aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Documentation/printk-formats.txt6
-rw-r--r--arch/blackfin/include/asm/uaccess.h6
-rw-r--r--arch/m68k/include/asm/uaccess_no.h4
-rw-r--r--arch/mips/lasat/picvue_proc.c18
-rw-r--r--arch/mn10300/include/asm/uaccess.h15
-rw-r--r--arch/powerpc/include/asm/uaccess.h15
-rw-r--r--arch/powerpc/kernel/nvram_64.c19
-rw-r--r--arch/s390/pci/pci_dma.c3
-rw-r--r--arch/sparc/include/asm/uaccess_32.h65
-rw-r--r--arch/sparc/include/asm/uaccess_64.h40
-rw-r--r--arch/sparc/kernel/mdesc.c20
-rw-r--r--arch/um/drivers/hostaudio_kern.c10
-rw-r--r--arch/um/drivers/mconsole_kern.c14
-rw-r--r--arch/x86/kernel/cpuid.c24
-rw-r--r--arch/x86/kernel/msr.c24
-rw-r--r--arch/xtensa/platforms/iss/simdisk.c12
-rw-r--r--drivers/block/cciss.c14
-rw-r--r--drivers/block/mtip32xx/mtip32xx.c23
-rw-r--r--drivers/block/nbd.c1
-rw-r--r--drivers/block/rsxx/core.c11
-rw-r--r--drivers/cdrom/cdrom.c10
-rw-r--r--drivers/char/generic_nvram.c21
-rw-r--r--drivers/char/mbcs.c28
-rw-r--r--drivers/char/nvram.c18
-rw-r--r--drivers/char/nwflash.c31
-rw-r--r--drivers/gpu/drm/amd/amdkfd/kfd_chardev.c33
-rw-r--r--drivers/gpu/vga/vgaarb.c7
-rw-r--r--drivers/md/bcache/util.c2
-rw-r--r--drivers/md/dm-bufio.c2
-rw-r--r--drivers/md/dm-io.c4
-rw-r--r--drivers/mtd/maps/pcmciamtd.c28
-rw-r--r--drivers/net/wireless/ath/wil6210/debugfs.c12
-rw-r--r--drivers/net/wireless/libertas/debugfs.c181
-rw-r--r--drivers/net/wireless/mwifiex/debugfs.c82
-rw-r--r--drivers/net/wireless/ti/wlcore/debugfs.c17
-rw-r--r--drivers/s390/char/vmcp.c11
-rw-r--r--drivers/s390/char/vmur.c15
-rw-r--r--drivers/s390/char/zcore.c13
-rw-r--r--drivers/sbus/char/openprom.c13
-rw-r--r--drivers/staging/lustre/lustre/llite/file.c2
-rw-r--r--drivers/staging/lustre/lustre/llite/llite_internal.h4
-rw-r--r--drivers/staging/lustre/lustre/llite/namei.c4
-rw-r--r--drivers/staging/lustre/lustre/llite/symlink.c2
-rw-r--r--drivers/usb/core/devices.c26
-rw-r--r--drivers/usb/core/devio.c26
-rw-r--r--drivers/usb/host/uhci-debug.c23
-rw-r--r--drivers/usb/misc/sisusbvga/sisusb.c16
-rw-r--r--fs/9p/cache.c8
-rw-r--r--fs/9p/v9fs.h2
-rw-r--r--fs/9p/vfs_inode.c2
-rw-r--r--fs/adfs/adfs.h6
-rw-r--r--fs/adfs/dir.c6
-rw-r--r--fs/adfs/dir_f.c2
-rw-r--r--fs/adfs/dir_fplus.c2
-rw-r--r--fs/affs/affs.h2
-rw-r--r--fs/affs/amigaffs.c13
-rw-r--r--fs/affs/super.c2
-rw-r--r--fs/afs/proc.c25
-rw-r--r--fs/bad_inode.c2
-rw-r--r--fs/block_dev.c12
-rw-r--r--fs/btrfs/super.c4
-rw-r--r--fs/buffer.c21
-rw-r--r--fs/cachefiles/daemon.c12
-rw-r--r--fs/compat.c21
-rw-r--r--fs/compat_ioctl.c11
-rw-r--r--fs/coredump.c8
-rw-r--r--fs/dcache.c14
-rw-r--r--fs/dlm/user.c11
-rw-r--r--fs/ecryptfs/inode.c4
-rw-r--r--fs/exec.c4
-rw-r--r--fs/ext2/xattr.c6
-rw-r--r--fs/ext4/page-io.c5
-rw-r--r--fs/ext4/xattr.c6
-rw-r--r--fs/f2fs/debug.c6
-rw-r--r--fs/f2fs/f2fs.h6
-rw-r--r--fs/fcntl.c3
-rw-r--r--fs/file.c6
-rw-r--r--fs/gfs2/ops_fstype.c4
-rw-r--r--fs/hfs/mdb.c4
-rw-r--r--fs/hpfs/map.c2
-rw-r--r--fs/internal.h2
-rw-r--r--fs/jbd2/transaction.c6
-rw-r--r--fs/jfs/jfs_logmgr.c9
-rw-r--r--fs/logfs/logfs.h4
-rw-r--r--fs/logfs/readwrite.c4
-rw-r--r--fs/logfs/segment.c2
-rw-r--r--fs/minix/itree_v1.c9
-rw-r--r--fs/minix/itree_v2.c9
-rw-r--r--fs/namei.c200
-rw-r--r--fs/namespace.c39
-rw-r--r--fs/nfsd/nfs3xdr.c2
-rw-r--r--fs/nfsd/nfs4xdr.c8
-rw-r--r--fs/nfsd/vfs.c23
-rw-r--r--fs/nilfs2/super.c6
-rw-r--r--fs/open.c5
-rw-r--r--fs/proc/base.c17
-rw-r--r--fs/proc/fd.c1
-rw-r--r--fs/proc_namespace.c27
-rw-r--r--fs/read_write.c39
-rw-r--r--fs/reiserfs/journal.c24
-rw-r--r--fs/reiserfs/prints.c9
-rw-r--r--fs/reiserfs/procfs.c5
-rw-r--r--fs/select.c6
-rw-r--r--fs/splice.c8
-rw-r--r--fs/squashfs/super.c7
-rw-r--r--fs/super.c4
-rw-r--r--fs/xattr.c38
-rw-r--r--fs/xfs/xfs_buf.c8
-rw-r--r--include/linux/fs.h14
-rw-r--r--include/linux/namei.h1
-rw-r--r--include/linux/string.h1
-rw-r--r--kernel/sysctl.c79
-rw-r--r--kernel/trace/blktrace.c12
-rw-r--r--kernel/trace/trace_events.c28
-rw-r--r--kernel/trace/trace_events_trigger.c15
-rw-r--r--kernel/user_namespace.c21
-rw-r--r--lib/dynamic_debug.c11
-rw-r--r--lib/vsprintf.c29
-rw-r--r--mm/util.c31
-rw-r--r--net/9p/trans_virtio.c16
-rw-r--r--net/rxrpc/ar-key.c24
-rw-r--r--security/integrity/iint.c11
-rw-r--r--security/selinux/selinuxfs.c114
-rw-r--r--security/smack/smackfs.c114
-rw-r--r--security/tomoyo/securityfs_if.c11
125 files changed, 792 insertions, 1478 deletions
diff --git a/Documentation/printk-formats.txt b/Documentation/printk-formats.txt
index b784c270105f..6389551bbad6 100644
--- a/Documentation/printk-formats.txt
+++ b/Documentation/printk-formats.txt
@@ -250,6 +250,12 @@ dentry names:
250 250
251 Passed by reference. 251 Passed by reference.
252 252
253block_device names:
254
255 %pg sda, sda1 or loop0p1
256
257 For printing name of block_device pointers.
258
253struct va_format: 259struct va_format:
254 260
255 %pV 261 %pV
diff --git a/arch/blackfin/include/asm/uaccess.h b/arch/blackfin/include/asm/uaccess.h
index 90612a7f2cf3..12f5d6851bbc 100644
--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -168,12 +168,6 @@ static inline int bad_user_access_length(void)
168#define __copy_to_user_inatomic __copy_to_user 168#define __copy_to_user_inatomic __copy_to_user
169#define __copy_from_user_inatomic __copy_from_user 169#define __copy_from_user_inatomic __copy_from_user
170 170
171#define copy_to_user_ret(to, from, n, retval) ({ if (copy_to_user(to, from, n))\
172 return retval; })
173
174#define copy_from_user_ret(to, from, n, retval) ({ if (copy_from_user(to, from, n))\
175 return retval; })
176
177static inline unsigned long __must_check 171static inline unsigned long __must_check
178copy_from_user(void *to, const void __user *from, unsigned long n) 172copy_from_user(void *to, const void __user *from, unsigned long n)
179{ 173{
diff --git a/arch/m68k/include/asm/uaccess_no.h b/arch/m68k/include/asm/uaccess_no.h
index 68bbe9b312f1..1bdf15263754 100644
--- a/arch/m68k/include/asm/uaccess_no.h
+++ b/arch/m68k/include/asm/uaccess_no.h
@@ -135,10 +135,6 @@ extern int __get_user_bad(void);
135#define __copy_to_user_inatomic __copy_to_user 135#define __copy_to_user_inatomic __copy_to_user
136#define __copy_from_user_inatomic __copy_from_user 136#define __copy_from_user_inatomic __copy_from_user
137 137
138#define copy_to_user_ret(to,from,n,retval) ({ if (copy_to_user(to,from,n)) return retval; })
139
140#define copy_from_user_ret(to,from,n,retval) ({ if (copy_from_user(to,from,n)) return retval; })
141
142/* 138/*
143 * Copy a null terminated string from userspace. 139 * Copy a null terminated string from userspace.
144 */ 140 */
diff --git a/arch/mips/lasat/picvue_proc.c b/arch/mips/lasat/picvue_proc.c
index 2bcd8391bc93..b42095880667 100644
--- a/arch/mips/lasat/picvue_proc.c
+++ b/arch/mips/lasat/picvue_proc.c
@@ -22,7 +22,6 @@
22static DEFINE_MUTEX(pvc_mutex); 22static DEFINE_MUTEX(pvc_mutex);
23static char pvc_lines[PVC_NLINES][PVC_LINELEN+1]; 23static char pvc_lines[PVC_NLINES][PVC_LINELEN+1];
24static int pvc_linedata[PVC_NLINES]; 24static int pvc_linedata[PVC_NLINES];
25static struct proc_dir_entry *pvc_display_dir;
26static char *pvc_linename[PVC_NLINES] = {"line1", "line2"}; 25static char *pvc_linename[PVC_NLINES] = {"line1", "line2"};
27#define DISPLAY_DIR_NAME "display" 26#define DISPLAY_DIR_NAME "display"
28static int scroll_dir, scroll_interval; 27static int scroll_dir, scroll_interval;
@@ -169,22 +168,17 @@ void pvc_proc_timerfunc(unsigned long data)
169 168
170static void pvc_proc_cleanup(void) 169static void pvc_proc_cleanup(void)
171{ 170{
172 int i; 171 remove_proc_subtree(DISPLAY_DIR_NAME, NULL);
173 for (i = 0; i < PVC_NLINES; i++)
174 remove_proc_entry(pvc_linename[i], pvc_display_dir);
175 remove_proc_entry("scroll", pvc_display_dir);
176 remove_proc_entry(DISPLAY_DIR_NAME, NULL);
177
178 del_timer_sync(&timer); 172 del_timer_sync(&timer);
179} 173}
180 174
181static int __init pvc_proc_init(void) 175static int __init pvc_proc_init(void)
182{ 176{
183 struct proc_dir_entry *proc_entry; 177 struct proc_dir_entry *dir, *proc_entry;
184 int i; 178 int i;
185 179
186 pvc_display_dir = proc_mkdir(DISPLAY_DIR_NAME, NULL); 180 dir = proc_mkdir(DISPLAY_DIR_NAME, NULL);
187 if (pvc_display_dir == NULL) 181 if (dir == NULL)
188 goto error; 182 goto error;
189 183
190 for (i = 0; i < PVC_NLINES; i++) { 184 for (i = 0; i < PVC_NLINES; i++) {
@@ -192,12 +186,12 @@ static int __init pvc_proc_init(void)
192 pvc_linedata[i] = i; 186 pvc_linedata[i] = i;
193 } 187 }
194 for (i = 0; i < PVC_NLINES; i++) { 188 for (i = 0; i < PVC_NLINES; i++) {
195 proc_entry = proc_create_data(pvc_linename[i], 0644, pvc_display_dir, 189 proc_entry = proc_create_data(pvc_linename[i], 0644, dir,
196 &pvc_line_proc_fops, &pvc_linedata[i]); 190 &pvc_line_proc_fops, &pvc_linedata[i]);
197 if (proc_entry == NULL) 191 if (proc_entry == NULL)
198 goto error; 192 goto error;
199 } 193 }
200 proc_entry = proc_create("scroll", 0644, pvc_display_dir, 194 proc_entry = proc_create("scroll", 0644, dir,
201 &pvc_scroll_proc_fops); 195 &pvc_scroll_proc_fops);
202 if (proc_entry == NULL) 196 if (proc_entry == NULL)
203 goto error; 197 goto error;
diff --git a/arch/mn10300/include/asm/uaccess.h b/arch/mn10300/include/asm/uaccess.h
index 537278746a15..20f7bf6de384 100644
--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -110,21 +110,6 @@ extern int fixup_exception(struct pt_regs *regs);
110#define __put_user(x, ptr) __put_user_nocheck((x), (ptr), sizeof(*(ptr))) 110#define __put_user(x, ptr) __put_user_nocheck((x), (ptr), sizeof(*(ptr)))
111#define __get_user(x, ptr) __get_user_nocheck((x), (ptr), sizeof(*(ptr))) 111#define __get_user(x, ptr) __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
112 112
113/*
114 * The "xxx_ret" versions return constant specified in third argument, if
115 * something bad happens. These macros can be optimized for the
116 * case of just returning from the function xxx_ret is used.
