ctx == NULL)
1130 return 0; 1130 return 0;
1131 if (!access_ok(VERIFY_READ, new_ctx, ctx_size) || 1131 if (!access_ok(new_ctx, ctx_size) ||
1132 fault_in_pages_readable((u8 __user *)new_ctx, ctx_size)) 1132 fault_in_pages_readable((u8 __user *)new_ctx, ctx_size))
1133 return -EFAULT; 1133 return -EFAULT;
1134 1134
@@ -1169,7 +1169,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
1169 1169
1170 rt_sf = (struct rt_sigframe __user *) 1170 rt_sf = (struct rt_sigframe __user *)
1171 (regs->gpr[1] + __SIGNAL_FRAMESIZE + 16); 1171 (regs->gpr[1] + __SIGNAL_FRAMESIZE + 16);
1172 if (!access_ok(VERIFY_READ, rt_sf, sizeof(*rt_sf))) 1172 if (!access_ok(rt_sf, sizeof(*rt_sf)))
1173 goto bad; 1173 goto bad;
1174 1174
1175#ifdef CONFIG_PPC_TRANSACTIONAL_MEM 1175#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
@@ -1315,7 +1315,7 @@ SYSCALL_DEFINE3(debug_setcontext, struct ucontext __user *, ctx,
1315 current->thread.debug.dbcr0 = new_dbcr0; 1315 current->thread.debug.dbcr0 = new_dbcr0;
1316#endif 1316#endif
1317 1317
1318 if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx)) || 1318 if (!access_ok(ctx, sizeof(*ctx)) ||
1319 fault_in_pages_readable((u8 __user *)ctx, sizeof(*ctx))) 1319 fault_in_pages_readable((u8 __user *)ctx, sizeof(*ctx)))
1320 return -EFAULT; 1320 return -EFAULT;
1321 1321
@@ -1500,7 +1500,7 @@ SYSCALL_DEFINE0(sigreturn)
1500 { 1500 {
1501 sr = (struct mcontext __user *)from_user_ptr(sigctx.regs); 1501 sr = (struct mcontext __user *)from_user_ptr(sigctx.regs);
1502 addr = sr; 1502 addr = sr;
1503 if (!access_ok(VERIFY_READ, sr, sizeof(*sr)) 1503 if (!access_ok(sr, sizeof(*sr))
1504 || restore_user_regs(regs, sr, 1)) 1504 || restore_user_regs(regs, sr, 1))
1505 goto badframe; 1505 goto badframe;
1506 } 1506 }
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 0935fe6c282a..bd5e6834ca69 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -383,7 +383,7 @@ static long restore_sigcontext(struct task_struct *tsk, sigset_t *set, int sig,
383 err |= __get_user(v_regs, &sc->v_regs); 383 err |= __get_user(v_regs, &sc->v_regs);
384 if (err) 384 if (err)
385 return err; 385 return err;
386 if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128))) 386 if (v_regs && !access_ok(v_regs, 34 * sizeof(vector128)))
387 return -EFAULT; 387 return -EFAULT;
388 /* Copy 33 vec registers (vr0..31 and vscr) from the stack */ 388 /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
389 if (v_regs != NULL && (msr & MSR_VEC) != 0) { 389 if (v_regs != NULL && (msr & MSR_VEC) != 0) {
@@ -502,10 +502,9 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
502 err |= __get_user(tm_v_regs, &tm_sc->v_regs); 502 err |= __get_user(tm_v_regs, &tm_sc->v_regs);
503 if (err) 503 if (err)
504 return err; 504 return err;
505 if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128))) 505 if (v_regs && !access_ok(v_regs, 34 * sizeof(vector128)))
506 return -EFAULT; 506 return -EFAULT;
507 if (tm_v_regs && !access_ok(VERIFY_READ, 507 if (tm_v_regs && !access_ok(tm_v_regs, 34 * sizeof(vector128)))
508 tm_v_regs, 34 * sizeof(vector128)))
509 return -EFAULT; 508 return -EFAULT;
510 /* Copy 33 vec registers (vr0..31 and vscr) from the stack */ 509 /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
511 if (v_regs != NULL && tm_v_regs != NULL && (msr & MSR_VEC) != 0) { 510 if (v_regs != NULL && tm_v_regs != NULL && (msr & MSR_VEC) != 0) {
@@ -671,7 +670,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
671 ctx_has_vsx_region = 1; 670 ctx_has_vsx_region = 1;
672 671
673 if (old_ctx != NULL) { 672 if (old_ctx != NULL) {
674 if (!access_ok(VERIFY_WRITE, old_ctx, ctx_size) 673 if (!access_ok(old_ctx, ctx_size)
675 || setup_sigcontext(&old_ctx->uc_mcontext, current, 0, NULL, 0, 674 || setup_sigcontext(&old_ctx->uc_mcontext, current, 0, NULL, 0,
676 ctx_has_vsx_region) 675 ctx_has_vsx_region)
677 || __copy_to_user(&old_ctx->uc_sigmask, 676 || __copy_to_user(&old_ctx->uc_sigmask,
@@ -680,7 +679,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
680 } 679 }
681 if (new_ctx == NULL) 680 if (new_ctx == NULL)
682 return 0; 681 return 0;
683 if (!access_ok(VERIFY_READ, new_ctx, ctx_size) 682 if (!access_ok(new_ctx, ctx_size)
684 || __get_user(tmp, (u8 __user *) new_ctx) 683 || __get_user(tmp, (u8 __user *) new_ctx)
685 || __get_user(tmp, (u8 __user *) new_ctx + ctx_size - 1)) 684 || __get_user(tmp, (u8 __user *) new_ctx + ctx_size - 1))
686 return -EFAULT; 685 return -EFAULT;
@@ -725,7 +724,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
725 /* Always make any pending restarted system calls return -EINTR */ 724 /* Always make any pending restarted system calls return -EINTR */
726 current->restart_block.fn = do_no_restart_syscall; 725 current->restart_block.fn = do_no_restart_syscall;
727 726
728 if (!access_ok(VERIFY_READ, uc, sizeof(*uc))) 727 if (!access_ok(uc, sizeof(*uc)))
729 goto badframe; 728 goto badframe;
730 729
731 if (__copy_from_user(&set, &uc->uc_sigmask, sizeof(set))) 730 if (__copy_from_user(&set, &uc->uc_sigmask, sizeof(set)))
diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
index 466216506eb2..e6982ab21816 100644
--- a/arch/powerpc/kernel/syscalls.c
+++ b/arch/powerpc/kernel/syscalls.c
@@ -89,7 +89,7 @@ ppc_select(int n, fd_set __user *inp, fd_set __user *outp, fd_set __user *exp, s
89 if ( (unsigned long)n >= 4096 ) 89 if ( (unsigned long)n >= 4096 )
90 { 90 {
91 unsigned long __user *buffer = (unsigned long __user *)n; 91 unsigned long __user *buffer = (unsigned long __user *)n;
92 if (!access_ok(VERIFY_READ, buffer, 5*sizeof(unsigned long)) 92 if (!access_ok(buffer, 5*sizeof(unsigned long))
93 || __get_user(n, buffer) 93 || __get_user(n, buffer)
94 || __get_user(inp, ((fd_set __user * __user *)(buffer+1))) 94 || __get_user(inp, ((fd_set __user * __user *)(buffer+1)))
95 || __get_user(outp, ((fd_set __user * __user *)(buffer+2))) 95 || __get_user(outp, ((fd_set __user * __user *)(buffer+2)))
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
index 00af2c4febf4..64936b60d521 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -837,7 +837,7 @@ static void p9_hmi_special_emu(struct pt_regs *regs)
837 addr = (__force const void __user *)ea; 837 addr = (__force const void __user *)ea;
838 838
839 /* Check it */ 839 /* Check it */
840 if (!access_ok(VERIFY_READ, addr, 16)) { 840 if (!access_ok(addr, 16)) {
841 pr_devel("HMI vec emu: bad access %i:%s[%d] nip=%016lx" 841 pr_devel("HMI vec emu: bad access %i:%s[%d] nip=%016lx"
842 " instr=%08x addr=%016lx\n", 842 " instr=%08x addr=%016lx\n",
843 smp_processor_id(), current->comm, current->pid, 843 smp_processor_id(), current->comm, current->pid,
diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c
index 6f2d2fb4e098..bd2dcfbf00cd 100644
--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
+++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
@@ -1744,7 +1744,7 @@ static ssize_t kvm_htab_read(struct file *file, char __user *buf,
1744 int first_pass; 1744 int first_pass;
1745 unsigned long hpte[2]; 1745 unsigned long hpte[2];
1746 1746
1747 if (!access_ok(VERIFY_WRITE, buf, count)) 1747 if (!access_ok(buf, count))
1748 return -EFAULT; 1748 return -EFAULT;
1749 if (kvm_is_radix(kvm)) 1749 if (kvm_is_radix(kvm))
1750 return 0; 1750 return 0;
@@ -1844,7 +1844,7 @@ static ssize_t kvm_htab_write(struct file *file, const char __user *buf,
1844 int mmu_ready; 1844 int mmu_ready;
1845 int pshift; 1845 int pshift;
1846 1846
1847 if (!access_ok(VERIFY_READ, buf, count)) 1847 if (!access_ok(buf, count))
1848 return -EFAULT; 1848 return -EFAULT;
1849 if (kvm_is_radix(kvm)) 1849 if (kvm_is_radix(kvm))
1850 return -EINVAL; 1850 return -EINVAL;
diff --git a/arch/powerpc/lib/checksum_wrappers.c b/arch/powerpc/lib/checksum_wrappers.c
index a0cb63fb76a1..890d4ddd91d6 100644
--- a/arch/powerpc/lib/checksum_wrappers.c
+++ b/arch/powerpc/lib/checksum_wrappers.c
@@ -37,7 +37,7 @@ __wsum csum_and_copy_from_user(const void __user *src, void *dst,
37 goto out; 37 goto out;
38 } 38 }
39 39
40 if (unlikely((len < 0) || !access_ok(VERIFY_READ, src, len))) { 40 if (unlikely((len < 0) || !access_ok(src, len))) {
41 *err_ptr = -EFAULT; 41 *err_ptr = -EFAULT;
42 csum = (__force unsigned int)sum; 42 csum = (__force unsigned int)sum;
43 goto out; 43 goto out;
@@ -78,7 +78,7 @@ __wsum csum_and_copy_to_user(const void *src, void __user *dst, int len,
78 goto out; 78 goto out;
79 } 79 }
80 80
81 if (unlikely((len < 0) || !access_ok(VERIFY_WRITE, dst, len))) { 81 if (unlikely((len < 0) || !access_ok(dst, len))) {
82 *err_ptr = -EFAULT; 82 *err_ptr = -EFAULT;
83 csum = -1; /* invalid checksum */ 83 csum = -1; /* invalid checksum */
84 goto out; 84 goto out;
diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index a6dcfda3e11e..887f11bcf330 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -274,7 +274,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
274 return false; 274 return false;
275 275
276 if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && 276 if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
277 access_ok(VERIFY_READ, nip, sizeof(*nip))) { 277 access_ok(nip, sizeof(*nip))) {
278 unsigned int inst; 278 unsigned int inst;
279 int res; 279 int res;
280 280
diff --git a/arch/powerpc/mm/subpage-prot.c b/arch/powerpc/mm/subpage-prot.c
index 3327551c8b47..5e4178790dee 100644
--- a/arch/powerpc/mm/subpage-prot.c
+++ b/arch/powerpc/mm/subpage-prot.c
@@ -214,7 +214,7 @@ SYSCALL_DEFINE3(subpage_prot, unsigned long, addr,
214 return 0; 214 return 0;
215 } 215 }
216 216
217 if (!access_ok(VERIFY_READ, map, (len >> PAGE_SHIFT) * sizeof(u32))) 217 if (!access_ok(map, (len >> PAGE_SHIFT) * sizeof(u32)))
218 return -EFAULT; 218 return -EFAULT;
219 219
220 down_write(&mm->mmap_sem); 220 down_write(&mm->mmap_sem);
diff --git a/arch/powerpc/oprofile/backtrace.c b/arch/powerpc/oprofile/backtrace.c
index 5df6290d1ccc..260c53700978 100644
--- a/arch/powerpc/oprofile/backtrace.c
+++ b/arch/powerpc/oprofile/backtrace.c
@@ -31,7 +31,7 @@ static unsigned int user_getsp32(unsigned int sp, int is_first)
31 unsigned int stack_frame[2]; 31 unsigned int stack_frame[2];
32 void __user *p = compat_ptr(sp); 32 void __user *p = compat_ptr(sp);
33 33
34 if (!access_ok(VERIFY_READ, p, sizeof(stack_frame))) 34 if (!access_ok(p, sizeof(stack_frame)))
35 return 0; 35 return 0;
36 36
37 /* 37 /*
@@ -57,7 +57,7 @@ static unsigned long user_getsp64(unsigned long sp, int is_first)
57{ 57{
58 unsigned long stack_frame[3]; 58 unsigned long stack_frame[3];
59 59
60 if (!access_ok(VERIFY_READ, (void __user *)sp, sizeof(stack_frame))) 60 if (!access_ok((void __user *)sp, sizeof(stack_frame)))
61 return 0; 61 return 0;
62 62
63 if (__copy_from_user_inatomic(stack_frame, (void __user *)sp, 63 if (__copy_from_user_inatomic(stack_frame, (void __user *)sp,
diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
index 43e7b93f27c7..ae8123edddc6 100644
--- a/arch/powerpc/platforms/cell/spufs/file.c
+++ b/arch/powerpc/platforms/cell/spufs/file.c
@@ -609,7 +609,7 @@ static ssize_t spufs_mbox_read(struct file *file, char __user *buf,
609 if (len < 4) 609 if (len < 4)
610 return -EINVAL; 610 return -EINVAL;
611 611
612 if (!access_ok(VERIFY_WRITE, buf, len)) 612 if (!access_ok(buf, len))
613 return -EFAULT; 613 return -EFAULT;
614 614
615 udata = (void __user *)buf; 615 udata = (void __user *)buf;
@@ -717,7 +717,7 @@ static ssize_t spufs_ibox_read(struct file *file, char __user *buf,
717 if (len < 4) 717 if (len < 4)
718 return -EINVAL; 718 return -EINVAL;
719 719
720 if (!access_ok(VERIFY_WRITE, buf, len)) 720 if (!access_ok(buf, len))
721 return -EFAULT; 721 return -EFAULT;
722 722
723 udata = (void __user *)buf; 723 udata = (void __user *)buf;
@@ -856,7 +856,7 @@ static ssize_t spufs_wbox_write(struct file *file, const char __user *buf,
856 return -EINVAL; 856 return -EINVAL;
857 857
858 udata = (void __user *)buf; 858 udata = (void __user *)buf;
859 if (!access_ok(VERIFY_READ, buf, len)) 859 if (!access_ok(buf, len))
860 return -EFAULT; 860 return -EFAULT;
861 861
862 if (__get_user(wbox_data, udata)) 862 if (__get_user(wbox_data, udata))
@@ -1994,7 +1994,7 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
1994 int ret; 1994 int ret;
1995 struct spu_context *ctx = file->private_data; 1995 struct spu_context *ctx = file->private_data;
1996 1996
1997 if (!access_ok(VERIFY_WRITE, buf, len)) 1997 if (!access_ok(buf, len))
1998 return -EFAULT; 1998 return -EFAULT;
1999 1999
2000 ret = spu_acquire_saved(ctx); 2000 ret = spu_acquire_saved(ctx);
@@ -2034,7 +2034,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
2034 struct spu_context *ctx = file->private_data; 2034 struct spu_context *ctx = file->private_data;
2035 int ret; 2035 int ret;
2036 2036
2037 if (!access_ok(VERIFY_WRITE, buf, len)) 2037 if (!access_ok(buf, len))
2038 return -EFAULT; 2038 return -EFAULT;
2039 2039
2040 ret = spu_acquire_saved(ctx); 2040 ret = spu_acquire_saved(ctx);
@@ -2077,7 +2077,7 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
2077 struct spu_context *ctx = file->private_data; 2077 struct spu_context *ctx = file->private_data;
2078 int ret; 2078 int ret;
2079 2079
2080 if (!access_ok(VERIFY_WRITE, buf, len)) 2080 if (!access_ok(buf, len))
2081 return -EFAULT; 2081 return -EFAULT;
2082 2082
2083 ret = spu_acquire_saved(ctx); 2083 ret = spu_acquire_saved(ctx);
@@ -2129,7 +2129,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
2129 struct spu_context *ctx = file->private_data; 2129 struct spu_context *ctx = file->private_data;
2130 int ret; 2130 int ret;
2131 2131
2132 if (!access_ok(VERIFY_WRITE, buf, len)) 2132 if (!access_ok(buf, len))
2133 return -EFAULT; 2133 return -EFAULT;
2134 2134
2135 ret = spu_acquire_saved(ctx); 2135 ret = spu_acquire_saved(ctx);
@@ -2160,7 +2160,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
2160 if (len < ret) 2160 if (len < ret)
2161 return -EINVAL; 2161 return -EINVAL;
2162 2162
2163 if (!access_ok(VERIFY_WRITE, buf, len)) 2163 if (!access_ok(buf, len))
2164 return -EFAULT; 2164 return -EFAULT;
2165 2165
2166 info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW; 2166 info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c
index 6c7ad1d8b32e..2623996a193a 100644
--- a/arch/powerpc/platforms/powernv/opal-lpc.c
+++ b/arch/powerpc/platforms/powernv/opal-lpc.c
@@ -192,7 +192,7 @@ static ssize_t lpc_debug_read(struct file *filp, char __user *ubuf,
192 u32 data, pos, len, todo; 192 u32 data, pos, len, todo;
193 int rc; 193 int rc;
194 194
195 if (!access_ok(VERIFY_WRITE, ubuf, count)) 195 if (!access_ok(ubuf, count))
196 return -EFAULT; 196 return -EFAULT;
197 197
198 todo = count; 198 todo = count;
@@ -283,7 +283,7 @@ static ssize_t lpc_debug_write(struct file *filp, const char __user *ubuf,
283 u32 data, pos, len, todo; 283 u32 data, pos, len, todo;
284 int rc; 284 int rc;
285 285
286 if (!access_ok(VERIFY_READ, ubuf, count)) 286 if (!access_ok(ubuf, count))
287 return -EFAULT; 287 return -EFAULT;
288 288
289 todo = count; 289 todo = count;
diff --git a/arch/powerpc/platforms/pseries/scanlog.c b/arch/powerpc/platforms/pseries/scanlog.c
index 054ce7a16fc3..24b157e1e890 100644
--- a/arch/powerpc/platforms/pseries/scanlog.c
+++ b/arch/powerpc/platforms/pseries/scanlog.c
@@ -63,7 +63,7 @@ static ssize_t scanlog_read(struct file *file, char __user *buf,
63 return -EINVAL; 63 return -EINVAL;
64 } 64 }
65 65
66 if (!access_ok(VERIFY_WRITE, buf, count)) 66 if (!access_ok(buf, count))
67 return -EFAULT; 67 return -EFAULT;
68 68
69 for (;;) { 69 for (;;) {
diff --git a/arch/riscv/include/asm/futex.h b/arch/riscv/include/asm/futex.h
index 3b19eba1bc8e..66641624d8a5 100644
--- a/arch/riscv/include/asm/futex.h
+++ b/arch/riscv/include/asm/futex.h
@@ -95,7 +95,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
95 u32 val; 95 u32 val;
96 uintptr_t tmp; 96 uintptr_t tmp;
97 97
98 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 98 if (!access_ok(uaddr, sizeof(u32)))
99 return -EFAULT; 99 return -EFAULT;
100 100
101 __enable_user_access(); 101 __enable_user_access();
diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
index 8c3e3e3c8be1..637b896894fc 100644
--- a/arch/riscv/include/asm/uaccess.h
+++ b/arch/riscv/include/asm/uaccess.h
@@ -54,14 +54,8 @@ static inline void set_fs(mm_segment_t fs)
54#define user_addr_max() (get_fs()) 54#define user_addr_max() (get_fs())
55 55
56 56
57#define VERIFY_READ 0
58#define VERIFY_WRITE 1
59
60/** 57/**
61 * access_ok: - Checks if a user space pointer is valid 58 * access_ok: - Checks if a user space pointer is valid
62 * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
63 * %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
64 * to write to a block, it is always safe to read from it.
65 * @addr: User space pointer to start of block to check 59 * @addr: User space pointer to start of block to check
66 * @size: Size of block to check 60 * @size: Size of block to check
67 * 61 *
@@ -76,7 +70,7 @@ static inline void set_fs(mm_segment_t fs)
76 * checks that the pointer is in the user space range - after calling 70 * checks that the pointer is in the user space range - after calling
77 * this function, memory access functions may still return -EFAULT. 71 * this function, memory access functions may still return -EFAULT.
78 */ 72 */
79#define access_ok(type, addr, size) ({ \ 73#define access_ok(addr, size) ({ \
80 __chk_user_ptr(addr); \ 74 __chk_user_ptr(addr); \
81 likely(__access_ok((unsigned long __force)(addr), (size))); \ 75 likely(__access_ok((unsigned long __force)(addr), (size))); \
82}) 76})
@@ -258,7 +252,7 @@ do { \
258({ \ 252({ \
259 const __typeof__(*(ptr)) __user *__p = (ptr); \ 253 const __typeof__(*(ptr)) __user *__p = (ptr); \
260 might_fault(); \ 254 might_fault(); \
261 access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \ 255 access_ok(__p, sizeof(*__p)) ? \
262 __get_user((x), __p) : \ 256 __get_user((x), __p) : \
263 ((x) = 0, -EFAULT); \ 257 ((x) = 0, -EFAULT); \
264}) 258})
@@ -386,7 +380,7 @@ do { \
386({ \ 380({ \
387 __typeof__(*(ptr)) __user *__p = (ptr); \ 381 __typeof__(*(ptr)) __user *__p = (ptr); \
388 might_fault(); \ 382 might_fault(); \
389 access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \ 383 access_ok(__p, sizeof(*__p)) ? \
390 __put_user((x), __p) : \ 384 __put_user((x), __p) : \
391 -EFAULT; \ 385 -EFAULT; \
392}) 386})
@@ -421,7 +415,7 @@ static inline
421unsigned long __must_check clear_user(void __user *to, unsigned long n) 415unsigned long __must_check clear_user(void __user *to, unsigned long n)
422{ 416{
423 might_fault(); 417 might_fault();
424 return access_ok(VERIFY_WRITE, to, n) ? 418 return access_ok(to, n) ?
