Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull more misc uaccess and vfs updates from Al Viro:
 "The rest of the stuff from -next (more uaccess work) + assorted fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  score: traps: Add missing include file to fix build error
  fs/super.c: don't fool lockdep in freeze_super() and thaw_super() paths
  fs/super.c: fix race between freeze_super() and thaw_super()
  overlayfs: Fix setting IOP_XATTR flag
  iov_iter: kernel-doc import_iovec() and rw_copy_check_uvector()
  blackfin: no access_ok() for __copy_{to,from}_user()
  arm64: don't zero in __copy_from_user{,_inatomic}
  arm: don't zero in __copy_from_user_inatomic()/__copy_from_user()
  arc: don't leak bits of kernel stack into coredump
  alpha: get rid of tail-zeroing in __copy_user()

3 files changed, 63 insertions, 20 deletions

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 89182c4e2e30..bcf3965be819 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1303,6 +1303,12 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
         if (!oe)
                 goto out_put_cred;
 
+        sb->s_magic = OVERLAYFS_SUPER_MAGIC;
+        sb->s_op = &ovl_super_operations;
+        sb->s_xattr = ovl_xattr_handlers;
+        sb->s_fs_info = ufs;
+        sb->s_flags |= MS_POSIXACL | MS_NOREMOTELOCK;
+
         root_dentry = d_make_root(ovl_new_inode(sb, S_IFDIR));
         if (!root_dentry)
                 goto out_free_oe;
@@ -1326,12 +1332,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
         ovl_inode_init(d_inode(root_dentry), realinode, !!upperpath.dentry);
         ovl_copyattr(realinode, d_inode(root_dentry));
 
-        sb->s_magic = OVERLAYFS_SUPER_MAGIC;
-        sb->s_op = &ovl_super_operations;
-        sb->s_xattr = ovl_xattr_handlers;
         sb->s_root = root_dentry;
-        sb->s_fs_info = ufs;
-        sb->s_flags |= MS_POSIXACL | MS_NOREMOTELOCK;
 
         return 0;
 
diff --git a/fs/read_write.c b/fs/read_write.c
index 66215a7b17cf..190e0d362581 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -730,6 +730,35 @@ static ssize_t do_loop_readv_writev(struct file *filp, struct iov_iter *iter,
 /* A write operation does a read from user space and vice versa */
 #define vrfy_dir(type) ((type) == READ ? VERIFY_WRITE : VERIFY_READ)
 
+/**
+ * rw_copy_check_uvector() - Copy an array of &struct iovec from userspace
+ *     into the kernel and check that it is valid.
+ *
+ * @type: One of %CHECK_IOVEC_ONLY, %READ, or %WRITE.
+ * @uvector: Pointer to the userspace array.
+ * @nr_segs: Number of elements in userspace array.
+ * @fast_segs: Number of elements in @fast_pointer.
+ * @fast_pointer: Pointer to (usually small on-stack) kernel array.
+ * @ret_pointer: (output parameter) Pointer to a variable that will point to
+ *     either @fast_pointer, a newly allocated kernel array, or NULL,
+ *     depending on which array was used.
+ *
+ * This function copies an array of &struct iovec of @nr_segs from
+ * userspace into the kernel and checks that each element is valid (e.g.
+ * it does not point to a kernel address or cause overflow by being too
+ * large, etc.).
+ *
+ * As an optimization, the caller may provide a pointer to a small
+ * on-stack array in @fast_pointer, typically %UIO_FASTIOV elements long
+ * (the size of this array, or 0 if unused, should be given in @fast_segs).
+ *
+ * @ret_pointer will always point to the array that was used, so the
+ * caller must take care not to call kfree() on it e.g. in case the
+ * @fast_pointer array was used and it was allocated on the stack.
+ *
+ * Return: The total number of bytes covered by the iovec array on success
+ *   or a negative error code on error.
+ */
 ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
                               unsigned long nr_segs, unsigned long fast_segs,
                               struct iovec *fast_pointer,
diff --git a/fs/super.c b/fs/super.c
index c2ff475c1711..c183835566c1 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1269,25 +1269,34 @@ EXPORT_SYMBOL(__sb_start_write);
 static void sb_wait_write(struct super_block *sb, int level)
 {
         percpu_down_write(sb->s_writers.rw_sem + level-1);
-        /*
-         * We are going to return to userspace and forget about this lock, the
-         * ownership goes to the caller of thaw_super() which does unlock.
-         *
-         * FIXME: we should do this before return from freeze_super() after we
-         * called sync_filesystem(sb) and s_op->freeze_fs(sb), and thaw_super()
-         * should re-acquire these locks before s_op->unfreeze_fs(sb). However
-         * this leads to lockdep false-positives, so currently we do the early
-         * release right after acquire.
-         */
-        percpu_rwsem_release(sb->s_writers.rw_sem + level-1, 0, _THIS_IP_);
 }
 
-static void sb_freeze_unlock(struct super_block *sb)
+/*
+ * We are going to return to userspace and forget about these locks, the
+ * ownership goes to the caller of thaw_super() which does unlock().
+ */
+static void lockdep_sb_freeze_release(struct super_block *sb)
+{
+        int level;
+
+        for (level = SB_FREEZE_LEVELS - 1; level >= 0; level--)
+                percpu_rwsem_release(sb->s_writers.rw_sem + level, 0, _THIS_IP_);
+}
+
+/*
+ * Tell lockdep we are holding these locks before we call ->unfreeze_fs(sb).
+ */
+static void lockdep_sb_freeze_acquire(struct super_block *sb)
 {
         int level;
 
         for (level = 0; level < SB_FREEZE_LEVELS; ++level)
                 percpu_rwsem_acquire(sb->s_writers.rw_sem + level, 0, _THIS_IP_);
+}
+
+static void sb_freeze_unlock(struct super_block *sb)
+{
+        int level;
 
         for (level = SB_FREEZE_LEVELS - 1; level >= 0; level--)
                 percpu_up_write(sb->s_writers.rw_sem + level);
@@ -1379,10 +1388,11 @@ int freeze_super(struct super_block *sb)
                 }
         }
         /*
-         * This is just for debugging purposes so that fs can warn if it
-         * sees write activity when frozen is set to SB_FREEZE_COMPLETE.
+         * For debugging purposes so that fs can warn if it sees write activity
+         * when frozen is set to SB_FREEZE_COMPLETE, and for thaw_super().
          */
         sb->s_writers.frozen = SB_FREEZE_COMPLETE;
+        lockdep_sb_freeze_release(sb);
         up_write(&sb->s_umount);
         return 0;
 }
@@ -1399,7 +1409,7 @@ int thaw_super(struct super_block *sb)
         int error;
 
         down_write(&sb->s_umount);
-        if (sb->s_writers.frozen == SB_UNFROZEN) {
+        if (sb->s_writers.frozen != SB_FREEZE_COMPLETE) {
                 up_write(&sb->s_umount);
                 return -EINVAL;
         }
@@ -1409,11 +1419,14 @@ int thaw_super(struct super_block *sb)
                 goto out;
         }
 
+        lockdep_sb_freeze_acquire(sb);
+
         if (sb->s_op->unfreeze_fs) {
                 error = sb->s_op->unfreeze_fs(sb);
                 if (error) {
                         printk(KERN_ERR
                                 "VFS:Filesystem thaw failed\n");
+                        lockdep_sb_freeze_release(sb);
                         up_write(&sb->s_umount);
                         return error;
                 }