117 */
118
119#define put_user_ret(x, ptr, ret) \
120 ({ if (put_user((x), (ptr))) return (ret); })
121#define get_user_ret(x, ptr, ret) \
122 ({ if (get_user((x), (ptr))) return (ret); })
123#define __put_user_ret(x, ptr, ret) \
124 ({ if (__put_user((x), (ptr))) return (ret); })
125#define __get_user_ret(x, ptr, ret) \
126 ({ if (__get_user((x), (ptr))) return (ret); })
127
128struct __large_struct { unsigned long buf[100]; }; 113struct __large_struct { unsigned long buf[100]; };
129#define __m(x) (*(struct __large_struct *)(x)) 114#define __m(x) (*(struct __large_struct *)(x))
130 115
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 2a8ebae0936b..b7c20f0b8fbe 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -274,21 +274,6 @@ do { \
274 __gu_err; \ 274 __gu_err; \
275}) 275})
276 276
277#ifndef __powerpc64__
278#define __get_user64_nocheck(x, ptr, size) \
279({ \
280 long __gu_err; \
281 long long __gu_val; \
282 __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
283 __chk_user_ptr(ptr); \
284 if (!is_kernel_addr((unsigned long)__gu_addr)) \
285 might_fault(); \
286 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
287 (x) = (__force __typeof__(*(ptr)))__gu_val; \
288 __gu_err; \
289})
290#endif /* __powerpc64__ */
291
292#define __get_user_check(x, ptr, size) \ 277#define __get_user_check(x, ptr, size) \
293({ \ 278({ \
294 long __gu_err = -EFAULT; \ 279 long __gu_err = -EFAULT; \
diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c
index 32e26526f7e4..0cab9e8c3794 100644
--- a/arch/powerpc/kernel/nvram_64.c
+++ b/arch/powerpc/kernel/nvram_64.c
@@ -27,6 +27,7 @@
27#include <linux/slab.h> 27#include <linux/slab.h>
28#include <linux/spinlock.h> 28#include <linux/spinlock.h>
29#include <linux/kmsg_dump.h> 29#include <linux/kmsg_dump.h>
30#include <linux/pagemap.h>
30#include <linux/pstore.h> 31#include <linux/pstore.h>
31#include <linux/zlib.h> 32#include <linux/zlib.h>
32#include <asm/uaccess.h> 33#include <asm/uaccess.h>
@@ -733,24 +734,10 @@ static void oops_to_nvram(struct kmsg_dumper *dumper,
733 734
734static loff_t dev_nvram_llseek(struct file *file, loff_t offset, int origin) 735static loff_t dev_nvram_llseek(struct file *file, loff_t offset, int origin)
735{ 736{
736 int size;
737
738 if (ppc_md.nvram_size == NULL) 737 if (ppc_md.nvram_size == NULL)
739 return -ENODEV; 738 return -ENODEV;
740 size = ppc_md.nvram_size(); 739 return generic_file_llseek_size(file, offset, origin, MAX_LFS_FILESIZE,
741 740 ppc_md.nvram_size());
742 switch (origin) {
743 case 1:
744 offset += file->f_pos;
745 break;
746 case 2:
747 offset += size;
748 break;
749 }
750 if (offset < 0)
751 return -EINVAL;
752 file->f_pos = offset;
753 return file->f_pos;
754} 741}
755 742
756 743
diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
index d348f2c09a1e..32da0a6ecec2 100644
--- a/arch/s390/pci/pci_dma.c
+++ b/arch/s390/pci/pci_dma.c
@@ -366,8 +366,7 @@ static void *s390_dma_alloc(struct device *dev, size_t size,
366 pa = page_to_phys(page); 366 pa = page_to_phys(page);
367 memset((void *) pa, 0, size); 367 memset((void *) pa, 0, size);
368 368
369 map = s390_dma_map_pages(dev, page, pa % PAGE_SIZE, 369 map = s390_dma_map_pages(dev, page, 0, size, DMA_BIDIRECTIONAL, NULL);
370 size, DMA_BIDIRECTIONAL, NULL);
371 if (dma_mapping_error(dev, map)) { 370 if (dma_mapping_error(dev, map)) {
372 free_pages(pa, get_order(size)); 371 free_pages(pa, get_order(size));
373 return NULL; 372 return NULL;
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index 64ee103dc29d..57aca2792d29 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -205,31 +205,6 @@ int __put_user_bad(void);
205 __gu_ret; \ 205 __gu_ret; \
206}) 206})
207 207
208#define __get_user_check_ret(x, addr, size, type, retval) ({ \
209 register unsigned long __gu_val __asm__ ("l1"); \
210 if (__access_ok(addr, size)) { \
211 switch (size) { \
212 case 1: \
213 __get_user_asm_ret(__gu_val, ub, addr, retval); \
214 break; \
215 case 2: \
216 __get_user_asm_ret(__gu_val, uh, addr, retval); \
217 break; \
218 case 4: \
219 __get_user_asm_ret(__gu_val, , addr, retval); \
220 break; \
221 case 8: \
222 __get_user_asm_ret(__gu_val, d, addr, retval); \
223 break; \
224 default: \
225 if (__get_user_bad()) \
226 return retval; \
227 } \
228 x = (__force type) __gu_val; \
229 } else \
230 return retval; \
231})
232
233#define __get_user_nocheck(x, addr, size, type) ({ \ 208#define __get_user_nocheck(x, addr, size, type) ({ \
234 register int __gu_ret; \ 209 register int __gu_ret; \
235 register unsigned long __gu_val; \ 210 register unsigned long __gu_val; \
@@ -247,20 +222,6 @@ int __put_user_bad(void);
247 __gu_ret; \ 222 __gu_ret; \
248}) 223})
249 224
250#define __get_user_nocheck_ret(x, addr, size, type, retval) ({ \
251 register unsigned long __gu_val __asm__ ("l1"); \
252 switch (size) { \
253 case 1: __get_user_asm_ret(__gu_val, ub, addr, retval); break; \
254 case 2: __get_user_asm_ret(__gu_val, uh, addr, retval); break; \
255 case 4: __get_user_asm_ret(__gu_val, , addr, retval); break; \
256 case 8: __get_user_asm_ret(__gu_val, d, addr, retval); break; \
257 default: \
258 if (__get_user_bad()) \
259 return retval; \
260 } \
261 x = (__force type) __gu_val; \
262})
263
264#define __get_user_asm(x, size, addr, ret) \ 225#define __get_user_asm(x, size, addr, ret) \
265__asm__ __volatile__( \ 226__asm__ __volatile__( \
266 "/* Get user asm, inline. */\n" \ 227 "/* Get user asm, inline. */\n" \
@@ -281,32 +242,6 @@ __asm__ __volatile__( \
281 : "=&r" (ret), "=&r" (x) : "m" (*__m(addr)), \ 242 : "=&r" (ret), "=&r" (x) : "m" (*__m(addr)), \
282 "i" (-EFAULT)) 243 "i" (-EFAULT))
283 244
284#define __get_user_asm_ret(x, size, addr, retval) \
285if (__builtin_constant_p(retval) && retval == -EFAULT) \
286 __asm__ __volatile__( \
287 "/* Get user asm ret, inline. */\n" \
288 "1:\t" "ld"#size " %1, %0\n\n\t" \
289 ".section __ex_table,#alloc\n\t" \
290 ".align 4\n\t" \
291 ".word 1b,__ret_efault\n\n\t" \
292 ".previous\n\t" \
293 : "=&r" (x) : "m" (*__m(addr))); \
294else \
295 __asm__ __volatile__( \
296 "/* Get user asm ret, inline. */\n" \
297 "1:\t" "ld"#size " %1, %0\n\n\t" \
298 ".section .fixup,#alloc,#execinstr\n\t" \
299 ".align 4\n" \
300 "3:\n\t" \
301 "ret\n\t" \
302 " restore %%g0, %2, %%o0\n\n\t" \
303 ".previous\n\t" \
304 ".section __ex_table,#alloc\n\t" \
305 ".align 4\n\t" \
306 ".word 1b, 3b\n\n\t" \
307 ".previous\n\t" \
308 : "=&r" (x) : "m" (*__m(addr)), "i" (retval))
309
310int __get_user_bad(void); 245int __get_user_bad(void);
311 246
312unsigned long __copy_user(void __user *to, const void __user *from, unsigned long size); 247unsigned long __copy_user(void __user *to, const void __user *from, unsigned long size);
diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
index ea6e9a20f3ff..e9a51d64974d 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -179,20 +179,6 @@ int __put_user_bad(void);
179 __gu_ret; \ 179 __gu_ret; \
180}) 180})
181 181
182#define __get_user_nocheck_ret(data, addr, size, type, retval) ({ \
183 register unsigned long __gu_val __asm__ ("l1"); \
184 switch (size) { \
185 case 1: __get_user_asm_ret(__gu_val, ub, addr, retval); break; \
186 case 2: __get_user_asm_ret(__gu_val, uh, addr, retval); break; \
187 case 4: __get_user_asm_ret(__gu_val, uw, addr, retval); break; \
188 case 8: __get_user_asm_ret(__gu_val, x, addr, retval); break; \
189 default: \
190 if (__get_user_bad()) \
191 return retval; \
192 } \
193 data = (__force type) __gu_val; \
194})
195
196#define __get_user_asm(x, size, addr, ret) \ 182#define __get_user_asm(x, size, addr, ret) \
197__asm__ __volatile__( \ 183__asm__ __volatile__( \
198 "/* Get user asm, inline. */\n" \ 184 "/* Get user asm, inline. */\n" \
@@ -214,32 +200,6 @@ __asm__ __volatile__( \
214 : "=r" (ret), "=r" (x) : "r" (__m(addr)), \ 200 : "=r" (ret), "=r" (x) : "r" (__m(addr)), \
215 "i" (-EFAULT)) 201 "i" (-EFAULT))
216 202
217#define __get_user_asm_ret(x, size, addr, retval) \
218if (__builtin_constant_p(retval) && retval == -EFAULT) \
219 __asm__ __volatile__( \
220 "/* Get user asm ret, inline. */\n" \
221 "1:\t" "ld"#size "a [%1] %%asi, %0\n\n\t" \
222 ".section __ex_table,\"a\"\n\t" \
223 ".align 4\n\t" \
224 ".word 1b,__ret_efault\n\n\t" \
225 ".previous\n\t" \
226 : "=r" (x) : "r" (__m(addr))); \
227else \
228 __asm__ __volatile__( \
229 "/* Get user asm ret, inline. */\n" \
230 "1:\t" "ld"#size "a [%1] %%asi, %0\n\n\t" \
231 ".section .fixup,#alloc,#execinstr\n\t" \
232 ".align 4\n" \
233 "3:\n\t" \
234 "ret\n\t" \
235 " restore %%g0, %2, %%o0\n\n\t" \
236 ".previous\n\t" \
237 ".section __ex_table,\"a\"\n\t" \
238 ".align 4\n\t" \
239 ".word 1b, 3b\n\n\t" \
240 ".previous\n\t" \
241 : "=r" (x) : "r" (__m(addr)), "i" (retval))
242
243int __get_user_bad(void); 203int __get_user_bad(void);
244 204
245unsigned long __must_check ___copy_from_user(void *to, 205unsigned long __must_check ___copy_from_user(void *to,
diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
index 6f80936e0eea..11228861d9b4 100644
--- a/arch/sparc/kernel/mdesc.c
+++ b/arch/sparc/kernel/mdesc.c
@@ -1033,25 +1033,9 @@ static ssize_t mdesc_read(struct file *file, char __user *buf,
1033 1033
1034static loff_t mdesc_llseek(struct file *file, loff_t offset, int whence) 1034static loff_t mdesc_llseek(struct file *file, loff_t offset, int whence)
1035{ 1035{
1036 struct mdesc_handle *hp; 1036 struct mdesc_handle *hp = file->private_data;
1037
1038 switch (whence) {
1039 case SEEK_CUR:
1040 offset += file->f_pos;
1041 break;
1042 case SEEK_SET:
1043 break;
1044 default:
1045 return -EINVAL;
1046 }
1047
1048 hp = file->private_data;
1049 if (offset > hp->handle_size)
1050 return -EINVAL;
1051 else
1052 file->f_pos = offset;
1053 1037
1054 return offset; 1038 return no_seek_end_llseek_size(file, offset, whence, hp->handle_size);
1055} 1039}
1056 1040
1057/* mdesc_close() - /dev/mdesc is being closed, release the reference to 1041/* mdesc_close() - /dev/mdesc is being closed, release the reference to
diff --git a/arch/um/drivers/hostaudio_kern.c b/arch/um/drivers/hostaudio_kern.c
index f6b911cc3923..3a4b58730f5f 100644
--- a/arch/um/drivers/hostaudio_kern.c
+++ b/arch/um/drivers/hostaudio_kern.c
@@ -105,13 +105,9 @@ static ssize_t hostaudio_write(struct file *file, const char __user *buffer,
105 printk(KERN_DEBUG "hostaudio: write called, count = %d\n", count); 105 printk(KERN_DEBUG "hostaudio: write called, count = %d\n", count);
106#endif 106#endif
107 107
108 kbuf = kmalloc(count, GFP_KERNEL); 108 kbuf = memdup_user(buffer, count);
109 if (kbuf == NULL) 109 if (IS_ERR(kbuf))
110 return -ENOMEM; 110 return PTR_ERR(kbuf);
111
112 err = -EFAULT;
113 if (copy_from_user(kbuf, buffer, count))
114 goto out;
115 111
116 err = os_write_file(state->fd, kbuf, count); 112 err = os_write_file(state->fd, kbuf, count);
117 if (err < 0) 113 if (err < 0)
diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c
index 29880c9b324e..b821b13d343a 100644
--- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c
@@ -748,19 +748,11 @@ static ssize_t mconsole_proc_write(struct file *file,
748{ 748{
749 char *buf; 749 char *buf;
750 750
751 buf = kmalloc(count + 1, GFP_KERNEL); 751 buf = memdup_user_nul(buffer, count);
752 if (buf == NULL) 752 if (IS_ERR(buf))
753 return -ENOMEM; 753 return PTR_ERR(buf);
754
755 if (copy_from_user(buf, buffer, count)) {
756 count = -EFAULT;
757 goto out;
758 }
759
760 buf[count] = '\0';
761 754
762 mconsole_notify(notify_socket, MCONSOLE_USER_NOTIFY, buf, count); 755 mconsole_notify(notify_socket, MCONSOLE_USER_NOTIFY, buf, count);
763 out:
764 kfree(buf); 756 kfree(buf);
765 return count; 757 return count;
766} 758}
diff --git a/arch/x86/kernel/cpuid.c b/arch/x86/kernel/cpuid.c
index bd3507da39f0..2836de390f95 100644
--- a/arch/x86/kernel/cpuid.c
+++ b/arch/x86/kernel/cpuid.c
@@ -58,28 +58,6 @@ static void cpuid_smp_cpuid(void *cmd_block)
58 &cmd->eax, &cmd->ebx, &cmd->ecx, &cmd->edx); 58 &cmd->eax, &cmd->ebx, &cmd->ecx, &cmd->edx);
59} 59}
60 60
61static loff_t cpuid_seek(struct file *file, loff_t offset, int orig)
62{
63 loff_t ret;
64 struct inode *inode = file->f_mapping->host;
65
66 mutex_lock(&inode->i_mutex);
67 switch (orig) {
68 case 0:
69 file->f_pos = offset;
70 ret = file->f_pos;
71 break;
72 case 1:
73 file->f_pos += offset;
74 ret = file->f_pos;
75 break;
76 default:
77 ret = -EINVAL;
78 }
79 mutex_unlock(&inode->i_mutex);
80 return ret;
81}
82
83static ssize_t cpuid_read(struct file *file, char __user *buf, 61static ssize_t cpuid_read(struct file *file, char __user *buf,
84 size_t count, loff_t *ppos) 62 size_t count, loff_t *ppos)
85{ 63{
@@ -132,7 +110,7 @@ static int cpuid_open(struct inode *inode, struct file *file)
132 */ 110 */
133static const struct file_operations cpuid_fops = { 111static const struct file_operations cpuid_fops = {
134 .owner = THIS_MODULE, 112 .owner = THIS_MODULE,
135 .llseek = cpuid_seek, 113 .llseek = no_seek_end_llseek,
136 .read = cpuid_read, 114 .read = cpuid_read,
137 .open = cpuid_open, 115 .open = cpuid_open,
138}; 116};
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 113e70784854..64f9616f93f1 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -45,28 +45,6 @@
45 45
46static struct class *msr_class; 46static struct class *msr_class;
47 47
48static loff_t msr_seek(struct file *file, loff_t offset, int orig)