425 __clear_user(to, n) : n; 419 __clear_user(to, n) : n;
426} 420}
427 421
diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c
index f9b5e7e352ef..837e1646091a 100644
--- a/arch/riscv/kernel/signal.c
+++ b/arch/riscv/kernel/signal.c
@@ -115,7 +115,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
115 115
116 frame = (struct rt_sigframe __user *)regs->sp; 116 frame = (struct rt_sigframe __user *)regs->sp;
117 117
118 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 118 if (!access_ok(frame, sizeof(*frame)))
119 goto badframe; 119 goto badframe;
120 120
121 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 121 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -187,7 +187,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
187 long err = 0; 187 long err = 0;
188 188
189 frame = get_sigframe(ksig, regs, sizeof(*frame)); 189 frame = get_sigframe(ksig, regs, sizeof(*frame));
190 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 190 if (!access_ok(frame, sizeof(*frame)))
191 return -EFAULT; 191 return -EFAULT;
192 192
193 err |= copy_siginfo_to_user(&frame->info, &ksig->info); 193 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
index ad6b91013a05..bd2545977ad3 100644
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -48,7 +48,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size)
48 __range_ok((unsigned long)(addr), (size)); \ 48 __range_ok((unsigned long)(addr), (size)); \
49}) 49})
50 50
51#define access_ok(type, addr, size) __access_ok(addr, size) 51#define access_ok(addr, size) __access_ok(addr, size)
52 52
53unsigned long __must_check 53unsigned long __must_check
54raw_copy_from_user(void *to, const void __user *from, unsigned long n); 54raw_copy_from_user(void *to, const void __user *from, unsigned long n);
diff --git a/arch/sh/include/asm/checksum_32.h b/arch/sh/include/asm/checksum_32.h
index b58f3d95dc19..36b84cfd3f67 100644
--- a/arch/sh/include/asm/checksum_32.h
+++ b/arch/sh/include/asm/checksum_32.h
@@ -197,7 +197,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
197 int len, __wsum sum, 197 int len, __wsum sum,
198 int *err_ptr) 198 int *err_ptr)
199{ 199{
200 if (access_ok(VERIFY_WRITE, dst, len)) 200 if (access_ok(dst, len))
201 return csum_partial_copy_generic((__force const void *)src, 201 return csum_partial_copy_generic((__force const void *)src,
202 dst, len, sum, NULL, err_ptr); 202 dst, len, sum, NULL, err_ptr);
203 203
diff --git a/arch/sh/include/asm/futex.h b/arch/sh/include/asm/futex.h
index 6d192f4908a7..3190ec89df81 100644
--- a/arch/sh/include/asm/futex.h
+++ b/arch/sh/include/asm/futex.h
@@ -22,7 +22,7 @@ static inline int
22futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, 22futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
23 u32 oldval, u32 newval) 23 u32 oldval, u32 newval)
24{ 24{
25 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 25 if (!access_ok(uaddr, sizeof(u32)))
26 return -EFAULT; 26 return -EFAULT;
27 27
28 return atomic_futex_op_cmpxchg_inatomic(uval, uaddr, oldval, newval); 28 return atomic_futex_op_cmpxchg_inatomic(uval, uaddr, oldval, newval);
diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
index 32eb56e00c11..deebbfab5342 100644
--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -18,7 +18,7 @@
18 */ 18 */
19#define __access_ok(addr, size) \ 19#define __access_ok(addr, size) \
20 (__addr_ok((addr) + (size))) 20 (__addr_ok((addr) + (size)))
21#define access_ok(type, addr, size) \ 21#define access_ok(addr, size) \
22 (__chk_user_ptr(addr), \ 22 (__chk_user_ptr(addr), \
23 __access_ok((unsigned long __force)(addr), (size))) 23 __access_ok((unsigned long __force)(addr), (size)))
24 24
@@ -66,7 +66,7 @@ struct __large_struct { unsigned long buf[100]; };
66 long __gu_err = -EFAULT; \ 66 long __gu_err = -EFAULT; \
67 unsigned long __gu_val = 0; \ 67 unsigned long __gu_val = 0; \
68 const __typeof__(*(ptr)) *__gu_addr = (ptr); \ 68 const __typeof__(*(ptr)) *__gu_addr = (ptr); \
69 if (likely(access_ok(VERIFY_READ, __gu_addr, (size)))) \ 69 if (likely(access_ok(__gu_addr, (size)))) \
70 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \ 70 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
71 (x) = (__force __typeof__(*(ptr)))__gu_val; \ 71 (x) = (__force __typeof__(*(ptr)))__gu_val; \
72 __gu_err; \ 72 __gu_err; \
@@ -87,7 +87,7 @@ struct __large_struct { unsigned long buf[100]; };
87 long __pu_err = -EFAULT; \ 87 long __pu_err = -EFAULT; \
88 __typeof__(*(ptr)) __user *__pu_addr = (ptr); \ 88 __typeof__(*(ptr)) __user *__pu_addr = (ptr); \
89 __typeof__(*(ptr)) __pu_val = x; \ 89 __typeof__(*(ptr)) __pu_val = x; \
90 if (likely(access_ok(VERIFY_WRITE, __pu_addr, size))) \ 90 if (likely(access_ok(__pu_addr, size))) \
91 __put_user_size(__pu_val, __pu_addr, (size), \ 91 __put_user_size(__pu_val, __pu_addr, (size), \
92 __pu_err); \ 92 __pu_err); \
93 __pu_err; \ 93 __pu_err; \
@@ -132,8 +132,7 @@ __kernel_size_t __clear_user(void *addr, __kernel_size_t size);
132 void __user * __cl_addr = (addr); \ 132 void __user * __cl_addr = (addr); \
133 unsigned long __cl_size = (n); \ 133 unsigned long __cl_size = (n); \
134 \ 134 \
135 if (__cl_size && access_ok(VERIFY_WRITE, \ 135 if (__cl_size && access_ok(__cl_addr, __cl_size)) \
136 ((unsigned long)(__cl_addr)), __cl_size)) \
137 __cl_size = __clear_user(__cl_addr, __cl_size); \ 136 __cl_size = __clear_user(__cl_addr, __cl_size); \
138 \ 137 \
139 __cl_size; \ 138 __cl_size; \
diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c
index c46c0020ff55..2a2121ba8ebe 100644
--- a/arch/sh/kernel/signal_32.c
+++ b/arch/sh/kernel/signal_32.c
@@ -160,7 +160,7 @@ asmlinkage int sys_sigreturn(void)
160 /* Always make any pending restarted system calls return -EINTR */ 160 /* Always make any pending restarted system calls return -EINTR */
161 current->restart_block.fn = do_no_restart_syscall; 161 current->restart_block.fn = do_no_restart_syscall;
162 162
163 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 163 if (!access_ok(frame, sizeof(*frame)))
164 goto badframe; 164 goto badframe;
165 165
166 if (__get_user(set.sig[0], &frame->sc.oldmask) 166 if (__get_user(set.sig[0], &frame->sc.oldmask)
@@ -190,7 +190,7 @@ asmlinkage int sys_rt_sigreturn(void)
190 /* Always make any pending restarted system calls return -EINTR */ 190 /* Always make any pending restarted system calls return -EINTR */
191 current->restart_block.fn = do_no_restart_syscall; 191 current->restart_block.fn = do_no_restart_syscall;
192 192
193 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 193 if (!access_ok(frame, sizeof(*frame)))
194 goto badframe; 194 goto badframe;
195 195
196 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 196 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -272,7 +272,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
272 272
273 frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame)); 273 frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
274 274
275 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 275 if (!access_ok(frame, sizeof(*frame)))
276 return -EFAULT; 276 return -EFAULT;
277 277
278 err |= setup_sigcontext(&frame->sc, regs, set->sig[0]); 278 err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
@@ -338,7 +338,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
338 338
339 frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame)); 339 frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
340 340
341 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 341 if (!access_ok(frame, sizeof(*frame)))
342 return -EFAULT; 342 return -EFAULT;
343 343
344 err |= copy_siginfo_to_user(&frame->info, &ksig->info); 344 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
diff --git a/arch/sh/kernel/signal_64.c b/arch/sh/kernel/signal_64.c
index 76661dee3c65..f1f1598879c2 100644
--- a/arch/sh/kernel/signal_64.c
+++ b/arch/sh/kernel/signal_64.c
@@ -259,7 +259,7 @@ asmlinkage int sys_sigreturn(unsigned long r2, unsigned long r3,
259 /* Always make any pending restarted system calls return -EINTR */ 259 /* Always make any pending restarted system calls return -EINTR */
260 current->restart_block.fn = do_no_restart_syscall; 260 current->restart_block.fn = do_no_restart_syscall;
261 261
262 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 262 if (!access_ok(frame, sizeof(*frame)))
263 goto badframe; 263 goto badframe;
264 264
265 if (__get_user(set.sig[0], &frame->sc.oldmask) 265 if (__get_user(set.sig[0], &frame->sc.oldmask)
@@ -293,7 +293,7 @@ asmlinkage int sys_rt_sigreturn(unsigned long r2, unsigned long r3,
293 /* Always make any pending restarted system calls return -EINTR */ 293 /* Always make any pending restarted system calls return -EINTR */
294 current->restart_block.fn = do_no_restart_syscall; 294 current->restart_block.fn = do_no_restart_syscall;
295 295
296 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 296 if (!access_ok(frame, sizeof(*frame)))
297 goto badframe; 297 goto badframe;
298 298
299 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 299 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -379,7 +379,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
379 379
380 frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame)); 380 frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
381 381
382 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 382 if (!access_ok(frame, sizeof(*frame)))
383 return -EFAULT; 383 return -EFAULT;
384 384
385 err |= setup_sigcontext(&frame->sc, regs, set->sig[0]); 385 err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
@@ -465,7 +465,7 @@ static int setup_rt_frame(struct ksignal *kig, sigset_t *set,
465 465
466 frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame)); 466 frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
467 467
468 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 468 if (!access_ok(frame, sizeof(*frame)))
469 return -EFAULT; 469 return -EFAULT;
470 470
471 err |= __put_user(&frame->info, &frame->pinfo); 471 err |= __put_user(&frame->info, &frame->pinfo);
diff --git a/arch/sh/kernel/traps_64.c b/arch/sh/kernel/traps_64.c
index c52bda4d2574..8ce90a7da67d 100644
--- a/arch/sh/kernel/traps_64.c
+++ b/arch/sh/kernel/traps_64.c
@@ -40,7 +40,7 @@ static int read_opcode(reg_size_t pc, insn_size_t *result_opcode, int from_user_
40 /* SHmedia */ 40 /* SHmedia */
41 aligned_pc = pc & ~3; 41 aligned_pc = pc & ~3;
42 if (from_user_mode) { 42 if (from_user_mode) {
43 if (!access_ok(VERIFY_READ, aligned_pc, sizeof(insn_size_t))) { 43 if (!access_ok(aligned_pc, sizeof(insn_size_t))) {
44 get_user_error = -EFAULT; 44 get_user_error = -EFAULT;
45 } else { 45 } else {
46 get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc); 46 get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc);
@@ -180,7 +180,7 @@ static int misaligned_load(struct pt_regs *regs,
180 if (user_mode(regs)) { 180 if (user_mode(regs)) {
181 __u64 buffer; 181 __u64 buffer;
182 182
183 if (!access_ok(VERIFY_READ, (unsigned long) address, 1UL<<width_shift)) { 183 if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
184 return -1; 184 return -1;
185 } 185 }
186 186
@@ -254,7 +254,7 @@ static int misaligned_store(struct pt_regs *regs,
254 if (user_mode(regs)) { 254 if (user_mode(regs)) {
255 __u64 buffer; 255 __u64 buffer;
256 256
257 if (!access_ok(VERIFY_WRITE, (unsigned long) address, 1UL<<width_shift)) { 257 if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
258 return -1; 258 return -1;
259 } 259 }
260 260
@@ -327,7 +327,7 @@ static int misaligned_fpu_load(struct pt_regs *regs,
327 __u64 buffer; 327 __u64 buffer;
328 __u32 buflo, bufhi; 328 __u32 buflo, bufhi;
329 329
330 if (!access_ok(VERIFY_READ, (unsigned long) address, 1UL<<width_shift)) { 330 if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
331 return -1; 331 return -1;
332 } 332 }
333 333
@@ -400,7 +400,7 @@ static int misaligned_fpu_store(struct pt_regs *regs,
400 /* Initialise these to NaNs. */ 400 /* Initialise these to NaNs. */
401 __u32 buflo=0xffffffffUL, bufhi=0xffffffffUL; 401 __u32 buflo=0xffffffffUL, bufhi=0xffffffffUL;
402 402
403 if (!access_ok(VERIFY_WRITE, (unsigned long) address, 1UL<<width_shift)) { 403 if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
404 return -1; 404 return -1;
405 } 405 }
406 406
@@ -663,7 +663,7 @@ void do_reserved_inst(unsigned long error_code, struct pt_regs *regs)
663 /* SHmedia : check for defect. This requires executable vmas 663 /* SHmedia : check for defect. This requires executable vmas
664 to be readable too. */ 664 to be readable too. */
665 aligned_pc = pc & ~3; 665 aligned_pc = pc & ~3;
666 if (!access_ok(VERIFY_READ, aligned_pc, sizeof(insn_size_t))) 666 if (!access_ok(aligned_pc, sizeof(insn_size_t)))
667 get_user_error = -EFAULT; 667 get_user_error = -EFAULT;
668 else 668 else
669 get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc); 669 get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc);
diff --git a/arch/sh/mm/gup.c b/arch/sh/mm/gup.c
index 56c86ca98ecf..3e27f6d1f1ec 100644
--- a/arch/sh/mm/gup.c
+++ b/arch/sh/mm/gup.c
@@ -177,8 +177,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
177 addr = start; 177 addr = start;
178 len = (unsigned long) nr_pages << PAGE_SHIFT; 178 len = (unsigned long) nr_pages << PAGE_SHIFT;
179 end = start + len; 179 end = start + len;
180 if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, 180 if (unlikely(!access_ok((void __user *)start, len)))
181 (void __user *)start, len)))
182 return 0; 181 return 0;
183 182
184 /* 183 /*
diff --git a/arch/sh/oprofile/backtrace.c b/arch/sh/oprofile/backtrace.c
index c7695f99c8c3..8279a7e91043 100644
--- a/arch/sh/oprofile/backtrace.c
+++ b/arch/sh/oprofile/backtrace.c
@@ -51,7 +51,7 @@ user_backtrace(unsigned long *stackaddr, struct pt_regs *regs)
51 unsigned long buf_stack; 51 unsigned long buf_stack;
52 52
53 /* Also check accessibility of address */ 53 /* Also check accessibility of address */
54 if (!access_ok(VERIFY_READ, stackaddr, sizeof(unsigned long))) 54 if (!access_ok(stackaddr, sizeof(unsigned long)))
55 return NULL; 55 return NULL;
56 56
57 if (__copy_from_user_inatomic(&buf_stack, stackaddr, sizeof(unsigned long))) 57 if (__copy_from_user_inatomic(&buf_stack, stackaddr, sizeof(unsigned long)))
diff --git a/arch/sparc/include/asm/checksum_32.h b/arch/sparc/include/asm/checksum_32.h
index d1e53d7aed39..5fc98d80b03b 100644
--- a/arch/sparc/include/asm/checksum_32.h
+++ b/arch/sparc/include/asm/checksum_32.h
@@ -87,7 +87,7 @@ static inline __wsum
87csum_partial_copy_to_user(const void *src, void __user *dst, int len, 87csum_partial_copy_to_user(const void *src, void __user *dst, int len,
88 __wsum sum, int *err) 88 __wsum sum, int *err)
89{ 89{
90 if (!access_ok (VERIFY_WRITE, dst, len)) { 90 if (!access_ok(dst, len)) {
91 *err = -EFAULT; 91 *err = -EFAULT;
92 return sum; 92 return sum;
93 } else { 93 } else {
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index de71c65b99f0..69afb856e181 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -39,7 +39,7 @@
39#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; }) 39#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
40#define __kernel_ok (uaccess_kernel()) 40#define __kernel_ok (uaccess_kernel())
41#define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size))) 41#define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size)))
42#define access_ok(type, addr, size) \ 42#define access_ok(addr, size) \
43 ({ (void)(type); __access_ok((unsigned long)(addr), size); }) 43 ({ (void)(type); __access_ok((unsigned long)(addr), size); })
44 44
45/* 45/*
diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
index cbb308cee394..87ae9ffb1521 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -68,7 +68,7 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
68 return 1; 68 return 1;
69} 69}
70 70
71static inline int access_ok(int type, const void __user * addr, unsigned long size) 71static inline int access_ok(const void __user * addr, unsigned long size)
72{ 72{
73 return 1; 73 return 1;
74} 74}
diff --git a/arch/sparc/kernel/sigutil_32.c b/arch/sparc/kernel/sigutil_32.c
index 1e9fae56a853..f25c6daa9f52 100644
--- a/arch/sparc/kernel/sigutil_32.c
+++ b/arch/sparc/kernel/sigutil_32.c
@@ -65,7 +65,7 @@ int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
65 set_used_math(); 65 set_used_math();
66 clear_tsk_thread_flag(current, TIF_USEDFPU); 66 clear_tsk_thread_flag(current, TIF_USEDFPU);
67 67
68 if (!access_ok(VERIFY_READ, fpu, sizeof(*fpu))) 68 if (!access_ok(fpu, sizeof(*fpu)))
69 return -EFAULT; 69 return -EFAULT;
70 70
71 err = __copy_from_user(&current->thread.float_regs[0], &fpu->si_float_regs[0], 71 err = __copy_from_user(&current->thread.float_regs[0], &fpu->si_float_regs[0],
diff --git a/arch/sparc/kernel/unaligned_32.c b/arch/sparc/kernel/unaligned_32.c
index 64ac8c0c1429..83db94c0b431 100644
--- a/arch/sparc/kernel/unaligned_32.c
+++ b/arch/sparc/kernel/unaligned_32.c
@@ -278,7 +278,6 @@ static inline int ok_for_user(struct pt_regs *regs, unsigned int insn,
278 enum direction dir) 278 enum direction dir)
279{ 279{
280 unsigned int reg; 280 unsigned int reg;
281 int check = (dir == load) ? VERIFY_READ : VERIFY_WRITE;
282 int size = ((insn >> 19) & 3) == 3 ? 8 : 4; 281 int size = ((insn >> 19) & 3) == 3 ? 8 : 4;
283 282
284 if ((regs->pc | regs->npc) & 3) 283 if ((regs->pc | regs->npc) & 3)
@@ -290,18 +289,18 @@ static inline int ok_for_user(struct pt_regs *regs, unsigned int insn,
290 289
291 reg = (insn >> 25) & 0x1f; 290 reg = (insn >> 25) & 0x1f;
292 if (reg >= 16) { 291 if (reg >= 16) {
293 if (!access_ok(check, WINREG_ADDR(reg - 16), size)) 292 if (!access_ok(WINREG_ADDR(reg - 16), size))
294 return -EFAULT; 293 return -EFAULT;
295 } 294 }
296 reg = (insn >> 14) & 0x1f; 295 reg = (insn >> 14) & 0x1f;
297 if (reg >= 16) { 296 if (reg >= 16) {
298 if (!access_ok(check, WINREG_ADDR(reg - 16), size)) 297 if (!access_ok(WINREG_ADDR(reg - 16), size))
299 return -EFAULT; 298 return -EFAULT;
300 } 299 }
301 if (!(insn & 0x2000)) { 300 if (!(insn & 0x2000)) {
302 reg = (insn & 0x1f); 301 reg = (insn & 0x1f);
303 if (reg >= 16) { 302 if (reg >= 16) {
304 if (!access_ok(check, WINREG_ADDR(reg - 16), size)) 303 if (!access_ok(WINREG_ADDR(reg - 16), size))
305 return -EFAULT; 304 return -EFAULT;
306 } 305 }
307 } 306 }
diff --git a/arch/um/kernel/ptrace.c b/arch/um/kernel/ptrace.c
index 1a1d88a4d940..5f47422401e1 100644
--- a/arch/um/kernel/ptrace.c
+++ b/arch/um/kernel/ptrace.c
@@ -66,7 +66,7 @@ long arch_ptrace(struct task_struct *child, long request,
66 66
67#ifdef PTRACE_GETREGS 67#ifdef PTRACE_GETREGS
68 case PTRACE_GETREGS: { /* Get all gp regs from the child. */ 68 case PTRACE_GETREGS: { /* Get all gp regs from the child. */
69 if (!access_ok(VERIFY_WRITE, p, MAX_REG_OFFSET)) { 69 if (!access_ok(p, MAX_REG_OFFSET)) {
70 ret = -EIO; 70 ret = -EIO;
71 break; 71 break;
72 } 72 }
@@ -81,7 +81,7 @@ long arch_ptrace(struct task_struct *child, long request,
81#ifdef PTRACE_SETREGS 81#ifdef PTRACE_SETREGS
82 case PTRACE_SETREGS: { /* Set all gp regs in the child. */ 82 case PTRACE_SETREGS: { /* Set all gp regs in the child. */
83 unsigned long tmp = 0; 83 unsigned long tmp = 0;
84 if (!access_ok(VERIFY_READ, p, MAX_REG_OFFSET)) { 84 if (!access_ok(p, MAX_REG_OFFSET)) {
85 ret = -EIO; 85 ret = -EIO;
86 break; 86 break;
87 } 87 }
diff --git a/arch/unicore32/kernel/signal.c b/arch/unicore32/kernel/signal.c
index 4ae51cf15ade..63be04809d40 100644
--- a/arch/unicore32/kernel/signal.c
+++ b/arch/unicore32/kernel/signal.c
@@ -117,7 +117,7 @@ asmlinkage int __sys_rt_sigreturn(struct pt_regs *regs)
117 117
118 frame = (struct rt_sigframe __user *)regs->UCreg_sp; 118 frame = (struct rt_sigframe __user *)regs->UCreg_sp;
119 119
120 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 120 if (!access_ok(frame, sizeof(*frame)))
121 goto badframe; 121 goto badframe;
122 122
123 if (restore_sigframe(regs, &frame->sig)) 123 if (restore_sigframe(regs, &frame->sig))
@@ -205,7 +205,7 @@ static inline void __user *get_sigframe(struct k_sigaction *ka,
205 /* 205 /*
206 * Check that we can actually write to the signal frame. 206 * Check that we can actually write to the signal frame.
207 */ 207 */
208 if (!access_ok(VERIFY_WRITE, frame, framesize)) 208 if (!access_ok(frame, framesize))
209 frame = NULL; 209 frame = NULL;
210 210
211 return frame; 211 return frame;
diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
index d78bcc03e60e..d9d81ad7a400 100644
--- a/arch/x86/entry/vsyscall/vsyscall_64.c
+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
@@ -99,7 +99,7 @@ static bool write_ok_or_segv(unsigned long ptr, size_t size)
99 * sig_on_uaccess_err, this could go away. 99 * sig_on_uaccess_err, this could go away.
100 */ 100 */
101 101
102 if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) { 102 if (!access_ok((void __user *)ptr, size)) {
103 struct thread_struct *thread = &current->thread; 103 struct thread_struct *thread = &current->thread;
104 104
105 thread->error_code = X86_PF_USER | X86_PF_WRITE; 105 thread->error_code = X86_PF_USER | X86_PF_WRITE;
diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
index 8e02b30cf08e..f65b78d32f5e 100644
--- a/arch/x86/ia32/ia32_aout.c
+++ b/arch/x86/ia32/ia32_aout.c
@@ -176,10 +176,10 @@ static int aout_core_dump(struct coredump_params *cprm)
176 176
177 /* make sure we actually have a data and stack area to dump */ 177 /* make sure we actually have a data and stack area to dump */
178 set_fs(USER_DS); 178 set_fs(USER_DS);
179 if (!access_ok(VERIFY_READ, (void *) (unsigned long)START_DATA(dump), 179 if (!access_ok((void *) (unsigned long)START_DATA(dump),
180 dump.u_dsize << PAGE_SHIFT)) 180 dump.u_dsize << PAGE_SHIFT))
181 dump.u_dsize = 0; 181 dump.u_dsize = 0;
182 if (!access_ok(VERIFY_READ, (void *) (unsigned long)START_STACK(dump), 182 if (!access_ok((void *) (unsigned long)START_STACK(dump),
183 dump.u_ssize << PAGE_SHIFT)) 183 dump.u_ssize << PAGE_SHIFT))
184 dump.u_ssize = 0; 184 dump.u_ssize = 0;
185 185
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 86b1341cba9a..321fe5f5d0e9 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -119,7 +119,7 @@ asmlinkage long sys32_sigreturn(void)
119 struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); 119 struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
120 sigset_t set; 120 sigset_t set;
121 121
122 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 122 if (!access_ok(frame, sizeof(*frame)))
123 goto badframe; 123 goto badframe;
124 if (__get_user(set.sig[0], &frame->sc.oldmask) 124 if (__get_user(set.sig[0], &frame->sc.oldmask)
125 || (_COMPAT_NSIG_WORDS > 1 125 || (_COMPAT_NSIG_WORDS > 1
@@ -147,7 +147,7 @@ asmlinkage long sys32_rt_sigreturn(void)
147 147
148 frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); 148 frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4);
149 149
150 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 150 if (!access_ok(frame, sizeof(*frame)))
151 goto badframe; 151 goto badframe;
152 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 152 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
153 goto badframe; 153 goto badframe;
@@ -269,7 +269,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
269 269
270 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate); 270 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
271 271
272 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 272 if (!access_ok(frame, sizeof(*frame)))
273 return -EFAULT; 273 return -EFAULT;
274 274
275 if (__put_user(sig, &frame->sig)) 275 if (__put_user(sig, &frame->sig))
@@ -349,7 +349,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
349 349
350 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate); 350 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
351 351
352 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 352 if (!access_ok(frame, sizeof(*frame)))
353 return -EFAULT; 353 return -EFAULT;
354 354
355 put_user_try { 355 put_user_try {
diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
index 11ef7b7c9cc8..a43212036257 100644
--- a/arch/x86/ia32/sys_ia32.c
+++ b/arch/x86/ia32/sys_ia32.c
@@ -75,7 +75,7 @@ static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
75 typeof(ubuf->st_gid) gid = 0; 75 typeof(ubuf->st_gid) gid = 0;
76 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid)); 76 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
77 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid)); 77 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
78 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) || 78 if (!access_ok(ubuf, sizeof(struct stat64)) ||
79 __put_user(huge_encode_dev(stat->dev), &ubuf->st_dev) || 79 __put_user(huge_encode_dev(stat->dev), &ubuf->st_dev) ||
80 __put_user(stat->ino, &ubuf->__st_ino) || 80 __put_user(stat->ino, &ubuf->__st_ino) ||
81 __put_user(stat->ino, &ubuf->st_ino) || 81 __put_user(stat->ino, &ubuf->st_ino) ||
diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
index 7a659c74cd03..f57b94e02c57 100644
--- a/arch/x86/include/asm/checksum_32.h
+++ b/arch/x86/include/asm/checksum_32.h
@@ -182,7 +182,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
182 __wsum ret; 182 __wsum ret;
183 183
184 might_sleep(); 184 might_sleep();
185 if (access_ok(VERIFY_WRITE, dst, len)) { 185 if (access_ok(dst, len)) {
186 stac(); 186 stac();
187 ret = csum_partial_copy_generic(src, (__force void *)dst, 187 ret = csum_partial_copy_generic(src, (__force void *)dst,
188 len, sum, NULL, err_ptr); 188 len, sum, NULL, err_ptr);
diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
index b3ec519e3982..4fe9e7fc74d3 100644
--- a/arch/x86/include/asm/pgtable_32.h
+++ b/arch/x86/include/asm/pgtable_32.h
@@ -37,7 +37,7 @@ void sync_initial_page_table(void);
37/* 37/*
38 * Define this if things work differently on an i386 and an i486: 38 * Define this if things work differently on an i386 and an i486:
39 * it will (on an i486) warn about kernel memory accesses that are 39 * it will (on an i486) warn about kernel memory accesses that are
40 * done without a 'access_ok(VERIFY_WRITE,..)' 40 * done without a 'access_ok( ..)'
41 */ 41 */
42#undef TEST_ACCESS_OK 42#undef TEST_ACCESS_OK
43 43
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index b5e58cc0c5e7..3920f456db79 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -77,9 +77,6 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
77 77
78/** 78/**
79 * access_ok: - Checks if a user space pointer is valid 79 * access_ok: - Checks if a user space pointer is valid
80 * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
81 * %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
82 * to write to a block, it is always safe to read from it.
83 * @addr: User space pointer to start of block to check 80 * @addr: User space pointer to start of block to check
84 * @size: Size of block to check 81 * @size: Size of block to check
85 * 82 *
@@ -95,7 +92,7 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
95 * checks that the pointer is in the user space range - after calling 92 * checks that the pointer is in the user space range - after calling
96 * this function, memory access functions may still return -EFAULT. 93 * this function, memory access functions may still return -EFAULT.
97 */ 94 */
98#define access_ok(type, addr, size) \ 95#define access_ok(addr, size) \
99({ \ 96({ \
100 WARN_ON_IN_IRQ(); \ 97 WARN_ON_IN_IRQ(); \
101 likely(!__range_not_ok(addr, size, user_addr_max())); \ 98 likely(!__range_not_ok(addr, size, user_addr_max())); \
@@ -670,7 +667,7 @@ extern void __cmpxchg_wrong_size(void)
670 667
671#define user_atomic_cmpxchg_inatomic(uval, ptr, old, new) \ 668#define user_atomic_cmpxchg_inatomic(uval, ptr, old, new) \
672({ \ 669({ \
673 access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ? \ 670 access_ok((ptr), sizeof(*(ptr))) ? \
674 __user_atomic_cmpxchg_inatomic((uval), (ptr), \ 671 __user_atomic_cmpxchg_inatomic((uval), (ptr), \
675 (old), (new), sizeof(*(ptr))) : \ 672 (old), (new), sizeof(*(ptr))) : \
676 -EFAULT; \ 673 -EFAULT; \
diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index d99a8ee9e185..f6a1d299627c 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -164,7 +164,7 @@ int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
164 ia32_fxstate &= (IS_ENABLED(CONFIG_X86_32) || 164 ia32_fxstate &= (IS_ENABLED(CONFIG_X86_32) ||
165 IS_ENABLED(CONFIG_IA32_EMULATION)); 165 IS_ENABLED(CONFIG_IA32_EMULATION));
166 166
167 if (!access_ok(VERIFY_WRITE, buf, size)) 167 if (!access_ok(buf, size))
168 return -EACCES; 168 return -EACCES;
169 169
170 if (!static_cpu_has(X86_FEATURE_FPU)) 170 if (!static_cpu_has(X86_FEATURE_FPU))
@@ -281,7 +281,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
281 return 0; 281 return 0;
282 } 282 }
283 283
284 if (!access_ok(VERIFY_READ, buf, size)) 284 if (!access_ok(buf, size))
285 return -EACCES; 285 return -EACCES;
286 286
287 fpu__initialize(fpu); 287 fpu__initialize(fpu);
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index 92a3b312a53c..08dfd4c1a4f9 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -322,7 +322,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
322 322
323 frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate); 323 frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
324 324
325 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 325 if (!access_ok(frame, sizeof(*frame)))
326 return -EFAULT; 326 return -EFAULT;
327 327
328 if (__put_user(sig, &frame->sig)) 328 if (__put_user(sig, &frame->sig))
@@ -385,7 +385,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
385 385
386 frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate); 386 frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
387 387
388 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 388 if (!access_ok(frame, sizeof(*frame)))
389 return -EFAULT; 389 return -EFAULT;
390 390
391 put_user_try { 391 put_user_try {
@@ -465,7 +465,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
465 465
466 frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp); 466 frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp);
467 467
468 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 468 if (!access_ok(frame, sizeof(*frame)))
469 return -EFAULT; 469 return -EFAULT;
470 470
471 if (ksig->ka.sa.sa_flags & SA_SIGINFO) { 471 if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
@@ -547,7 +547,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
547 547
548 frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate); 548 frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
549 549
550 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 550 if (!access_ok(frame, sizeof(*frame)))
551 return -EFAULT; 551 return -EFAULT;
552 552
553 if (ksig->ka.sa.sa_flags & SA_SIGINFO) { 553 if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
@@ -610,7 +610,7 @@ SYSCALL_DEFINE0(sigreturn)
610 610
611 frame = (struct sigframe __user *)(regs->sp - 8); 611 frame = (struct sigframe __user *)(regs->sp - 8);
612 612
613 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 613 if (!access_ok(frame, sizeof(*frame)))
614 goto badframe; 614 goto badframe;
615 if (__get_user(set.sig[0], &frame->sc.oldmask) || (_NSIG_WORDS > 1 615 if (__get_user(set.sig[0], &frame->sc.oldmask) || (_NSIG_WORDS > 1
616 && __copy_from_user(&set.sig[1], &frame->extramask, 616 && __copy_from_user(&set.sig[1], &frame->extramask,
@@ -642,7 +642,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
642 unsigned long uc_flags; 642 unsigned long uc_flags;
643 643
644 frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long)); 644 frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long));
645 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 645 if (!access_ok(frame, sizeof(*frame)))
646 goto badframe; 646 goto badframe;
647 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 647 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
648 goto badframe; 648 goto badframe;
@@ -871,7 +871,7 @@ asmlinkage long sys32_x32_rt_sigreturn(void)
871 871
872 frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8); 872 frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8);
873 873
874 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 874 if (!access_ok(frame, sizeof(*frame)))
875 goto badframe; 875 goto badframe;
876 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 876 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
877 goto badframe; 877 goto badframe;
diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 7627455047c2..5c2d71a1dc06 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -177,7 +177,7 @@ copy_stack_frame(const void __user *fp, struct stack_frame_user *frame)
177{ 177{
178 int ret; 178 int ret;
179 179
180 if (!access_ok(VERIFY_READ, fp, sizeof(*frame))) 180 if (!access_ok(fp, sizeof(*frame)))
181 return 0; 181 return 0;
182 182
183 ret = 1; 183 ret = 1;
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index c2fd39752da8..a092b6b40c6b 100644
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -114,7 +114,7 @@ void save_v86_state(struct kernel_vm86_regs *regs, int retval)
114 set_flags(regs->pt.flags, VEFLAGS, X86_EFLAGS_VIF | vm86->veflags_mask); 114 set_flags(regs->pt.flags, VEFLAGS, X86_EFLAGS_VIF | vm86->veflags_mask);
115 user = vm86->user_vm86; 115 user = vm86->user_vm86;
116 116
117 if (!access_ok(VERIFY_WRITE, user, vm86->vm86plus.is_vm86pus ? 117 if (!access_ok(user, vm86->vm86plus.is_vm86pus ?