49{
50 loff_t ret;
51 struct inode *inode = file_inode(file);
52
53 mutex_lock(&inode->i_mutex);
54 switch (orig) {
55 case SEEK_SET:
56 file->f_pos = offset;
57 ret = file->f_pos;
58 break;
59 case SEEK_CUR:
60 file->f_pos += offset;
61 ret = file->f_pos;
62 break;
63 default:
64 ret = -EINVAL;
65 }
66 mutex_unlock(&inode->i_mutex);
67 return ret;
68}
69
70static ssize_t msr_read(struct file *file, char __user *buf, 48static ssize_t msr_read(struct file *file, char __user *buf,
71 size_t count, loff_t *ppos) 49 size_t count, loff_t *ppos)
72{ 50{
@@ -194,7 +172,7 @@ static int msr_open(struct inode *inode, struct file *file)
194 */ 172 */
195static const struct file_operations msr_fops = { 173static const struct file_operations msr_fops = {
196 .owner = THIS_MODULE, 174 .owner = THIS_MODULE,
197 .llseek = msr_seek, 175 .llseek = no_seek_end_llseek,
198 .read = msr_read, 176 .read = msr_read,
199 .write = msr_write, 177 .write = msr_write,
200 .open = msr_open, 178 .open = msr_open,
diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c
index 3c3ace2c46b6..f58a4e6472cb 100644
--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -227,16 +227,12 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf,
227static ssize_t proc_write_simdisk(struct file *file, const char __user *buf, 227static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
228 size_t count, loff_t *ppos) 228 size_t count, loff_t *ppos)
229{ 229{
230 char *tmp = kmalloc(count + 1, GFP_KERNEL); 230 char *tmp = memdup_user_nul(buf, count);
231 struct simdisk *dev = PDE_DATA(file_inode(file)); 231 struct simdisk *dev = PDE_DATA(file_inode(file));
232 int err; 232 int err;
233 233
234 if (tmp == NULL) 234 if (IS_ERR(tmp))
235 return -ENOMEM; 235 return PTR_ERR(tmp);
236 if (copy_from_user(tmp, buf, count)) {
237 err = -EFAULT;
238 goto out_free;
239 }
240 236
241 err = simdisk_detach(dev); 237 err = simdisk_detach(dev);
242 if (err != 0) 238 if (err != 0)
@@ -244,8 +240,6 @@ static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
244 240
245 if (count > 0 && tmp[count - 1] == '\n') 241 if (count > 0 && tmp[count - 1] == '\n')
246 tmp[count - 1] = 0; 242 tmp[count - 1] = 0;
247 else
248 tmp[count] = 0;
249 243
250 if (tmp[0]) 244 if (tmp[0])
251 err = simdisk_attach(dev, tmp); 245 err = simdisk_attach(dev, tmp);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 0422c47261c3..b38bd06d564c 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -514,14 +514,9 @@ cciss_proc_write(struct file *file, const char __user *buf,
514 if (!buf || length > PAGE_SIZE - 1) 514 if (!buf || length > PAGE_SIZE - 1)
515 return -EINVAL; 515 return -EINVAL;
516 516
517 buffer = (char *)__get_free_page(GFP_KERNEL); 517 buffer = memdup_user_nul(buf, length);
518 if (!buffer) 518 if (IS_ERR(buffer))
519 return -ENOMEM; 519 return PTR_ERR(buffer);
520
521 err = -EFAULT;
522 if (copy_from_user(buffer, buf, length))
523 goto out;
524 buffer[length] = '\0';
525 520
526#ifdef CONFIG_CISS_SCSI_TAPE 521#ifdef CONFIG_CISS_SCSI_TAPE
527 if (strncmp(ENGAGE_SCSI, buffer, sizeof ENGAGE_SCSI - 1) == 0) { 522 if (strncmp(ENGAGE_SCSI, buffer, sizeof ENGAGE_SCSI - 1) == 0) {
@@ -537,8 +532,7 @@ cciss_proc_write(struct file *file, const char __user *buf,
537 /* might be nice to have "disengage" too, but it's not 532 /* might be nice to have "disengage" too, but it's not
538 safely possible. (only 1 module use count, lock issues.) */ 533 safely possible. (only 1 module use count, lock issues.) */
539 534
540out: 535 kfree(buffer);
541 free_page((unsigned long)buffer);
542 return err; 536 return err;
543} 537}
544 538
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 3457ac8c03e2..34997d8ecd64 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2029,13 +2029,10 @@ static int exec_drive_taskfile(struct driver_data *dd,
2029 } 2029 }
2030 2030
2031 if (taskout) { 2031 if (taskout) {
2032 outbuf = kzalloc(taskout, GFP_KERNEL); 2032 outbuf = memdup_user(buf + outtotal, taskout);
2033 if (outbuf == NULL) { 2033 if (IS_ERR(outbuf)) {
2034 err = -ENOMEM; 2034 err = PTR_ERR(outbuf);
2035 goto abort; 2035 outbuf = NULL;
2036 }
2037 if (copy_from_user(outbuf, buf + outtotal, taskout)) {
2038 err = -EFAULT;
2039 goto abort; 2036 goto abort;
2040 } 2037 }
2041 outbuf_dma = pci_map_single(dd->pdev, 2038 outbuf_dma = pci_map_single(dd->pdev,
@@ -2050,14 +2047,10 @@ static int exec_drive_taskfile(struct driver_data *dd,
2050 } 2047 }
2051 2048
2052 if (taskin) { 2049 if (taskin) {
2053 inbuf = kzalloc(taskin, GFP_KERNEL); 2050 inbuf = memdup_user(buf + intotal, taskin);
2054 if (inbuf == NULL) { 2051 if (IS_ERR(inbuf)) {
2055 err = -ENOMEM; 2052 err = PTR_ERR(inbuf);
2056 goto abort; 2053 inbuf = NULL;
2057 }
2058
2059 if (copy_from_user(inbuf, buf + intotal, taskin)) {
2060 err = -EFAULT;
2061 goto abort; 2054 goto abort;
2062 } 2055 }
2063 inbuf_dma = pci_map_single(dd->pdev, 2056 inbuf_dma = pci_map_single(dd->pdev,
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 93b3f99b6865..e4c5cc107934 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -827,6 +827,7 @@ static const struct block_device_operations nbd_fops =
827{ 827{
828 .owner = THIS_MODULE, 828 .owner = THIS_MODULE,
829 .ioctl = nbd_ioctl, 829 .ioctl = nbd_ioctl,
830 .compat_ioctl = nbd_ioctl,
830}; 831};
831 832
832#if IS_ENABLED(CONFIG_DEBUG_FS) 833#if IS_ENABLED(CONFIG_DEBUG_FS)
diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index d8b2488aaade..34997df132e2 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -203,14 +203,11 @@ static ssize_t rsxx_cram_write(struct file *fp, const char __user *ubuf,
203 char *buf; 203 char *buf;
204 ssize_t st; 204 ssize_t st;
205 205
206 buf = kzalloc(cnt, GFP_KERNEL); 206 buf = memdup_user(ubuf, cnt);
207 if (!buf) 207 if (IS_ERR(buf))
208 return -ENOMEM; 208 return PTR_ERR(buf);
209 209
210 st = copy_from_user(buf, ubuf, cnt); 210 st = rsxx_creg_write(card, CREG_ADD_CRAM + (u32)*ppos, cnt, buf, 1);
211 if (!st)
212 st = rsxx_creg_write(card, CREG_ADD_CRAM + (u32)*ppos, cnt,
213 buf, 1);
214 kfree(buf); 211 kfree(buf);
215 if (st) 212 if (st)
216 return st; 213 return st;
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index c206ccda899b..1b257ea9776a 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -3186,15 +3186,11 @@ static noinline int mmc_ioctl_dvd_read_struct(struct cdrom_device_info *cdi,
3186 if (!CDROM_CAN(CDC_DVD)) 3186 if (!CDROM_CAN(CDC_DVD))
3187 return -ENOSYS; 3187 return -ENOSYS;
3188 3188
3189 s = kmalloc(size, GFP_KERNEL); 3189 s = memdup_user(arg, size);
3190 if (!s) 3190 if (IS_ERR(s))
3191 return -ENOMEM; 3191 return PTR_ERR(s);
3192 3192
3193 cd_dbg(CD_DO_IOCTL, "entering DVD_READ_STRUCT\n"); 3193 cd_dbg(CD_DO_IOCTL, "entering DVD_READ_STRUCT\n");
3194 if (copy_from_user(s, arg, size)) {
3195 kfree(s);
3196 return -EFAULT;
3197 }
3198 3194
3199 ret = dvd_read_struct(cdi, s, cgc); 3195 ret = dvd_read_struct(cdi, s, cgc);
3200 if (ret) 3196 if (ret)
diff --git a/drivers/char/generic_nvram.c b/drivers/char/generic_nvram.c
index 6c4f4b5a9dd3..073db9558379 100644
--- a/drivers/char/generic_nvram.c
+++ b/drivers/char/generic_nvram.c
@@ -20,6 +20,7 @@
20#include <linux/fcntl.h> 20#include <linux/fcntl.h>
21#include <linux/init.h> 21#include <linux/init.h>
22#include <linux/mutex.h> 22#include <linux/mutex.h>
23#include <linux/pagemap.h>
23#include <asm/uaccess.h> 24#include <asm/uaccess.h>
24#include <asm/nvram.h> 25#include <asm/nvram.h>
25#ifdef CONFIG_PPC_PMAC 26#ifdef CONFIG_PPC_PMAC
@@ -33,24 +34,8 @@ static ssize_t nvram_len;
33 34
34static loff_t nvram_llseek(struct file *file, loff_t offset, int origin) 35static loff_t nvram_llseek(struct file *file, loff_t offset, int origin)
35{ 36{
36 switch (origin) { 37 return generic_file_llseek_size(file, offset, origin,
37 case 0: 38 MAX_LFS_FILESIZE, nvram_len);
38 break;
39 case 1:
40 offset += file->f_pos;
41 break;
42 case 2:
43 offset += nvram_len;
44 break;
45 default:
46 offset = -1;
47 }
48 if (offset < 0)
49 return -EINVAL;
50
51 file->f_pos = offset;
52
53 return file->f_pos;
54} 39}
55 40
56static ssize_t read_nvram(struct file *file, char __user *buf, 41static ssize_t read_nvram(struct file *file, char __user *buf,
diff --git a/drivers/char/mbcs.c b/drivers/char/mbcs.c
index e5d3e3f7a49b..67d426470e53 100644
--- a/drivers/char/mbcs.c
+++ b/drivers/char/mbcs.c
@@ -26,6 +26,7 @@
26#include <linux/uio.h> 26#include <linux/uio.h>
27#include <linux/mutex.h> 27#include <linux/mutex.h>
28#include <linux/slab.h> 28#include <linux/slab.h>
29#include <linux/pagemap.h>
29#include <asm/io.h> 30#include <asm/io.h>
30#include <asm/uaccess.h> 31#include <asm/uaccess.h>
31#include <asm/pgtable.h> 32#include <asm/pgtable.h>
@@ -451,31 +452,8 @@ mbcs_sram_write(struct file * fp, const char __user *buf, size_t len, loff_t * o
451 452
452static loff_t mbcs_sram_llseek(struct file * filp, loff_t off, int whence) 453static loff_t mbcs_sram_llseek(struct file * filp, loff_t off, int whence)
453{ 454{
454 loff_t newpos; 455 return generic_file_llseek_size(filp, off, whence, MAX_LFS_FILESIZE,
455 456 MBCS_SRAM_SIZE);
456 switch (whence) {
457 case SEEK_SET:
458 newpos = off;
459 break;
460
461 case SEEK_CUR:
462 newpos = filp->f_pos + off;
463 break;
464
465 case SEEK_END:
466 newpos = MBCS_SRAM_SIZE + off;
467 break;
468
469 default: /* can't happen */
470 return -EINVAL;
471 }
472
473 if (newpos < 0)
474 return -EINVAL;
475
476 filp->f_pos = newpos;
477
478 return newpos;
479} 457}
480 458
481static uint64_t mbcs_pioaddr(struct mbcs_soft *soft, uint64_t offset) 459static uint64_t mbcs_pioaddr(struct mbcs_soft *soft, uint64_t offset)
diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
index 97c2d8d433d6..01292328a456 100644
--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -110,6 +110,7 @@
110#include <linux/io.h> 110#include <linux/io.h>
111#include <linux/uaccess.h> 111#include <linux/uaccess.h>
112#include <linux/mutex.h> 112#include <linux/mutex.h>
113#include <linux/pagemap.h>
113 114
114 115
115static DEFINE_MUTEX(nvram_mutex); 116static DEFINE_MUTEX(nvram_mutex);
@@ -213,21 +214,8 @@ void nvram_set_checksum(void)
213 214
214static loff_t nvram_llseek(struct file *file, loff_t offset, int origin) 215static loff_t nvram_llseek(struct file *file, loff_t offset, int origin)
215{ 216{
216 switch (origin) { 217 return generic_file_llseek_size(file, offset, origin, MAX_LFS_FILESIZE,
217 case 0: 218 NVRAM_BYTES);
218 /* nothing to do */
219 break;
220 case 1:
221 offset += file->f_pos;
222 break;
223 case 2:
224 offset += NVRAM_BYTES;
225 break;
226 default:
227 return -EINVAL;
228 }
229
230 return (offset >= 0) ? (file->f_pos = offset) : -EINVAL;
231} 219}
232 220
233static ssize_t nvram_read(struct file *file, char __user *buf, 221static ssize_t nvram_read(struct file *file, char __user *buf,
diff --git a/drivers/char/nwflash.c b/drivers/char/nwflash.c
index e371480d3639..dbe598de9b74 100644
--- a/drivers/char/nwflash.c
+++ b/drivers/char/nwflash.c
@@ -277,36 +277,7 @@ static loff_t flash_llseek(struct file *file, loff_t offset, int orig)
277 printk(KERN_DEBUG "flash_llseek: offset=0x%X, orig=0x%X.\n", 277 printk(KERN_DEBUG "flash_llseek: offset=0x%X, orig=0x%X.\n",
278 (unsigned int) offset, orig); 278 (unsigned int) offset, orig);
279 279
280 switch (orig) { 280 ret = no_seek_end_llseek_size(file, offset, orig, gbFlashSize);
281 case 0:
282 if (offset < 0) {
283 ret = -EINVAL;
284 break;
285 }
286
287 if ((unsigned int) offset > gbFlashSize) {
288 ret = -EINVAL;
289 break;
290 }
291
292 file->f_pos = (unsigned int) offset;
293 ret = file->f_pos;
294 break;
295 case 1:
296 if ((file->f_pos + offset) > gbFlashSize) {
297 ret = -EINVAL;
298 break;
299 }
300 if ((file->f_pos + offset) < 0) {
301 ret = -EINVAL;
302 break;
303 }
304 file->f_pos += offset;
305 ret = file->f_pos;
306 break;
307 default:
308 ret = -EINVAL;
309 }
310 mutex_unlock(&flash_mutex); 281 mutex_unlock(&flash_mutex);
311 return ret; 282 return ret;
312} 283}
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index c6a1b4cc6458..d321222fd92e 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -559,19 +559,10 @@ static int kfd_ioctl_dbg_address_watch(struct file *filep,
559 559
560 /* this is the actual buffer to work with */ 560 /* this is the actual buffer to work with */
561 561
562 args_buff = kmalloc(args->buf_size_in_bytes - 562 args_buff = memdup_user(args_buff,
563 sizeof(*args), GFP_KERNEL);
564 if (args_buff == NULL)
565 return -ENOMEM;
566
567 status = copy_from_user(args_buff, cmd_from_user,
568 args->buf_size_in_bytes - sizeof(*args)); 563 args->buf_size_in_bytes - sizeof(*args));
569 564 if (IS_ERR(args_buff))
570 if (status != 0) { 565 return PTR_ERR(args_buff);
571 pr_debug("Failed to copy address watch user data\n");
572 kfree(args_buff);
573 return -EINVAL;
574 }
575 566
576 aw_info.process = p; 567 aw_info.process = p;
577 568
@@ -677,22 +668,12 @@ static int kfd_ioctl_dbg_wave_control(struct file *filep,
677 if (cmd_from_user == NULL) 668 if (cmd_from_user == NULL)
678 return -EINVAL; 669 return -EINVAL;
679 670
680 /* this is the actual buffer to work with */ 671 /* copy the entire buffer from user */
681 672
682 args_buff = kmalloc(args->buf_size_in_bytes - sizeof(*args), 673 args_buff = memdup_user(cmd_from_user,
683 GFP_KERNEL);
684
685 if (args_buff == NULL)
686 return -ENOMEM;
687