118 sizeof(struct vm86plus_struct) : 118 sizeof(struct vm86plus_struct) :
119 sizeof(struct vm86_struct))) { 119 sizeof(struct vm86_struct))) {
120 pr_alert("could not access userspace vm86 info\n"); 120 pr_alert("could not access userspace vm86 info\n");
@@ -278,7 +278,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus)
278 if (vm86->saved_sp0) 278 if (vm86->saved_sp0)
279 return -EPERM; 279 return -EPERM;
280 280
281 if (!access_ok(VERIFY_READ, user_vm86, plus ? 281 if (!access_ok(user_vm86, plus ?
282 sizeof(struct vm86_struct) : 282 sizeof(struct vm86_struct) :
283 sizeof(struct vm86plus_struct))) 283 sizeof(struct vm86plus_struct)))
284 return -EFAULT; 284 return -EFAULT;
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
index 8bd53589ecfb..a6a2b7dccbff 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
@@ -27,7 +27,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
27 might_sleep(); 27 might_sleep();
28 *errp = 0; 28 *errp = 0;
29 29
30 if (!likely(access_ok(VERIFY_READ, src, len))) 30 if (!likely(access_ok(src, len)))
31 goto out_err; 31 goto out_err;
32 32
33 /* 33 /*
@@ -89,7 +89,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
89 89
90 might_sleep(); 90 might_sleep();
91 91
92 if (unlikely(!access_ok(VERIFY_WRITE, dst, len))) { 92 if (unlikely(!access_ok(dst, len))) {
93 *errp = -EFAULT; 93 *errp = -EFAULT;
94 return 0; 94 return 0;
95 } 95 }
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
index 71fb58d44d58..bfd94e7812fc 100644
--- a/arch/x86/lib/usercopy_32.c
+++ b/arch/x86/lib/usercopy_32.c
@@ -67,7 +67,7 @@ unsigned long
67clear_user(void __user *to, unsigned long n) 67clear_user(void __user *to, unsigned long n)
68{ 68{
69 might_fault(); 69 might_fault();
70 if (access_ok(VERIFY_WRITE, to, n)) 70 if (access_ok(to, n))
71 __do_clear_user(to, n); 71 __do_clear_user(to, n);
72 return n; 72 return n;
73} 73}
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
index 1bd837cdc4b1..ee42bb0cbeb3 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -48,7 +48,7 @@ EXPORT_SYMBOL(__clear_user);
48 48
49unsigned long clear_user(void __user *to, unsigned long n) 49unsigned long clear_user(void __user *to, unsigned long n)
50{ 50{
51 if (access_ok(VERIFY_WRITE, to, n)) 51 if (access_ok(to, n))
52 return __clear_user(to, n); 52 return __clear_user(to, n);
53 return n; 53 return n;
54} 54}
diff --git a/arch/x86/math-emu/fpu_system.h b/arch/x86/math-emu/fpu_system.h
index c8b1b31ed7c4..f98a0c956764 100644
--- a/arch/x86/math-emu/fpu_system.h
+++ b/arch/x86/math-emu/fpu_system.h
@@ -104,7 +104,7 @@ static inline bool seg_writable(struct desc_struct *d)
104#define instruction_address (*(struct address *)&I387->soft.fip) 104#define instruction_address (*(struct address *)&I387->soft.fip)
105#define operand_address (*(struct address *)&I387->soft.foo) 105#define operand_address (*(struct address *)&I387->soft.foo)
106 106
107#define FPU_access_ok(x,y,z) if ( !access_ok(x,y,z) ) \ 107#define FPU_access_ok(y,z) if ( !access_ok(y,z) ) \
108 math_abort(FPU_info,SIGSEGV) 108 math_abort(FPU_info,SIGSEGV)
109#define FPU_abort math_abort(FPU_info, SIGSEGV) 109#define FPU_abort math_abort(FPU_info, SIGSEGV)
110 110
@@ -119,7 +119,7 @@ static inline bool seg_writable(struct desc_struct *d)
119/* A simpler test than access_ok() can probably be done for 119/* A simpler test than access_ok() can probably be done for
120 FPU_code_access_ok() because the only possible error is to step 120 FPU_code_access_ok() because the only possible error is to step
121 past the upper boundary of a legal code area. */ 121 past the upper boundary of a legal code area. */
122#define FPU_code_access_ok(z) FPU_access_ok(VERIFY_READ,(void __user *)FPU_EIP,z) 122#define FPU_code_access_ok(z) FPU_access_ok((void __user *)FPU_EIP,z)
123#endif 123#endif
124 124
125#define FPU_get_user(x,y) get_user((x),(y)) 125#define FPU_get_user(x,y) get_user((x),(y))
diff --git a/arch/x86/math-emu/load_store.c b/arch/x86/math-emu/load_store.c
index f821a9cd7753..f15263e158e8 100644
--- a/arch/x86/math-emu/load_store.c
+++ b/arch/x86/math-emu/load_store.c
@@ -251,7 +251,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
251 break; 251 break;
252 case 024: /* fldcw */ 252 case 024: /* fldcw */
253 RE_ENTRANT_CHECK_OFF; 253 RE_ENTRANT_CHECK_OFF;
254 FPU_access_ok(VERIFY_READ, data_address, 2); 254 FPU_access_ok(data_address, 2);
255 FPU_get_user(control_word, 255 FPU_get_user(control_word,
256 (unsigned short __user *)data_address); 256 (unsigned short __user *)data_address);
257 RE_ENTRANT_CHECK_ON; 257 RE_ENTRANT_CHECK_ON;
@@ -291,7 +291,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
291 break; 291 break;
292 case 034: /* fstcw m16int */ 292 case 034: /* fstcw m16int */
293 RE_ENTRANT_CHECK_OFF; 293 RE_ENTRANT_CHECK_OFF;
294 FPU_access_ok(VERIFY_WRITE, data_address, 2); 294 FPU_access_ok(data_address, 2);
295 FPU_put_user(control_word, 295 FPU_put_user(control_word,
296 (unsigned short __user *)data_address); 296 (unsigned short __user *)data_address);
297 RE_ENTRANT_CHECK_ON; 297 RE_ENTRANT_CHECK_ON;
@@ -305,7 +305,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
305 break; 305 break;
306 case 036: /* fstsw m2byte */ 306 case 036: /* fstsw m2byte */
307 RE_ENTRANT_CHECK_OFF; 307 RE_ENTRANT_CHECK_OFF;
308 FPU_access_ok(VERIFY_WRITE, data_address, 2); 308 FPU_access_ok(data_address, 2);
309 FPU_put_user(status_word(), 309 FPU_put_user(status_word(),
310 (unsigned short __user *)data_address); 310 (unsigned short __user *)data_address);
311 RE_ENTRANT_CHECK_ON; 311 RE_ENTRANT_CHECK_ON;
diff --git a/arch/x86/math-emu/reg_ld_str.c b/arch/x86/math-emu/reg_ld_str.c
index d40ff45497b9..f3779743d15e 100644
--- a/arch/x86/math-emu/reg_ld_str.c
+++ b/arch/x86/math-emu/reg_ld_str.c
@@ -84,7 +84,7 @@ int FPU_load_extended(long double __user *s, int stnr)
84 FPU_REG *sti_ptr = &st(stnr); 84 FPU_REG *sti_ptr = &st(stnr);
85 85
86 RE_ENTRANT_CHECK_OFF; 86 RE_ENTRANT_CHECK_OFF;
87 FPU_access_ok(VERIFY_READ, s, 10); 87 FPU_access_ok(s, 10);
88 __copy_from_user(sti_ptr, s, 10); 88 __copy_from_user(sti_ptr, s, 10);
89 RE_ENTRANT_CHECK_ON; 89 RE_ENTRANT_CHECK_ON;
90 90
@@ -98,7 +98,7 @@ int FPU_load_double(double __user *dfloat, FPU_REG *loaded_data)
98 unsigned m64, l64; 98 unsigned m64, l64;
99 99
100 RE_ENTRANT_CHECK_OFF; 100 RE_ENTRANT_CHECK_OFF;
101 FPU_access_ok(VERIFY_READ, dfloat, 8); 101 FPU_access_ok(dfloat, 8);
102 FPU_get_user(m64, 1 + (unsigned long __user *)dfloat); 102 FPU_get_user(m64, 1 + (unsigned long __user *)dfloat);
103 FPU_get_user(l64, (unsigned long __user *)dfloat); 103 FPU_get_user(l64, (unsigned long __user *)dfloat);
104 RE_ENTRANT_CHECK_ON; 104 RE_ENTRANT_CHECK_ON;
@@ -159,7 +159,7 @@ int FPU_load_single(float __user *single, FPU_REG *loaded_data)
159 int exp, tag, negative; 159 int exp, tag, negative;
160 160
161 RE_ENTRANT_CHECK_OFF; 161 RE_ENTRANT_CHECK_OFF;
162 FPU_access_ok(VERIFY_READ, single, 4); 162 FPU_access_ok(single, 4);
163 FPU_get_user(m32, (unsigned long __user *)single); 163 FPU_get_user(m32, (unsigned long __user *)single);
164 RE_ENTRANT_CHECK_ON; 164 RE_ENTRANT_CHECK_ON;
165 165
@@ -214,7 +214,7 @@ int FPU_load_int64(long long __user *_s)
214 FPU_REG *st0_ptr = &st(0); 214 FPU_REG *st0_ptr = &st(0);
215 215
216 RE_ENTRANT_CHECK_OFF; 216 RE_ENTRANT_CHECK_OFF;
217 FPU_access_ok(VERIFY_READ, _s, 8); 217 FPU_access_ok(_s, 8);
218 if (copy_from_user(&s, _s, 8)) 218 if (copy_from_user(&s, _s, 8))
219 FPU_abort; 219 FPU_abort;
220 RE_ENTRANT_CHECK_ON; 220 RE_ENTRANT_CHECK_ON;
@@ -243,7 +243,7 @@ int FPU_load_int32(long __user *_s, FPU_REG *loaded_data)
243 int negative; 243 int negative;
244 244
245 RE_ENTRANT_CHECK_OFF; 245 RE_ENTRANT_CHECK_OFF;
246 FPU_access_ok(VERIFY_READ, _s, 4); 246 FPU_access_ok(_s, 4);
247 FPU_get_user(s, _s); 247 FPU_get_user(s, _s);
248 RE_ENTRANT_CHECK_ON; 248 RE_ENTRANT_CHECK_ON;
249 249
@@ -271,7 +271,7 @@ int FPU_load_int16(short __user *_s, FPU_REG *loaded_data)
271 int s, negative; 271 int s, negative;
272 272
273 RE_ENTRANT_CHECK_OFF; 273 RE_ENTRANT_CHECK_OFF;
274 FPU_access_ok(VERIFY_READ, _s, 2); 274 FPU_access_ok(_s, 2);
275 /* Cast as short to get the sign extended. */ 275 /* Cast as short to get the sign extended. */
276 FPU_get_user(s, _s); 276 FPU_get_user(s, _s);
277 RE_ENTRANT_CHECK_ON; 277 RE_ENTRANT_CHECK_ON;
@@ -304,7 +304,7 @@ int FPU_load_bcd(u_char __user *s)
304 int sign; 304 int sign;
305 305
306 RE_ENTRANT_CHECK_OFF; 306 RE_ENTRANT_CHECK_OFF;
307 FPU_access_ok(VERIFY_READ, s, 10); 307 FPU_access_ok(s, 10);
308 RE_ENTRANT_CHECK_ON; 308 RE_ENTRANT_CHECK_ON;
309 for (pos = 8; pos >= 0; pos--) { 309 for (pos = 8; pos >= 0; pos--) {
310 l *= 10; 310 l *= 10;
@@ -345,7 +345,7 @@ int FPU_store_extended(FPU_REG *st0_ptr, u_char st0_tag,
345 345
346 if (st0_tag != TAG_Empty) { 346 if (st0_tag != TAG_Empty) {
347 RE_ENTRANT_CHECK_OFF; 347 RE_ENTRANT_CHECK_OFF;
348 FPU_access_ok(VERIFY_WRITE, d, 10); 348 FPU_access_ok(d, 10);
349 349
350 FPU_put_user(st0_ptr->sigl, (unsigned long __user *)d); 350 FPU_put_user(st0_ptr->sigl, (unsigned long __user *)d);
351 FPU_put_user(st0_ptr->sigh, 351 FPU_put_user(st0_ptr->sigh,
@@ -364,7 +364,7 @@ int FPU_store_extended(FPU_REG *st0_ptr, u_char st0_tag,
364 /* The masked response */ 364 /* The masked response */
365 /* Put out the QNaN indefinite */ 365 /* Put out the QNaN indefinite */
366 RE_ENTRANT_CHECK_OFF; 366 RE_ENTRANT_CHECK_OFF;
367 FPU_access_ok(VERIFY_WRITE, d, 10); 367 FPU_access_ok(d, 10);
368 FPU_put_user(0, (unsigned long __user *)d); 368 FPU_put_user(0, (unsigned long __user *)d);
369 FPU_put_user(0xc0000000, 1 + (unsigned long __user *)d); 369 FPU_put_user(0xc0000000, 1 + (unsigned long __user *)d);
370 FPU_put_user(0xffff, 4 + (short __user *)d); 370 FPU_put_user(0xffff, 4 + (short __user *)d);
@@ -539,7 +539,7 @@ denormal_arg:
539 /* The masked response */ 539 /* The masked response */
540 /* Put out the QNaN indefinite */ 540 /* Put out the QNaN indefinite */
541 RE_ENTRANT_CHECK_OFF; 541 RE_ENTRANT_CHECK_OFF;
542 FPU_access_ok(VERIFY_WRITE, dfloat, 8); 542 FPU_access_ok(dfloat, 8);
543 FPU_put_user(0, (unsigned long __user *)dfloat); 543 FPU_put_user(0, (unsigned long __user *)dfloat);
544 FPU_put_user(0xfff80000, 544 FPU_put_user(0xfff80000,
545 1 + (unsigned long __user *)dfloat); 545 1 + (unsigned long __user *)dfloat);
@@ -552,7 +552,7 @@ denormal_arg:
552 l[1] |= 0x80000000; 552 l[1] |= 0x80000000;
553 553
554 RE_ENTRANT_CHECK_OFF; 554 RE_ENTRANT_CHECK_OFF;
555 FPU_access_ok(VERIFY_WRITE, dfloat, 8); 555 FPU_access_ok(dfloat, 8);
556 FPU_put_user(l[0], (unsigned long __user *)dfloat); 556 FPU_put_user(l[0], (unsigned long __user *)dfloat);
557 FPU_put_user(l[1], 1 + (unsigned long __user *)dfloat); 557 FPU_put_user(l[1], 1 + (unsigned long __user *)dfloat);
558 RE_ENTRANT_CHECK_ON; 558 RE_ENTRANT_CHECK_ON;
@@ -724,7 +724,7 @@ int FPU_store_single(FPU_REG *st0_ptr, u_char st0_tag, float __user *single)
724 /* The masked response */ 724 /* The masked response */
725 /* Put out the QNaN indefinite */ 725 /* Put out the QNaN indefinite */
726 RE_ENTRANT_CHECK_OFF; 726 RE_ENTRANT_CHECK_OFF;
727 FPU_access_ok(VERIFY_WRITE, single, 4); 727 FPU_access_ok(single, 4);
728 FPU_put_user(0xffc00000, 728 FPU_put_user(0xffc00000,
729 (unsigned long __user *)single); 729 (unsigned long __user *)single);
730 RE_ENTRANT_CHECK_ON; 730 RE_ENTRANT_CHECK_ON;
@@ -742,7 +742,7 @@ int FPU_store_single(FPU_REG *st0_ptr, u_char st0_tag, float __user *single)
742 templ |= 0x80000000; 742 templ |= 0x80000000;
743 743
744 RE_ENTRANT_CHECK_OFF; 744 RE_ENTRANT_CHECK_OFF;
745 FPU_access_ok(VERIFY_WRITE, single, 4); 745 FPU_access_ok(single, 4);
746 FPU_put_user(templ, (unsigned long __user *)single); 746 FPU_put_user(templ, (unsigned long __user *)single);
747 RE_ENTRANT_CHECK_ON; 747 RE_ENTRANT_CHECK_ON;
748 748
@@ -791,7 +791,7 @@ int FPU_store_int64(FPU_REG *st0_ptr, u_char st0_tag, long long __user *d)
791 } 791 }
792 792
793 RE_ENTRANT_CHECK_OFF; 793 RE_ENTRANT_CHECK_OFF;
794 FPU_access_ok(VERIFY_WRITE, d, 8); 794 FPU_access_ok(d, 8);
795 if (copy_to_user(d, &tll, 8)) 795 if (copy_to_user(d, &tll, 8))
796 FPU_abort; 796 FPU_abort;
797 RE_ENTRANT_CHECK_ON; 797 RE_ENTRANT_CHECK_ON;
@@ -838,7 +838,7 @@ int FPU_store_int32(FPU_REG *st0_ptr, u_char st0_tag, long __user *d)
838 } 838 }
839 839
840 RE_ENTRANT_CHECK_OFF; 840 RE_ENTRANT_CHECK_OFF;
841 FPU_access_ok(VERIFY_WRITE, d, 4); 841 FPU_access_ok(d, 4);
842 FPU_put_user(t.sigl, (unsigned long __user *)d); 842 FPU_put_user(t.sigl, (unsigned long __user *)d);
843 RE_ENTRANT_CHECK_ON; 843 RE_ENTRANT_CHECK_ON;
844 844
@@ -884,7 +884,7 @@ int FPU_store_int16(FPU_REG *st0_ptr, u_char st0_tag, short __user *d)
884 } 884 }
885 885
886 RE_ENTRANT_CHECK_OFF; 886 RE_ENTRANT_CHECK_OFF;
887 FPU_access_ok(VERIFY_WRITE, d, 2); 887 FPU_access_ok(d, 2);
888 FPU_put_user((short)t.sigl, d); 888 FPU_put_user((short)t.sigl, d);
889 RE_ENTRANT_CHECK_ON; 889 RE_ENTRANT_CHECK_ON;
890 890
@@ -925,7 +925,7 @@ int FPU_store_bcd(FPU_REG *st0_ptr, u_char st0_tag, u_char __user *d)
925 if (control_word & CW_Invalid) { 925 if (control_word & CW_Invalid) {
926 /* Produce the QNaN "indefinite" */ 926 /* Produce the QNaN "indefinite" */
927 RE_ENTRANT_CHECK_OFF; 927 RE_ENTRANT_CHECK_OFF;
928 FPU_access_ok(VERIFY_WRITE, d, 10); 928 FPU_access_ok(d, 10);
929 for (i = 0; i < 7; i++) 929 for (i = 0; i < 7; i++)
930 FPU_put_user(0, d + i); /* These bytes "undefined" */ 930 FPU_put_user(0, d + i); /* These bytes "undefined" */
931 FPU_put_user(0xc0, d + 7); /* This byte "undefined" */ 931 FPU_put_user(0xc0, d + 7); /* This byte "undefined" */
@@ -941,7 +941,7 @@ int FPU_store_bcd(FPU_REG *st0_ptr, u_char st0_tag, u_char __user *d)
941 } 941 }
942 942
943 RE_ENTRANT_CHECK_OFF; 943 RE_ENTRANT_CHECK_OFF;
944 FPU_access_ok(VERIFY_WRITE, d, 10); 944 FPU_access_ok(d, 10);
945 RE_ENTRANT_CHECK_ON; 945 RE_ENTRANT_CHECK_ON;
946 for (i = 0; i < 9; i++) { 946 for (i = 0; i < 9; i++) {
947 b = FPU_div_small(&ll, 10); 947 b = FPU_div_small(&ll, 10);
@@ -1034,7 +1034,7 @@ u_char __user *fldenv(fpu_addr_modes addr_modes, u_char __user *s)
1034 ((addr_modes.default_mode == PM16) 1034 ((addr_modes.default_mode == PM16)
1035 ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) { 1035 ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) {
1036 RE_ENTRANT_CHECK_OFF; 1036 RE_ENTRANT_CHECK_OFF;
1037 FPU_access_ok(VERIFY_READ, s, 0x0e); 1037 FPU_access_ok(s, 0x0e);
1038 FPU_get_user(control_word, (unsigned short __user *)s); 1038 FPU_get_user(control_word, (unsigned short __user *)s);
1039 FPU_get_user(partial_status, (unsigned short __user *)(s + 2)); 1039 FPU_get_user(partial_status, (unsigned short __user *)(s + 2));
1040 FPU_get_user(tag_word, (unsigned short __user *)(s + 4)); 1040 FPU_get_user(tag_word, (unsigned short __user *)(s + 4));
@@ -1056,7 +1056,7 @@ u_char __user *fldenv(fpu_addr_modes addr_modes, u_char __user *s)
1056 } 1056 }
1057 } else { 1057 } else {
1058 RE_ENTRANT_CHECK_OFF; 1058 RE_ENTRANT_CHECK_OFF;
1059 FPU_access_ok(VERIFY_READ, s, 0x1c); 1059 FPU_access_ok(s, 0x1c);
1060 FPU_get_user(control_word, (unsigned short __user *)s); 1060 FPU_get_user(control_word, (unsigned short __user *)s);
1061 FPU_get_user(partial_status, (unsigned short __user *)(s + 4)); 1061 FPU_get_user(partial_status, (unsigned short __user *)(s + 4));
1062 FPU_get_user(tag_word, (unsigned short __user *)(s + 8)); 1062 FPU_get_user(tag_word, (unsigned short __user *)(s + 8));
@@ -1125,7 +1125,7 @@ void frstor(fpu_addr_modes addr_modes, u_char __user *data_address)
1125 1125
1126 /* Copy all registers in stack order. */ 1126 /* Copy all registers in stack order. */
1127 RE_ENTRANT_CHECK_OFF; 1127 RE_ENTRANT_CHECK_OFF;
1128 FPU_access_ok(VERIFY_READ, s, 80); 1128 FPU_access_ok(s, 80);
1129 __copy_from_user(register_base + offset, s, other); 1129 __copy_from_user(register_base + offset, s, other);
1130 if (offset) 1130 if (offset)
1131 __copy_from_user(register_base, s + other, offset); 1131 __copy_from_user(register_base, s + other, offset);
@@ -1146,7 +1146,7 @@ u_char __user *fstenv(fpu_addr_modes addr_modes, u_char __user *d)
1146 ((addr_modes.default_mode == PM16) 1146 ((addr_modes.default_mode == PM16)
1147 ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) { 1147 ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) {
1148 RE_ENTRANT_CHECK_OFF; 1148 RE_ENTRANT_CHECK_OFF;
1149 FPU_access_ok(VERIFY_WRITE, d, 14); 1149 FPU_access_ok(d, 14);
1150#ifdef PECULIAR_486 1150#ifdef PECULIAR_486
1151 FPU_put_user(control_word & ~0xe080, (unsigned long __user *)d); 1151 FPU_put_user(control_word & ~0xe080, (unsigned long __user *)d);
1152#else 1152#else
@@ -1174,7 +1174,7 @@ u_char __user *fstenv(fpu_addr_modes addr_modes, u_char __user *d)
1174 d += 0x0e; 1174 d += 0x0e;
1175 } else { 1175 } else {
1176 RE_ENTRANT_CHECK_OFF; 1176 RE_ENTRANT_CHECK_OFF;
1177 FPU_access_ok(VERIFY_WRITE, d, 7 * 4); 1177 FPU_access_ok(d, 7 * 4);
1178#ifdef PECULIAR_486 1178#ifdef PECULIAR_486
1179 control_word &= ~0xe080; 1179 control_word &= ~0xe080;
1180 /* An 80486 sets nearly all of the reserved bits to 1. */ 1180 /* An 80486 sets nearly all of the reserved bits to 1. */
@@ -1204,7 +1204,7 @@ void fsave(fpu_addr_modes addr_modes, u_char __user *data_address)
1204 d = fstenv(addr_modes, data_address); 1204 d = fstenv(addr_modes, data_address);
1205 1205
1206 RE_ENTRANT_CHECK_OFF; 1206 RE_ENTRANT_CHECK_OFF;
1207 FPU_access_ok(VERIFY_WRITE, d, 80); 1207 FPU_access_ok(d, 80);
1208 1208
1209 /* Copy all registers in stack order. */ 1209 /* Copy all registers in stack order. */
1210 if (__copy_to_user(d, register_base + offset, other)) 1210 if (__copy_to_user(d, register_base + offset, other))
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index 2385538e8065..de1851d15699 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -495,7 +495,7 @@ static int get_bt_addr(struct mm_struct *mm,
495 unsigned long bd_entry; 495 unsigned long bd_entry;
496 unsigned long bt_addr; 496 unsigned long bt_addr;
497 497
498 if (!access_ok(VERIFY_READ, (bd_entry_ptr), sizeof(*bd_entry_ptr))) 498 if (!access_ok((bd_entry_ptr), sizeof(*bd_entry_ptr)))
499 return -EFAULT; 499 return -EFAULT;
500 500
501 while (1) { 501 while (1) {
diff --git a/arch/x86/um/asm/checksum_32.h b/arch/x86/um/asm/checksum_32.h
index 83a75f8a1233..b9ac7c9eb72c 100644
--- a/arch/x86/um/asm/checksum_32.h
+++ b/arch/x86/um/asm/checksum_32.h
@@ -43,7 +43,7 @@ static __inline__ __wsum csum_and_copy_to_user(const void *src,
43 void __user *dst, 43 void __user *dst,
44 int len, __wsum sum, int *err_ptr) 44 int len, __wsum sum, int *err_ptr)
45{ 45{
46 if (access_ok(VERIFY_WRITE, dst, len)) { 46 if (access_ok(dst, len)) {
47 if (copy_to_user(dst, src, len)) { 47 if (copy_to_user(dst, src, len)) {
48 *err_ptr = -EFAULT; 48 *err_ptr = -EFAULT;
49 return (__force __wsum)-1; 49 return (__force __wsum)-1;
diff --git a/arch/x86/um/signal.c b/arch/x86/um/signal.c
index 727ed442e0a5..8b4a71efe7ee 100644
--- a/arch/x86/um/signal.c
+++ b/arch/x86/um/signal.c
@@ -367,7 +367,7 @@ int setup_signal_stack_sc(unsigned long stack_top, struct ksignal *ksig,
367 /* This is the same calculation as i386 - ((sp + 4) & 15) == 0 */ 367 /* This is the same calculation as i386 - ((sp + 4) & 15) == 0 */
368 stack_top = ((stack_top + 4) & -16UL) - 4; 368 stack_top = ((stack_top + 4) & -16UL) - 4;
369 frame = (struct sigframe __user *) stack_top - 1; 369 frame = (struct sigframe __user *) stack_top - 1;
370 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 370 if (!access_ok(frame, sizeof(*frame)))
371 return 1; 371 return 1;
372 372
373 restorer = frame->retcode; 373 restorer = frame->retcode;
@@ -412,7 +412,7 @@ int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
412 412
413 stack_top &= -8UL; 413 stack_top &= -8UL;
414 frame = (struct rt_sigframe __user *) stack_top - 1; 414 frame = (struct rt_sigframe __user *) stack_top - 1;
415 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 415 if (!access_ok(frame, sizeof(*frame)))
416 return 1; 416 return 1;
417 417
418 restorer = frame->retcode; 418 restorer = frame->retcode;
@@ -497,7 +497,7 @@ int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
497 /* Subtract 128 for a red zone and 8 for proper alignment */ 497 /* Subtract 128 for a red zone and 8 for proper alignment */
498 frame = (struct rt_sigframe __user *) ((unsigned long) frame - 128 - 8); 498 frame = (struct rt_sigframe __user *) ((unsigned long) frame - 128 - 8);
499 499
500 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) 500 if (!access_ok(frame, sizeof(*frame)))
501 goto out; 501 goto out;
502 502
503 if (ksig->ka.sa.sa_flags & SA_SIGINFO) { 503 if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
diff --git a/arch/xtensa/include/asm/checksum.h b/arch/xtensa/include/asm/checksum.h
index 3ae74d7e074b..f302ef57973a 100644
--- a/arch/xtensa/include/asm/checksum.h
+++ b/arch/xtensa/include/asm/checksum.h
@@ -243,7 +243,7 @@ static __inline__ __wsum csum_and_copy_to_user(const void *src,
243 void __user *dst, int len, 243 void __user *dst, int len,
244 __wsum sum, int *err_ptr) 244 __wsum sum, int *err_ptr)
245{ 245{
246 if (access_ok(VERIFY_WRITE, dst, len)) 246 if (access_ok(dst, len))