688 /* Now copy the entire buffer from user */
689 status = copy_from_user(args_buff, cmd_from_user,
690 args->buf_size_in_bytes - sizeof(*args)); 674 args->buf_size_in_bytes - sizeof(*args));
691 if (status != 0) { 675 if (IS_ERR(args_buff))
692 pr_debug("Failed to copy wave control user data\n"); 676 return PTR_ERR(args_buff);
693 kfree(args_buff);
694 return -EINVAL;
695 }
696 677
697 /* move ptr to the start of the "pay-load" area */ 678 /* move ptr to the start of the "pay-load" area */
698 wac_info.process = p; 679 wac_info.process = p;
diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c
index 9abcaa53bd25..f17cb0431833 100644
--- a/drivers/gpu/vga/vgaarb.c
+++ b/drivers/gpu/vga/vgaarb.c
@@ -1163,12 +1163,8 @@ done:
1163 1163
1164static unsigned int vga_arb_fpoll(struct file *file, poll_table *wait) 1164static unsigned int vga_arb_fpoll(struct file *file, poll_table *wait)
1165{ 1165{
1166 struct vga_arb_private *priv = file->private_data;
1167
1168 pr_debug("%s\n", __func__); 1166 pr_debug("%s\n", __func__);
1169 1167
1170 if (priv == NULL)
1171 return -ENODEV;
1172 poll_wait(file, &vga_wait_queue, wait); 1168 poll_wait(file, &vga_wait_queue, wait);
1173 return POLLIN; 1169 return POLLIN;
1174} 1170}
@@ -1209,9 +1205,6 @@ static int vga_arb_release(struct inode *inode, struct file *file)
1209 1205
1210 pr_debug("%s\n", __func__); 1206 pr_debug("%s\n", __func__);
1211 1207
1212 if (priv == NULL)
1213 return -ENODEV;
1214
1215 spin_lock_irqsave(&vga_user_lock, flags); 1208 spin_lock_irqsave(&vga_user_lock, flags);
1216 list_del(&priv->list); 1209 list_del(&priv->list);
1217 for (i = 0; i < MAX_USER_CARDS; i++) { 1210 for (i = 0; i < MAX_USER_CARDS; i++) {
diff --git a/drivers/md/bcache/util.c b/drivers/md/bcache/util.c
index db3ae4c2b223..dde6172f3f10 100644
--- a/drivers/md/bcache/util.c
+++ b/drivers/md/bcache/util.c
@@ -230,7 +230,7 @@ void bch_bio_map(struct bio *bio, void *base)
230 BUG_ON(!bio->bi_iter.bi_size); 230 BUG_ON(!bio->bi_iter.bi_size);
231 BUG_ON(bio->bi_vcnt); 231 BUG_ON(bio->bi_vcnt);
232 232
233 bv->bv_offset = base ? ((unsigned long) base) % PAGE_SIZE : 0; 233 bv->bv_offset = base ? offset_in_page(base) : 0;
234 goto start; 234 goto start;
235 235
236 for (; size; bio->bi_vcnt++, bv++) { 236 for (; size; bio->bi_vcnt++, bv++) {
diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
index 6b832e06580d..cd77216beff1 100644
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -650,7 +650,7 @@ static void use_inline_bio(struct dm_buffer *b, int rw, sector_t block,
650 do { 650 do {
651 if (!bio_add_page(&b->bio, virt_to_page(ptr), 651 if (!bio_add_page(&b->bio, virt_to_page(ptr),
652 len < PAGE_SIZE ? len : PAGE_SIZE, 652 len < PAGE_SIZE ? len : PAGE_SIZE,
653 virt_to_phys(ptr) & (PAGE_SIZE - 1))) { 653 offset_in_page(ptr))) {
654 BUG_ON(b->c->block_size <= PAGE_SIZE); 654 BUG_ON(b->c->block_size <= PAGE_SIZE);
655 use_dmio(b, rw, block, end_io); 655 use_dmio(b, rw, block, end_io);
656 return; 656 return;
diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
index 81c5e1a1f363..06d426eb5a30 100644
--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -246,7 +246,7 @@ static void vm_dp_init(struct dpages *dp, void *data)
246{ 246{
247 dp->get_page = vm_get_page; 247 dp->get_page = vm_get_page;
248 dp->next_page = vm_next_page; 248 dp->next_page = vm_next_page;
249 dp->context_u = ((unsigned long) data) & (PAGE_SIZE - 1); 249 dp->context_u = offset_in_page(data);
250 dp->context_ptr = data; 250 dp->context_ptr = data;
251} 251}
252 252
@@ -271,7 +271,7 @@ static void km_dp_init(struct dpages *dp, void *data)
271{ 271{
272 dp->get_page = km_get_page; 272 dp->get_page = km_get_page;
273 dp->next_page = km_next_page; 273 dp->next_page = km_next_page;
274 dp->context_u = ((unsigned long) data) & (PAGE_SIZE - 1); 274 dp->context_u = offset_in_page(data);
275 dp->context_ptr = data; 275 dp->context_ptr = data;
276} 276}
277 277
diff --git a/drivers/mtd/maps/pcmciamtd.c b/drivers/mtd/maps/pcmciamtd.c
index 3dad2111b7e3..70bb403f69f7 100644
--- a/drivers/mtd/maps/pcmciamtd.c
+++ b/drivers/mtd/maps/pcmciamtd.c
@@ -30,7 +30,7 @@
30 30
31struct pcmciamtd_dev { 31struct pcmciamtd_dev {
32 struct pcmcia_device *p_dev; 32 struct pcmcia_device *p_dev;
33 caddr_t win_base; /* ioremapped address of PCMCIA window */ 33 void __iomem *win_base; /* ioremapped address of PCMCIA window */
34 unsigned int win_size; /* size of window */ 34 unsigned int win_size; /* size of window */
35 unsigned int offset; /* offset into card the window currently points at */ 35 unsigned int offset; /* offset into card the window currently points at */
36 struct map_info pcmcia_map; 36 struct map_info pcmcia_map;
@@ -80,7 +80,7 @@ MODULE_PARM_DESC(mem_type, "Set Memory type (0=Flash, 1=RAM, 2=ROM, default=0)")
80/* read/write{8,16} copy_{from,to} routines with window remapping 80/* read/write{8,16} copy_{from,to} routines with window remapping
81 * to access whole card 81 * to access whole card
82 */ 82 */
83static caddr_t remap_window(struct map_info *map, unsigned long to) 83static void __iomem *remap_window(struct map_info *map, unsigned long to)
84{ 84{
85 struct pcmciamtd_dev *dev = (struct pcmciamtd_dev *)map->map_priv_1; 85 struct pcmciamtd_dev *dev = (struct pcmciamtd_dev *)map->map_priv_1;
86 struct resource *win = (struct resource *) map->map_priv_2; 86 struct resource *win = (struct resource *) map->map_priv_2;
@@ -107,7 +107,7 @@ static caddr_t remap_window(struct map_info *map, unsigned long to)
107 107
108static map_word pcmcia_read8_remap(struct map_info *map, unsigned long ofs) 108static map_word pcmcia_read8_remap(struct map_info *map, unsigned long ofs)
109{ 109{
110 caddr_t addr; 110 void __iomem *addr;
111 map_word d = {{0}}; 111 map_word d = {{0}};
112 112
113 addr = remap_window(map, ofs); 113 addr = remap_window(map, ofs);
@@ -122,7 +122,7 @@ static map_word pcmcia_read8_remap(struct map_info *map, unsigned long ofs)
122 122
123static map_word pcmcia_read16_remap(struct map_info *map, unsigned long ofs) 123static map_word pcmcia_read16_remap(struct map_info *map, unsigned long ofs)
124{ 124{
125 caddr_t addr; 125 void __iomem *addr;
126 map_word d = {{0}}; 126 map_word d = {{0}};
127 127
128 addr = remap_window(map, ofs); 128 addr = remap_window(map, ofs);
@@ -143,7 +143,7 @@ static void pcmcia_copy_from_remap(struct map_info *map, void *to, unsigned long
143 pr_debug("to = %p from = %lu len = %zd\n", to, from, len); 143 pr_debug("to = %p from = %lu len = %zd\n", to, from, len);
144 while(len) { 144 while(len) {
145 int toread = win_size - (from & (win_size-1)); 145 int toread = win_size - (from & (win_size-1));
146 caddr_t addr; 146 void __iomem *addr;
147 147
148 if(toread > len) 148 if(toread > len)
149 toread = len; 149 toread = len;
@@ -163,7 +163,7 @@ static void pcmcia_copy_from_remap(struct map_info *map, void *to, unsigned long
163 163
164static void pcmcia_write8_remap(struct map_info *map, map_word d, unsigned long adr) 164static void pcmcia_write8_remap(struct map_info *map, map_word d, unsigned long adr)
165{ 165{
166 caddr_t addr = remap_window(map, adr); 166 void __iomem *addr = remap_window(map, adr);
167 167
168 if(!addr) 168 if(!addr)
169 return; 169 return;
@@ -175,7 +175,7 @@ static void pcmcia_write8_remap(struct map_info *map, map_word d, unsigned long
175 175
176static void pcmcia_write16_remap(struct map_info *map, map_word d, unsigned long adr) 176static void pcmcia_write16_remap(struct map_info *map, map_word d, unsigned long adr)
177{ 177{
178 caddr_t addr = remap_window(map, adr); 178 void __iomem *addr = remap_window(map, adr);
179 if(!addr) 179 if(!addr)
180 return; 180 return;
181 181
@@ -192,7 +192,7 @@ static void pcmcia_copy_to_remap(struct map_info *map, unsigned long to, const v
192 pr_debug("to = %lu from = %p len = %zd\n", to, from, len); 192 pr_debug("to = %lu from = %p len = %zd\n", to, from, len);
193 while(len) { 193 while(len) {
194 int towrite = win_size - (to & (win_size-1)); 194 int towrite = win_size - (to & (win_size-1));
195 caddr_t addr; 195 void __iomem *addr;
196 196
197 if(towrite > len) 197 if(towrite > len)
198 towrite = len; 198 towrite = len;
@@ -216,7 +216,7 @@ static void pcmcia_copy_to_remap(struct map_info *map, unsigned long to, const v
216 216
217static map_word pcmcia_read8(struct map_info *map, unsigned long ofs) 217static map_word pcmcia_read8(struct map_info *map, unsigned long ofs)
218{ 218{
219 caddr_t win_base = (caddr_t)map->map_priv_2; 219 void __iomem *win_base = (void __iomem *)map->map_priv_2;
220 map_word d = {{0}}; 220 map_word d = {{0}};
221 221
222 if(DEV_REMOVED(map)) 222 if(DEV_REMOVED(map))
@@ -231,7 +231,7 @@ static map_word pcmcia_read8(struct map_info *map, unsigned long ofs)
231 231
232static map_word pcmcia_read16(struct map_info *map, unsigned long ofs) 232static map_word pcmcia_read16(struct map_info *map, unsigned long ofs)
233{ 233{
234 caddr_t win_base = (caddr_t)map->map_priv_2; 234 void __iomem *win_base = (void __iomem *)map->map_priv_2;
235 map_word d = {{0}}; 235 map_word d = {{0}};
236 236
237 if(DEV_REMOVED(map)) 237 if(DEV_REMOVED(map))
@@ -246,7 +246,7 @@ static map_word pcmcia_read16(struct map_info *map, unsigned long ofs)
246 246
247static void pcmcia_copy_from(struct map_info *map, void *to, unsigned long from, ssize_t len) 247static void pcmcia_copy_from(struct map_info *map, void *to, unsigned long from, ssize_t len)
248{ 248{
249 caddr_t win_base = (caddr_t)map->map_priv_2; 249 void __iomem *win_base = (void __iomem *)map->map_priv_2;
250 250
251 if(DEV_REMOVED(map)) 251 if(DEV_REMOVED(map))
252 return; 252 return;
@@ -258,7 +258,7 @@ static void pcmcia_copy_from(struct map_info *map, void *to, unsigned long from,
258 258
259static void pcmcia_write8(struct map_info *map, map_word d, unsigned long adr) 259static void pcmcia_write8(struct map_info *map, map_word d, unsigned long adr)
260{ 260{
261 caddr_t win_base = (caddr_t)map->map_priv_2; 261 void __iomem *win_base = (void __iomem *)map->map_priv_2;
262 262
263 if(DEV_REMOVED(map)) 263 if(DEV_REMOVED(map))
264 return; 264 return;
@@ -271,7 +271,7 @@ static void pcmcia_write8(struct map_info *map, map_word d, unsigned long adr)
271 271
272static void pcmcia_write16(struct map_info *map, map_word d, unsigned long adr) 272static void pcmcia_write16(struct map_info *map, map_word d, unsigned long adr)
273{ 273{
274 caddr_t win_base = (caddr_t)map->map_priv_2; 274 void __iomem *win_base = (void __iomem *)map->map_priv_2;
275 275
276 if(DEV_REMOVED(map)) 276 if(DEV_REMOVED(map))
277 return; 277 return;
@@ -284,7 +284,7 @@ static void pcmcia_write16(struct map_info *map, map_word d, unsigned long adr)
284 284
285static void pcmcia_copy_to(struct map_info *map, unsigned long to, const void *from, ssize_t len) 285static void pcmcia_copy_to(struct map_info *map, unsigned long to, const void *from, ssize_t len)
286{ 286{
287 caddr_t win_base = (caddr_t)map->map_priv_2; 287 void __iomem *win_base = (void __iomem *)map->map_priv_2;
288 288
289 if(DEV_REMOVED(map)) 289 if(DEV_REMOVED(map))
290 return; 290 return;
diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index 97bc186f9728..a1d10b85989f 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -580,16 +580,10 @@ static ssize_t wil_write_file_rxon(struct file *file, const char __user *buf,
580 long channel; 580 long channel;
581 bool on; 581 bool on;
582 582
583 char *kbuf = kmalloc(len + 1, GFP_KERNEL); 583 char *kbuf = memdup_user_nul(buf, len);
584
585 if (!kbuf)
586 return -ENOMEM;
587 if (copy_from_user(kbuf, buf, len)) {
588 kfree(kbuf);
589 return -EIO;
590 }
591 584
592 kbuf[len] = '\0'; 585 if (IS_ERR(kbuf))
586 return PTR_ERR(kbuf);
593 rc = kstrtol(kbuf, 0, &channel); 587 rc = kstrtol(kbuf, 0, &channel);
594 kfree(kbuf); 588 kfree(kbuf);
595 if (rc) 589 if (rc)
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
index 26cbf1dcc662..faed1823c58e 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -56,19 +56,15 @@ static ssize_t lbs_sleepparams_write(struct file *file,
56 loff_t *ppos) 56 loff_t *ppos)
57{ 57{
58 struct lbs_private *priv = file->private_data; 58 struct lbs_private *priv = file->private_data;
59 ssize_t buf_size, ret; 59 ssize_t ret;
60 struct sleep_params sp; 60 struct sleep_params sp;
61 int p1, p2, p3, p4, p5, p6; 61 int p1, p2, p3, p4, p5, p6;
62 unsigned long addr = get_zeroed_page(GFP_KERNEL); 62 char *buf;
63 char *buf = (char *)addr; 63
64 if (!buf) 64 buf = memdup_user_nul(user_buf, min(count, len - 1));
65 return -ENOMEM; 65 if (IS_ERR(buf))
66 return PTR_ERR(buf);
66 67
67 buf_size = min(count, len - 1);
68 if (copy_from_user(buf, user_buf, buf_size)) {
69 ret = -EFAULT;
70 goto out_unlock;
71 }
72 ret = sscanf(buf, "%d %d %d %d %d %d", &p1, &p2, &p3, &p4, &p5, &p6); 68 ret = sscanf(buf, "%d %d %d %d %d %d", &p1, &p2, &p3, &p4, &p5, &p6);
73 if (ret != 6) { 69 if (ret != 6) {
74 ret = -EINVAL; 70 ret = -EINVAL;
@@ -88,7 +84,7 @@ static ssize_t lbs_sleepparams_write(struct file *file,
88 ret = -EINVAL; 84 ret = -EINVAL;
89 85
90out_unlock: 86out_unlock:
91 free_page(addr); 87 kfree(buf);
92 return ret; 88 return ret;
93} 89}
94 90
@@ -125,18 +121,14 @@ static ssize_t lbs_host_sleep_write(struct file *file,
125 loff_t *ppos) 121 loff_t *ppos)
126{ 122{
127 struct lbs_private *priv = file->private_data; 123 struct lbs_private *priv = file->private_data;