247 return csum_partial_copy_generic(src,dst,len,sum,NULL,err_ptr); 247 return csum_partial_copy_generic(src,dst,len,sum,NULL,err_ptr);
248 248
249 if (len) 249 if (len)
diff --git a/arch/xtensa/include/asm/futex.h b/arch/xtensa/include/asm/futex.h
index fd0eef6b8e7c..505d09eff184 100644
--- a/arch/xtensa/include/asm/futex.h
+++ b/arch/xtensa/include/asm/futex.h
@@ -93,7 +93,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
93{ 93{
94 int ret = 0; 94 int ret = 0;
95 95
96 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 96 if (!access_ok(uaddr, sizeof(u32)))
97 return -EFAULT; 97 return -EFAULT;
98 98
99#if !XCHAL_HAVE_S32C1I 99#if !XCHAL_HAVE_S32C1I
diff --git a/arch/xtensa/include/asm/uaccess.h b/arch/xtensa/include/asm/uaccess.h
index d11ef2939652..4b2480304bc3 100644
--- a/arch/xtensa/include/asm/uaccess.h
+++ b/arch/xtensa/include/asm/uaccess.h
@@ -42,7 +42,7 @@
42#define __user_ok(addr, size) \ 42#define __user_ok(addr, size) \
43 (((size) <= TASK_SIZE)&&((addr) <= TASK_SIZE-(size))) 43 (((size) <= TASK_SIZE)&&((addr) <= TASK_SIZE-(size)))
44#define __access_ok(addr, size) (__kernel_ok || __user_ok((addr), (size))) 44#define __access_ok(addr, size) (__kernel_ok || __user_ok((addr), (size)))
45#define access_ok(type, addr, size) __access_ok((unsigned long)(addr), (size)) 45#define access_ok(addr, size) __access_ok((unsigned long)(addr), (size))
46 46
47#define user_addr_max() (uaccess_kernel() ? ~0UL : TASK_SIZE) 47#define user_addr_max() (uaccess_kernel() ? ~0UL : TASK_SIZE)
48 48
@@ -86,7 +86,7 @@ extern long __put_user_bad(void);
86({ \ 86({ \
87 long __pu_err = -EFAULT; \ 87 long __pu_err = -EFAULT; \
88 __typeof__(*(ptr)) *__pu_addr = (ptr); \ 88 __typeof__(*(ptr)) *__pu_addr = (ptr); \
89 if (access_ok(VERIFY_WRITE, __pu_addr, size)) \ 89 if (access_ok(__pu_addr, size)) \
90 __put_user_size((x), __pu_addr, (size), __pu_err); \ 90 __put_user_size((x), __pu_addr, (size), __pu_err); \
91 __pu_err; \ 91 __pu_err; \
92}) 92})
@@ -183,7 +183,7 @@ __asm__ __volatile__( \
183({ \ 183({ \
184 long __gu_err = -EFAULT, __gu_val = 0; \ 184 long __gu_err = -EFAULT, __gu_val = 0; \
185 const __typeof__(*(ptr)) *__gu_addr = (ptr); \ 185 const __typeof__(*(ptr)) *__gu_addr = (ptr); \
186 if (access_ok(VERIFY_READ, __gu_addr, size)) \ 186 if (access_ok(__gu_addr, size)) \
187 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \ 187 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
188 (x) = (__force __typeof__(*(ptr)))__gu_val; \ 188 (x) = (__force __typeof__(*(ptr)))__gu_val; \
189 __gu_err; \ 189 __gu_err; \
@@ -269,7 +269,7 @@ __xtensa_clear_user(void *addr, unsigned long size)
269static inline unsigned long 269static inline unsigned long
270clear_user(void *addr, unsigned long size) 270clear_user(void *addr, unsigned long size)
271{ 271{
272 if (access_ok(VERIFY_WRITE, addr, size)) 272 if (access_ok(addr, size))
273 return __xtensa_clear_user(addr, size); 273 return __xtensa_clear_user(addr, size);
274 return size ? -EFAULT : 0; 274 return size ? -EFAULT : 0;
275} 275}
@@ -284,7 +284,7 @@ extern long __strncpy_user(char *, const char *, long);
284static inline long 284static inline long
285strncpy_from_user(char *dst, const char *src, long count) 285strncpy_from_user(char *dst, const char *src, long count)
286{ 286{
287 if (access_ok(VERIFY_READ, src, 1)) 287 if (access_ok(src, 1))
288 return __strncpy_user(dst, src, count); 288 return __strncpy_user(dst, src, count);
289 return -EFAULT; 289 return -EFAULT;
290} 290}
diff --git a/arch/xtensa/kernel/signal.c b/arch/xtensa/kernel/signal.c
index 74e1682876ac..dc22a238ed9c 100644
--- a/arch/xtensa/kernel/signal.c
+++ b/arch/xtensa/kernel/signal.c
@@ -251,7 +251,7 @@ asmlinkage long xtensa_rt_sigreturn(long a0, long a1, long a2, long a3,
251 251
252 frame = (struct rt_sigframe __user *) regs->areg[1]; 252 frame = (struct rt_sigframe __user *) regs->areg[1];
253 253
254 if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) 254 if (!access_ok(frame, sizeof(*frame)))
255 goto badframe; 255 goto badframe;
256 256
257 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set))) 257 if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -348,7 +348,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
348 if (regs->depc > 64) 348 if (regs->depc > 64)
349 panic ("Double exception sys_sigreturn\n"); 349 panic ("Double exception sys_sigreturn\n");
350 350
351 if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) { 351 if (!access_ok(frame, sizeof(*frame))) {
352 return -EFAULT; 352 return -EFAULT;
353 } 353 }
354 354
diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c
index 0df4080fa20f..174c11f13bba 100644
--- a/arch/xtensa/kernel/stacktrace.c
+++ b/arch/xtensa/kernel/stacktrace.c
@@ -91,7 +91,7 @@ void xtensa_backtrace_user(struct pt_regs *regs, unsigned int depth,
91 pc = MAKE_PC_FROM_RA(a0, pc); 91 pc = MAKE_PC_FROM_RA(a0, pc);
92 92
93 /* Check if the region is OK to access. */ 93 /* Check if the region is OK to access. */
94 if (!access_ok(VERIFY_READ, &SPILL_SLOT(a1, 0), 8)) 94 if (!access_ok(&SPILL_SLOT(a1, 0), 8))
95 return; 95 return;
96 /* Copy a1, a0 from user space stack frame. */ 96 /* Copy a1, a0 from user space stack frame. */
97 if (__get_user(a0, &SPILL_SLOT(a1, 0)) || 97 if (__get_user(a0, &SPILL_SLOT(a1, 0)) ||
diff --git a/drivers/acpi/acpi_dbg.c b/drivers/acpi/acpi_dbg.c
index f21c99ec46ee..a2dcd62ea32f 100644
--- a/drivers/acpi/acpi_dbg.c
+++ b/drivers/acpi/acpi_dbg.c
@@ -614,7 +614,7 @@ static ssize_t acpi_aml_read(struct file *file, char __user *buf,
614 614
615 if (!count) 615 if (!count)
616 return 0; 616 return 0;
617 if (!access_ok(VERIFY_WRITE, buf, count)) 617 if (!access_ok(buf, count))
618 return -EFAULT; 618 return -EFAULT;
619 619
620 while (count > 0) { 620 while (count > 0) {
@@ -684,7 +684,7 @@ static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
684 684
685 if (!count) 685 if (!count)
686 return 0; 686 return 0;
687 if (!access_ok(VERIFY_READ, buf, count)) 687 if (!access_ok(buf, count))
688 return -EFAULT; 688 return -EFAULT;
689 689
690 while (count > 0) { 690 while (count > 0) {
diff --git a/drivers/char/generic_nvram.c b/drivers/char/generic_nvram.c
index 14e728fbb8a0..ff5394f47587 100644
--- a/drivers/char/generic_nvram.c
+++ b/drivers/char/generic_nvram.c
@@ -44,7 +44,7 @@ static ssize_t read_nvram(struct file *file, char __user *buf,
44 unsigned int i; 44 unsigned int i;
45 char __user *p = buf; 45 char __user *p = buf;
46 46
47 if (!access_ok(VERIFY_WRITE, buf, count)) 47 if (!access_ok(buf, count))
48 return -EFAULT; 48 return -EFAULT;
49 if (*ppos >= nvram_len) 49 if (*ppos >= nvram_len)
50 return 0; 50 return 0;
@@ -62,7 +62,7 @@ static ssize_t write_nvram(struct file *file, const char __user *buf,
62 const char __user *p = buf; 62 const char __user *p = buf;
63 char c; 63 char c;
64 64
65 if (!access_ok(VERIFY_READ, buf, count)) 65 if (!access_ok(buf, count))
66 return -EFAULT; 66 return -EFAULT;
67 if (*ppos >= nvram_len) 67 if (*ppos >= nvram_len)
68 return 0; 68 return 0;
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 7b4e4de778e4..b08dc50f9f26 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -609,7 +609,7 @@ static ssize_t read_port(struct file *file, char __user *buf,
609 unsigned long i = *ppos; 609 unsigned long i = *ppos;
610 char __user *tmp = buf; 610 char __user *tmp = buf;
611 611
612 if (!access_ok(VERIFY_WRITE, buf, count)) 612 if (!access_ok(buf, count))
613 return -EFAULT; 613 return -EFAULT;
614 while (count-- > 0 && i < 65536) { 614 while (count-- > 0 && i < 65536) {
615 if (__put_user(inb(i), tmp) < 0) 615 if (__put_user(inb(i), tmp) < 0)
@@ -627,7 +627,7 @@ static ssize_t write_port(struct file *file, const char __user *buf,
627 unsigned long i = *ppos; 627 unsigned long i = *ppos;
628 const char __user *tmp = buf; 628 const char __user *tmp = buf;
629 629
630 if (!access_ok(VERIFY_READ, buf, count)) 630 if (!access_ok(buf, count))
631 return -EFAULT; 631 return -EFAULT;
632 while (count-- > 0 && i < 65536) { 632 while (count-- > 0 && i < 65536) {
633 char c; 633 char c;
diff --git a/drivers/char/nwflash.c b/drivers/char/nwflash.c
index a284ae25e69a..76fb434068d4 100644
--- a/drivers/char/nwflash.c
+++ b/drivers/char/nwflash.c
@@ -167,7 +167,7 @@ static ssize_t flash_write(struct file *file, const char __user *buf,
167 if (count > gbFlashSize - p) 167 if (count > gbFlashSize - p)
168 count = gbFlashSize - p; 168 count = gbFlashSize - p;
169 169
170 if (!access_ok(VERIFY_READ, buf, count)) 170 if (!access_ok(buf, count))
171 return -EFAULT; 171 return -EFAULT;
172 172
173 /* 173 /*
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index 809507bf8f1c..7a4eb86aedac 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -1445,11 +1445,11 @@ static long cmm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
1445 _IOC_DIR(cmd), _IOC_READ, _IOC_WRITE, size, cmd); 1445 _IOC_DIR(cmd), _IOC_READ, _IOC_WRITE, size, cmd);
1446 1446
1447 if (_IOC_DIR(cmd) & _IOC_READ) { 1447 if (_IOC_DIR(cmd) & _IOC_READ) {
1448 if (!access_ok(VERIFY_WRITE, argp, size)) 1448 if (!access_ok(argp, size))
1449 goto out; 1449 goto out;
1450 } 1450 }
1451 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1451 if (_IOC_DIR(cmd) & _IOC_WRITE) {
1452 if (!access_ok(VERIFY_READ, argp, size)) 1452 if (!access_ok(argp, size))
1453 goto out; 1453 goto out;
1454 } 1454 }
1455 rc = 0; 1455 rc = 0;
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index d64a78ccc03e..b16be8a11d92 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -364,7 +364,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp)
364 goto cmd; 364 goto cmd;
365 365
366 /* allocate a physically contiguous buffer to store the CSR blob */ 366 /* allocate a physically contiguous buffer to store the CSR blob */
367 if (!access_ok(VERIFY_WRITE, input.address, input.length) || 367 if (!access_ok(input.address, input.length) ||
368 input.length > SEV_FW_BLOB_MAX_SIZE) { 368 input.length > SEV_FW_BLOB_MAX_SIZE) {
369 ret = -EFAULT; 369 ret = -EFAULT;
370 goto e_free; 370 goto e_free;
@@ -644,14 +644,14 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp)
644 644
645 /* Allocate a physically contiguous buffer to store the PDH blob. */ 645 /* Allocate a physically contiguous buffer to store the PDH blob. */
646 if ((input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE) || 646 if ((input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE) ||
647 !access_ok(VERIFY_WRITE, input.pdh_cert_address, input.pdh_cert_len)) { 647 !access_ok(input.pdh_cert_address, input.pdh_cert_len)) {
648 ret = -EFAULT; 648 ret = -EFAULT;
649 goto e_free; 649 goto e_free;
650 } 650 }
651 651
652 /* Allocate a physically contiguous buffer to store the cert chain blob. */ 652 /* Allocate a physically contiguous buffer to store the cert chain blob. */
653 if ((input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) || 653 if ((input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) ||
654 !access_ok(VERIFY_WRITE, input.cert_chain_address, input.cert_chain_len)) { 654 !access_ok(input.cert_chain_address, input.cert_chain_len)) {
655 ret = -EFAULT; 655 ret = -EFAULT;
656 goto e_free; 656 goto e_free;
657 } 657 }
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index d8e185582642..16a7045736a9 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1094,7 +1094,7 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg)
1094 return -EINVAL; 1094 return -EINVAL;
1095 1095
1096 p = (struct fw_cdev_iso_packet __user *)u64_to_uptr(a->packets); 1096 p = (struct fw_cdev_iso_packet __user *)u64_to_uptr(a->packets);
1097 if (!access_ok(VERIFY_READ, p, a->size)) 1097 if (!access_ok(p, a->size))
1098 return -EFAULT; 1098 return -EFAULT;
1099 1099
1100 end = (void __user *)p + a->size; 1100 end = (void __user *)p + a->size;
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 769640940c9f..51ecf7d6da48 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -68,7 +68,7 @@ copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src,
68 return 0; 68 return 0;
69 } 69 }
70 70
71 if (!access_ok(VERIFY_READ, src, 1)) 71 if (!access_ok(src, 1))
72 return -EFAULT; 72 return -EFAULT;
73 73
74 buf = memdup_user(src, len); 74 buf = memdup_user(src, len);
@@ -89,7 +89,7 @@ copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src,
89static inline int 89static inline int
90get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len) 90get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len)
91{ 91{
92 if (!access_ok(VERIFY_READ, src, 1)) 92 if (!access_ok(src, 1))
93 return -EFAULT; 93 return -EFAULT;
94 94
95 *len = user_ucs2_strsize(src); 95 *len = user_ucs2_strsize(src);
@@ -116,7 +116,7 @@ copy_ucs2_from_user(efi_char16_t **dst, efi_char16_t __user *src)
116{ 116{
117 size_t len; 117 size_t len;
118 118
119 if (!access_ok(VERIFY_READ, src, 1)) 119 if (!access_ok(src, 1))
120 return -EFAULT; 120 return -EFAULT;
121 121
122 len = user_ucs2_strsize(src); 122 len = user_ucs2_strsize(src);
@@ -140,7 +140,7 @@ copy_ucs2_to_user_len(efi_char16_t __user *dst, efi_char16_t *src, size_t len)
140 if (!src) 140 if (!src)
141 return 0; 141 return 0;
142 142
143 if (!access_ok(VERIFY_WRITE, dst, 1)) 143 if (!access_ok(dst, 1))
144 return -EFAULT; 144 return -EFAULT;
145 145
146 return copy_to_user(dst, src, len); 146 return copy_to_user(dst, src, len);
diff --git a/drivers/fpga/dfl-afu-dma-region.c b/drivers/fpga/dfl-afu-dma-region.c
index 025aba3ea76c..e18a786fc943 100644
--- a/drivers/fpga/dfl-afu-dma-region.c
+++ b/drivers/fpga/dfl-afu-dma-region.c
@@ -369,7 +369,7 @@ int afu_dma_map_region(struct dfl_feature_platform_data *pdata,
369 if (user_addr + length < user_addr) 369 if (user_addr + length < user_addr)
370 return -EINVAL; 370 return -EINVAL;
371 371
372 if (!access_ok(VERIFY_WRITE, (void __user *)(unsigned long)user_addr, 372 if (!access_ok((void __user *)(unsigned long)user_addr,
373 length)) 373 length))
374 return -EINVAL; 374 return -EINVAL;
375 375
diff --git a/drivers/fpga/dfl-fme-pr.c b/drivers/fpga/dfl-fme-pr.c
index fe5a5578fbf7..d9ca9554844a 100644
--- a/drivers/fpga/dfl-fme-pr.c
+++ b/drivers/fpga/dfl-fme-pr.c
@@ -99,8 +99,7 @@ static int fme_pr(struct platform_device *pdev, unsigned long arg)
99 return -EINVAL; 99 return -EINVAL;
100 } 100 }
101 101
102 if (!access_ok(VERIFY_READ, 102 if (!access_ok((void __user *)(unsigned long)port_pr.buffer_address,
103 (void __user *)(unsigned long)port_pr.buffer_address,
104 port_pr.buffer_size)) 103 port_pr.buffer_size))
105 return -EFAULT; 104 return -EFAULT;
106 105
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 3623538baf6f..be68752c3469 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -158,8 +158,7 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
158 } 158 }
159 159
160 if ((args->ring_base_address) && 160 if ((args->ring_base_address) &&
161 (!access_ok(VERIFY_WRITE, 161 (!access_ok((const void __user *) args->ring_base_address,
162 (const void __user *) args->ring_base_address,
163 sizeof(uint64_t)))) { 162 sizeof(uint64_t)))) {
164 pr_err("Can't access ring base address\n"); 163 pr_err("Can't access ring base address\n");
165 return -EFAULT; 164 return -EFAULT;
@@ -170,31 +169,27 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
170 return -EINVAL; 169 return -EINVAL;
171 } 170 }
172 171
173 if (!access_ok(VERIFY_WRITE, 172 if (!access_ok((const void __user *) args->read_pointer_address,
174 (const void __user *) args->read_pointer_address,
175 sizeof(uint32_t))) { 173 sizeof(uint32_t))) {
176 pr_err("Can't access read pointer\n"); 174 pr_err("Can't access read pointer\n");
177 return -EFAULT; 175 return -EFAULT;
178 } 176 }
179 177
180 if (!access_ok(VERIFY_WRITE, 178 if (!access_ok((const void __user *) args->write_pointer_address,
181 (const void __user *) args->write_pointer_address,
182 sizeof(uint32_t))) { 179 sizeof(uint32_t))) {
183 pr_err("Can't access write pointer\n"); 180 pr_err("Can't access write pointer\n");
184 return -EFAULT; 181 return -EFAULT;
185 } 182 }
186 183
187 if (args->eop_buffer_address && 184 if (args->eop_buffer_address &&
188 !access_ok(VERIFY_WRITE, 185 !access_ok((const void __user *) args->eop_buffer_address,
189 (const void __user *) args->eop_buffer_address,
190 sizeof(uint32_t))) { 186 sizeof(uint32_t))) {
191 pr_debug("Can't access eop buffer"); 187 pr_debug("Can't access eop buffer");
192 return -EFAULT; 188 return -EFAULT;
193 } 189 }
194 190
195 if (args->ctx_save_restore_address && 191 if (args->ctx_save_restore_address &&
196 !access_ok(VERIFY_WRITE, 192 !access_ok((const void __user *) args->ctx_save_restore_address,
197 (const void __user *) args->ctx_save_restore_address,
198 sizeof(uint32_t))) { 193 sizeof(uint32_t))) {
199 pr_debug("Can't access ctx save restore buffer"); 194 pr_debug("Can't access ctx save restore buffer");
200 return -EFAULT; 195 return -EFAULT;
@@ -365,8 +360,7 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
365 } 360 }
366 361
367 if ((args->ring_base_address) && 362 if ((args->ring_base_address) &&
368 (!access_ok(VERIFY_WRITE, 363 (!access_ok((const void __user *) args->ring_base_address,
369 (const void __user *) args->ring_base_address,
370 sizeof(uint64_t)))) { 364 sizeof(uint64_t)))) {
371 pr_err("Can't access ring base address\n"); 365 pr_err("Can't access ring base address\n");
372 return -EFAULT; 366 return -EFAULT;
diff --git a/drivers/gpu/drm/armada/armada_gem.c b/drivers/gpu/drm/armada/armada_gem.c
index 892c1d9304bb..642d0e70d0f8 100644
--- a/drivers/gpu/drm/armada/armada_gem.c
+++ b/drivers/gpu/drm/armada/armada_gem.c
@@ -334,7 +334,7 @@ int armada_gem_pwrite_ioctl(struct drm_device *dev, void *data,
334 334
335 ptr = (char __user *)(uintptr_t)args->ptr; 335 ptr = (char __user *)(uintptr_t)args->ptr;
336 336
337 if (!access_ok(VERIFY_READ, ptr, args->size)) 337 if (!access_ok(ptr, args->size))
338 return -EFAULT; 338 return -EFAULT;
339 339
340 ret = fault_in_pages_readable(ptr, args->size); 340 ret = fault_in_pages_readable(ptr, args->size);
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
index ffa8dc35515f..46f48f245eb5 100644
--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -525,7 +525,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer,
525 struct drm_device *dev = file_priv->minor->dev; 525 struct drm_device *dev = file_priv->minor->dev;
526 ssize_t ret; 526 ssize_t ret;
527 527
528 if (!access_ok(VERIFY_WRITE, buffer, count)) 528 if (!access_ok(buffer, count))
529 return -EFAULT; 529 return -EFAULT;
530 530
531 ret = mutex_lock_interruptible(&file_priv->event_read_lock); 531 ret = mutex_lock_interruptible(&file_priv->event_read_lock);
diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
index 96efc84396bf..18c27f795cf6 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
@@ -339,7 +339,6 @@ static int etnaviv_ioctl_gem_userptr(struct drm_device *dev, void *data,
339 struct drm_file *file) 339 struct drm_file *file)
340{ 340{
341 struct drm_etnaviv_gem_userptr *args = data; 341 struct drm_etnaviv_gem_userptr *args = data;
342 int access;
343 342
344 if (args->flags & ~(ETNA_USERPTR_READ|ETNA_USERPTR_WRITE) || 343 if (args->flags & ~(ETNA_USERPTR_READ|ETNA_USERPTR_WRITE) ||
345 args->flags == 0) 344 args->flags == 0)
@@ -351,12 +350,7 @@ static int etnaviv_ioctl_gem_userptr(struct drm_device *dev, void *data,
351 args->user_ptr & ~PAGE_MASK) 350 args->user_ptr & ~PAGE_MASK)
352 return -EINVAL; 351 return -EINVAL;
353 352
354 if (args->flags & ETNA_USERPTR_WRITE) 353 if (!access_ok((void __user *)(unsigned long)args->user_ptr,
355 access = VERIFY_WRITE;
356 else
357 access = VERIFY_READ;
358
359 if (!access_ok(access, (void __user *)(unsigned long)args->user_ptr,
360 args->user_size)) 354 args->user_size))
361 return -EFAULT; 355 return -EFAULT;
362 356
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index a9de07bb72c8..216f52b744a6 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1282,8 +1282,7 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
1282 if (args->size == 0) 1282 if (args->size == 0)
1283 return 0; 1283 return 0;
1284 1284
1285 if (!access_ok(VERIFY_WRITE, 1285 if (!access_ok(u64_to_user_ptr(args->data_ptr),
1286 u64_to_user_ptr(args->data_ptr),
1287 args->size)) 1286 args->size))
1288 return -EFAULT; 1287 return -EFAULT;
1289 1288
@@ -1609,9 +1608,7 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
1609 if (args->size == 0) 1608 if (args->size == 0)
1610 return 0; 1609 return 0;
1611 1610
1612 if (!access_ok(VERIFY_READ, 1611 if (!access_ok(u64_to_user_ptr(args->data_ptr), args->size))
1613 u64_to_user_ptr(args->data_ptr),
1614 args->size))
1615 return -EFAULT; 1612 return -EFAULT;
1616 1613
1617 obj = i915_gem_object_lookup(file, args->handle); 1614 obj = i915_gem_object_lookup(file, args->handle);
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 8ff6b581cf1c..fee66ccebed6 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1447,7 +1447,7 @@ static int eb_relocate_vma(struct i915_execbuffer *eb, struct i915_vma *vma)
1447 * to read. However, if the array is not writable the user loses 1447 * to read. However, if the array is not writable the user loses
1448 * the updated relocation values. 1448 * the updated relocation values.