128 ssize_t buf_size, ret; 124 ssize_t ret;
129 int host_sleep; 125 int host_sleep;
130 unsigned long addr = get_zeroed_page(GFP_KERNEL); 126 char *buf;
131 char *buf = (char *)addr; 127
132 if (!buf) 128 buf = memdup_user_nul(user_buf, min(count, len - 1));
133 return -ENOMEM; 129 if (IS_ERR(buf))
130 return PTR_ERR(buf);
134 131
135 buf_size = min(count, len - 1);
136 if (copy_from_user(buf, user_buf, buf_size)) {
137 ret = -EFAULT;
138 goto out_unlock;
139 }
140 ret = sscanf(buf, "%d", &host_sleep); 132 ret = sscanf(buf, "%d", &host_sleep);
141 if (ret != 1) { 133 if (ret != 1) {
142 ret = -EINVAL; 134 ret = -EINVAL;
@@ -162,7 +154,7 @@ static ssize_t lbs_host_sleep_write(struct file *file,
162 ret = count; 154 ret = count;
163 155
164out_unlock: 156out_unlock:
165 free_page(addr); 157 kfree(buf);
166 return ret; 158 return ret;
167} 159}
168 160
@@ -281,21 +273,15 @@ static ssize_t lbs_threshold_write(uint16_t tlv_type, uint16_t event_mask,
281 struct cmd_ds_802_11_subscribe_event *events; 273 struct cmd_ds_802_11_subscribe_event *events;
282 struct mrvl_ie_thresholds *tlv; 274 struct mrvl_ie_thresholds *tlv;
283 struct lbs_private *priv = file->private_data; 275 struct lbs_private *priv = file->private_data;
284 ssize_t buf_size;
285 int value, freq, new_mask; 276 int value, freq, new_mask;
286 uint16_t curr_mask; 277 uint16_t curr_mask;
287 char *buf; 278 char *buf;
288 int ret; 279 int ret;
289 280
290 buf = (char *)get_zeroed_page(GFP_KERNEL); 281 buf = memdup_user_nul(userbuf, min(count, len - 1));
291 if (!buf) 282 if (IS_ERR(buf))
292 return -ENOMEM; 283 return PTR_ERR(buf);
293 284
294 buf_size = min(count, len - 1);
295 if (copy_from_user(buf, userbuf, buf_size)) {
296 ret = -EFAULT;
297 goto out_page;
298 }
299 ret = sscanf(buf, "%d %d %d", &value, &freq, &new_mask); 285 ret = sscanf(buf, "%d %d %d", &value, &freq, &new_mask);
300 if (ret != 3) { 286 if (ret != 3) {
301 ret = -EINVAL; 287 ret = -EINVAL;
@@ -343,7 +329,7 @@ static ssize_t lbs_threshold_write(uint16_t tlv_type, uint16_t event_mask,
343 out_events: 329 out_events:
344 kfree(events); 330 kfree(events);
345 out_page: 331 out_page:
346 free_page((unsigned long)buf); 332 kfree(buf);
347 return ret; 333 return ret;
348} 334}
349 335
@@ -472,22 +458,15 @@ static ssize_t lbs_rdmac_write(struct file *file,
472 size_t count, loff_t *ppos) 458 size_t count, loff_t *ppos)
473{ 459{
474 struct lbs_private *priv = file->private_data; 460 struct lbs_private *priv = file->private_data;
475 ssize_t res, buf_size; 461 char *buf;
476 unsigned long addr = get_zeroed_page(GFP_KERNEL); 462
477 char *buf = (char *)addr; 463 buf = memdup_user_nul(userbuf, min(count, len - 1));
478 if (!buf) 464 if (IS_ERR(buf))
479 return -ENOMEM; 465 return PTR_ERR(buf);
480 466
481 buf_size = min(count, len - 1);
482 if (copy_from_user(buf, userbuf, buf_size)) {
483 res = -EFAULT;
484 goto out_unlock;
485 }
486 priv->mac_offset = simple_strtoul(buf, NULL, 16); 467 priv->mac_offset = simple_strtoul(buf, NULL, 16);
487 res = count; 468 kfree(buf);
488out_unlock: 469 return count;
489 free_page(addr);
490 return res;
491} 470}
492 471
493static ssize_t lbs_wrmac_write(struct file *file, 472static ssize_t lbs_wrmac_write(struct file *file,
@@ -496,18 +475,14 @@ static ssize_t lbs_wrmac_write(struct file *file,
496{ 475{
497 476
498 struct lbs_private *priv = file->private_data; 477 struct lbs_private *priv = file->private_data;
499 ssize_t res, buf_size; 478 ssize_t res;
500 u32 offset, value; 479 u32 offset, value;
501 unsigned long addr = get_zeroed_page(GFP_KERNEL); 480 char *buf;
502 char *buf = (char *)addr; 481
503 if (!buf) 482 buf = memdup_user_nul(userbuf, min(count, len - 1));
504 return -ENOMEM; 483 if (IS_ERR(buf))
484 return PTR_ERR(buf);
505 485
506 buf_size = min(count, len - 1);
507 if (copy_from_user(buf, userbuf, buf_size)) {
508 res = -EFAULT;
509 goto out_unlock;
510 }
511 res = sscanf(buf, "%x %x", &offset, &value); 486 res = sscanf(buf, "%x %x", &offset, &value);
512 if (res != 2) { 487 if (res != 2) {
513 res = -EFAULT; 488 res = -EFAULT;
@@ -520,7 +495,7 @@ static ssize_t lbs_wrmac_write(struct file *file,
520 if (!res) 495 if (!res)
521 res = count; 496 res = count;
522out_unlock: 497out_unlock:
523 free_page(addr); 498 kfree(buf);
524 return res; 499 return res;
525} 500}
526 501
@@ -554,22 +529,16 @@ static ssize_t lbs_rdbbp_write(struct file *file,
554 size_t count, loff_t *ppos) 529 size_t count, loff_t *ppos)
555{ 530{
556 struct lbs_private *priv = file->private_data; 531 struct lbs_private *priv = file->private_data;
557 ssize_t res, buf_size; 532 char *buf;
558 unsigned long addr = get_zeroed_page(GFP_KERNEL); 533
559 char *buf = (char *)addr; 534 buf = memdup_user_nul(userbuf, min(count, len - 1));
560 if (!buf) 535 if (IS_ERR(buf))
561 return -ENOMEM; 536 return PTR_ERR(buf);
562 537
563 buf_size = min(count, len - 1);
564 if (copy_from_user(buf, userbuf, buf_size)) {
565 res = -EFAULT;
566 goto out_unlock;
567 }
568 priv->bbp_offset = simple_strtoul(buf, NULL, 16); 538 priv->bbp_offset = simple_strtoul(buf, NULL, 16);
569 res = count; 539 kfree(buf);
570out_unlock: 540
571 free_page(addr); 541 return count;
572 return res;
573} 542}
574 543
575static ssize_t lbs_wrbbp_write(struct file *file, 544static ssize_t lbs_wrbbp_write(struct file *file,
@@ -578,18 +547,14 @@ static ssize_t lbs_wrbbp_write(struct file *file,
578{ 547{
579 548
580 struct lbs_private *priv = file->private_data; 549 struct lbs_private *priv = file->private_data;
581 ssize_t res, buf_size; 550 ssize_t res;
582 u32 offset, value; 551 u32 offset, value;
583 unsigned long addr = get_zeroed_page(GFP_KERNEL); 552 char *buf;
584 char *buf = (char *)addr; 553
585 if (!buf) 554 buf = memdup_user_nul(userbuf, min(count, len - 1));
586 return -ENOMEM; 555 if (IS_ERR(buf))
556 return PTR_ERR(buf);
587 557
588 buf_size = min(count, len - 1);
589 if (copy_from_user(buf, userbuf, buf_size)) {
590 res = -EFAULT;
591 goto out_unlock;
592 }
593 res = sscanf(buf, "%x %x", &offset, &value); 558 res = sscanf(buf, "%x %x", &offset, &value);
594 if (res != 2) { 559 if (res != 2) {
595 res = -EFAULT; 560 res = -EFAULT;
@@ -602,7 +567,7 @@ static ssize_t lbs_wrbbp_write(struct file *file,
602 if (!res) 567 if (!res)
603 res = count; 568 res = count;
604out_unlock: 569out_unlock:
605 free_page(addr); 570 kfree(buf);
606 return res; 571 return res;
607} 572}
608 573
@@ -636,22 +601,15 @@ static ssize_t lbs_rdrf_write(struct file *file,
636 size_t count, loff_t *ppos) 601 size_t count, loff_t *ppos)
637{ 602{
638 struct lbs_private *priv = file->private_data; 603 struct lbs_private *priv = file->private_data;
639 ssize_t res, buf_size; 604 char *buf;
640 unsigned long addr = get_zeroed_page(GFP_KERNEL); 605
641 char *buf = (char *)addr; 606 buf = memdup_user_nul(userbuf, min(count, len - 1));
642 if (!buf) 607 if (IS_ERR(buf))
643 return -ENOMEM; 608 return PTR_ERR(buf);
644 609
645 buf_size = min(count, len - 1);
646 if (copy_from_user(buf, userbuf, buf_size)) {
647 res = -EFAULT;
648 goto out_unlock;
649 }
650 priv->rf_offset = simple_strtoul(buf, NULL, 16); 610 priv->rf_offset = simple_strtoul(buf, NULL, 16);
651 res = count; 611 kfree(buf);
652out_unlock: 612 return count;
653 free_page(addr);
654 return res;
655} 613}
656 614
657static ssize_t lbs_wrrf_write(struct file *file, 615static ssize_t lbs_wrrf_write(struct file *file,
@@ -660,18 +618,14 @@ static ssize_t lbs_wrrf_write(struct file *file,
660{ 618{
661 619
662 struct lbs_private *priv = file->private_data; 620 struct lbs_private *priv = file->private_data;
663 ssize_t res, buf_size; 621 ssize_t res;
664 u32 offset, value; 622 u32 offset, value;
665 unsigned long addr = get_zeroed_page(GFP_KERNEL); 623 char *buf;
666 char *buf = (char *)addr; 624
667 if (!buf) 625 buf = memdup_user_nul(userbuf, min(count, len - 1));
668 return -ENOMEM; 626 if (IS_ERR(buf))
627 return PTR_ERR(buf);
669 628
670 buf_size = min(count, len - 1);
671 if (copy_from_user(buf, userbuf, buf_size)) {
672 res = -EFAULT;
673 goto out_unlock;
674 }
675 res = sscanf(buf, "%x %x", &offset, &value); 629 res = sscanf(buf, "%x %x", &offset, &value);
676 if (res != 2) { 630 if (res != 2) {
677 res = -EFAULT; 631 res = -EFAULT;
@@ -684,7 +638,7 @@ static ssize_t lbs_wrrf_write(struct file *file,
684 if (!res) 638 if (!res)
685 res = count; 639 res = count;
686out_unlock: 640out_unlock:
687 free_page(addr); 641 kfree(buf);
688 return res; 642 return res;
689} 643}
690 644
@@ -915,16 +869,9 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
915 if (cnt == 0) 869 if (cnt == 0)
916 return 0; 870 return 0;
917 871
918 pdata = kmalloc(cnt + 1, GFP_KERNEL); 872 pdata = memdup_user_nul(buf, cnt);
919 if (pdata == NULL) 873 if (IS_ERR(pdata))
920 return 0; 874 return PTR_ERR(pdata);
921
922 if (copy_from_user(pdata, buf, cnt)) {
923 lbs_deb_debugfs("Copy from user failed\n");
924 kfree(pdata);
925 return 0;
926 }
927 pdata[cnt] = '\0';
928 875
929 p0 = pdata; 876 p0 = pdata;
930 for (i = 0; i < num_of_items; i++) { 877 for (i = 0; i < num_of_items; i++) {
diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
index 9824d8dd2b44..241e1c3fbf08 100644
--- a/drivers/net/wireless/mwifiex/debugfs.c
+++ b/drivers/net/wireless/mwifiex/debugfs.c
@@ -447,20 +447,13 @@ static ssize_t
447mwifiex_regrdwr_write(struct file *file, 447mwifiex_regrdwr_write(struct file *file,
448 const char __user *ubuf, size_t count, loff_t *ppos) 448 const char __user *ubuf, size_t count, loff_t *ppos)
449{ 449{
450 unsigned long addr = get_zeroed_page(GFP_KERNEL); 450 char *buf;
451 char *buf = (char *) addr;
452 size_t buf_size = min_t(size_t, count, PAGE_SIZE - 1);
453 int ret; 451 int ret;
454 u32 reg_type = 0, reg_offset = 0, reg_value = UINT_MAX; 452 u32 reg_type = 0, reg_offset = 0, reg_value = UINT_MAX;
455 453
456 if (!buf) 454 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
457 return -ENOMEM; 455 if (IS_ERR(buf))
458 456 return PTR_ERR(buf);
459
460 if (copy_from_user(buf, ubuf, buf_size)) {
461 ret = -EFAULT;
462 goto done;
463 }
464 457
465 sscanf(buf, "%u %x %x", &reg_type, &reg_offset, &reg_value); 458 sscanf(buf, "%u %x %x", &reg_type, &reg_offset, &reg_value);
466 459
@@ -474,7 +467,7 @@ mwifiex_regrdwr_write(struct file *file,
474 ret = count; 467 ret = count;
475 } 468 }
476done: 469done:
477 free_page(addr); 470 kfree(buf);
478 return ret; 471 return ret;
479} 472}
480 473
@@ -572,17 +565,11 @@ mwifiex_debug_mask_write(struct file *file, const char __user *ubuf,
572 int ret; 565 int ret;
573 unsigned long debug_mask; 566 unsigned long debug_mask;
574 struct mwifiex_private *priv = (void *)file->private_data; 567 struct mwifiex_private *priv = (void *)file->private_data;
575 unsigned long addr = get_zeroed_page(GFP_KERNEL); 568 char *buf;
576 char *buf = (void *)addr;
577 size_t buf_size = min(count, (size_t)(PAGE_SIZE - 1));
578 569
579 if (!buf) 570 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
580 return -ENOMEM; 571 if (IS_ERR(buf))
581 572 return PTR_ERR(buf);
582 if (copy_from_user(buf, ubuf, buf_size)) {
583 ret = -EFAULT;
584 goto done;
585 }
586 573
587 if (kstrtoul(buf, 0, &debug_mask)) { 574 if (kstrtoul(buf, 0, &debug_mask)) {
588 ret = -EINVAL; 575 ret = -EINVAL;
@@ -592,7 +579,7 @@ mwifiex_debug_mask_write(struct file *file, const char __user *ubuf,
592 priv->adapter->debug_mask = debug_mask; 579 priv->adapter->debug_mask = debug_mask;
593 ret = count; 580 ret = count;
594done: 581done:
595 free_page(addr); 582 kfree(buf);
596 return ret; 583 return ret;
597} 584}
598 585
@@ -609,17 +596,11 @@ mwifiex_memrw_write(struct file *file, const char __user *ubuf, size_t count,
609 struct mwifiex_ds_mem_rw mem_rw; 596 struct mwifiex_ds_mem_rw mem_rw;
610 u16 cmd_action; 597 u16 cmd_action;
611 struct mwifiex_private *priv = (void *)file->private_data; 598 struct mwifiex_private *priv = (void *)file->private_data;
612 unsigned long addr = get_zeroed_page(GFP_KERNEL); 599 char *buf;
613 char *buf = (void *)addr;
614 size_t buf_size = min(count, (size_t)(PAGE_SIZE - 1));
615
616 if (!buf)
617 return -ENOMEM;
618 600
619 if (copy_from_user(buf, ubuf, buf_size)) { 601 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
620 ret = -EFAULT; 602 if (IS_ERR(buf))
621 goto done; 603 return PTR_ERR(buf);
622 }
623 604
624 ret = sscanf(buf, "%c %x %x", &cmd, &mem_rw.addr, &mem_rw.value); 605 ret = sscanf(buf, "%c %x %x", &cmd, &mem_rw.addr, &mem_rw.value);
625 if (ret != 3) { 606 if (ret != 3) {
@@ -645,7 +626,7 @@ mwifiex_memrw_write(struct file *file, const char __user *ubuf, size_t count,
645 ret = count; 626 ret = count;
646 627
647done: 628done:
648 free_page(addr); 629 kfree(buf);
649 return ret; 630 return ret;
650} 631}
651 632
@@ -686,20 +667,13 @@ static ssize_t
686mwifiex_rdeeprom_write(struct file *file, 667mwifiex_rdeeprom_write(struct file *file,
687 const char __user *ubuf, size_t count, loff_t *ppos) 668 const char __user *ubuf, size_t count, loff_t *ppos)
688{ 669{
689 unsigned long addr = get_zeroed_page(GFP_KERNEL); 670 char *buf;
690 char *buf = (char *) addr;
691 size_t buf_size = min_t(size_t, count, PAGE_SIZE - 1);
692 int ret = 0; 671 int ret = 0;
693 int offset = -1, bytes = -1; 672 int offset = -1, bytes = -1;
694 673
695 if (!buf) 674 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
696 return -ENOMEM; 675 if (IS_ERR(buf))
697 676 return PTR_ERR(buf);
698
699 if (copy_from_user(buf, ubuf, buf_size)) {
700 ret = -EFAULT;
701 goto done;
702 }
703 677
704 sscanf(buf, "%d %d", &offset, &bytes); 678 sscanf(buf, "%d %d", &offset, &bytes);
705 679
@@ -712,7 +686,7 @@ mwifiex_rdeeprom_write(struct file *file,
712 ret = count; 686 ret = count;
713 } 687 }
714done: 688done:
715 free_page(addr); 689 kfree(buf);
716 return ret; 690 return ret;
717} 691}
718 692
@@ -771,21 +745,15 @@ mwifiex_hscfg_write(struct file *file, const char __user *ubuf,
771 size_t count, loff_t *ppos) 745 size_t count, loff_t *ppos)
772{ 746{
773 struct mwifiex_private *priv = (void *)file->private_data; 747 struct mwifiex_private *priv = (void *)file->private_data;
774 unsigned long addr = get_zeroed_page(GFP_KERNEL); 748 char *buf;
775 char *buf = (char *)addr;
776 size_t buf_size = min_t(size_t, count, PAGE_SIZE - 1);
777 int ret, arg_num; 749 int ret, arg_num;
778 struct mwifiex_ds_hs_cfg hscfg; 750 struct mwifiex_ds_hs_cfg hscfg;
779 int conditions = HS_CFG_COND_DEF; 751 int conditions = HS_CFG_COND_DEF;
780 u32 gpio = HS_CFG_GPIO_DEF, gap = HS_CFG_GAP_DEF; 752 u32 gpio = HS_CFG_GPIO_DEF, gap = HS_CFG_GAP_DEF;
781 753
782 if (!buf) 754 buf = memdup_user_nul(ubuf, min(count, (size_t)(PAGE_SIZE - 1)));
783 return -ENOMEM; 755 if (IS_ERR(buf))
784 756 return PTR_ERR(buf);
785 if (copy_from_user(buf, ubuf, buf_size)) {
786 ret = -EFAULT;
787 goto done;
788 }
789 757
790 arg_num = sscanf(buf, "%d %x %x", &conditions, &gpio, &gap); 758 arg_num = sscanf(buf, "%d %x %x", &conditions, &gpio, &gap);
791 759
@@ -823,7 +791,7 @@ mwifiex_hscfg_write(struct file *file, const char __user *ubuf,
823 priv->adapter->hs_enabling = false; 791 priv->adapter->hs_enabling = false;
824 ret = count; 792 ret = count;
825done: 793done:
826 free_page(addr); 794 kfree(buf);
827 return ret; 795 return ret;
828} 796}
829 797
diff --git a/drivers/net/wireless/ti/wlcore/debugfs.c b/drivers/net/wireless/ti/wlcore/debugfs.c
index eb43f94a1597..be72306f8c69 100644
--- a/drivers/net/wireless/ti/wlcore/debugfs.c
+++ b/drivers/net/wireless/ti/wlcore/debugfs.c
@@ -1205,26 +1205,11 @@ err_out:
1205 1205
1206static loff_t dev_mem_seek(struct file *file, loff_t offset, int orig) 1206static loff_t dev_mem_seek(struct file *file, loff_t offset, int orig)
1207{ 1207{
1208 loff_t ret;
1209
1210 /* only requests of dword-aligned size and offset are supported */ 1208 /* only requests of dword-aligned size and offset are supported */
1211 if (offset % 4) 1209 if (offset % 4)
1212 return -EINVAL; 1210 return -EINVAL;
1213 1211
1214 switch (orig) { 1212 return no_seek_end_llseek(file, offset, orig);
1215 case SEEK_SET:
1216 file->f_pos = offset;
1217 ret = file->f_pos;
1218 break;
1219 case SEEK_CUR:
1220 file->f_pos += offset;
1221 ret = file->f_pos;
1222 break;
1223 default:
1224 ret = -EINVAL;
1225 }
1226
1227 return ret;
1228} 1213}
1229 1214
1230static const struct file_operations dev_mem_ops = { 1215static const struct file_operations dev_mem_ops = {
diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c
index 0fdedadff7bc..2a67b496a9e2 100644
--- a/drivers/s390/char/vmcp.c
+++ b/drivers/s390/char/vmcp.c
@@ -88,14 +88,9 @@ vmcp_write(struct file *file, const char __user *buff, size_t count,
88 88
89 if (count > 240) 89 if (count > 240)
90 return -EINVAL; 90 return -EINVAL;
91 cmd = kmalloc(count + 1, GFP_KERNEL); 91 cmd = memdup_user_nul(buff, count);
92 if (!cmd) 92 if (IS_ERR(cmd))
93 return -ENOMEM; 93 return PTR_ERR(cmd);
94 if (copy_from_user(cmd, buff, count)) {
95 kfree(cmd);
96 return -EFAULT;
97 }
98 cmd[count] = '\0';
99 session = file->private_data; 94 session = file->private_data;
100 if (mutex_lock_interruptible(&session->mutex)) { 95 if (mutex_lock_interruptible(&session->mutex)) {
101 kfree(cmd); 96 kfree(cmd);
diff --git a/drivers/s390/char/vmur.c b/drivers/s390/char/vmur.c
index 0efb27f6f199..6c30e93ab8fa 100644
--- a/drivers/s390/char/vmur.c
+++ b/drivers/s390/char/vmur.c
@@ -782,24 +782,11 @@ static int ur_release(struct inode *inode, struct file *file)
782 782
783static loff_t ur_llseek(struct file *file, loff_t offset, int whence) 783static loff_t ur_llseek(struct file *file, loff_t offset, int whence)
784{ 784{
785 loff_t newpos;
786
787 if ((file->f_flags & O_ACCMODE) != O_RDONLY) 785 if ((file->f_flags & O_ACCMODE) != O_RDONLY)
788 return -ESPIPE; /* seek allowed only for reader */ 786 return -ESPIPE; /* seek allowed only for reader */
789 if (offset % PAGE_SIZE) 787 if (offset % PAGE_SIZE)
790 return -ESPIPE; /* only multiples of 4K allowed */ 788 return -ESPIPE; /* only multiples of 4K allowed */
791 switch (whence) { 789 return no_seek_end_llseek(file, offset, whence);
792 case 0: /* SEEK_SET */
793 newpos = offset;
794 break;
795 case 1: /* SEEK_CUR */
796 newpos = file->f_pos + offset;
797 break;
798 default:
799 return -EINVAL;
800 }
801 file->f_pos = newpos;
802 return newpos;
803} 790}
804 791
805static const struct file_operations ur_fops = { 792static const struct file_operations ur_fops = {
diff --git a/drivers/s390/char/zcore.c b/drivers/s390/char/zcore.c
index 823f41fc4bbd..3339b862ec17 100644
--- a/drivers/s390/char/zcore.c
+++ b/drivers/s390/char/zcore.c
@@ -385,18 +385,7 @@ static loff_t zcore_lseek(struct file *file, loff_t offset, int orig)
385 loff_t rc; 385 loff_t rc;
386 386
387 mutex_lock(&zcore_mutex); 387 mutex_lock(&zcore_mutex);
388 switch (orig) { 388 rc = no_seek_end_llseek(file, offset, orig);
389 case 0:
390 file->f_pos = offset;
391 rc = file->f_pos;
392 break;
393 case 1:
394 file->f_pos += offset;
395 rc = file->f_pos;
396 break;
397 default:
398 rc = -EINVAL;
399 }
400 mutex_unlock(&zcore_mutex); 389 mutex_unlock(&zcore_mutex);
401 return rc; 390 return rc;
402} 391}
diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 5843288f64bc..e077ebd89319 100644
--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -390,16 +390,9 @@ static int copyin_string(char __user *user, size_t len, char **ptr)
390 if ((ssize_t)len < 0 || (ssize_t)(len + 1) < 0) 390 if ((ssize_t)len < 0 || (ssize_t)(len + 1) < 0)
391 return -EINVAL; 391 return -EINVAL;
392 392
393 tmp = kmalloc(len + 1, GFP_KERNEL); 393 tmp = memdup_user_nul(user, len);
394 if (!tmp) 394 if (IS_ERR(tmp))
395 return -ENOMEM; 395 return PTR_ERR(tmp);
396
397 if (copy_from_user(tmp, user, len)) {
398 kfree(tmp);
399 return -EFAULT;
400 }
401
402 tmp[len] = '\0';
403 396
404 *ptr = tmp; 397 *ptr = tmp;
405 398
diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c
index 02f27593013e..31cd6b323a39 100644
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -3139,7 +3139,7 @@ struct file_operations ll_file_operations_noflock = {
3139 .lock = ll_file_noflock 3139 .lock = ll_file_noflock
3140}; 3140};
3141 3141
3142struct inode_operations ll_file_inode_operations = { 3142const struct inode_operations ll_file_inode_operations = {
3143 .setattr = ll_setattr, 3143 .setattr = ll_setattr,
3144 .getattr = ll_getattr, 3144 .getattr = ll_getattr,
3145 .permission = ll_inode_permission, 3145 .permission = ll_inode_permission,
diff --git a/drivers/staging/lustre/lustre/llite/llite_internal.h b/drivers/staging/lustre/lustre/llite/llite_internal.h
index 9096d311e45d..6102b29dbf30 100644
--- a/drivers/staging/lustre/lustre/llite/llite_internal.h
+++ b/drivers/staging/lustre/lustre/llite/llite_internal.h
@@ -705,7 +705,7 @@ extern const struct address_space_operations ll_aops;
705extern struct file_operations ll_file_operations; 705extern struct file_operations ll_file_operations;
706extern struct file_operations ll_file_operations_flock; 706extern struct file_operations ll_file_operations_flock;
707extern struct file_operations ll_file_operations_noflock; 707extern struct file_operations ll_file_operations_noflock;
708extern struct inode_operations ll_file_inode_operations; 708extern const struct inode_operations ll_file_inode_operations;
709int ll_have_md_lock(struct inode *inode, __u64 *bits, 709int ll_have_md_lock(struct inode *inode, __u64 *bits,
710 ldlm_mode_t l_req_mode); 710 ldlm_mode_t l_req_mode);
711ldlm_mode_t ll_take_md_lock(struct inode *inode, __u64 bits, 711ldlm_mode_t ll_take_md_lock(struct inode *inode, __u64 bits,
@@ -805,7 +805,7 @@ struct inode *search_inode_for_lustre(struct super_block *sb,
805 const struct lu_fid *fid); 805 const struct lu_fid *fid);
806 806
807/* llite/symlink.c */ 807/* llite/symlink.c */
808extern struct inode_operations ll_fast_symlink_inode_operations; 808extern const struct inode_operations ll_fast_symlink_inode_operations;
809 809
810/* llite/llite_close.c */ 810/* llite/llite_close.c */
811struct ll_close_queue { 811struct ll_close_queue {
diff --git a/drivers/staging/lustre/lustre/llite/namei.c b/drivers/staging/lustre/lustre/llite/namei.c
index 2ca22001a534..64db5e86672f 100644
--- a/drivers/staging/lustre/lustre/llite/namei.c
+++ b/drivers/staging/lustre/lustre/llite/namei.c
@@ -126,9 +126,7 @@ struct inode *ll_iget(struct super_block *sb, ino_t hash,
126 rc = cl_file_inode_init(inode, md); 126 rc = cl_file_inode_init(inode, md);
127 } 127 }
128 if (rc != 0) { 128 if (rc != 0) {
129 make_bad_inode(inode); 129 iget_failed(inode);
130 unlock_new_inode(inode);
131 iput(inode);
132 inode = ERR_PTR(rc); 130 inode = ERR_PTR(rc);
133 } else 131 } else
134 unlock_new_inode(inode); 132 unlock_new_inode(inode);
diff --git a/drivers/staging/lustre/lustre/llite/symlink.c b/drivers/staging/lustre/lustre/llite/symlink.c
index e489a3271f06..2610348f6c72 100644
--- a/drivers/staging/lustre/lustre/llite/symlink.c
+++ b/drivers/staging/lustre/lustre/llite/symlink.c
@@ -149,7 +149,7 @@ static const char *ll_get_link(struct dentry *dentry,
149 return symname; 149 return symname;
150} 150}
151 151
152struct inode_operations ll_fast_symlink_inode_operations = { 152const struct inode_operations ll_fast_symlink_inode_operations = {
153 .readlink = generic_readlink, 153 .readlink = generic_readlink,
154 .setattr = ll_setattr, 154 .setattr = ll_setattr,
155 .get_link = ll_get_link, 155 .get_link = ll_get_link,
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index 2a3bbdf7eb94..cffa0a0d7de2 100644
--- a/drivers/usb/core/devices.c
+++ b/drivers/usb/core/devices.c
@@ -661,32 +661,8 @@ static unsigned int usb_device_poll(struct file *file,
661 return 0; 661 return 0;
662} 662}
663 663
664static loff_t usb_device_lseek(struct file *file, loff_t offset, int orig)
665{
666 loff_t ret;
667
668 mutex_lock(&file_inode(file)->i_mutex);
669
670 switch (orig) {
671 case 0:
672 file->f_pos = offset;
673 ret = file->f_pos;
674 break;
675 case 1:
676 file->f_pos += offset;
677 ret = file->f_pos;
678 break;
679 case 2:
680 default:
681 ret = -EINVAL;
682 }
683
684 mutex_unlock(&file_inode(file)->i_mutex);
685 return ret;
686}
687
688const struct file_operations usbfs_devices_fops = { 664const struct file_operations usbfs_devices_fops = {
689 .llseek = usb_device_lseek, 665 .llseek = no_seek_end_llseek,
690 .read = usb_device_read, 666 .read = usb_device_read,
691 .poll = usb_device_poll, 667 .poll = usb_device_poll,
692}; 668};
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 38ae877c46e3..dbc3e143453a 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -157,30 +157,6 @@ static int connected(struct usb_dev_state *ps)
157 ps->dev->state != USB_STATE_NOTATTACHED); 157 ps->dev->state != USB_STATE_NOTATTACHED);
158} 158}
159 159
160static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig)
161{
162 loff_t ret;
163
164 mutex_lock(&file_inode(file)->i_mutex);
165
166 switch (orig) {
167 case 0:
168 file->f_pos = offset;
169 ret = file->f_pos;
170 break;
171 case 1:
172 file->f_pos += offset;
173 ret = file->f_pos;
174 break;
175 case 2:
176 default:
177 ret = -EINVAL;
178 }
179
180 mutex_unlock(&file_inode(file)->i_mutex);
181 return ret;
182}
183
184static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, 160static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
185 loff_t *ppos) 161 loff_t *ppos)
186{ 162{
@@ -2366,7 +2342,7 @@ static unsigned int usbdev_poll(struct file *file,
2366 2342
2367const struct file_operations usbdev_file_operations = { 2343const struct file_operations usbdev_file_operations = {
2368 .owner = THIS_MODULE, 2344 .owner = THIS_MODULE,
2369 .llseek = usbdev_lseek, 2345 .llseek = no_seek_end_llseek,
2370 .read = usbdev_read, 2346 .read = usbdev_read,
2371 .poll = usbdev_poll, 2347 .poll = usbdev_poll,
2372 .unlocked_ioctl = usbdev_ioctl, 2348 .unlocked_ioctl = usbdev_ioctl,
diff --git a/drivers/usb/host/uhci-debug.c b/drivers/usb/host/uhci-debug.c
index 1b28a000d5c6..9c6635d43db0 100644
--- a/drivers/usb/host/uhci-debug.c
+++ b/drivers/usb/host/uhci-debug.c
@@ -584,27 +584,8 @@ static int uhci_debug_open(struct inode *inode, struct file *file)
584 584
585static loff_t uhci_debug_lseek(struct file *file, loff_t off, int whence) 585static loff_t uhci_debug_lseek(struct file *file, loff_t off, int whence)
586{ 586{
587 struct uhci_debug *up; 587 struct uhci_debug *up = file->private_data;
588 loff_t new = -1; 588 return no_seek_end_llseek_size(file, off, whence, up->size);
589
590 up = file->private_data;
591
592 /*
593 * XXX: atomic 64bit seek access, but that needs to be fixed in the VFS
594 */
595 switch (whence) {
596 case 0:
597 new = off;
598 break;
599 case 1:
600 new = file->f_pos + off;