1449 */ 1449 */
1450 if (unlikely(!access_ok(VERIFY_READ, urelocs, remain*sizeof(*urelocs)))) 1450 if (unlikely(!access_ok(urelocs, remain*sizeof(*urelocs))))
1451 return -EFAULT; 1451 return -EFAULT;
1452 1452
1453 do { 1453 do {
@@ -1554,7 +1554,7 @@ static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
1554 1554
1555 addr = u64_to_user_ptr(entry->relocs_ptr); 1555 addr = u64_to_user_ptr(entry->relocs_ptr);
1556 size *= sizeof(struct drm_i915_gem_relocation_entry); 1556 size *= sizeof(struct drm_i915_gem_relocation_entry);
1557 if (!access_ok(VERIFY_READ, addr, size)) 1557 if (!access_ok(addr, size))
1558 return -EFAULT; 1558 return -EFAULT;
1559 1559
1560 end = addr + size; 1560 end = addr + size;
@@ -2090,7 +2090,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
2090 return ERR_PTR(-EINVAL); 2090 return ERR_PTR(-EINVAL);
2091 2091
2092 user = u64_to_user_ptr(args->cliprects_ptr); 2092 user = u64_to_user_ptr(args->cliprects_ptr);
2093 if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user))) 2093 if (!access_ok(user, nfences * sizeof(*user)))
2094 return ERR_PTR(-EFAULT); 2094 return ERR_PTR(-EFAULT);
2095 2095
2096 fences = kvmalloc_array(nfences, sizeof(*fences), 2096 fences = kvmalloc_array(nfences, sizeof(*fences),
diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c
index 3df77020aada..9558582c105e 100644
--- a/drivers/gpu/drm/i915/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
@@ -789,8 +789,7 @@ i915_gem_userptr_ioctl(struct drm_device *dev,
789 if (offset_in_page(args->user_ptr | args->user_size)) 789 if (offset_in_page(args->user_ptr | args->user_size))
790 return -EINVAL; 790 return -EINVAL;
791 791
792 if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE, 792 if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
793 (char __user *)(unsigned long)args->user_ptr, args->user_size))
794 return -EFAULT; 793 return -EFAULT;
795 794
796 if (args->flags & I915_USERPTR_READ_ONLY) { 795 if (args->flags & I915_USERPTR_READ_ONLY) {
diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
index 0e5c580d117c..e869daf9c8a9 100644
--- a/drivers/gpu/drm/i915/i915_ioc32.c
+++ b/drivers/gpu/drm/i915/i915_ioc32.c
@@ -52,7 +52,7 @@ static int compat_i915_getparam(struct file *file, unsigned int cmd,
52 return -EFAULT; 52 return -EFAULT;
53 53
54 request = compat_alloc_user_space(sizeof(*request)); 54 request = compat_alloc_user_space(sizeof(*request));
55 if (!access_ok(VERIFY_WRITE, request, sizeof(*request)) || 55 if (!access_ok(request, sizeof(*request)) ||
56 __put_user(req32.param, &request->param) || 56 __put_user(req32.param, &request->param) ||
57 __put_user((void __user *)(unsigned long)req32.value, 57 __put_user((void __user *)(unsigned long)req32.value,
58 &request->value)) 58 &request->value))
diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
index 4529edfdcfc8..2b2eb57ca71f 100644
--- a/drivers/gpu/drm/i915/i915_perf.c
+++ b/drivers/gpu/drm/i915/i915_perf.c
@@ -3052,7 +3052,7 @@ static struct i915_oa_reg *alloc_oa_regs(struct drm_i915_private *dev_priv,
3052 if (!n_regs) 3052 if (!n_regs)
3053 return NULL; 3053 return NULL;
3054 3054
3055 if (!access_ok(VERIFY_READ, regs, n_regs * sizeof(u32) * 2)) 3055 if (!access_ok(regs, n_regs * sizeof(u32) * 2))
3056 return ERR_PTR(-EFAULT); 3056 return ERR_PTR(-EFAULT);
3057 3057
3058 /* No is_valid function means we're not allowing any register to be programmed. */ 3058 /* No is_valid function means we're not allowing any register to be programmed. */
diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
index 6fc4b8eeab42..fe56465cdfd6 100644
--- a/drivers/gpu/drm/i915/i915_query.c
+++ b/drivers/gpu/drm/i915/i915_query.c
@@ -46,7 +46,7 @@ static int query_topology_info(struct drm_i915_private *dev_priv,
46 if (topo.flags != 0) 46 if (topo.flags != 0)
47 return -EINVAL; 47 return -EINVAL;
48 48
49 if (!access_ok(VERIFY_WRITE, u64_to_user_ptr(query_item->data_ptr), 49 if (!access_ok(u64_to_user_ptr(query_item->data_ptr),
50 total_length)) 50 total_length))
51 return -EFAULT; 51 return -EFAULT;
52 52
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index a28465d90529..12b983fc0b56 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -77,7 +77,7 @@ void msm_gem_submit_free(struct msm_gem_submit *submit)
77static inline unsigned long __must_check 77static inline unsigned long __must_check
78copy_from_user_inatomic(void *to, const void __user *from, unsigned long n) 78copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
79{ 79{
80 if (access_ok(VERIFY_READ, from, n)) 80 if (access_ok(from, n))
81 return __copy_from_user_inatomic(to, from, n); 81 return __copy_from_user_inatomic(to, from, n);
82 return -EFAULT; 82 return -EFAULT;
83} 83}
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index 6e828158bcb0..d410e2925162 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -163,8 +163,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
163 if (cmd->command_size > PAGE_SIZE - sizeof(union qxl_release_info)) 163 if (cmd->command_size > PAGE_SIZE - sizeof(union qxl_release_info))
164 return -EINVAL; 164 return -EINVAL;
165 165
166 if (!access_ok(VERIFY_READ, 166 if (!access_ok(u64_to_user_ptr(cmd->command),
167 u64_to_user_ptr(cmd->command),
168 cmd->command_size)) 167 cmd->command_size))
169 return -EFAULT; 168 return -EFAULT;
170 169
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index 9f9172eb1512..fb0007aa0c27 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -611,8 +611,7 @@ static ssize_t verify_hdr(struct ib_uverbs_cmd_hdr *hdr,
611 if (hdr->out_words * 8 < method_elm->resp_size) 611 if (hdr->out_words * 8 < method_elm->resp_size)
612 return -ENOSPC; 612 return -ENOSPC;
613 613
614 if (!access_ok(VERIFY_WRITE, 614 if (!access_ok(u64_to_user_ptr(ex_hdr->response),
615 u64_to_user_ptr(ex_hdr->response),
616 (hdr->out_words + ex_hdr->provider_out_words) * 8)) 615 (hdr->out_words + ex_hdr->provider_out_words) * 8))
617 return -EFAULT; 616 return -EFAULT;
618 } else { 617 } else {
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index dbe7d14a5c76..0cd71ce7cc71 100644
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -232,7 +232,7 @@ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
232 } 232 }
233 233
234 /* Verify that access is OK for the user buffer */ 234 /* Verify that access is OK for the user buffer */
235 if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 235 if (!access_ok((void __user *)vaddr,
236 npages * PAGE_SIZE)) { 236 npages * PAGE_SIZE)) {
237 dd_dev_err(dd, "Fail vaddr %p, %u pages, !access_ok\n", 237 dd_dev_err(dd, "Fail vaddr %p, %u pages, !access_ok\n",
238 (void *)vaddr, npages); 238 (void *)vaddr, npages);
diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
index 98e1ce14fa2a..78fa634de98a 100644
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -343,7 +343,7 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
343 343
344 /* virtual address of first page in transfer */ 344 /* virtual address of first page in transfer */
345 vaddr = ti->tidvaddr; 345 vaddr = ti->tidvaddr;
346 if (!access_ok(VERIFY_WRITE, (void __user *) vaddr, 346 if (!access_ok((void __user *) vaddr,
347 cnt * PAGE_SIZE)) { 347 cnt * PAGE_SIZE)) {
348 ret = -EFAULT; 348 ret = -EFAULT;
349 goto done; 349 goto done;
diff --git a/drivers/macintosh/ans-lcd.c b/drivers/macintosh/ans-lcd.c
index ef0c2366cf59..400960cf04d5 100644
--- a/drivers/macintosh/ans-lcd.c
+++ b/drivers/macintosh/ans-lcd.c
@@ -64,7 +64,7 @@ anslcd_write( struct file * file, const char __user * buf,
64 printk(KERN_DEBUG "LCD: write\n"); 64 printk(KERN_DEBUG "LCD: write\n");
65#endif 65#endif
66 66
67 if (!access_ok(VERIFY_READ, buf, count)) 67 if (!access_ok(buf, count))
68 return -EFAULT; 68 return -EFAULT;
69 69
70 mutex_lock(&anslcd_mutex); 70 mutex_lock(&anslcd_mutex);
diff --git a/drivers/macintosh/via-pmu.c b/drivers/macintosh/via-pmu.c
index ac0cf37d6239..21d532a78fa4 100644
--- a/drivers/macintosh/via-pmu.c
+++ b/drivers/macintosh/via-pmu.c
@@ -2188,7 +2188,7 @@ pmu_read(struct file *file, char __user *buf,
2188 2188
2189 if (count < 1 || !pp) 2189 if (count < 1 || !pp)
2190 return -EINVAL; 2190 return -EINVAL;
2191 if (!access_ok(VERIFY_WRITE, buf, count)) 2191 if (!access_ok(buf, count))
2192 return -EFAULT; 2192 return -EFAULT;
2193 2193
2194 spin_lock_irqsave(&pp->lock, flags); 2194 spin_lock_irqsave(&pp->lock, flags);
diff --git a/drivers/media/pci/ivtv/ivtvfb.c b/drivers/media/pci/ivtv/ivtvfb.c
index 3e02de02ffdd..8ec2525d8ef5 100644
--- a/drivers/media/pci/ivtv/ivtvfb.c
+++ b/drivers/media/pci/ivtv/ivtvfb.c
@@ -356,7 +356,7 @@ static int ivtvfb_prep_frame(struct ivtv *itv, int cmd, void __user *source,
356 IVTVFB_WARN("ivtvfb_prep_frame: Count not a multiple of 4 (%d)\n", count); 356 IVTVFB_WARN("ivtvfb_prep_frame: Count not a multiple of 4 (%d)\n", count);
357 357
358 /* Check Source */ 358 /* Check Source */
359 if (!access_ok(VERIFY_READ, source + dest_offset, count)) { 359 if (!access_ok(source + dest_offset, count)) {
360 IVTVFB_WARN("Invalid userspace pointer %p\n", source); 360 IVTVFB_WARN("Invalid userspace pointer %p\n", source);
361 361
362 IVTVFB_DEBUG_WARN("access_ok() failed for offset 0x%08lx source %p count %d\n", 362 IVTVFB_DEBUG_WARN("access_ok() failed for offset 0x%08lx source %p count %d\n",
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index fe4577a46869..73dac1d8d4f6 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -158,7 +158,7 @@ static int get_v4l2_window32(struct v4l2_window __user *p64,
158 compat_caddr_t p; 158 compat_caddr_t p;
159 u32 clipcount; 159 u32 clipcount;
160 160
161 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 161 if (!access_ok(p32, sizeof(*p32)) ||
162 copy_in_user(&p64->w, &p32->w, sizeof(p32->w)) || 162 copy_in_user(&p64->w, &p32->w, sizeof(p32->w)) ||
163 assign_in_user(&p64->field, &p32->field) || 163 assign_in_user(&p64->field, &p32->field) ||
164 assign_in_user(&p64->chromakey, &p32->chromakey) || 164 assign_in_user(&p64->chromakey, &p32->chromakey) ||
@@ -283,7 +283,7 @@ static int __bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
283 283
284static int bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size) 284static int bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
285{ 285{
286 if (!access_ok(VERIFY_READ, p32, sizeof(*p32))) 286 if (!access_ok(p32, sizeof(*p32)))
287 return -EFAULT; 287 return -EFAULT;
288 return __bufsize_v4l2_format(p32, size); 288 return __bufsize_v4l2_format(p32, size);
289} 289}
@@ -335,7 +335,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
335 struct v4l2_format32 __user *p32, 335 struct v4l2_format32 __user *p32,
336 void __user *aux_buf, u32 aux_space) 336 void __user *aux_buf, u32 aux_space)
337{ 337{
338 if (!access_ok(VERIFY_READ, p32, sizeof(*p32))) 338 if (!access_ok(p32, sizeof(*p32)))
339 return -EFAULT; 339 return -EFAULT;
340 return __get_v4l2_format32(p64, p32, aux_buf, aux_space); 340 return __get_v4l2_format32(p64, p32, aux_buf, aux_space);
341} 341}
@@ -343,7 +343,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
343static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *p32, 343static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *p32,
344 u32 *size) 344 u32 *size)
345{ 345{
346 if (!access_ok(VERIFY_READ, p32, sizeof(*p32))) 346 if (!access_ok(p32, sizeof(*p32)))
347 return -EFAULT; 347 return -EFAULT;
348 return __bufsize_v4l2_format(&p32->format, size); 348 return __bufsize_v4l2_format(&p32->format, size);
349} 349}
@@ -352,7 +352,7 @@ static int get_v4l2_create32(struct v4l2_create_buffers __user *p64,
352 struct v4l2_create_buffers32 __user *p32, 352 struct v4l2_create_buffers32 __user *p32,
353 void __user *aux_buf, u32 aux_space) 353 void __user *aux_buf, u32 aux_space)
354{ 354{
355 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 355 if (!access_ok(p32, sizeof(*p32)) ||
356 copy_in_user(p64, p32, 356 copy_in_user(p64, p32,
357 offsetof(struct v4l2_create_buffers32, format))) 357 offsetof(struct v4l2_create_buffers32, format)))
358 return -EFAULT; 358 return -EFAULT;
@@ -404,7 +404,7 @@ static int __put_v4l2_format32(struct v4l2_format __user *p64,
404static int put_v4l2_format32(struct v4l2_format __user *p64, 404static int put_v4l2_format32(struct v4l2_format __user *p64,
405 struct v4l2_format32 __user *p32) 405 struct v4l2_format32 __user *p32)
406{ 406{
407 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32))) 407 if (!access_ok(p32, sizeof(*p32)))
408 return -EFAULT; 408 return -EFAULT;
409 return __put_v4l2_format32(p64, p32); 409 return __put_v4l2_format32(p64, p32);
410} 410}
@@ -412,7 +412,7 @@ static int put_v4l2_format32(struct v4l2_format __user *p64,
412static int put_v4l2_create32(struct v4l2_create_buffers __user *p64, 412static int put_v4l2_create32(struct v4l2_create_buffers __user *p64,
413 struct v4l2_create_buffers32 __user *p32) 413 struct v4l2_create_buffers32 __user *p32)
414{ 414{
415 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 415 if (!access_ok(p32, sizeof(*p32)) ||
416 copy_in_user(p32, p64, 416 copy_in_user(p32, p64,
417 offsetof(struct v4l2_create_buffers32, format)) || 417 offsetof(struct v4l2_create_buffers32, format)) ||
418 assign_in_user(&p32->capabilities, &p64->capabilities) || 418 assign_in_user(&p32->capabilities, &p64->capabilities) ||
@@ -434,7 +434,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
434 struct v4l2_standard32 __user *p32) 434 struct v4l2_standard32 __user *p32)
435{ 435{
436 /* other fields are not set by the user, nor used by the driver */ 436 /* other fields are not set by the user, nor used by the driver */
437 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 437 if (!access_ok(p32, sizeof(*p32)) ||
438 assign_in_user(&p64->index, &p32->index)) 438 assign_in_user(&p64->index, &p32->index))
439 return -EFAULT; 439 return -EFAULT;
440 return 0; 440 return 0;
@@ -443,7 +443,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
443static int put_v4l2_standard32(struct v4l2_standard __user *p64, 443static int put_v4l2_standard32(struct v4l2_standard __user *p64,
444 struct v4l2_standard32 __user *p32) 444 struct v4l2_standard32 __user *p32)
445{ 445{
446 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 446 if (!access_ok(p32, sizeof(*p32)) ||
447 assign_in_user(&p32->index, &p64->index) || 447 assign_in_user(&p32->index, &p64->index) ||
448 assign_in_user(&p32->id, &p64->id) || 448 assign_in_user(&p32->id, &p64->id) ||
449 copy_in_user(p32->name, p64->name, sizeof(p32->name)) || 449 copy_in_user(p32->name, p64->name, sizeof(p32->name)) ||
@@ -560,7 +560,7 @@ static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *p32, u32 *size)
560 u32 type; 560 u32 type;
561 u32 length; 561 u32 length;
562 562
563 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 563 if (!access_ok(p32, sizeof(*p32)) ||
564 get_user(type, &p32->type) || 564 get_user(type, &p32->type) ||
565 get_user(length, &p32->length)) 565 get_user(length, &p32->length))
566 return -EFAULT; 566 return -EFAULT;
@@ -593,7 +593,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
593 compat_caddr_t p; 593 compat_caddr_t p;
594 int ret; 594 int ret;
595 595
596 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 596 if (!access_ok(p32, sizeof(*p32)) ||
597 assign_in_user(&p64->index, &p32->index) || 597 assign_in_user(&p64->index, &p32->index) ||
598 get_user(type, &p32->type) || 598 get_user(type, &p32->type) ||
599 put_user(type, &p64->type) || 599 put_user(type, &p64->type) ||
@@ -632,7 +632,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
632 return -EFAULT; 632 return -EFAULT;
633 633
634 uplane32 = compat_ptr(p); 634 uplane32 = compat_ptr(p);
635 if (!access_ok(VERIFY_READ, uplane32, 635 if (!access_ok(uplane32,
636 num_planes * sizeof(*uplane32))) 636 num_planes * sizeof(*uplane32)))
637 return -EFAULT; 637 return -EFAULT;
638 638
@@ -691,7 +691,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user *p64,
691 compat_caddr_t p; 691 compat_caddr_t p;
692 int ret; 692 int ret;
693 693
694 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 694 if (!access_ok(p32, sizeof(*p32)) ||
695 assign_in_user(&p32->index, &p64->index) || 695 assign_in_user(&p32->index, &p64->index) ||
696 get_user(type, &p64->type) || 696 get_user(type, &p64->type) ||
697 put_user(type, &p32->type) || 697 put_user(type, &p32->type) ||
@@ -781,7 +781,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
781{ 781{
782 compat_caddr_t tmp; 782 compat_caddr_t tmp;
783 783
784 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 784 if (!access_ok(p32, sizeof(*p32)) ||
785 get_user(tmp, &p32->base) || 785 get_user(tmp, &p32->base) ||
786 put_user_force(compat_ptr(tmp), &p64->base) || 786 put_user_force(compat_ptr(tmp), &p64->base) ||
787 assign_in_user(&p64->capability, &p32->capability) || 787 assign_in_user(&p64->capability, &p32->capability) ||
@@ -796,7 +796,7 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
796{ 796{
797 void *base; 797 void *base;
798 798
799 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 799 if (!access_ok(p32, sizeof(*p32)) ||
800 get_user(base, &p64->base) || 800 get_user(base, &p64->base) ||
801 put_user(ptr_to_compat((void __user *)base), &p32->base) || 801 put_user(ptr_to_compat((void __user *)base), &p32->base) ||
802 assign_in_user(&p32->capability, &p64->capability) || 802 assign_in_user(&p32->capability, &p64->capability) ||
@@ -893,7 +893,7 @@ static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *p32,
893{ 893{
894 u32 count; 894 u32 count;
895 895
896 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 896 if (!access_ok(p32, sizeof(*p32)) ||
897 get_user(count, &p32->count)) 897 get_user(count, &p32->count))
898 return -EFAULT; 898 return -EFAULT;
899 if (count > V4L2_CID_MAX_CTRLS) 899 if (count > V4L2_CID_MAX_CTRLS)
@@ -913,7 +913,7 @@ static int get_v4l2_ext_controls32(struct file *file,
913 u32 n; 913 u32 n;
914 compat_caddr_t p; 914 compat_caddr_t p;
915 915
916 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 916 if (!access_ok(p32, sizeof(*p32)) ||
917 assign_in_user(&p64->which, &p32->which) || 917 assign_in_user(&p64->which, &p32->which) ||
918 get_user(count, &p32->count) || 918 get_user(count, &p32->count) ||
919 put_user(count, &p64->count) || 919 put_user(count, &p64->count) ||
@@ -929,7 +929,7 @@ static int get_v4l2_ext_controls32(struct file *file,
929 if (get_user(p, &p32->controls)) 929 if (get_user(p, &p32->controls))
930 return -EFAULT; 930 return -EFAULT;
931 ucontrols = compat_ptr(p); 931 ucontrols = compat_ptr(p);
932 if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols))) 932 if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
933 return -EFAULT; 933 return -EFAULT;
934 if (aux_space < count * sizeof(*kcontrols)) 934 if (aux_space < count * sizeof(*kcontrols))
935 return -EFAULT; 935 return -EFAULT;
@@ -979,7 +979,7 @@ static int put_v4l2_ext_controls32(struct file *file,
979 * with __user causes smatch warnings, so instead declare it 979 * with __user causes smatch warnings, so instead declare it
980 * without __user and cast it as a userspace pointer where needed. 980 * without __user and cast it as a userspace pointer where needed.
981 */ 981 */
982 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 982 if (!access_ok(p32, sizeof(*p32)) ||
983 assign_in_user(&p32->which, &p64->which) || 983 assign_in_user(&p32->which, &p64->which) ||
984 get_user(count, &p64->count) || 984 get_user(count, &p64->count) ||
985 put_user(count, &p32->count) || 985 put_user(count, &p32->count) ||
@@ -994,7 +994,7 @@ static int put_v4l2_ext_controls32(struct file *file,
994 if (get_user(p, &p32->controls)) 994 if (get_user(p, &p32->controls))
995 return -EFAULT; 995 return -EFAULT;
996 ucontrols = compat_ptr(p); 996 ucontrols = compat_ptr(p);
997 if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols))) 997 if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
998 return -EFAULT; 998 return -EFAULT;
999 999
1000 for (n = 0; n < count; n++) { 1000 for (n = 0; n < count; n++) {
@@ -1043,7 +1043,7 @@ struct v4l2_event32 {
1043static int put_v4l2_event32(struct v4l2_event __user *p64, 1043static int put_v4l2_event32(struct v4l2_event __user *p64,
1044 struct v4l2_event32 __user *p32) 1044 struct v4l2_event32 __user *p32)
1045{ 1045{
1046 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 1046 if (!access_ok(p32, sizeof(*p32)) ||
1047 assign_in_user(&p32->type, &p64->type) || 1047 assign_in_user(&p32->type, &p64->type) ||
1048 copy_in_user(&p32->u, &p64->u, sizeof(p64->u)) || 1048 copy_in_user(&p32->u, &p64->u, sizeof(p64->u)) ||
1049 assign_in_user(&p32->pending, &p64->pending) || 1049 assign_in_user(&p32->pending, &p64->pending) ||
@@ -1069,7 +1069,7 @@ static int get_v4l2_edid32(struct v4l2_edid __user *p64,
1069{ 1069{
1070 compat_uptr_t tmp; 1070 compat_uptr_t tmp;
1071 1071
1072 if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) || 1072 if (!access_ok(p32, sizeof(*p32)) ||
1073 assign_in_user(&p64->pad, &p32->pad) || 1073 assign_in_user(&p64->pad, &p32->pad) ||
1074 assign_in_user(&p64->start_block, &p32->start_block) || 1074 assign_in_user(&p64->start_block, &p32->start_block) ||
1075 assign_in_user_cast(&p64->blocks, &p32->blocks) || 1075 assign_in_user_cast(&p64->blocks, &p32->blocks) ||
@@ -1085,7 +1085,7 @@ static int put_v4l2_edid32(struct v4l2_edid __user *p64,
1085{ 1085{
1086 void *edid; 1086 void *edid;
1087 1087
1088 if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) || 1088 if (!access_ok(p32, sizeof(*p32)) ||
1089 assign_in_user(&p32->pad, &p64->pad) || 1089 assign_in_user(&p32->pad, &p64->pad) ||
1090 assign_in_user(&p32->start_block, &p64->start_block) || 1090 assign_in_user(&p32->start_block, &p64->start_block) ||
1091 assign_in_user(&p32->blocks, &p64->blocks) || 1091 assign_in_user(&p32->blocks, &p64->blocks) ||
diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c
index 5da1f3e3f997..997f92543dd4 100644
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -236,7 +236,7 @@ static int vmci_host_setup_notify(struct vmci_ctx *context,
236 * about the size. 236 * about the size.
237 */ 237 */
238 BUILD_BUG_ON(sizeof(bool) != sizeof(u8)); 238 BUILD_BUG_ON(sizeof(bool) != sizeof(u8));
239 if (!access_ok(VERIFY_WRITE, (void __user *)uva, sizeof(u8))) 239 if (!access_ok((void __user *)uva, sizeof(u8)))
240 return VMCI_ERROR_GENERIC; 240 return VMCI_ERROR_GENERIC;
241 241
242 /* 242 /*
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 7ac035af39f0..6fa1627ce08d 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -52,7 +52,7 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
52 nbytes = size - pos; 52 nbytes = size - pos;
53 cnt = nbytes; 53 cnt = nbytes;
54 54
55 if (!access_ok(VERIFY_WRITE, buf, cnt)) 55 if (!access_ok(buf, cnt))
56 return -EINVAL; 56 return -EINVAL;
57 57
58 pci_config_pm_runtime_get(dev); 58 pci_config_pm_runtime_get(dev);
@@ -125,7 +125,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
125 nbytes = size - pos; 125 nbytes = size - pos;
126 cnt = nbytes; 126 cnt = nbytes;
127 127
128 if (!access_ok(VERIFY_READ, buf, cnt)) 128 if (!access_ok(buf, cnt))
129 return -EINVAL; 129 return -EINVAL;
130 130
131 pci_config_pm_runtime_get(dev); 131 pci_config_pm_runtime_get(dev);
diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index 7c639006252e..321bc673c417 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -416,8 +416,7 @@ static ssize_t goldfish_pipe_read_write(struct file *filp,
416 if (unlikely(bufflen == 0)) 416 if (unlikely(bufflen == 0))
417 return 0; 417 return 0;
418 /* Check the buffer range for access */ 418 /* Check the buffer range for access */
419 if (unlikely(!access_ok(is_write ? VERIFY_WRITE : VERIFY_READ, 419 if (unlikely(!access_ok(buffer, bufflen)))
420 buffer, bufflen)))
421 return -EFAULT; 420 return -EFAULT;
422 421
423 address = (unsigned long)buffer; 422 address = (unsigned long)buffer;
diff --git a/drivers/pnp/isapnp/proc.c b/drivers/pnp/isapnp/proc.c
index 262285e48a09..051613140812 100644
--- a/drivers/pnp/isapnp/proc.c
+++ b/drivers/pnp/isapnp/proc.c
@@ -47,7 +47,7 @@ static ssize_t isapnp_proc_bus_read(struct file *file, char __user * buf,
47 nbytes = size - pos; 47 nbytes = size - pos;
48 cnt = nbytes; 48 cnt = nbytes;
49 49
50 if (!access_ok(VERIFY_WRITE, buf, cnt)) 50 if (!access_ok(buf, cnt))
51 return -EINVAL; 51 return -EINVAL;
52 52
53 isapnp_cfg_begin(dev->card->number, dev->number); 53 isapnp_cfg_begin(dev->card->number, dev->number);
diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
index 7c4673308f5b..e338d7a4f571 100644
--- a/drivers/scsi/pmcraid.c
+++ b/drivers/scsi/pmcraid.c
@@ -3600,7 +3600,7 @@ static long pmcraid_ioctl_passthrough(
3600 u32 ioasc; 3600 u32 ioasc;
3601 int request_size; 3601 int request_size;
3602 int buffer_size; 3602 int buffer_size;
3603 u8 access, direction; 3603 u8 direction;
3604 int rc = 0; 3604 int rc = 0;
3605 3605
3606 /* If IOA reset is in progress, wait 10 secs for reset to complete */ 3606 /* If IOA reset is in progress, wait 10 secs for reset to complete */
@@ -3649,10 +3649,8 @@ static long pmcraid_ioctl_passthrough(
3649 request_size = le32_to_cpu(buffer->ioarcb.data_transfer_length); 3649 request_size = le32_to_cpu(buffer->ioarcb.data_transfer_length);
3650 3650
3651 if (buffer->ioarcb.request_flags0 & TRANSFER_DIR_WRITE) { 3651 if (buffer->ioarcb.request_flags0 & TRANSFER_DIR_WRITE) {
3652 access = VERIFY_READ;
3653 direction = DMA_TO_DEVICE; 3652 direction = DMA_TO_DEVICE;
3654 } else { 3653 } else {
3655 access = VERIFY_WRITE;
3656 direction = DMA_FROM_DEVICE; 3654 direction = DMA_FROM_DEVICE;
3657 } 3655 }
3658 3656
diff --git a/drivers/scsi/scsi_ioctl.c b/drivers/scsi/scsi_ioctl.c
index cc30fccc1a2e..840d96fe81bc 100644
--- a/drivers/scsi/scsi_ioctl.c
+++ b/drivers/scsi/scsi_ioctl.c
@@ -221,7 +221,7 @@ int scsi_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
221 221
222 switch (cmd) { 222 switch (cmd) {
223 case SCSI_IOCTL_GET_IDLUN: 223 case SCSI_IOCTL_GET_IDLUN:
224 if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun))) 224 if (!access_ok(arg, sizeof(struct scsi_idlun)))
225 return -EFAULT; 225 return -EFAULT;
226 226
227 __put_user((sdev->id & 0xff) 227 __put_user((sdev->id & 0xff)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 4e27460ec926..d3f15319b9b3 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -434,7 +434,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
434 SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, 434 SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
435 "sg_read: count=%d\n", (int) count)); 435 "sg_read: count=%d\n", (int) count));
436 436
437 if (!access_ok(VERIFY_WRITE, buf, count)) 437 if (!access_ok(buf, count))
438 return -EFAULT; 438 return -EFAULT;
439 if (sfp->force_packid && (count >= SZ_SG_HEADER)) { 439 if (sfp->force_packid && (count >= SZ_SG_HEADER)) {
440 old_hdr = kmalloc(SZ_SG_HEADER, GFP_KERNEL); 440 old_hdr = kmalloc(SZ_SG_HEADER, GFP_KERNEL);
@@ -632,7 +632,7 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
632 scsi_block_when_processing_errors(sdp->device))) 632 scsi_block_when_processing_errors(sdp->device)))
633 return -ENXIO; 633 return -ENXIO;
634 634
635 if (!access_ok(VERIFY_READ, buf, count)) 635 if (!access_ok(buf, count))
636 return -EFAULT; /* protects following copy_from_user()s + get_user()s */ 636 return -EFAULT; /* protects following copy_from_user()s + get_user()s */
637 if (count < SZ_SG_HEADER) 637 if (count < SZ_SG_HEADER)
638 return -EIO; 638 return -EIO;
@@ -729,7 +729,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
729 729
730 if (count < SZ_SG_IO_HDR) 730 if (count < SZ_SG_IO_HDR)
731 return -EINVAL; 731 return -EINVAL;
732 if (!access_ok(VERIFY_READ, buf, count)) 732 if (!access_ok(buf, count))
733 return -EFAULT; /* protects following copy_from_user()s + get_user()s */ 733 return -EFAULT; /* protects following copy_from_user()s + get_user()s */
734 734
735 sfp->cmd_q = 1; /* when sg_io_hdr seen, set command queuing on */ 735 sfp->cmd_q = 1; /* when sg_io_hdr seen, set command queuing on */
@@ -768,7 +768,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
768 sg_remove_request(sfp, srp); 768 sg_remove_request(sfp, srp);
769 return -EMSGSIZE; 769 return -EMSGSIZE;
770 } 770 }
771 if (!access_ok(VERIFY_READ, hp->cmdp, hp->cmd_len)) { 771 if (!access_ok(hp->cmdp, hp->cmd_len)) {
772 sg_remove_request(sfp, srp); 772 sg_remove_request(sfp, srp);
773 return -EFAULT; /* protects following copy_from_user()s + get_user()s */ 773 return -EFAULT; /* protects following copy_from_user()s + get_user()s */
774 } 774 }
@@ -922,7 +922,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
922 return -ENODEV; 922 return -ENODEV;
923 if (!scsi_block_when_processing_errors(sdp->device)) 923 if (!scsi_block_when_processing_errors(sdp->device))
924 return -ENXIO; 924 return -ENXIO;
925 if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR)) 925 if (!access_ok(p, SZ_SG_IO_HDR))
926 return -EFAULT; 926 return -EFAULT;
927 result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR, 927 result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
928 1, read_only, 1, &srp); 928 1, read_only, 1, &srp);
@@ -968,7 +968,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
968 case SG_GET_LOW_DMA: 968 case SG_GET_LOW_DMA:
969 return put_user((int) sdp->device->host->unchecked_isa_dma, ip); 969 return put_user((int) sdp->device->host->unchecked_isa_dma, ip);
970 case SG_GET_SCSI_ID: 970 case SG_GET_SCSI_ID:
971 if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t))) 971 if (!access_ok(p, sizeof (sg_scsi_id_t)))
972 return -EFAULT; 972 return -EFAULT;
973 else { 973 else {
974 sg_scsi_id_t __user *sg_idp = p; 974 sg_scsi_id_t __user *sg_idp = p;
@@ -997,7 +997,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
997 sfp->force_packid = val ? 1 : 0; 997 sfp->force_packid = val ? 1 : 0;
998 return 0; 998 return 0;
999 case SG_GET_PACK_ID: 999 case SG_GET_PACK_ID:
1000 if (!access_ok(VERIFY_WRITE, ip, sizeof (int))) 1000 if (!access_ok(ip, sizeof (int)))
1001 return -EFAULT; 1001 return -EFAULT;
1002 read_lock_irqsave(&sfp->rq_list_lock, iflags); 1002 read_lock_irqsave(&sfp->rq_list_lock, iflags);
1003 list_for_each_entry(srp, &sfp->rq_list, entry) { 1003 list_for_each_entry(srp, &sfp->rq_list, entry) {
@@ -1078,7 +1078,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
1078 val = (sdp->device ? 1 : 0); 1078 val = (sdp->device ? 1 : 0);
1079 return put_user(val, ip); 1079 return put_user(val, ip);
1080 case SG_GET_REQUEST_TABLE: 1080 case SG_GET_REQUEST_TABLE:
1081 if (!access_ok(VERIFY_WRITE, p, SZ_SG_REQ_INFO * SG_MAX_QUEUE)) 1081 if (!access_ok(p, SZ_SG_REQ_INFO * SG_MAX_QUEUE))
1082 return -EFAULT; 1082 return -EFAULT;
1083 else { 1083 else {
1084 sg_req_info_t *rinfo; 1084 sg_req_info_t *rinfo;
diff --git a/drivers/staging/comedi/comedi_compat32.c b/drivers/staging/comedi/comedi_compat32.c
index fa9d239474ee..36a3564ba1fb 100644
--- a/drivers/staging/comedi/comedi_compat32.c
+++ b/drivers/staging/comedi/comedi_compat32.c
@@ -102,8 +102,8 @@ static int compat_chaninfo(struct file *file, unsigned long arg)
102 chaninfo = compat_alloc_user_space(sizeof(*chaninfo)); 102 chaninfo = compat_alloc_user_space(sizeof(*chaninfo));
103 103
104 /* Copy chaninfo structure. Ignore unused members. */ 104 /* Copy chaninfo structure. Ignore unused members. */
105 if (!access_ok(VERIFY_READ, chaninfo32, sizeof(*chaninfo32)) || 105 if (!access_ok(chaninfo32, sizeof(*chaninfo32)) ||
106 !access_ok(VERIFY_WRITE, chaninfo, sizeof(*chaninfo))) 106 !access_ok(chaninfo, sizeof(*chaninfo)))
107 return -EFAULT; 107 return -EFAULT;
108 108
109 err = 0; 109 err = 0;
@@ -136,8 +136,8 @@ static int compat_rangeinfo(struct file *file, unsigned long arg)
136 rangeinfo = compat_alloc_user_space(sizeof(*rangeinfo)); 136 rangeinfo = compat_alloc_user_space(sizeof(*rangeinfo));
137 137
138 /* Copy rangeinfo structure. */ 138 /* Copy rangeinfo structure. */
139 if (!access_ok(VERIFY_READ, rangeinfo32, sizeof(*rangeinfo32)) || 139 if (!access_ok(rangeinfo32, sizeof(*rangeinfo32)) ||
140 !access_ok(VERIFY_WRITE, rangeinfo, sizeof(*rangeinfo))) 140 !access_ok(rangeinfo, sizeof(*rangeinfo)))
141 return -EFAULT; 141 return -EFAULT;
142 142
143 err = 0; 143 err = 0;
@@ -163,8 +163,8 @@ static int get_compat_cmd(struct comedi_cmd __user *cmd,
163 } temp; 163 } temp;
164 164
165 /* Copy cmd structure. */ 165 /* Copy cmd structure. */
166 if (!access_ok(VERIFY_READ, cmd32, sizeof(*cmd32)) || 166 if (!access_ok(cmd32, sizeof(*cmd32)) ||
167 !access_ok(VERIFY_WRITE, cmd, sizeof(*cmd))) 167 !access_ok(cmd, sizeof(*cmd)))
168 return -EFAULT; 168 return -EFAULT;
169 169
170 err = 0; 170 err = 0;
@@ -217,8 +217,8 @@ static int put_compat_cmd(struct comedi32_cmd_struct __user *cmd32,
217 * Assume the pointer values are already valid. 217 * Assume the pointer values are already valid.