601 break;
602 }
603
604 if (new < 0 || new > up->size)
605 return -EINVAL;
606
607 return (file->f_pos = new);
608} 589}
609 590
610static ssize_t uhci_debug_read(struct file *file, char __user *buf, 591static ssize_t uhci_debug_read(struct file *file, char __user *buf,
diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c
index 306d6852ebc7..8efbabacc84e 100644
--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -2825,21 +2825,7 @@ sisusb_lseek(struct file *file, loff_t offset, int orig)
2825 return -ENODEV; 2825 return -ENODEV;
2826 } 2826 }
2827 2827
2828 switch (orig) { 2828 ret = no_seek_end_llseek(file, offset, orig);
2829 case 0:
2830 file->f_pos = offset;
2831 ret = file->f_pos;
2832 /* never negative, no force_successful_syscall needed */
2833 break;
2834 case 1:
2835 file->f_pos += offset;
2836 ret = file->f_pos;
2837 /* never negative, no force_successful_syscall needed */
2838 break;
2839 default:
2840 /* seeking relative to "end of file" is not supported */
2841 ret = -EINVAL;
2842 }
2843 2829
2844 mutex_unlock(&sisusb->lock); 2830 mutex_unlock(&sisusb->lock);
2845 return ret; 2831 return ret;
diff --git a/fs/9p/cache.c b/fs/9p/cache.c
index a69260f27555..103ca5e1267b 100644
--- a/fs/9p/cache.c
+++ b/fs/9p/cache.c
@@ -243,14 +243,14 @@ void v9fs_cache_inode_set_cookie(struct inode *inode, struct file *filp)
243 if (!v9inode->fscache) 243 if (!v9inode->fscache)
244 return; 244 return;
245 245
246 spin_lock(&v9inode->fscache_lock); 246 mutex_lock(&v9inode->fscache_lock);
247 247
248 if ((filp->f_flags & O_ACCMODE) != O_RDONLY) 248 if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
249 v9fs_cache_inode_flush_cookie(inode); 249 v9fs_cache_inode_flush_cookie(inode);
250 else 250 else
251 v9fs_cache_inode_get_cookie(inode); 251 v9fs_cache_inode_get_cookie(inode);
252 252
253 spin_unlock(&v9inode->fscache_lock); 253 mutex_unlock(&v9inode->fscache_lock);
254} 254}
255 255
256void v9fs_cache_inode_reset_cookie(struct inode *inode) 256void v9fs_cache_inode_reset_cookie(struct inode *inode)
@@ -264,7 +264,7 @@ void v9fs_cache_inode_reset_cookie(struct inode *inode)
264 264
265 old = v9inode->fscache; 265 old = v9inode->fscache;
266 266
267 spin_lock(&v9inode->fscache_lock); 267 mutex_lock(&v9inode->fscache_lock);
268 fscache_relinquish_cookie(v9inode->fscache, 1); 268 fscache_relinquish_cookie(v9inode->fscache, 1);
269 269
270 v9ses = v9fs_inode2v9ses(inode); 270 v9ses = v9fs_inode2v9ses(inode);
@@ -274,7 +274,7 @@ void v9fs_cache_inode_reset_cookie(struct inode *inode)
274 p9_debug(P9_DEBUG_FSC, "inode %p revalidating cookie old %p new %p\n", 274 p9_debug(P9_DEBUG_FSC, "inode %p revalidating cookie old %p new %p\n",
275 inode, old, v9inode->fscache); 275 inode, old, v9inode->fscache);
276 276
277 spin_unlock(&v9inode->fscache_lock); 277 mutex_unlock(&v9inode->fscache_lock);
278} 278}
279 279
280int __v9fs_fscache_release_page(struct page *page, gfp_t gfp) 280int __v9fs_fscache_release_page(struct page *page, gfp_t gfp)
diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
index 0923f2cf3c80..6877050384a1 100644
--- a/fs/9p/v9fs.h
+++ b/fs/9p/v9fs.h
@@ -123,7 +123,7 @@ struct v9fs_session_info {
123 123
124struct v9fs_inode { 124struct v9fs_inode {
125#ifdef CONFIG_9P_FSCACHE 125#ifdef CONFIG_9P_FSCACHE
126 spinlock_t fscache_lock; 126 struct mutex fscache_lock;
127 struct fscache_cookie *fscache; 127 struct fscache_cookie *fscache;
128#endif 128#endif
129 struct p9_qid qid; 129 struct p9_qid qid;
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index c7cc7c30f0c8..3a08b3e6ff1d 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -244,7 +244,7 @@ struct inode *v9fs_alloc_inode(struct super_block *sb)
244 return NULL; 244 return NULL;
245#ifdef CONFIG_9P_FSCACHE 245#ifdef CONFIG_9P_FSCACHE
246 v9inode->fscache = NULL; 246 v9inode->fscache = NULL;
247 spin_lock_init(&v9inode->fscache_lock); 247 mutex_init(&v9inode->fscache_lock);
248#endif 248#endif
249 v9inode->writeback_fid = NULL; 249 v9inode->writeback_fid = NULL;
250 v9inode->cache_validity = 0; 250 v9inode->cache_validity = 0;
diff --git a/fs/adfs/adfs.h b/fs/adfs/adfs.h
index 24575d9d882d..ea4aba56f29d 100644
--- a/fs/adfs/adfs.h
+++ b/fs/adfs/adfs.h
@@ -45,7 +45,7 @@ struct adfs_dir_ops;
45struct adfs_sb_info { 45struct adfs_sb_info {
46 union { struct { 46 union { struct {
47 struct adfs_discmap *s_map; /* bh list containing map */ 47 struct adfs_discmap *s_map; /* bh list containing map */
48 struct adfs_dir_ops *s_dir; /* directory operations */ 48 const struct adfs_dir_ops *s_dir; /* directory operations */
49 }; 49 };
50 struct rcu_head rcu; /* used only at shutdown time */ 50 struct rcu_head rcu; /* used only at shutdown time */
51 }; 51 };
@@ -168,8 +168,8 @@ void __adfs_error(struct super_block *sb, const char *function,
168extern const struct inode_operations adfs_dir_inode_operations; 168extern const struct inode_operations adfs_dir_inode_operations;
169extern const struct file_operations adfs_dir_operations; 169extern const struct file_operations adfs_dir_operations;
170extern const struct dentry_operations adfs_dentry_operations; 170extern const struct dentry_operations adfs_dentry_operations;
171extern struct adfs_dir_ops adfs_f_dir_ops; 171extern const struct adfs_dir_ops adfs_f_dir_ops;
172extern struct adfs_dir_ops adfs_fplus_dir_ops; 172extern const struct adfs_dir_ops adfs_fplus_dir_ops;
173 173
174extern int adfs_dir_update(struct super_block *sb, struct object_info *obj, 174extern int adfs_dir_update(struct super_block *sb, struct object_info *obj,
175 int wait); 175 int wait);
diff --git a/fs/adfs/dir.c b/fs/adfs/dir.c
index 51c279a29845..fd4cf2c48e48 100644
--- a/fs/adfs/dir.c
+++ b/fs/adfs/dir.c
@@ -21,7 +21,7 @@ adfs_readdir(struct file *file, struct dir_context *ctx)
21{ 21{
22 struct inode *inode = file_inode(file); 22 struct inode *inode = file_inode(file);
23 struct super_block *sb = inode->i_sb; 23 struct super_block *sb = inode->i_sb;
24 struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir; 24 const struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir;
25 struct object_info obj; 25 struct object_info obj;
26 struct adfs_dir dir; 26 struct adfs_dir dir;
27 int ret = 0; 27 int ret = 0;
@@ -69,7 +69,7 @@ adfs_dir_update(struct super_block *sb, struct object_info *obj, int wait)
69{ 69{
70 int ret = -EINVAL; 70 int ret = -EINVAL;
71#ifdef CONFIG_ADFS_FS_RW 71#ifdef CONFIG_ADFS_FS_RW
72 struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir; 72 const struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir;
73 struct adfs_dir dir; 73 struct adfs_dir dir;
74 74
75 printk(KERN_INFO "adfs_dir_update: object %06X in dir %06X\n", 75 printk(KERN_INFO "adfs_dir_update: object %06X in dir %06X\n",
@@ -129,7 +129,7 @@ static int
129adfs_dir_lookup_byname(struct inode *inode, struct qstr *name, struct object_info *obj) 129adfs_dir_lookup_byname(struct inode *inode, struct qstr *name, struct object_info *obj)
130{ 130{
131 struct super_block *sb = inode->i_sb; 131 struct super_block *sb = inode->i_sb;
132 struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir; 132 const struct adfs_dir_ops *ops = ADFS_SB(sb)->s_dir;
133 struct adfs_dir dir; 133 struct adfs_dir dir;
134 int ret; 134 int ret;
135 135
diff --git a/fs/adfs/dir_f.c b/fs/adfs/dir_f.c
index 4bbe853ee50a..0fbfd0b04ae0 100644
--- a/fs/adfs/dir_f.c
+++ b/fs/adfs/dir_f.c
@@ -476,7 +476,7 @@ adfs_f_free(struct adfs_dir *dir)
476 dir->sb = NULL; 476 dir->sb = NULL;
477} 477}
478 478
479struct adfs_dir_ops adfs_f_dir_ops = { 479const struct adfs_dir_ops adfs_f_dir_ops = {
480 .read = adfs_f_read, 480 .read = adfs_f_read,
481 .setpos = adfs_f_setpos, 481 .setpos = adfs_f_setpos,
482 .getnext = adfs_f_getnext, 482 .getnext = adfs_f_getnext,
diff --git a/fs/adfs/dir_fplus.c b/fs/adfs/dir_fplus.c
index 82d14cdf70f9..c92cfb638c18 100644
--- a/fs/adfs/dir_fplus.c
+++ b/fs/adfs/dir_fplus.c
@@ -256,7 +256,7 @@ adfs_fplus_free(struct adfs_dir *dir)
256 dir->sb = NULL; 256 dir->sb = NULL;
257} 257}
258 258
259struct adfs_dir_ops adfs_fplus_dir_ops = { 259const struct adfs_dir_ops adfs_fplus_dir_ops = {
260 .read = adfs_fplus_read, 260 .read = adfs_fplus_read,
261 .setpos = adfs_fplus_setpos, 261 .setpos = adfs_fplus_setpos,
262 .getnext = adfs_fplus_getnext, 262 .getnext = adfs_fplus_getnext,
diff --git a/fs/affs/affs.h b/fs/affs/affs.h
index c69a87eaf57d..cc2b2efc9211 100644
--- a/fs/affs/affs.h
+++ b/fs/affs/affs.h
@@ -138,7 +138,7 @@ extern int affs_remove_hash(struct inode *dir, struct buffer_head *rem_bh);
138extern int affs_remove_header(struct dentry *dentry); 138extern int affs_remove_header(struct dentry *dentry);
139extern u32 affs_checksum_block(struct super_block *sb, struct buffer_head *bh); 139extern u32 affs_checksum_block(struct super_block *sb, struct buffer_head *bh);
140extern void affs_fix_checksum(struct super_block *sb, struct buffer_head *bh); 140extern void affs_fix_checksum(struct super_block *sb, struct buffer_head *bh);
141extern void secs_to_datestamp(time_t secs, struct affs_date *ds); 141extern void secs_to_datestamp(time64_t secs, struct affs_date *ds);
142extern umode_t prot_to_mode(u32 prot); 142extern umode_t prot_to_mode(u32 prot);
143extern void mode_to_prot(struct inode *inode); 143extern void mode_to_prot(struct inode *inode);
144__printf(3, 4) 144__printf(3, 4)
diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c
index 5fa92bc790ef..d6c7a51c93e4 100644
--- a/fs/affs/amigaffs.c
+++ b/fs/affs/amigaffs.c
@@ -8,6 +8,7 @@
8 * Please send bug reports to: hjw@zvw.de 8 * Please send bug reports to: hjw@zvw.de
9 */ 9 */
10 10
11#include <linux/math64.h>
11#include "affs.h" 12#include "affs.h"
12 13
13/* 14/*
@@ -366,22 +367,22 @@ affs_fix_checksum(struct super_block *sb, struct buffer_head *bh)
366} 367}
367 368
368void 369void
369secs_to_datestamp(time_t secs, struct affs_date *ds) 370secs_to_datestamp(time64_t secs, struct affs_date *ds)
370{ 371{
371 u32 days; 372 u32 days;
372 u32 minute; 373 u32 minute;
374 s32 rem;
373 375
374 secs -= sys_tz.tz_minuteswest * 60 + ((8 * 365 + 2) * 24 * 60 * 60); 376 secs -= sys_tz.tz_minuteswest * 60 + ((8 * 365 + 2) * 24 * 60 * 60);
375 if (secs < 0) 377 if (secs < 0)
376 secs = 0; 378 secs = 0;
377 days = secs / 86400; 379 days = div_s64_rem(secs, 86400, &rem);
378 secs -= days * 86400; 380 minute = rem / 60;
379 minute = secs / 60; 381 rem -= minute * 60;
380 secs -= minute * 60;
381 382
382 ds->days = cpu_to_be32(days); 383 ds->days = cpu_to_be32(days);
383 ds->mins = cpu_to_be32(minute); 384 ds->mins = cpu_to_be32(minute);
384 ds->ticks = cpu_to_be32(secs * 50); 385 ds->ticks = cpu_to_be32(rem * 50);
385} 386}
386 387
387umode_t 388umode_t
diff --git a/fs/affs/super.c b/fs/affs/super.c
index 5b50c4ca43a7..8836df5f1e11 100644
--- a/fs/affs/super.c
+++ b/fs/affs/super.c
@@ -32,7 +32,7 @@ affs_commit_super(struct super_block *sb, int wait)
32 struct affs_root_tail *tail = AFFS_ROOT_TAIL(sb, bh); 32 struct affs_root_tail *tail = AFFS_ROOT_TAIL(sb, bh);
33 33
34 lock_buffer(bh); 34 lock_buffer(bh);
35 secs_to_datestamp(get_seconds(), &tail->disk_change); 35 secs_to_datestamp(ktime_get_real_seconds(), &tail->disk_change);
36 affs_fix_checksum(sb, bh); 36 affs_fix_checksum(sb, bh);
37 unlock_buffer(bh); 37 unlock_buffer(bh);
38 38
diff --git a/fs/afs/proc.c b/fs/afs/proc.c
index 24a905b076fd..2853b4095344 100644
--- a/fs/afs/proc.c
+++ b/fs/afs/proc.c
@@ -230,14 +230,9 @@ static ssize_t afs_proc_cells_write(struct file *file, const char __user *buf,
230 if (size <= 1 || size >= PAGE_SIZE) 230 if (size <= 1 || size >= PAGE_SIZE)
231 return -EINVAL; 231 return -EINVAL;
232 232
233 kbuf = kmalloc(size + 1, GFP_KERNEL); 233 kbuf = memdup_user_nul(buf, size);
234 if (!kbuf) 234 if (IS_ERR(kbuf))
235 return -ENOMEM; 235 return PTR_ERR(kbuf);
236
237 ret = -EFAULT;
238 if (copy_from_user(kbuf, buf, size) != 0)
239 goto done;
240 kbuf[size] = 0;
241 236
242 /* trim to first NL */ 237 /* trim to first NL */
243 name = memchr(kbuf, '\n', size); 238 name = memchr(kbuf, '\n', size);
@@ -315,15 +310,9 @@ static ssize_t afs_proc_rootcell_write(struct file *file,
315 if (size <= 1 || size >= PAGE_SIZE) 310 if (size <= 1 || size >= PAGE_SIZE)
316 return -EINVAL; 311 return -EINVAL;
317 312
318 ret = -ENOMEM; 313 kbuf = memdup_user_nul(buf, size);
319 kbuf = kmalloc(size + 1, GFP_KERNEL); 314 if (IS_ERR(kbuf))
320 if (!kbuf) 315 return PTR_ERR(kbuf);
321 goto nomem;
322
323 ret = -EFAULT;
324 if (copy_from_user(kbuf, buf, size) != 0)
325 goto infault;
326 kbuf[size] = 0;
327 316
328 /* trim to first NL */ 317 /* trim to first NL */
329 s = memchr(kbuf, '\n', size); 318 s = memchr(kbuf, '\n', size);
@@ -337,9 +326,7 @@ static ssize_t afs_proc_rootcell_write(struct file *file,
337 if (ret >= 0) 326 if (ret >= 0)
338 ret = size; /* consume everything, always */ 327 ret = size; /* consume everything, always */
339 328
340infault:
341 kfree(kbuf); 329 kfree(kbuf);
342nomem:
343 _leave(" = %d", ret); 330 _leave(" = %d", ret);
344 return ret; 331 return ret;
345} 332}
diff --git a/fs/bad_inode.c b/fs/bad_inode.c
index 861b1e1c4777..103f5d7c3083 100644
--- a/fs/bad_inode.c
+++ b/fs/bad_inode.c
@@ -192,7 +192,7 @@ EXPORT_SYMBOL(make_bad_inode);
192 * Returns true if the inode in question has been marked as bad. 192 * Returns true if the inode in question has been marked as bad.