218 * (Could use ptr_to_compat() to set them.) 218 * (Could use ptr_to_compat() to set them.)
219 */ 219 */
220 if (!access_ok(VERIFY_READ, cmd, sizeof(*cmd)) || 220 if (!access_ok(cmd, sizeof(*cmd)) ||
221 !access_ok(VERIFY_WRITE, cmd32, sizeof(*cmd32))) 221 !access_ok(cmd32, sizeof(*cmd32)))
222 return -EFAULT; 222 return -EFAULT;
223 223
224 err = 0; 224 err = 0;
@@ -317,8 +317,8 @@ static int get_compat_insn(struct comedi_insn __user *insn,
317 317
318 /* Copy insn structure. Ignore the unused members. */ 318 /* Copy insn structure. Ignore the unused members. */
319 err = 0; 319 err = 0;
320 if (!access_ok(VERIFY_READ, insn32, sizeof(*insn32)) || 320 if (!access_ok(insn32, sizeof(*insn32)) ||
321 !access_ok(VERIFY_WRITE, insn, sizeof(*insn))) 321 !access_ok(insn, sizeof(*insn)))
322 return -EFAULT; 322 return -EFAULT;
323 323
324 err |= __get_user(temp.uint, &insn32->insn); 324 err |= __get_user(temp.uint, &insn32->insn);
@@ -350,7 +350,7 @@ static int compat_insnlist(struct file *file, unsigned long arg)
350 insnlist32 = compat_ptr(arg); 350 insnlist32 = compat_ptr(arg);
351 351
352 /* Get 32-bit insnlist structure. */ 352 /* Get 32-bit insnlist structure. */
353 if (!access_ok(VERIFY_READ, insnlist32, sizeof(*insnlist32))) 353 if (!access_ok(insnlist32, sizeof(*insnlist32)))
354 return -EFAULT; 354 return -EFAULT;
355 355
356 err = 0; 356 err = 0;
@@ -365,7 +365,7 @@ static int compat_insnlist(struct file *file, unsigned long arg)
365 insn[n_insns])); 365 insn[n_insns]));
366 366
367 /* Set native insnlist structure. */ 367 /* Set native insnlist structure. */
368 if (!access_ok(VERIFY_WRITE, &s->insnlist, sizeof(s->insnlist))) 368 if (!access_ok(&s->insnlist, sizeof(s->insnlist)))
369 return -EFAULT; 369 return -EFAULT;
370 370
371 err |= __put_user(n_insns, &s->insnlist.n_insns); 371 err |= __put_user(n_insns, &s->insnlist.n_insns);
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 99460af61b77..4164414d4c64 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -573,7 +573,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
573 return -EIO; 573 return -EIO;
574 574
575 /* verify user access to buffer */ 575 /* verify user access to buffer */
576 if (!access_ok(VERIFY_WRITE, buf, nr)) { 576 if (!access_ok(buf, nr)) {
577 printk(KERN_WARNING "%s(%d) n_hdlc_tty_read() can't verify user " 577 printk(KERN_WARNING "%s(%d) n_hdlc_tty_read() can't verify user "
578 "buffer\n", __FILE__, __LINE__); 578 "buffer\n", __FILE__, __LINE__);
579 return -EFAULT; 579 return -EFAULT;
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index 3de3c750b5f6..44f28a114c2b 100644
--- a/drivers/usb/core/devices.c
+++ b/drivers/usb/core/devices.c
@@ -598,7 +598,7 @@ static ssize_t usb_device_read(struct file *file, char __user *buf,
598 return -EINVAL; 598 return -EINVAL;
599 if (nbytes <= 0) 599 if (nbytes <= 0)
600 return 0; 600 return 0;
601 if (!access_ok(VERIFY_WRITE, buf, nbytes)) 601 if (!access_ok(buf, nbytes))
602 return -EFAULT; 602 return -EFAULT;
603 603
604 mutex_lock(&usb_bus_idr_lock); 604 mutex_lock(&usb_bus_idr_lock);
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index a75bc0b8a50f..d65566341dd1 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1094,7 +1094,7 @@ static int proc_control(struct usb_dev_state *ps, void __user *arg)
1094 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue, 1094 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1095 ctrl.wIndex, ctrl.wLength); 1095 ctrl.wIndex, ctrl.wLength);
1096 if (ctrl.bRequestType & 0x80) { 1096 if (ctrl.bRequestType & 0x80) {
1097 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data, 1097 if (ctrl.wLength && !access_ok(ctrl.data,
1098 ctrl.wLength)) { 1098 ctrl.wLength)) {
1099 ret = -EINVAL; 1099 ret = -EINVAL;
1100 goto done; 1100 goto done;
@@ -1183,7 +1183,7 @@ static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1183 } 1183 }
1184 tmo = bulk.timeout; 1184 tmo = bulk.timeout;
1185 if (bulk.ep & 0x80) { 1185 if (bulk.ep & 0x80) {
1186 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) { 1186 if (len1 && !access_ok(bulk.data, len1)) {
1187 ret = -EINVAL; 1187 ret = -EINVAL;
1188 goto done; 1188 goto done;
1189 } 1189 }
@@ -1584,8 +1584,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
1584 } 1584 }
1585 1585
1586 if (uurb->buffer_length > 0 && 1586 if (uurb->buffer_length > 0 &&
1587 !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ, 1587 !access_ok(uurb->buffer, uurb->buffer_length)) {
1588 uurb->buffer, uurb->buffer_length)) {
1589 ret = -EFAULT; 1588 ret = -EFAULT;
1590 goto error; 1589 goto error;
1591 } 1590 }
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 54e859dcb25c..75b113a5b25c 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -252,7 +252,7 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
252 if (!count) 252 if (!count)
253 return 0; 253 return 0;
254 254
255 if (!access_ok(VERIFY_WRITE, buffer, count)) 255 if (!access_ok(buffer, count))
256 return -EFAULT; 256 return -EFAULT;
257 257
258 spin_lock_irqsave(&hidg->read_spinlock, flags); 258 spin_lock_irqsave(&hidg->read_spinlock, flags);
@@ -339,7 +339,7 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
339 unsigned long flags; 339 unsigned long flags;
340 ssize_t status = -ENOMEM; 340 ssize_t status = -ENOMEM;
341 341
342 if (!access_ok(VERIFY_READ, buffer, count)) 342 if (!access_ok(buffer, count))
343 return -EFAULT; 343 return -EFAULT;
344 344
345 spin_lock_irqsave(&hidg->write_spinlock, flags); 345 spin_lock_irqsave(&hidg->write_spinlock, flags);
diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
index 11247322d587..660712e0bf98 100644
--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
+++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
@@ -88,7 +88,7 @@ static ssize_t queue_dbg_read(struct file *file, char __user *buf,
88 size_t len, remaining, actual = 0; 88 size_t len, remaining, actual = 0;
89 char tmpbuf[38]; 89 char tmpbuf[38];
90 90
91 if (!access_ok(VERIFY_WRITE, buf, nbytes)) 91 if (!access_ok(buf, nbytes))
92 return -EFAULT; 92 return -EFAULT;
93 93
94 inode_lock(file_inode(file)); 94 inode_lock(file_inode(file));
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 55e5aa662ad5..9f7942cbcbb2 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -655,7 +655,7 @@ static bool log_access_ok(void __user *log_base, u64 addr, unsigned long sz)
655 a + (unsigned long)log_base > ULONG_MAX) 655 a + (unsigned long)log_base > ULONG_MAX)
656 return false; 656 return false;
657 657
658 return access_ok(VERIFY_WRITE, log_base + a, 658 return access_ok(log_base + a,
659 (sz + VHOST_PAGE_SIZE * 8 - 1) / VHOST_PAGE_SIZE / 8); 659 (sz + VHOST_PAGE_SIZE * 8 - 1) / VHOST_PAGE_SIZE / 8);
660} 660}
661 661
@@ -681,7 +681,7 @@ static bool vq_memory_access_ok(void __user *log_base, struct vhost_umem *umem,
681 return false; 681 return false;
682 682
683 683
684 if (!access_ok(VERIFY_WRITE, (void __user *)a, 684 if (!access_ok((void __user *)a,
685 node->size)) 685 node->size))
686 return false; 686 return false;
687 else if (log_all && !log_access_ok(log_base, 687 else if (log_all && !log_access_ok(log_base,
@@ -973,10 +973,10 @@ static bool umem_access_ok(u64 uaddr, u64 size, int access)
973 return false; 973 return false;
974 974
975 if ((access & VHOST_ACCESS_RO) && 975 if ((access & VHOST_ACCESS_RO) &&
976 !access_ok(VERIFY_READ, (void __user *)a, size)) 976 !access_ok((void __user *)a, size))
977 return false; 977 return false;
978 if ((access & VHOST_ACCESS_WO) && 978 if ((access & VHOST_ACCESS_WO) &&
979 !access_ok(VERIFY_WRITE, (void __user *)a, size)) 979 !access_ok((void __user *)a, size))
980 return false; 980 return false;
981 return true; 981 return true;
982} 982}
@@ -1185,10 +1185,10 @@ static bool vq_access_ok(struct vhost_virtqueue *vq, unsigned int num,
1185{ 1185{
1186 size_t s = vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0; 1186 size_t s = vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0;
1187 1187
1188 return access_ok(VERIFY_READ, desc, num * sizeof *desc) && 1188 return access_ok(desc, num * sizeof *desc) &&
1189 access_ok(VERIFY_READ, avail, 1189 access_ok(avail,
1190 sizeof *avail + num * sizeof *avail->ring + s) && 1190 sizeof *avail + num * sizeof *avail->ring + s) &&
1191 access_ok(VERIFY_WRITE, used, 1191 access_ok(used,
1192 sizeof *used + num * sizeof *used->ring + s); 1192 sizeof *used + num * sizeof *used->ring + s);
1193} 1193}
1194 1194
@@ -1814,7 +1814,7 @@ int vhost_vq_init_access(struct vhost_virtqueue *vq)
1814 goto err; 1814 goto err;
1815 vq->signalled_used_valid = false; 1815 vq->signalled_used_valid = false;
1816 if (!vq->iotlb && 1816 if (!vq->iotlb &&
1817 !access_ok(VERIFY_READ, &vq->used->idx, sizeof vq->used->idx)) { 1817 !access_ok(&vq->used->idx, sizeof vq->used->idx)) {
1818 r = -EFAULT; 1818 r = -EFAULT;
1819 goto err; 1819 goto err;
1820 } 1820 }
diff --git a/drivers/video/fbdev/amifb.c b/drivers/video/fbdev/amifb.c
index 0777aff211e5..758457026694 100644
--- a/drivers/video/fbdev/amifb.c
+++ b/drivers/video/fbdev/amifb.c
@@ -1855,7 +1855,7 @@ static int ami_get_var_cursorinfo(struct fb_var_cursorinfo *var,
1855 var->yspot = par->crsr.spot_y; 1855 var->yspot = par->crsr.spot_y;
1856 if (size > var->height * var->width) 1856 if (size > var->height * var->width)
1857 return -ENAMETOOLONG; 1857 return -ENAMETOOLONG;
1858 if (!access_ok(VERIFY_WRITE, data, size)) 1858 if (!access_ok(data, size))
1859 return -EFAULT; 1859 return -EFAULT;
1860 delta = 1 << par->crsr.fmode; 1860 delta = 1 << par->crsr.fmode;
1861 lspr = lofsprite + (delta << 1); 1861 lspr = lofsprite + (delta << 1);
@@ -1935,7 +1935,7 @@ static int ami_set_var_cursorinfo(struct fb_var_cursorinfo *var,
1935 return -EINVAL; 1935 return -EINVAL;
1936 if (!var->height) 1936 if (!var->height)
1937 return -EINVAL; 1937 return -EINVAL;
1938 if (!access_ok(VERIFY_READ, data, var->width * var->height)) 1938 if (!access_ok(data, var->width * var->height))
1939 return -EFAULT; 1939 return -EFAULT;
1940 delta = 1 << fmode; 1940 delta = 1 << fmode;
1941 lofsprite = shfsprite = (u_short *)spritememory; 1941 lofsprite = shfsprite = (u_short *)spritememory;
diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
index a3edb20ea4c3..53f93616c671 100644
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -493,7 +493,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
493 if (!display || !display->driver->memory_read) 493 if (!display || !display->driver->memory_read)
494 return -ENOENT; 494 return -ENOENT;
495 495
496 if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size)) 496 if (!access_ok(mr->buffer, mr->buffer_size))
497 return -EFAULT; 497 return -EFAULT;
498 498
499 if (mr->w > 4096 || mr->h > 4096) 499 if (mr->w > 4096 || mr->h > 4096)
diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index 7e6e682104dc..b24ddac1604b 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -459,14 +459,14 @@ static long privcmd_ioctl_mmap_batch(
459 return -EFAULT; 459 return -EFAULT;
460 /* Returns per-frame error in m.arr. */ 460 /* Returns per-frame error in m.arr. */
461 m.err = NULL; 461 m.err = NULL;
462 if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) 462 if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
463 return -EFAULT; 463 return -EFAULT;
464 break; 464 break;
465 case 2: 465 case 2:
466 if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2))) 466 if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
467 return -EFAULT; 467 return -EFAULT;
468 /* Returns per-frame error code in m.err. */ 468 /* Returns per-frame error code in m.err. */
469 if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err)))) 469 if (!access_ok(m.err, m.num * (sizeof(*m.err))))
470 return -EFAULT; 470 return -EFAULT;
471 break; 471 break;
472 default: 472 default:
@@ -661,7 +661,7 @@ static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
661 goto out; 661 goto out;
662 } 662 }
663 663
664 if (!access_ok(VERIFY_WRITE, kbufs[i].uptr, 664 if (!access_ok(kbufs[i].uptr,
665 kbufs[i].size)) { 665 kbufs[i].size)) {
666 rc = -EFAULT; 666 rc = -EFAULT;
667 goto out; 667 goto out;
diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
index c3deb2e35f20..ca9725f18e00 100644
--- a/fs/binfmt_aout.c
+++ b/fs/binfmt_aout.c
@@ -78,9 +78,9 @@ static int aout_core_dump(struct coredump_params *cprm)
78 78
79/* make sure we actually have a data and stack area to dump */ 79/* make sure we actually have a data and stack area to dump */
80 set_fs(USER_DS); 80 set_fs(USER_DS);
81 if (!access_ok(VERIFY_READ, START_DATA(dump), dump.u_dsize << PAGE_SHIFT)) 81 if (!access_ok(START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
82 dump.u_dsize = 0; 82 dump.u_dsize = 0;
83 if (!access_ok(VERIFY_READ, START_STACK(dump), dump.u_ssize << PAGE_SHIFT)) 83 if (!access_ok(START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
84 dump.u_ssize = 0; 84 dump.u_ssize = 0;
85 85
86 set_fs(KERNEL_DS); 86 set_fs(KERNEL_DS);
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 1b15b43905f8..7ea2d6b1f170 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6646,7 +6646,7 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
6646 goto out; 6646 goto out;
6647 } 6647 }
6648 6648
6649 if (!access_ok(VERIFY_READ, arg->clone_sources, 6649 if (!access_ok(arg->clone_sources,
6650 sizeof(*arg->clone_sources) * 6650 sizeof(*arg->clone_sources) *
6651 arg->clone_sources_count)) { 6651 arg->clone_sources_count)) {
6652 ret = -EFAULT; 6652 ret = -EFAULT;
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 8a5a1010886b..7ebae39fbcb3 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -2172,7 +2172,7 @@ static int do_epoll_wait(int epfd, struct epoll_event __user *events,
2172 return -EINVAL; 2172 return -EINVAL;
2173 2173
2174 /* Verify that the area passed by the user is writeable */ 2174 /* Verify that the area passed by the user is writeable */
2175 if (!access_ok(VERIFY_WRITE, events, maxevents * sizeof(struct epoll_event))) 2175 if (!access_ok(events, maxevents * sizeof(struct epoll_event)))
2176 return -EFAULT; 2176 return -EFAULT;
2177 2177
2178 /* Get the "struct file *" for the eventpoll file */ 2178 /* Get the "struct file *" for the eventpoll file */
diff --git a/fs/fat/dir.c b/fs/fat/dir.c
index c8366cb8eccd..0295a095b920 100644
--- a/fs/fat/dir.c
+++ b/fs/fat/dir.c
@@ -805,7 +805,7 @@ static long fat_dir_ioctl(struct file *filp, unsigned int cmd,
805 return fat_generic_ioctl(filp, cmd, arg); 805 return fat_generic_ioctl(filp, cmd, arg);
806 } 806 }
807 807
808 if (!access_ok(VERIFY_WRITE, d1, sizeof(struct __fat_dirent[2]))) 808 if (!access_ok(d1, sizeof(struct __fat_dirent[2])))
809 return -EFAULT; 809 return -EFAULT;
810 /* 810 /*
811 * Yes, we don't need this put_user() absolutely. However old 811 * Yes, we don't need this put_user() absolutely. However old
@@ -845,7 +845,7 @@ static long fat_compat_dir_ioctl(struct file *filp, unsigned cmd,
845 return fat_generic_ioctl(filp, cmd, (unsigned long)arg); 845 return fat_generic_ioctl(filp, cmd, (unsigned long)arg);
846 } 846 }
847 847
848 if (!access_ok(VERIFY_WRITE, d1, sizeof(struct compat_dirent[2]))) 848 if (!access_ok(d1, sizeof(struct compat_dirent[2])))
849 return -EFAULT; 849 return -EFAULT;
850 /* 850 /*
851 * Yes, we don't need this put_user() absolutely. However old 851 * Yes, we don't need this put_user() absolutely. However old
diff --git a/fs/ioctl.c b/fs/ioctl.c
index d64f622cac8b..fef3a6bf7c78 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -203,7 +203,7 @@ static int ioctl_fiemap(struct file *filp, unsigned long arg)
203 fieinfo.fi_extents_start = ufiemap->fm_extents; 203 fieinfo.fi_extents_start = ufiemap->fm_extents;
204 204
205 if (fiemap.fm_extent_count != 0 && 205 if (fiemap.fm_extent_count != 0 &&
206 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start, 206 !access_ok(fieinfo.fi_extents_start,
207 fieinfo.fi_extents_max * sizeof(struct fiemap_extent))) 207 fieinfo.fi_extents_max * sizeof(struct fiemap_extent)))
208 return -EFAULT; 208 return -EFAULT;
209 209
diff --git a/fs/namespace.c b/fs/namespace.c
index a7f91265ea67..97b7c7098c3d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2651,7 +2651,7 @@ static long exact_copy_from_user(void *to, const void __user * from,
2651 const char __user *f = from; 2651 const char __user *f = from;
2652 char c; 2652 char c;
2653 2653
2654 if (!access_ok(VERIFY_READ, from, n)) 2654 if (!access_ok(from, n))
2655 return n; 2655 return n;
2656 2656
2657 current->kernel_uaccess_faults_ok++; 2657 current->kernel_uaccess_faults_ok++;
diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c
index b8fa1487cd85..8decbe95dcec 100644
--- a/fs/ocfs2/dlmfs/dlmfs.c
+++ b/fs/ocfs2/dlmfs/dlmfs.c
@@ -254,7 +254,7 @@ static ssize_t dlmfs_file_read(struct file *filp,
254 if (!count) 254 if (!count)
255 return 0; 255 return 0;
256 256
257 if (!access_ok(VERIFY_WRITE, buf, count)) 257 if (!access_ok(buf, count))
258 return -EFAULT; 258 return -EFAULT;
259 259
260 /* don't read past the lvb */ 260 /* don't read past the lvb */
@@ -302,7 +302,7 @@ static ssize_t dlmfs_file_write(struct file *filp,
302 if (!count) 302 if (!count)
303 return 0; 303 return 0;
304 304
305 if (!access_ok(VERIFY_READ, buf, count)) 305 if (!access_ok(buf, count))
306 return -EFAULT; 306 return -EFAULT;
307 307
308 /* don't write past the lvb */ 308 /* don't write past the lvb */
diff --git a/fs/pstore/pmsg.c b/fs/pstore/pmsg.c
index 24db02de1787..97fcef74e5af 100644
--- a/fs/pstore/pmsg.c
+++ b/fs/pstore/pmsg.c
@@ -33,7 +33,7 @@ static ssize_t write_pmsg(struct file *file, const char __user *buf,
33 record.size = count; 33 record.size = count;
34 34
35 /* check outside lock, page in any data. write_user also checks */ 35 /* check outside lock, page in any data. write_user also checks */
36 if (!access_ok(VERIFY_READ, buf, count)) 36 if (!access_ok(buf, count))
37 return -EFAULT; 37 return -EFAULT;
38 38
39 mutex_lock(&pmsg_lock); 39 mutex_lock(&pmsg_lock);
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index c11711c2cc83..f375c0735351 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -357,7 +357,7 @@ int notrace persistent_ram_write_user(struct persistent_ram_zone *prz,
357 int rem, ret = 0, c = count; 357 int rem, ret = 0, c = count;
358 size_t start; 358 size_t start;
359 359
360 if (unlikely(!access_ok(VERIFY_READ, s, count))) 360 if (unlikely(!access_ok(s, count)))
361 return -EFAULT; 361 return -EFAULT;
362 if (unlikely(c > prz->buffer_size)) { 362 if (unlikely(c > prz->buffer_size)) {
363 s += c - prz->buffer_size; 363 s += c - prz->buffer_size;
diff --git a/fs/read_write.c b/fs/read_write.c
index 58f30537c47a..ff3c5e6f87cf 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -442,7 +442,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
442 return -EBADF; 442 return -EBADF;
443 if (!(file->f_mode & FMODE_CAN_READ)) 443 if (!(file->f_mode & FMODE_CAN_READ))
444 return -EINVAL; 444 return -EINVAL;
445 if (unlikely(!access_ok(VERIFY_WRITE, buf, count))) 445 if (unlikely(!access_ok(buf, count)))
446 return -EFAULT; 446 return -EFAULT;
447 447
448 ret = rw_verify_area(READ, file, pos, count); 448 ret = rw_verify_area(READ, file, pos, count);
@@ -538,7 +538,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
538 return -EBADF; 538 return -EBADF;
539 if (!(file->f_mode & FMODE_CAN_WRITE)) 539 if (!(file->f_mode & FMODE_CAN_WRITE))
540 return -EINVAL; 540 return -EINVAL;
541 if (unlikely(!access_ok(VERIFY_READ, buf, count))) 541 if (unlikely(!access_ok(buf, count)))
542 return -EFAULT; 542 return -EFAULT;
543 543
544 ret = rw_verify_area(WRITE, file, pos, count); 544 ret = rw_verify_area(WRITE, file, pos, count);
@@ -718,9 +718,6 @@ static ssize_t do_loop_readv_writev(struct file *filp, struct iov_iter *iter,
718 return ret; 718 return ret;
719} 719}
720 720
721/* A write operation does a read from user space and vice versa */
722#define vrfy_dir(type) ((type) == READ ? VERIFY_WRITE : VERIFY_READ)
723
724/** 721/**
725 * rw_copy_check_uvector() - Copy an array of &struct iovec from userspace 722 * rw_copy_check_uvector() - Copy an array of &struct iovec from userspace
726 * into the kernel and check that it is valid. 723 * into the kernel and check that it is valid.
@@ -810,7 +807,7 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
810 goto out; 807 goto out;
811 } 808 }
812 if (type >= 0 809 if (type >= 0
813 && unlikely(!access_ok(vrfy_dir(type), buf, len))) { 810 && unlikely(!access_ok(buf, len))) {
814 ret = -EFAULT; 811 ret = -EFAULT;
815 goto out; 812 goto out;
816 } 813 }
@@ -856,7 +853,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
856 *ret_pointer = iov; 853 *ret_pointer = iov;
857 854
858 ret = -EFAULT; 855 ret = -EFAULT;
859 if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector))) 856 if (!access_ok(uvector, nr_segs*sizeof(*uvector)))
860 goto out; 857 goto out;
861 858
862 /* 859 /*
@@ -881,7 +878,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
881 if (len < 0) /* size_t not fitting in compat_ssize_t .. */ 878 if (len < 0) /* size_t not fitting in compat_ssize_t .. */
882 goto out; 879 goto out;
883 if (type >= 0 && 880 if (type >= 0 &&
884 !access_ok(vrfy_dir(type), compat_ptr(buf), len)) { 881 !access_ok(compat_ptr(buf), len)) {
885 ret = -EFAULT; 882 ret = -EFAULT;
886 goto out; 883 goto out;
887 } 884 }
diff --git a/fs/readdir.c b/fs/readdir.c
index d97f548e6323..2f6a4534e0df 100644
--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -105,7 +105,7 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
105 } 105 }
106 buf->result++; 106 buf->result++;
107 dirent = buf->dirent; 107 dirent = buf->dirent;
108 if (!access_ok(VERIFY_WRITE, dirent, 108 if (!access_ok(dirent,
109 (unsigned long)(dirent->d_name + namlen + 1) - 109 (unsigned long)(dirent->d_name + namlen + 1) -
110 (unsigned long)dirent)) 110 (unsigned long)dirent))
111 goto efault; 111 goto efault;
@@ -221,7 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
221 }; 221 };
222 int error; 222 int error;
223 223
224 if (!access_ok(VERIFY_WRITE, dirent, count)) 224 if (!access_ok(dirent, count))
225 return -EFAULT; 225 return -EFAULT;
226 226
227 f = fdget_pos(fd); 227 f = fdget_pos(fd);
@@ -304,7 +304,7 @@ int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
304 }; 304 };
305 int error; 305 int error;
306 306
307 if (!access_ok(VERIFY_WRITE, dirent, count)) 307 if (!access_ok(dirent, count))
308 return -EFAULT; 308 return -EFAULT;
309 309
310 f = fdget_pos(fd); 310 f = fdget_pos(fd);
@@ -365,7 +365,7 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
365 } 365 }
366 buf->result++; 366 buf->result++;
367 dirent = buf->dirent; 367 dirent = buf->dirent;
368 if (!access_ok(VERIFY_WRITE, dirent, 368 if (!access_ok(dirent,
369 (unsigned long)(dirent->d_name + namlen + 1) - 369 (unsigned long)(dirent->d_name + namlen + 1) -
370 (unsigned long)dirent)) 370 (unsigned long)dirent))
371 goto efault; 371 goto efault;
@@ -475,7 +475,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
475 }; 475 };
476 int error; 476 int error;
477 477
478 if (!access_ok(VERIFY_WRITE, dirent, count)) 478 if (!access_ok(dirent, count))
479 return -EFAULT; 479 return -EFAULT;
480 480
481 f = fdget_pos(fd); 481 f = fdget_pos(fd);
diff --git a/fs/select.c b/fs/select.c
index 4c8652390c94..d0f35dbc0e8f 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -381,9 +381,6 @@ typedef struct {
381#define FDS_BYTES(nr) (FDS_LONGS(nr)*sizeof(long)) 381#define FDS_BYTES(nr) (FDS_LONGS(nr)*sizeof(long))
382 382
383/* 383/*
384 * We do a VERIFY_WRITE here even though we are only reading this time:
385 * we'll write to it eventually..
386 *
387 * Use "unsigned long" accesses to let user-mode fd_set's be long-aligned. 384 * Use "unsigned long" accesses to let user-mode fd_set's be long-aligned.
388 */ 385 */
389static inline 386static inline
@@ -782,7 +779,7 @@ SYSCALL_DEFINE6(pselect6, int, n, fd_set __user *, inp, fd_set __user *, outp,
782 sigset_t __user *up = NULL; 779 sigset_t __user *up = NULL;
783 780
784 if (sig) { 781 if (sig) {
785 if (!access_ok(VERIFY_READ, sig, sizeof(void *)+sizeof(size_t)) 782 if (!access_ok(sig, sizeof(void *)+sizeof(size_t))
786 || __get_user(up, (sigset_t __user * __user *)sig) 783 || __get_user(up, (sigset_t __user * __user *)sig)
787 || __get_user(sigsetsize, 784 || __get_user(sigsetsize,
788 (size_t __user *)(sig+sizeof(void *)))) 785 (size_t __user *)(sig+sizeof(void *))))
@@ -802,7 +799,7 @@ SYSCALL_DEFINE6(pselect6_time32, int, n, fd_set __user *, inp, fd_set __user *,
802 sigset_t __user *up = NULL; 799 sigset_t __user *up = NULL;
803 800
804 if (sig) { 801 if (sig) {
805 if (!access_ok(VERIFY_READ, sig, sizeof(void *)+sizeof(size_t)) 802 if (!access_ok(sig, sizeof(void *)+sizeof(size_t))
806 || __get_user(up, (sigset_t __user * __user *)sig) 803 || __get_user(up, (sigset_t __user * __user *)sig)
807 || __get_user(sigsetsize, 804 || __get_user(sigsetsize,
808 (size_t __user *)(sig+sizeof(void *)))) 805 (size_t __user *)(sig+sizeof(void *))))
@@ -1368,7 +1365,7 @@ COMPAT_SYSCALL_DEFINE6(pselect6_time64, int, n, compat_ulong_t __user *, inp,
1368 compat_uptr_t up = 0; 1365 compat_uptr_t up = 0;
1369 1366
1370 if (sig) { 1367 if (sig) {
1371 if (!access_ok(VERIFY_READ, sig, 1368 if (!access_ok(sig,
1372 sizeof(compat_uptr_t)+sizeof(compat_size_t)) || 1369 sizeof(compat_uptr_t)+sizeof(compat_size_t)) ||
1373 __get_user(up, (compat_uptr_t __user *)sig) || 1370 __get_user(up, (compat_uptr_t __user *)sig) ||
1374 __get_user(sigsetsize, 1371 __get_user(sigsetsize,
@@ -1390,7 +1387,7 @@ COMPAT_SYSCALL_DEFINE6(pselect6, int, n, compat_ulong_t __user *, inp,
1390 compat_uptr_t up = 0; 1387 compat_uptr_t up = 0;
1391 1388
1392 if (sig) { 1389 if (sig) {
1393 if (!access_ok(VERIFY_READ, sig, 1390 if (!access_ok(sig,
1394 sizeof(compat_uptr_t)+sizeof(compat_size_t)) || 1391 sizeof(compat_uptr_t)+sizeof(compat_size_t)) ||
1395 __get_user(up, (compat_uptr_t __user *)sig) || 1392 __get_user(up, (compat_uptr_t __user *)sig) ||
1396 __get_user(sigsetsize, 1393 __get_user(sigsetsize,
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index 6b2e63df2739..d82c78a79da5 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -35,7 +35,7 @@ static inline void set_fs(mm_segment_t fs)
35#define segment_eq(a, b) ((a).seg == (b).seg) 35#define segment_eq(a, b) ((a).seg == (b).seg)
36#endif 36#endif
37 37
38#define access_ok(type, addr, size) __access_ok((unsigned long)(addr),(size)) 38#define access_ok(addr, size) __access_ok((unsigned long)(addr),(size))
39 39
40/* 40/*
41 * The architecture should really override this if possible, at least 41 * The architecture should really override this if possible, at least
@@ -78,7 +78,7 @@ static inline int __access_ok(unsigned long addr, unsigned long size)
78({ \ 78({ \
79 void __user *__p = (ptr); \ 79 void __user *__p = (ptr); \
80 might_fault(); \ 80 might_fault(); \
81 access_ok(VERIFY_WRITE, __p, sizeof(*ptr)) ? \ 81 access_ok(__p, sizeof(*ptr)) ? \
82 __put_user((x), ((__typeof__(*(ptr)) __user *)__p)) : \ 82 __put_user((x), ((__typeof__(*(ptr)) __user *)__p)) : \
83 -EFAULT; \ 83 -EFAULT; \
84}) 84})
@@ -140,7 +140,7 @@ extern int __put_user_bad(void) __attribute__((noreturn));
140({ \ 140({ \
141 const void __user *__p = (ptr); \ 141 const void __user *__p = (ptr); \
142 might_fault(); \ 142 might_fault(); \
143 access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \ 143 access_ok(__p, sizeof(*ptr)) ? \
144 __get_user((x), (__typeof__(*(ptr)) __user *)__p) :\ 144 __get_user((x), (__typeof__(*(ptr)) __user *)__p) :\
145 ((x) = (__typeof__(*(ptr)))0,-EFAULT); \ 145 ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
146}) 146})
@@ -175,7 +175,7 @@ __strncpy_from_user(char *dst, const char __user *src, long count)
175static inline long 175static inline long
176strncpy_from_user(char *dst, const char __user *src, long count) 176strncpy_from_user(char *dst, const char __user *src, long count)
177{ 177{
178 if (!access_ok(VERIFY_READ, src, 1)) 178 if (!access_ok(src, 1))
179 return -EFAULT; 179 return -EFAULT;
180 return __strncpy_from_user(dst, src, count); 180 return __strncpy_from_user(dst, src, count);
181} 181}
@@ -196,7 +196,7 @@ strncpy_from_user(char *dst, const char __user *src, long count)
196 */ 196 */
197static inline long strnlen_user(const char __user *src, long n) 197static inline long strnlen_user(const char __user *src, long n)
198{ 198{
199 if (!access_ok(VERIFY_READ, src, 1)) 199 if (!access_ok(src, 1))
200 return 0; 200 return 0;
201 return __strnlen_user(src, n); 201 return __strnlen_user(src, n);
202} 202}
@@ -217,7 +217,7 @@ static inline __must_check unsigned long
217clear_user(void __user *to, unsigned long n) 217clear_user(void __user *to, unsigned long n)
218{ 218{
219 might_fault(); 219 might_fault();
220 if (!access_ok(VERIFY_WRITE, to, n)) 220 if (!access_ok(to, n))
221 return n; 221 return n;
222 222
223 return __clear_user(to, n); 223 return __clear_user(to, n);
diff --git a/include/linux/regset.h b/include/linux/regset.h
index 494cedaafdf2..a85c1707285c 100644
--- a/include/linux/regset.h
+++ b/include/linux/regset.h
@@ -376,7 +376,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
376 if (!regset->get) 376 if (!regset->get)
377 return -EOPNOTSUPP; 377 return -EOPNOTSUPP;
378 378
379 if (!access_ok(VERIFY_WRITE, data, size)) 379 if (!access_ok(data, size))
380 return -EFAULT; 380 return -EFAULT;
381 381
382 return regset->get(target, regset, offset, size, NULL, data); 382 return regset->get(target, regset, offset, size, NULL, data);
@@ -402,7 +402,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
402 if (!regset->set) 402 if (!regset->set)
403 return -EOPNOTSUPP; 403 return -EOPNOTSUPP;
404 404
405 if (!access_ok(VERIFY_READ, data, size)) 405 if (!access_ok(data, size))
406 return -EFAULT; 406 return -EFAULT;
407 407
408 return regset->set(target, regset, offset, size, NULL, data); 408 return regset->set(target, regset, offset, size, NULL, data);
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..bf2523867a02 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -6,9 +6,6 @@
6#include <linux/thread_info.h> 6#include <linux/thread_info.h>
7#include <linux/kasan-checks.h> 7#include <linux/kasan-checks.h>
8 8
9#define VERIFY_READ 0
10#define VERIFY_WRITE 1
11
12#define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS) 9#define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
13 10
14#include <asm/uaccess.h> 11#include <asm/uaccess.h>
@@ -111,7 +108,7 @@ _copy_from_user(void *to, const void __user *from, unsigned long n)
111{ 108{
112 unsigned long res = n; 109 unsigned long res = n;
113 might_fault(); 110 might_fault();
114 if (likely(access_ok(VERIFY_READ, from, n))) { 111 if (likely(access_ok(from, n))) {
115 kasan_check_write(to, n); 112 kasan_check_write(to, n);
116 res = raw_copy_from_user(to, from, n); 113 res = raw_copy_from_user(to, from, n);
117 } 114 }
@@ -129,7 +126,7 @@ static inline unsigned long
129_copy_to_user(void __user *to, const void *from, unsigned long n) 126_copy_to_user(void __user *to, const void *from, unsigned long n)
130{ 127{
131 might_fault(); 128 might_fault();
132 if (access_ok(VERIFY_WRITE, to, n)) { 129 if (access_ok(to, n)) {
133 kasan_check_read(from, n); 130 kasan_check_read(from, n);
134 n = raw_copy_to_user(to, from, n); 131 n = raw_copy_to_user(to, from, n);
135 } 132 }
@@ -160,7 +157,7 @@ static __always_inline unsigned long __must_check
160copy_in_user(void __user *to, const void __user *from, unsigned long n) 157copy_in_user(void __user *to, const void __user *from, unsigned long n)
161{ 158{
162 might_fault(); 159 might_fault();
163 if (access_ok(VERIFY_WRITE, to, n) && access_ok(VERIFY_READ, from, n)) 160 if (access_ok(to, n) && access_ok(from, n))
164 n = raw_copy_in_user(to, from, n); 161 n = raw_copy_in_user(to, from, n);
165 return n; 162 return n;
166} 163}
diff --git a/include/net/checksum.h b/include/net/checksum.h
index aef2b2bb6603..0f319e13be2c 100644
--- a/include/net/checksum.h
+++ b/include/net/checksum.h
@@ -30,7 +30,7 @@ static inline
30__wsum csum_and_copy_from_user (const void __user *src, void *dst, 30__wsum csum_and_copy_from_user (const void __user *src, void *dst,
31 int len, __wsum sum, int *err_ptr) 31 int len, __wsum sum, int *err_ptr)
32{ 32{
33 if (access_ok(VERIFY_READ, src, len)) 33 if (access_ok(src, len))
34 return csum_partial_copy_from_user(src, dst, len, sum, err_ptr); 34 return csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
35 35
36 if (len) 36 if (len)
@@ -46,7 +46,7 @@ static __inline__ __wsum csum_and_copy_to_user
46{ 46{
47 sum = csum_partial(src, len, sum); 47 sum = csum_partial(src, len, sum);
48 48
49 if (access_ok(VERIFY_WRITE, dst, len)) { 49 if (access_ok(dst, len)) {
50 if (copy_to_user(dst, src, len) == 0) 50 if (copy_to_user(dst, src, len) == 0)
51 return sum; 51 return sum;
52 } 52 }
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 0607db304def..b155cd17c1bd 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -79,7 +79,7 @@ int bpf_check_uarg_tail_zero(void __user *uaddr,
79 if (unlikely(actual_size > PAGE_SIZE)) /* silly large */ 79 if (unlikely(actual_size > PAGE_SIZE)) /* silly large */
80 return -E2BIG; 80 return -E2BIG;
81 81
82 if (unlikely(!access_ok(VERIFY_READ, uaddr, actual_size))) 82 if (unlikely(!access_ok(uaddr, actual_size)))
83 return -EFAULT; 83 return -EFAULT;
84 84
85 if (actual_size <= expected_size) 85 if (actual_size <= expected_size)
diff --git a/kernel/compat.c b/kernel/compat.c
index 089d00d0da9c..705d4ae6c018 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -95,28 +95,28 @@ int compat_put_timex(struct compat_timex __user *utp, const struct timex *txc)
95 95
96static int __compat_get_timeval(struct timeval *tv, const struct old_timeval32 __user *ctv) 96static int __compat_get_timeval(struct timeval *tv, const struct old_timeval32 __user *ctv)
97{ 97{
98 return (!access_ok(VERIFY_READ, ctv, sizeof(*ctv)) || 98 return (!access_ok(ctv, sizeof(*ctv)) ||
99 __get_user(tv->tv_sec, &ctv->tv_sec) || 99 __get_user(tv->tv_sec, &ctv->tv_sec) ||
100 __get_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0; 100 __get_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0;
101} 101}
102 102
103static int __compat_put_timeval(const struct timeval *tv, struct old_timeval32 __user *ctv) 103static int __compat_put_timeval(const struct timeval *tv, struct old_timeval32 __user *ctv)
104{ 104{
105 return (!access_ok(VERIFY_WRITE, ctv, sizeof(*ctv)) || 105 return (!access_ok(ctv, sizeof(*ctv)) ||
106 __put_user(tv->tv_sec, &ctv->tv_sec) || 106 __put_user(tv->tv_sec, &ctv->tv_sec) ||
107 __put_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0; 107 __put_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0;
108} 108}
109 109
110static int __compat_get_timespec(struct timespec *ts, const struct old_timespec32 __user *cts) 110static int __compat_get_timespec(struct timespec *ts, const struct old_timespec32 __user *cts)
111{ 111{
112 return (!access_ok(VERIFY_READ, cts, sizeof(*cts)) || 112 return (!access_ok(cts, sizeof(*cts)) ||
113 __get_user(ts->tv_sec, &cts->tv_sec) || 113 __get_user(ts->tv_sec, &cts->tv_sec) ||
114 __get_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0; 114 __get_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
115} 115}
116 116
117static int __compat_put_timespec(const struct timespec *ts, struct old_timespec32 __user *cts) 117static int __compat_put_timespec(const struct timespec *ts, struct old_timespec32 __user *cts)
118{ 118{
119 return (!access_ok(VERIFY_WRITE, cts, sizeof(*cts)) || 119 return (!access_ok(cts, sizeof(*cts)) ||
120 __put_user(ts->tv_sec, &cts->tv_sec) || 120 __put_user(ts->tv_sec, &cts->tv_sec) ||
121 __put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0; 121 __put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
122} 122}
@@ -335,7 +335,7 @@ int get_compat_sigevent(struct sigevent *event,
335 const struct compat_sigevent __user *u_event) 335 const struct compat_sigevent __user *u_event)
336{ 336{
337 memset(event, 0, sizeof(*event)); 337 memset(event, 0, sizeof(*event));
338 return (!access_ok(VERIFY_READ, u_event, sizeof(*u_event)) || 338 return (!access_ok(u_event, sizeof(*u_event)) ||
339 __get_user(event->sigev_value.sival_int, 339 __get_user(event->sigev_value.sival_int,
340 &u_event->sigev_value.sival_int) || 340 &u_event->sigev_value.sival_int) ||
341 __get_user(event->sigev_signo, &u_event->sigev_signo) || 341 __get_user(event->sigev_signo, &u_event->sigev_signo) ||
@@ -354,7 +354,7 @@ long compat_get_bitmap(unsigned long *mask, const compat_ulong_t __user *umask,
354 bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG); 354 bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
355 nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size); 355 nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
356 356
357 if (!access_ok(VERIFY_READ, umask, bitmap_size / 8)) 357 if (!access_ok(umask, bitmap_size / 8))
358 return -EFAULT; 358 return -EFAULT;
359 359
360 user_access_begin(); 360 user_access_begin();
@@ -384,7 +384,7 @@ long compat_put_bitmap(compat_ulong_t __user *umask, unsigned long *mask,
384 bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG); 384 bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
385 nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size); 385 nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
386 386
387 if (!access_ok(VERIFY_WRITE, umask, bitmap_size / 8)) 387 if (!access_ok(umask, bitmap_size / 8))
388 return -EFAULT; 388 return -EFAULT;
389 389
390 user_access_begin(); 390 user_access_begin();
@@ -438,7 +438,7 @@ void __user *compat_alloc_user_space(unsigned long len)
438 438
439 ptr = arch_compat_alloc_user_space(len); 439 ptr = arch_compat_alloc_user_space(len);
440 440
441 if (unlikely(!access_ok(VERIFY_WRITE, ptr, len))) 441 if (unlikely(!access_ok(ptr, len)))
442 return NULL; 442 return NULL;
443 443
444 return ptr; 444 return ptr;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 67ecac337374..3cd13a30f732 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10135,7 +10135,7 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
10135 u32 size; 10135 u32 size;
10136 int ret; 10136 int ret;
10137 10137
10138 if (!access_ok(VERIFY_WRITE, uattr, PERF_ATTR_SIZE_VER0)) 10138 if (!access_ok(uattr, PERF_ATTR_SIZE_VER0))
10139 return -EFAULT; 10139 return -EFAULT;
10140 10140
10141 /* 10141 /*
diff --git a/kernel/exit.c b/kernel/exit.c
index 0e21e6d21f35..8a01b671dc1f 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1604,7 +1604,7 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
1604 if (!infop) 1604 if (!infop)
1605 return err; 1605 return err;
1606 1606
1607 if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) 1607 if (!access_ok(infop, sizeof(*infop)))
1608 return -EFAULT; 1608 return -EFAULT;
1609 1609
1610 user_access_begin(); 1610 user_access_begin();
@@ -1732,7 +1732,7 @@ COMPAT_SYSCALL_DEFINE5(waitid,
1732 if (!infop) 1732 if (!infop)
1733 return err; 1733 return err;
1734 1734
1735 if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) 1735 if (!access_ok(infop, sizeof(*infop)))
1736 return -EFAULT; 1736 return -EFAULT;
1737 1737
1738 user_access_begin(); 1738 user_access_begin();
diff --git a/kernel/futex.c b/kernel/futex.c
index 054105854e0e..be3bff2315ff 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -481,13 +481,18 @@ static void drop_futex_key_refs(union futex_key *key)
481 } 481 }
482} 482}
483 483
484enum futex_access {
485 FUTEX_READ,
486 FUTEX_WRITE
487};
488
484/** 489/**
485 * get_futex_key() - Get parameters which are the keys for a futex 490 * get_futex_key() - Get parameters which are the keys for a futex
486 * @uaddr: virtual address of the futex 491 * @uaddr: virtual address of the futex
487 * @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED 492 * @fshared: 0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
488 * @key: address where result is stored. 493 * @key: address where result is stored.
489 * @rw: mapping needs to be read/write (values: VERIFY_READ, 494 * @rw: mapping needs to be read/write (values: FUTEX_READ,
490 * VERIFY_WRITE) 495 * FUTEX_WRITE)
491 * 496 *
492 * Return: a negative error code or 0 497 * Return: a negative error code or 0
493 * 498 *
@@ -500,7 +505,7 @@ static void drop_futex_key_refs(union futex_key *key)
500 * lock_page() might sleep, the caller should not hold a spinlock. 505 * lock_page() might sleep, the caller should not hold a spinlock.
501 */ 506 */
502static int 507static int
503get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) 508get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, enum futex_access rw)
504{ 509{
505 unsigned long address = (unsigned long)uaddr; 510 unsigned long address = (unsigned long)uaddr;
506 struct mm_struct *mm = current->mm; 511 struct mm_struct *mm = current->mm;
@@ -516,7 +521,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
516 return -EINVAL; 521 return -EINVAL;
517 address -= key->both.offset; 522 address -= key->both.offset;
518 523
519 if (unlikely(!access_ok(rw, uaddr, sizeof(u32)))) 524 if (unlikely(!access_ok(uaddr, sizeof(u32))))
520 return -EFAULT; 525 return -EFAULT;
521 526
522 if (unlikely(should_fail_futex(fshared))) 527 if (unlikely(should_fail_futex(fshared)))
@@ -546,7 +551,7 @@ again:
546 * If write access is not required (eg. FUTEX_WAIT), try 551 * If write access is not required (eg. FUTEX_WAIT), try
547 * and get read-only access. 552 * and get read-only access.
548 */ 553 */
549 if (err == -EFAULT && rw == VERIFY_READ) { 554 if (err == -EFAULT && rw == FUTEX_READ) {
550 err = get_user_pages_fast(address, 1, 0, &page); 555 err = get_user_pages_fast(address, 1, 0, &page);
551 ro = 1; 556 ro = 1;
552 } 557 }
@@ -1583,7 +1588,7 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset)
1583 if (!bitset) 1588 if (!bitset)
1584 return -EINVAL; 1589 return -EINVAL;
1585 1590
1586 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_READ); 1591 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_READ);
1587 if (unlikely(ret != 0)) 1592 if (unlikely(ret != 0))
1588 goto out; 1593 goto out;
1589 1594
@@ -1642,7 +1647,7 @@ static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
1642 oparg = 1 << oparg; 1647 oparg = 1 << oparg;
1643 } 1648 }
1644 1649
1645 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) 1650 if (!access_ok(uaddr, sizeof(u32)))
1646 return -EFAULT; 1651 return -EFAULT;
1647 1652
1648 ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr); 1653 ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
@@ -1682,10 +1687,10 @@ futex_wake_op(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
1682 DEFINE_WAKE_Q(wake_q); 1687 DEFINE_WAKE_Q(wake_q);
1683 1688
1684retry: 1689retry:
1685 ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ); 1690 ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
1686 if (unlikely(ret != 0)) 1691 if (unlikely(ret != 0))
1687 goto out; 1692 goto out;
1688 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE); 1693 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
1689 if (unlikely(ret != 0)) 1694 if (unlikely(ret != 0))
1690 goto out_put_key1; 1695 goto out_put_key1;
1691 1696
@@ -1961,11 +1966,11 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
1961 } 1966 }
1962 1967
1963retry: 1968retry:
1964 ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ); 1969 ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
1965 if (unlikely(ret != 0)) 1970 if (unlikely(ret != 0))
1966 goto out; 1971 goto out;
1967 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, 1972 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2,
1968 requeue_pi ? VERIFY_WRITE : VERIFY_READ); 1973 requeue_pi ? FUTEX_WRITE : FUTEX_READ);
1969 if (unlikely(ret != 0)) 1974 if (unlikely(ret != 0))
1970 goto out_put_key1; 1975 goto out_put_key1;
1971 1976
@@ -2634,7 +2639,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
2634 * while the syscall executes. 2639 * while the syscall executes.
2635 */ 2640 */
2636retry: 2641retry:
2637 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, VERIFY_READ); 2642 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, FUTEX_READ);
2638 if (unlikely(ret != 0)) 2643 if (unlikely(ret != 0))
2639 return ret; 2644 return ret;
2640 2645
@@ -2793,7 +2798,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
2793 } 2798 }
2794 2799
2795retry: 2800retry:
2796 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, VERIFY_WRITE); 2801 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
2797 if (unlikely(ret != 0)) 2802 if (unlikely(ret != 0))
2798 goto out; 2803 goto out;
2799 2804
@@ -2972,7 +2977,7 @@ retry:
2972 if ((uval & FUTEX_TID_MASK) != vpid) 2977 if ((uval & FUTEX_TID_MASK) != vpid)
2973 return -EPERM; 2978 return -EPERM;
2974 2979
2975 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE); 2980 ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_WRITE);
2976 if (ret) 2981 if (ret)
2977 return ret; 2982 return ret;
2978 2983
@@ -3199,7 +3204,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
3199 */ 3204 */
3200 rt_mutex_init_waiter(&rt_waiter); 3205 rt_mutex_init_waiter(&rt_waiter);
3201 3206
3202 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE); 3207 ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
3203 if (unlikely(ret != 0)) 3208 if (unlikely(ret != 0))
3204 goto out; 3209 goto out;
3205 3210
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 1306fe0c1dc6..d3d170374ceb 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1466,7 +1466,7 @@ int do_syslog(int type, char __user *buf, int len, int source)
1466 return -EINVAL; 1466 return -EINVAL;
1467 if (!len) 1467 if (!len)
1468 return 0; 1468 return 0;
1469 if (!access_ok(VERIFY_WRITE, buf, len)) 1469 if (!access_ok(buf, len))
1470 return -EFAULT; 1470 return -EFAULT;
1471 error = wait_event_interruptible(log_wait, 1471 error = wait_event_interruptible(log_wait,
1472 syslog_seq != log_next_seq); 1472 syslog_seq != log_next_seq);
@@ -1484,7 +1484,7 @@ int do_syslog(int type, char __user *buf, int len, int source)
1484 return -EINVAL; 1484 return -EINVAL;
1485 if (!len) 1485 if (!len)
1486 return 0; 1486 return 0;
1487 if (!access_ok(VERIFY_WRITE, buf, len)) 1487 if (!access_ok(buf, len))
1488 return -EFAULT; 1488 return -EFAULT;
1489 error = syslog_print_all(buf, len, clear); 1489 error = syslog_print_all(buf, len, clear);
1490 break; 1490 break;
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index c2cee9db5204..771e93f9c43f 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1073,7 +1073,7 @@ int ptrace_request(struct task_struct *child, long request,
1073 struct iovec kiov; 1073 struct iovec kiov;
1074 struct iovec __user *uiov = datavp; 1074 struct iovec __user *uiov = datavp;
1075 1075
1076 if (!access_ok(VERIFY_WRITE, uiov, sizeof(*uiov))) 1076 if (!access_ok(uiov, sizeof(*uiov)))
1077 return -EFAULT; 1077 return -EFAULT;
1078 1078
1079 if (__get_user(kiov.iov_base, &uiov->iov_base) || 1079 if (__get_user(kiov.iov_base, &uiov->iov_base) ||
@@ -1229,7 +1229,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
1229 compat_uptr_t ptr; 1229 compat_uptr_t ptr;
1230 compat_size_t len; 1230 compat_size_t len;
1231 1231
1232 if (!access_ok(VERIFY_WRITE, uiov, sizeof(*uiov))) 1232 if (!access_ok(uiov, sizeof(*uiov)))
1233 return -EFAULT; 1233 return -EFAULT;
1234 1234
1235 if (__get_user(ptr, &uiov->iov_base) || 1235 if (__get_user(ptr, &uiov->iov_base) ||
diff --git a/kernel/rseq.c b/kernel/rseq.c
index c6242d8594dc..25e9a7b60eba 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -267,7 +267,7 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs)
267 267
268 if (unlikely(t->flags & PF_EXITING)) 268 if (unlikely(t->flags & PF_EXITING))
269 return; 269 return;
270 if (unlikely(!access_ok(VERIFY_WRITE, t->rseq, sizeof(*t->rseq)))) 270 if (unlikely(!access_ok(t->rseq, sizeof(*t->rseq))))
271 goto error; 271 goto error;
272 ret = rseq_ip_fixup(regs); 272 ret = rseq_ip_fixup(regs);
273 if (unlikely(ret < 0)) 273 if (unlikely(ret < 0))
@@ -295,7 +295,7 @@ void rseq_syscall(struct pt_regs *regs)
295 295
296 if (!t->rseq) 296 if (!t->rseq)
297 return; 297 return;
298 if (!access_ok(VERIFY_READ, t->rseq, sizeof(*t->rseq)) || 298 if (!access_ok(t->rseq, sizeof(*t->rseq)) ||
299 rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs)) 299 rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs))
300 force_sig(SIGSEGV, t); 300 force_sig(SIGSEGV, t);
301} 301}
@@ -351,7 +351,7 @@ SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len,
351 if (!IS_ALIGNED((unsigned long)rseq, __alignof__(*rseq)) || 351 if (!IS_ALIGNED((unsigned long)rseq, __alignof__(*rseq)) ||
352 rseq_len != sizeof(*rseq)) 352 rseq_len != sizeof(*rseq))
353 return -EINVAL; 353 return -EINVAL;
354 if (!access_ok(VERIFY_WRITE, rseq, rseq_len)) 354 if (!access_ok(rseq, rseq_len))
355 return -EFAULT; 355 return -EFAULT;
356 current->rseq = rseq; 356 current->rseq = rseq;
357 current->rseq_len = rseq_len; 357 current->rseq_len = rseq_len;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index f66920173370..1f3e19fd6dc6 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4450,7 +4450,7 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a
4450 u32 size; 4450 u32 size;
4451 int ret; 4451 int ret;
4452 4452
4453 if (!access_ok(VERIFY_WRITE, uattr, SCHED_ATTR_SIZE_VER0)) 4453 if (!access_ok(uattr, SCHED_ATTR_SIZE_VER0))
4454 return -EFAULT; 4454 return -EFAULT;
4455 4455
4456 /* Zero the full structure, so that a short copy will be nice: */ 4456 /* Zero the full structure, so that a short copy will be nice: */
@@ -4650,7 +4650,7 @@ static int sched_read_attr(struct sched_attr __user *uattr,
4650{ 4650{
4651 int ret; 4651 int ret;
4652 4652
4653 if (!access_ok(VERIFY_WRITE, uattr, usize)) 4653 if (!access_ok(uattr, usize))
4654 return -EFAULT; 4654 return -EFAULT;
4655 4655
4656 /* 4656 /*
diff --git a/kernel/signal.c b/kernel/signal.c
index 53e07d97ffe0..e1d7ad8e6ab1 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3997,7 +3997,7 @@ SYSCALL_DEFINE3(sigaction, int, sig,
3997 3997
3998 if (act) { 3998 if (act) {
3999 old_sigset_t mask; 3999 old_sigset_t mask;
4000 if (!access_ok(VERIFY_READ, act, sizeof(*act)) || 4000 if (!access_ok(act, sizeof(*act)) ||
4001 __get_user(new_ka.sa.sa_handler, &act->sa_handler) || 4001 __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
4002 __get_user(new_ka.sa.sa_restorer, &act->sa_restorer) || 4002 __get_user(new_ka.sa.sa_restorer, &act->sa_restorer) ||
4003 __get_user(new_ka.sa.sa_flags, &act->sa_flags) || 4003 __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
@@ -4012,7 +4012,7 @@ SYSCALL_DEFINE3(sigaction, int, sig,
4012 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL); 4012 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
4013 4013
4014 if (!ret && oact) { 4014 if (!ret && oact) {
4015 if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) || 4015 if (!access_ok(oact, sizeof(*oact)) ||
4016 __put_user(old_ka.sa.sa_handler, &oact->sa_handler) || 4016 __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
4017 __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) || 4017 __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) ||
4018 __put_user(old_ka.sa.sa_flags, &oact->sa_flags) || 4018 __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
@@ -4034,7 +4034,7 @@ COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
4034 compat_uptr_t handler, restorer; 4034 compat_uptr_t handler, restorer;
4035 4035
4036 if (act) { 4036 if (act) {
4037 if (!access_ok(VERIFY_READ, act, sizeof(*act)) || 4037 if (!access_ok(act, sizeof(*act)) ||
4038 __get_user(handler, &act->sa_handler) || 4038 __get_user(handler, &act->sa_handler) ||
4039 __get_user(restorer, &act->sa_restorer) || 4039 __get_user(restorer, &act->sa_restorer) ||
4040 __get_user(new_ka.sa.sa_flags, &act->sa_flags) || 4040 __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
@@ -4052,7 +4052,7 @@ COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
4052 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL); 4052 ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
4053 4053
4054 if (!ret && oact) { 4054 if (!ret && oact) {
4055 if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) || 4055 if (!access_ok(oact, sizeof(*oact)) ||
4056 __put_user(ptr_to_compat(old_ka.sa.sa_handler), 4056 __put_user(ptr_to_compat(old_ka.sa.sa_handler),
4057 &oact->sa_handler) || 4057 &oact->sa_handler) ||
4058 __put_user(ptr_to_compat(old_ka.sa.sa_restorer), 4058 __put_user(ptr_to_compat(old_ka.sa.sa_restorer),
diff --git a/kernel/sys.c b/kernel/sys.c
index 64b5a230f38d..a48cbf1414b8 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2627,7 +2627,7 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info)
2627 s.freehigh >>= bitcount; 2627 s.freehigh >>= bitcount;
2628 } 2628 }
2629 2629
2630 if (!access_ok(VERIFY_WRITE, info, sizeof(struct compat_sysinfo)) || 2630 if (!access_ok(info, sizeof(struct compat_sysinfo)) ||
2631 __put_user(s.uptime, &info->uptime) || 2631 __put_user(s.uptime, &info->uptime) ||
2632 __put_user(s.loads[0], &info->loads[0]) || 2632 __put_user(s.loads[0], &info->loads[0]) ||
2633 __put_user(s.loads[1], &info->loads[1]) || 2633 __put_user(s.loads[1], &info->loads[1]) ||
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 9ddb6fddb4e0..8b068adb9da1 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -170,7 +170,7 @@ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
170 return -EPERM; 170 return -EPERM;
171 if (unlikely(uaccess_kernel())) 171 if (unlikely(uaccess_kernel()))
172 return -EPERM; 172 return -EPERM;
173 if (!access_ok(VERIFY_WRITE, unsafe_ptr, size)) 173 if (!access_ok(unsafe_ptr, size))
174 return -EPERM; 174 return -EPERM;
175 175
176 return probe_kernel_write(unsafe_ptr, src, size); 176 return probe_kernel_write(unsafe_ptr, src, size);
diff --git a/lib/bitmap.c b/lib/bitmap.c
index eead55aa7170..98872e9025da 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -443,7 +443,7 @@ int bitmap_parse_user(const char __user *ubuf,
443 unsigned int ulen, unsigned long *maskp, 443 unsigned int ulen, unsigned long *maskp,
444 int nmaskbits) 444 int nmaskbits)
445{ 445{
446 if (!access_ok(VERIFY_READ, ubuf, ulen)) 446 if (!access_ok(ubuf, ulen))
447 return -EFAULT; 447 return -EFAULT;
448 return __bitmap_parse((const char __force *)ubuf, 448 return __bitmap_parse((const char __force *)ubuf,
449 ulen, 1, maskp, nmaskbits); 449 ulen, 1, maskp, nmaskbits);
@@ -641,7 +641,7 @@ int bitmap_parselist_user(const char __user *ubuf,
641 unsigned int ulen, unsigned long *maskp, 641 unsigned int ulen, unsigned long *maskp,
642 int nmaskbits) 642 int nmaskbits)
643{ 643{
644 if (!access_ok(VERIFY_READ, ubuf, ulen)) 644 if (!access_ok(ubuf, ulen))
645 return -EFAULT; 645 return -EFAULT;
646 return __bitmap_parselist((const char __force *)ubuf, 646 return __bitmap_parselist((const char __force *)ubuf,
647 ulen, 1, maskp, nmaskbits); 647 ulen, 1, maskp, nmaskbits);
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 1928009f506e..c93870987b58 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -136,7 +136,7 @@
136 136
137static int copyout(void __user *to, const void *from, size_t n) 137static int copyout(void __user *to, const void *from, size_t n)
138{ 138{
139 if (access_ok(VERIFY_WRITE, to, n)) { 139 if (access_ok(to, n)) {
140 kasan_check_read(from, n); 140 kasan_check_read(from, n);
141 n = raw_copy_to_user(to, from, n); 141 n = raw_copy_to_user(to, from, n);
142 } 142 }
@@ -145,7 +145,7 @@ static int copyout(void __user *to, const void *from, size_t n)
145 145
146static int copyin(void *to, const void __user *from, size_t n) 146static int copyin(void *to, const void __user *from, size_t n)
147{ 147{
148 if (access_ok(VERIFY_READ, from, n)) { 148 if (access_ok(from, n)) {
149 kasan_check_write(to, n); 149 kasan_check_write(to, n);
150 n = raw_copy_from_user(to, from, n); 150 n = raw_copy_from_user(to, from, n);
151 } 151 }
@@ -614,7 +614,7 @@ EXPORT_SYMBOL(_copy_to_iter);
614#ifdef CONFIG_ARCH_HAS_UACCESS_MCSAFE 614#ifdef CONFIG_ARCH_HAS_UACCESS_MCSAFE
615static int copyout_mcsafe(void __user *to, const void *from, size_t n) 615static int copyout_mcsafe(void __user *to, const void *from, size_t n)
616{ 616{
617 if (access_ok(VERIFY_WRITE, to, n)) { 617 if (access_ok(to, n)) {
618 kasan_check_read(from, n); 618 kasan_check_read(from, n);
619 n = copy_to_user_mcsafe((__force void *) to, from, n); 619 n = copy_to_user_mcsafe((__force void *) to, from, n);
620 } 620 }
@@ -1663,7 +1663,7 @@ int import_single_range(int rw, void __user *buf, size_t len,
1663{ 1663{
1664 if (len > MAX_RW_COUNT) 1664 if (len > MAX_RW_COUNT)
1665 len = MAX_RW_COUNT; 1665 len = MAX_RW_COUNT;
1666 if (unlikely(!access_ok(!rw, buf, len))) 1666 if (unlikely(!access_ok(buf, len)))
1667 return -EFAULT; 1667 return -EFAULT;
1668 1668
1669 iov->iov_base = buf; 1669 iov->iov_base = buf;
diff --git a/lib/usercopy.c b/lib/usercopy.c
index 3744b2a8e591..c2bfbcaeb3dc 100644
--- a/lib/usercopy.c
+++ b/lib/usercopy.c
@@ -8,7 +8,7 @@ unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n
8{ 8{
9 unsigned long res = n; 9 unsigned long res = n;
10 might_fault(); 10 might_fault();
11 if (likely(access_ok(VERIFY_READ, from, n))) { 11 if (likely(access_ok(from, n))) {
12 kasan_check_write(to, n); 12 kasan_check_write(to, n);
13 res = raw_copy_from_user(to, from, n); 13 res = raw_copy_from_user(to, from, n);
14 } 14 }
@@ -23,7 +23,7 @@ EXPORT_SYMBOL(_copy_from_user);
23unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n) 23unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
24{ 24{
25 might_fault(); 25 might_fault();
26 if (likely(access_ok(VERIFY_WRITE, to, n))) { 26 if (likely(access_ok(to, n))) {
27 kasan_check_read(from, n); 27 kasan_check_read(from, n);
28 n = raw_copy_to_user(to, from, n); 28 n = raw_copy_to_user(to, from, n);
29 } 29 }
diff --git a/mm/gup.c b/mm/gup.c
index 8cb68a50dbdf..6f591ccb8eca 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1813,8 +1813,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
1813 len = (unsigned long) nr_pages << PAGE_SHIFT; 1813 len = (unsigned long) nr_pages << PAGE_SHIFT;
1814 end = start + len; 1814 end = start + len;
1815 1815
1816 if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, 1816 if (unlikely(!access_ok((void __user *)start, len)))
1817 (void __user *)start, len)))
1818 return 0; 1817 return 0;
1819 1818
1820 /* 1819 /*
@@ -1868,8 +1867,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
1868 if (nr_pages <= 0) 1867 if (nr_pages <= 0)
1869 return 0; 1868 return 0;
1870 1869
1871 if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, 1870 if (unlikely(!access_ok((void __user *)start, len)))
1872 (void __user *)start, len)))
1873 return -EFAULT; 1871 return -EFAULT;
1874 1872
1875 if (gup_fast_permitted(start, nr_pages, write)) { 1873 if (gup_fast_permitted(start, nr_pages, write)) {
diff --git a/mm/mincore.c b/mm/mincore.c
index 4985965aa20a..218099b5ed31 100644
--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -233,14 +233,14 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len,
233 return -EINVAL; 233 return -EINVAL;
234 234
235 /* ..and we need to be passed a valid user-space range */ 235 /* ..and we need to be passed a valid user-space range */
236 if (!access_ok(VERIFY_READ, (void __user *) start, len)) 236 if (!access_ok((void __user *) start, len))
237 return -ENOMEM; 237 return -ENOMEM;
238 238
239 /* This also avoids any overflows on PAGE_ALIGN */ 239 /* This also avoids any overflows on PAGE_ALIGN */
240 pages = len >> PAGE_SHIFT; 240 pages = len >> PAGE_SHIFT;
241 pages += (offset_in_page(len)) != 0; 241 pages += (offset_in_page(len)) != 0;
242 242
243 if (!access_ok(VERIFY_WRITE, vec, pages)) 243 if (!access_ok(vec, pages))
244 return -EFAULT; 244 return -EFAULT;
245 245
246 tmp = (void *) __get_free_page(GFP_USER); 246 tmp = (void *) __get_free_page(GFP_USER);
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index d70f363c52ae..6d5859714f52 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -147,7 +147,7 @@ static ssize_t batadv_socket_read(struct file *file, char __user *buf,
147 if (!buf || count < sizeof(struct batadv_icmp_packet)) 147 if (!buf || count < sizeof(struct batadv_icmp_packet))
148 return -EINVAL; 148 return -EINVAL;
149 149
150 if (!access_ok(VERIFY_WRITE, buf, count)) 150 if (!access_ok(buf, count))
151 return -EFAULT; 151 return -EFAULT;
152 152
153 error = wait_event_interruptible(socket_client->queue_wait, 153 error = wait_event_interruptible(socket_client->queue_wait,
diff --git a/net/batman-adv/log.c b/net/batman-adv/log.c
index 02e55b78132f..75f602e1ce94 100644
--- a/net/batman-adv/log.c
+++ b/net/batman-adv/log.c
@@ -136,7 +136,7 @@ static ssize_t batadv_log_read(struct file *file, char __user *buf,
136 if (count == 0) 136 if (count == 0)
137 return 0; 137 return 0;
138 138
139 if (!access_ok(VERIFY_WRITE, buf, count)) 139 if (!access_ok(buf, count))
140 return -EFAULT; 140 return -EFAULT;
141 141
142 error = wait_event_interruptible(debug_log->queue_wait, 142 error = wait_event_interruptible(debug_log->queue_wait,
diff --git a/net/compat.c b/net/compat.c
index c3a2f868e8af..959d1c51826d 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -358,7 +358,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
358 358
359 if (optlen < sizeof(*up)) 359 if (optlen < sizeof(*up))
360 return -EINVAL; 360 return -EINVAL;
361 if (!access_ok(VERIFY_READ, up, sizeof(*up)) || 361 if (!access_ok(up, sizeof(*up)) ||
362 __get_user(ktime.tv_sec, &up->tv_sec) || 362 __get_user(ktime.tv_sec, &up->tv_sec) ||
363 __get_user(ktime.tv_usec, &up->tv_usec)) 363 __get_user(ktime.tv_usec, &up->tv_usec))
364 return -EFAULT; 364 return -EFAULT;
@@ -438,7 +438,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
438 438
439 if (!err) { 439 if (!err) {
440 if (put_user(sizeof(*up), optlen) || 440 if (put_user(sizeof(*up), optlen) ||
441 !access_ok(VERIFY_WRITE, up, sizeof(*up)) || 441 !access_ok(up, sizeof(*up)) ||
442 __put_user(ktime.tv_sec, &up->tv_sec) || 442 __put_user(ktime.tv_sec, &up->tv_sec) ||
443 __put_user(ktime.tv_usec, &up->tv_usec)) 443 __put_user(ktime.tv_usec, &up->tv_usec))
444 err = -EFAULT; 444 err = -EFAULT;
@@ -590,8 +590,8 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
590 compat_alloc_user_space(sizeof(struct group_req)); 590 compat_alloc_user_space(sizeof(struct group_req));
591 u32 interface; 591 u32 interface;
592 592
593 if (!access_ok(VERIFY_READ, gr32, sizeof(*gr32)) || 593 if (!access_ok(gr32, sizeof(*gr32)) ||
594 !access_ok(VERIFY_WRITE, kgr, sizeof(struct group_req)) || 594 !access_ok(kgr, sizeof(struct group_req)) ||
595 __get_user(interface, &gr32->gr_interface) || 595 __get_user(interface, &gr32->gr_interface) ||
596 __put_user(interface, &kgr->gr_interface) || 596 __put_user(interface, &kgr->gr_interface) ||
597 copy_in_user(&kgr->gr_group, &gr32->gr_group, 597 copy_in_user(&kgr->gr_group, &gr32->gr_group,
@@ -611,8 +611,8 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
611 sizeof(struct group_source_req)); 611 sizeof(struct group_source_req));
612 u32 interface; 612 u32 interface;
613 613
614 if (!access_ok(VERIFY_READ, gsr32, sizeof(*gsr32)) || 614 if (!access_ok(gsr32, sizeof(*gsr32)) ||
615 !access_ok(VERIFY_WRITE, kgsr, 615 !access_ok(kgsr,
616 sizeof(struct group_source_req)) || 616 sizeof(struct group_source_req)) ||
617 __get_user(interface, &gsr32->gsr_interface) || 617 __get_user(interface, &gsr32->gsr_interface) ||
618 __put_user(interface, &kgsr->gsr_interface) || 618 __put_user(interface, &kgsr->gsr_interface) ||
@@ -631,7 +631,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
631 struct group_filter __user *kgf; 631 struct group_filter __user *kgf;
632 u32 interface, fmode, numsrc; 632 u32 interface, fmode, numsrc;
633 633
634 if (!access_ok(VERIFY_READ, gf32, __COMPAT_GF0_SIZE) || 634 if (!access_ok(gf32, __COMPAT_GF0_SIZE) ||
635 __get_user(interface, &gf32->gf_interface) || 635 __get_user(interface, &gf32->gf_interface) ||
636 __get_user(fmode, &gf32->gf_fmode) || 636 __get_user(fmode, &gf32->gf_fmode) ||
637 __get_user(numsrc, &gf32->gf_numsrc)) 637 __get_user(numsrc, &gf32->gf_numsrc))
@@ -641,7 +641,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
641 if (koptlen < GROUP_FILTER_SIZE(numsrc)) 641 if (koptlen < GROUP_FILTER_SIZE(numsrc))
642 return -EINVAL; 642 return -EINVAL;
643 kgf = compat_alloc_user_space(koptlen); 643 kgf = compat_alloc_user_space(koptlen);
644 if (!access_ok(VERIFY_WRITE, kgf, koptlen) || 644 if (!access_ok(kgf, koptlen) ||
645 __put_user(interface, &kgf->gf_interface) || 645 __put_user(interface, &kgf->gf_interface) ||
646 __put_user(fmode, &kgf->gf_fmode) || 646 __put_user(fmode, &kgf->gf_fmode) ||
647 __put_user(numsrc, &kgf->gf_numsrc) || 647 __put_user(numsrc, &kgf->gf_numsrc) ||
@@ -675,7 +675,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
675 return getsockopt(sock, level, optname, optval, optlen); 675 return getsockopt(sock, level, optname, optval, optlen);
676 676
677 koptlen = compat_alloc_user_space(sizeof(*koptlen)); 677 koptlen = compat_alloc_user_space(sizeof(*koptlen));
678 if (!access_ok(VERIFY_READ, optlen, sizeof(*optlen)) || 678 if (!access_ok(optlen, sizeof(*optlen)) ||
679 __get_user(ulen, optlen)) 679 __get_user(ulen, optlen))
680 return -EFAULT; 680 return -EFAULT;
681 681
@@ -685,14 +685,14 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
685 if (klen < GROUP_FILTER_SIZE(0)) 685 if (klen < GROUP_FILTER_SIZE(0))
686 return -EINVAL; 686 return -EINVAL;
687 687
688 if (!access_ok(VERIFY_WRITE, koptlen, sizeof(*koptlen)) || 688 if (!access_ok(koptlen, sizeof(*koptlen)) ||
689 __put_user(klen, koptlen)) 689 __put_user(klen, koptlen))
690 return -EFAULT; 690 return -EFAULT;
691 691
692 /* have to allow space for previous compat_alloc_user_space, too */ 692 /* have to allow space for previous compat_alloc_user_space, too */
693 kgf = compat_alloc_user_space(klen+sizeof(*optlen)); 693 kgf = compat_alloc_user_space(klen+sizeof(*optlen));
694 694
695 if (!access_ok(VERIFY_READ, gf32, __COMPAT_GF0_SIZE) || 695 if (!access_ok(gf32, __COMPAT_GF0_SIZE) ||
696 __get_user(interface, &gf32->gf_interface) || 696 __get_user(interface, &gf32->gf_interface) ||
697 __get_user(fmode, &gf32->gf_fmode) || 697 __get_user(fmode, &gf32->gf_fmode) ||
698 __get_user(numsrc, &gf32->gf_numsrc) || 698 __get_user(numsrc, &gf32->gf_numsrc) ||
@@ -706,18 +706,18 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
706 if (err) 706 if (err)
707 return err; 707 return err;
708 708
709 if (!access_ok(VERIFY_READ, koptlen, sizeof(*koptlen)) || 709 if (!access_ok(koptlen, sizeof(*koptlen)) ||
710 __get_user(klen, koptlen)) 710 __get_user(klen, koptlen))
711 return -EFAULT; 711 return -EFAULT;
712 712
713 ulen = klen - (sizeof(*kgf)-sizeof(*gf32)); 713 ulen = klen - (sizeof(*kgf)-sizeof(*gf32));
714 714
715 if (!access_ok(VERIFY_WRITE, optlen, sizeof(*optlen)) || 715 if (!access_ok(optlen, sizeof(*optlen)) ||
716 __put_user(ulen, optlen)) 716 __put_user(ulen, optlen))
717 return -EFAULT; 717 return -EFAULT;
718 718
719 if (!access_ok(VERIFY_READ, kgf, klen) || 719 if (!access_ok(kgf, klen) ||
720 !access_ok(VERIFY_WRITE, gf32, ulen) || 720 !access_ok(gf32, ulen) ||
721 __get_user(interface, &kgf->gf_interface) || 721 __get_user(interface, &kgf->gf_interface) ||
722 __get_user(fmode, &kgf->gf_fmode) || 722 __get_user(fmode, &kgf->gf_fmode) ||
723 __get_user(numsrc, &kgf->gf_numsrc) || 723 __get_user(numsrc, &kgf->gf_numsrc) ||
diff --git a/net/sunrpc/sysctl.c b/net/sunrpc/sysctl.c
index 8c3936403fea..0bea8ff8b0d3 100644
--- a/net/sunrpc/sysctl.c
+++ b/net/sunrpc/sysctl.c
@@ -89,7 +89,7 @@ proc_dodebug(struct ctl_table *table, int write,
89 left = *lenp; 89 left = *lenp;
90 90
91 if (write) { 91 if (write) {
92 if (!access_ok(VERIFY_READ, buffer, left)) 92 if (!access_ok(buffer, left))
93 return -EFAULT; 93 return -EFAULT;
94 p = buffer; 94 p = buffer;
95 while (left && __get_user(c, p) >= 0 && isspace(c)) 95 while (left && __get_user(c, p) >= 0 && isspace(c))
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 9b38f94b5dd0..c598aa00d5e3 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2591,7 +2591,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
2591 int idx; 2591 int idx;
2592 if (!head->write) 2592 if (!head->write)
2593 return -ENOSYS; 2593 return -ENOSYS;
2594 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2594 if (!access_ok(buffer, buffer_len))
2595 return -EFAULT; 2595 return -EFAULT;
2596 if (mutex_lock_interruptible(&head->io_sem)) 2596 if (mutex_lock_interruptible(&head->io_sem))
2597 return -EINTR; 2597 return -EINTR;
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 92e6524a3a9d..7d4640d1fe9f 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -393,7 +393,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count,
393 if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_INPUT)) 393 if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_INPUT))
394 return -ENXIO; 394 return -ENXIO;
395 395
396 if (!access_ok(VERIFY_WRITE, buf, count)) 396 if (!access_ok(buf, count))
397 return -EFAULT; 397 return -EFAULT;
398 398
399 /* check client structures are in place */ 399 /* check client structures are in place */
diff --git a/sound/isa/sb/emu8000_patch.c b/sound/isa/sb/emu8000_patch.c
index d45a6b9d6437..3d44c358c4b3 100644
--- a/sound/isa/sb/emu8000_patch.c
+++ b/sound/isa/sb/emu8000_patch.c
@@ -183,10 +183,10 @@ snd_emu8000_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
183 } 183 }
184 184
185 if (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_8BITS) { 185 if (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_8BITS) {
186 if (!access_ok(VERIFY_READ, data, sp->v.size)) 186 if (!access_ok(data, sp->v.size))
187 return -EFAULT; 187 return -EFAULT;
188 } else { 188 } else {
189 if (!access_ok(VERIFY_READ, data, sp->v.size * 2)) 189 if (!access_ok(data, sp->v.size * 2))
190 return -EFAULT; 190 return -EFAULT;
191 } 191 }
192 192
diff --git a/tools/perf/util/include/asm/uaccess.h b/tools/perf/util/include/asm/uaccess.h
index 6a6f4b990547..548100315710 100644
--- a/tools/perf/util/include/asm/uaccess.h
+++ b/tools/perf/util/include/asm/uaccess.h
@@ -10,6 +10,6 @@
10 10
11#define get_user __get_user 11#define get_user __get_user
12 12
13#define access_ok(type, addr, size) 1 13#define access_ok(addr, size) 1
14 14
15#endif 15#endif
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 666d0155662d..1f888a103f78 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -939,8 +939,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
939 /* We can read the guest memory with __xxx_user() later on. */ 939 /* We can read the guest memory with __xxx_user() later on. */
940 if ((id < KVM_USER_MEM_SLOTS) && 940 if ((id < KVM_USER_MEM_SLOTS) &&
941 ((mem->userspace_addr & (PAGE_SIZE - 1)) || 941 ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
942 !access_ok(VERIFY_WRITE, 942 !access_ok((void __user *)(unsigned long)mem->userspace_addr,
943 (void __user *)(unsigned long)mem->userspace_addr,
944 mem->memory_size))) 943 mem->memory_size)))
945 goto out; 944 goto out;
946 if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM) 945 if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-01 08:11:10 -0400