193 */ 193 */
194 194
195int is_bad_inode(struct inode *inode) 195bool is_bad_inode(struct inode *inode)
196{ 196{
197 return (inode->i_op == &bad_inode_ops); 197 return (inode->i_op == &bad_inode_ops);
198} 198}
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 44d4a1e9244e..01b8e0d4b4ff 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1042,12 +1042,9 @@ EXPORT_SYMBOL_GPL(bd_unlink_disk_holder);
1042static void flush_disk(struct block_device *bdev, bool kill_dirty) 1042static void flush_disk(struct block_device *bdev, bool kill_dirty)
1043{ 1043{
1044 if (__invalidate_device(bdev, kill_dirty)) { 1044 if (__invalidate_device(bdev, kill_dirty)) {
1045 char name[BDEVNAME_SIZE] = "";
1046
1047 if (bdev->bd_disk)
1048 disk_name(bdev->bd_disk, 0, name);
1049 printk(KERN_WARNING "VFS: busy inodes on changed media or " 1045 printk(KERN_WARNING "VFS: busy inodes on changed media or "
1050 "resized disk %s\n", name); 1046 "resized disk %s\n",
1047 bdev->bd_disk ? bdev->bd_disk->disk_name : "");
1051 } 1048 }
1052 1049
1053 if (!bdev->bd_disk) 1050 if (!bdev->bd_disk)
@@ -1071,12 +1068,9 @@ void check_disk_size_change(struct gendisk *disk, struct block_device *bdev)
1071 disk_size = (loff_t)get_capacity(disk) << 9; 1068 disk_size = (loff_t)get_capacity(disk) << 9;
1072 bdev_size = i_size_read(bdev->bd_inode); 1069 bdev_size = i_size_read(bdev->bd_inode);
1073 if (disk_size != bdev_size) { 1070 if (disk_size != bdev_size) {
1074 char name[BDEVNAME_SIZE];
1075
1076 disk_name(disk, 0, name);
1077 printk(KERN_INFO 1071 printk(KERN_INFO
1078 "%s: detected capacity change from %lld to %lld\n", 1072 "%s: detected capacity change from %lld to %lld\n",
1079 name, bdev_size, disk_size); 1073 disk->disk_name, bdev_size, disk_size);
1080 i_size_write(bdev->bd_inode, disk_size); 1074 i_size_write(bdev->bd_inode, disk_size);
1081 flush_disk(bdev, false); 1075 flush_disk(bdev, false);
1082 } 1076 }
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 24154e422945..a0434c179ea9 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1514,9 +1514,7 @@ static struct dentry *btrfs_mount(struct file_system_type *fs_type, int flags,
1514 if ((flags ^ s->s_flags) & MS_RDONLY) 1514 if ((flags ^ s->s_flags) & MS_RDONLY)
1515 error = -EBUSY; 1515 error = -EBUSY;
1516 } else { 1516 } else {
1517 char b[BDEVNAME_SIZE]; 1517 snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev);
1518
1519 strlcpy(s->s_id, bdevname(bdev, b), sizeof(s->s_id));
1520 btrfs_sb(s)->bdev_holder = fs_type; 1518 btrfs_sb(s)->bdev_holder = fs_type;
1521 error = btrfs_fill_super(s, fs_devices, data, 1519 error = btrfs_fill_super(s, fs_devices, data,
1522 flags & MS_SILENT ? 1 : 0); 1520 flags & MS_SILENT ? 1 : 0);
diff --git a/fs/buffer.c b/fs/buffer.c
index 4f4cd959da7c..e1632abb4ca9 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -134,13 +134,10 @@ __clear_page_buffers(struct page *page)
134 134
135static void buffer_io_error(struct buffer_head *bh, char *msg) 135static void buffer_io_error(struct buffer_head *bh, char *msg)
136{ 136{
137 char b[BDEVNAME_SIZE];
138
139 if (!test_bit(BH_Quiet, &bh->b_state)) 137 if (!test_bit(BH_Quiet, &bh->b_state))
140 printk_ratelimited(KERN_ERR 138 printk_ratelimited(KERN_ERR
141 "Buffer I/O error on dev %s, logical block %llu%s\n", 139 "Buffer I/O error on dev %pg, logical block %llu%s\n",
142 bdevname(bh->b_bdev, b), 140 bh->b_bdev, (unsigned long long)bh->b_blocknr, msg);
143 (unsigned long long)bh->b_blocknr, msg);
144} 141}
145 142
146/* 143/*
@@ -237,15 +234,13 @@ __find_get_block_slow(struct block_device *bdev, sector_t block)
237 * elsewhere, don't buffer_error if we had some unmapped buffers 234 * elsewhere, don't buffer_error if we had some unmapped buffers
238 */ 235 */
239 if (all_mapped) { 236 if (all_mapped) {
240 char b[BDEVNAME_SIZE];
241
242 printk("__find_get_block_slow() failed. " 237 printk("__find_get_block_slow() failed. "
243 "block=%llu, b_blocknr=%llu\n", 238 "block=%llu, b_blocknr=%llu\n",
244 (unsigned long long)block, 239 (unsigned long long)block,
245 (unsigned long long)bh->b_blocknr); 240 (unsigned long long)bh->b_blocknr);
246 printk("b_state=0x%08lx, b_size=%zu\n", 241 printk("b_state=0x%08lx, b_size=%zu\n",
247 bh->b_state, bh->b_size); 242 bh->b_state, bh->b_size);
248 printk("device %s blocksize: %d\n", bdevname(bdev, b), 243 printk("device %pg blocksize: %d\n", bdev,
249 1 << bd_inode->i_blkbits); 244 1 << bd_inode->i_blkbits);
250 } 245 }
251out_unlock: 246out_unlock:
@@ -531,10 +526,8 @@ repeat:
531 526
532static void do_thaw_one(struct super_block *sb, void *unused) 527static void do_thaw_one(struct super_block *sb, void *unused)
533{ 528{
534 char b[BDEVNAME_SIZE];
535 while (sb->s_bdev && !thaw_bdev(sb->s_bdev, sb)) 529 while (sb->s_bdev && !thaw_bdev(sb->s_bdev, sb))
536 printk(KERN_WARNING "Emergency Thaw on %s\n", 530 printk(KERN_WARNING "Emergency Thaw on %pg\n", sb->s_bdev);
537 bdevname(sb->s_bdev, b));
538} 531}
539 532
540static void do_thaw_all(struct work_struct *work) 533static void do_thaw_all(struct work_struct *work)
@@ -1074,12 +1067,10 @@ grow_buffers(struct block_device *bdev, sector_t block, int size, gfp_t gfp)
1074 * pagecache index. (this comparison is done using sector_t types). 1067 * pagecache index. (this comparison is done using sector_t types).
1075 */ 1068 */
1076 if (unlikely(index != block >> sizebits)) { 1069 if (unlikely(index != block >> sizebits)) {
1077 char b[BDEVNAME_SIZE];
1078
1079 printk(KERN_ERR "%s: requested out-of-range block %llu for " 1070 printk(KERN_ERR "%s: requested out-of-range block %llu for "
1080 "device %s\n", 1071 "device %pg\n",
1081 __func__, (unsigned long long)block, 1072 __func__, (unsigned long long)block,
1082 bdevname(bdev, b)); 1073 bdev);
1083 return -EIO; 1074 return -EIO;
1084 } 1075 }
1085 1076
diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
index f601def05bdf..452e98dd7560 100644
--- a/fs/cachefiles/daemon.c
+++ b/fs/cachefiles/daemon.c
@@ -226,15 +226,9 @@ static ssize_t cachefiles_daemon_write(struct file *file,
226 return -EOPNOTSUPP; 226 return -EOPNOTSUPP;
227 227
228 /* drag the command string into the kernel so we can parse it */ 228 /* drag the command string into the kernel so we can parse it */
229 data = kmalloc(datalen + 1, GFP_KERNEL); 229 data = memdup_user_nul(_data, datalen);
230 if (!data) 230 if (IS_ERR(data))
231 return -ENOMEM; 231 return PTR_ERR(data);
232
233 ret = -EFAULT;
234 if (copy_from_user(data, _data, datalen) != 0)
235 goto error;
236
237 data[datalen] = '\0';
238 232
239 ret = -EINVAL; 233 ret = -EINVAL;
240 if (memchr(data, '\0', datalen)) 234 if (memchr(data, '\0', datalen))
diff --git a/fs/compat.c b/fs/compat.c
index 6fd272d455e4..a71936a3f4cb 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -792,7 +792,7 @@ COMPAT_SYSCALL_DEFINE5(mount, const char __user *, dev_name,
792 const void __user *, data) 792 const void __user *, data)
793{ 793{
794 char *kernel_type; 794 char *kernel_type;
795 unsigned long data_page; 795 void *options;
796 char *kernel_dev; 796 char *kernel_dev;
797 int retval; 797 int retval;
798 798
@@ -806,26 +806,25 @@ COMPAT_SYSCALL_DEFINE5(mount, const char __user *, dev_name,
806 if (IS_ERR(kernel_dev)) 806 if (IS_ERR(kernel_dev))
807 goto out1; 807 goto out1;
808 808
809 retval = copy_mount_options(data, &data_page); 809 options = copy_mount_options(data);
810 if (retval < 0) 810 retval = PTR_ERR(options);
811 if (IS_ERR(options))
811 goto out2; 812 goto out2;
812 813
813 retval = -EINVAL; 814 if (kernel_type && options) {
814
815 if (kernel_type && data_page) {
816 if (!strcmp(kernel_type, NCPFS_NAME)) { 815 if (!strcmp(kernel_type, NCPFS_NAME)) {
817 do_ncp_super_data_conv((void *)data_page); 816 do_ncp_super_data_conv(options);
818 } else if (!strcmp(kernel_type, NFS4_NAME)) { 817 } else if (!strcmp(kernel_type, NFS4_NAME)) {
819 if (do_nfs4_super_data_conv((void *) data_page)) 818 retval = -EINVAL;
819 if (do_nfs4_super_data_conv(options))
820 goto out3; 820 goto out3;
821 } 821 }
822 } 822 }
823 823
824 retval = do_mount(kernel_dev, dir_name, kernel_type, 824 retval = do_mount(kernel_dev, dir_name, kernel_type, flags, options);
825 flags, (void*)data_page);
826 825
827 out3: 826 out3:
828 free_page(data_page); 827 kfree(options);
829 out2: 828 out2:
830 kfree(kernel_dev); 829 kfree(kernel_dev);
831 out1: 830 out1:
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index 647ee0b03dc0..a5b8eb69a8f4 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -1305,12 +1305,6 @@ COMPATIBLE_IOCTL(PCIIOC_CONTROLLER)
1305COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_IO) 1305COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_IO)
1306COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_MEM) 1306COMPATIBLE_IOCTL(PCIIOC_MMAP_IS_MEM)
1307COMPATIBLE_IOCTL(PCIIOC_WRITE_COMBINE) 1307COMPATIBLE_IOCTL(PCIIOC_WRITE_COMBINE)
1308/* NBD */
1309COMPATIBLE_IOCTL(NBD_DO_IT)
1310COMPATIBLE_IOCTL(NBD_CLEAR_SOCK)
1311COMPATIBLE_IOCTL(NBD_CLEAR_QUE)
1312COMPATIBLE_IOCTL(NBD_PRINT_DEBUG)
1313COMPATIBLE_IOCTL(NBD_DISCONNECT)
1314/* i2c */ 1308/* i2c */
1315COMPATIBLE_IOCTL(I2C_SLAVE) 1309COMPATIBLE_IOCTL(I2C_SLAVE)
1316COMPATIBLE_IOCTL(I2C_SLAVE_FORCE) 1310COMPATIBLE_IOCTL(I2C_SLAVE_FORCE)
@@ -1529,11 +1523,6 @@ static long do_ioctl_trans(unsigned int cmd,
1529 case KDSKBMETA: 1523 case KDSKBMETA:
1530 case KDSKBLED: 1524 case KDSKBLED:
1531 case KDSETLED: 1525 case KDSETLED:
1532 /* NBD */
1533 case NBD_SET_SOCK:
1534 case NBD_SET_BLKSIZE:
1535 case NBD_SET_SIZE:
1536 case NBD_SET_SIZE_BLOCKS:
1537 return vfs_ioctl(file, cmd, arg); 1526 return vfs_ioctl(file, cmd, arg);
1538 } 1527 }
1539 1528
diff --git a/fs/coredump.c b/fs/coredump.c
index 1777331eee76..b3c153ca435d 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -32,6 +32,7 @@
32#include <linux/pipe_fs_i.h> 32#include <linux/pipe_fs_i.h>
33#include <linux/oom.h> 33#include <linux/oom.h>
34#include <linux/compat.h> 34#include <linux/compat.h>
35#include <linux/timekeeping.h>
35 36
36#include <asm/uaccess.h> 37#include <asm/uaccess.h>
37#include <asm/mmu_context.h> 38#include <asm/mmu_context.h>
@@ -232,9 +233,10 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm)
232 break; 233 break;
233 /* UNIX time of coredump */ 234 /* UNIX time of coredump */
234 case 't': { 235 case 't': {
235 struct timeval tv; 236 time64_t time;
236 do_gettimeofday(&tv); 237
237 err = cn_printf(cn, "%lu", tv.tv_sec); 238 time = ktime_get_real_seconds();
239 err = cn_printf(cn, "%lld", time);
238 break; 240 break;
239 } 241 }
240 /* hostname */ 242 /* hostname */
diff --git a/fs/dcache.c b/fs/dcache.c
index d27f0909d9f6..8d38cd07b207 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3303,18 +3303,18 @@ out:
3303 * @new_dentry: new dentry 3303 * @new_dentry: new dentry
3304 * @old_dentry: old dentry 3304 * @old_dentry: old dentry
3305 * 3305 *
3306 * Returns 1 if new_dentry is a subdirectory of the parent (at any depth). 3306 * Returns true if new_dentry is a subdirectory of the parent (at any depth).
3307 * Returns 0 otherwise. 3307 * Returns false otherwise.
3308 * Caller must ensure that "new_dentry" is pinned before calling is_subdir() 3308 * Caller must ensure that "new_dentry" is pinned before calling is_subdir()
3309 */ 3309 */
3310 3310
3311int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry) 3311bool is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
3312{ 3312{
3313 int result; 3313 bool result;
3314 unsigned seq; 3314 unsigned seq;
3315 3315
3316 if (new_dentry == old_dentry) 3316 if (new_dentry == old_dentry)
3317 return 1; 3317 return true;
3318 3318
3319 do { 3319 do {
3320 /* for restarting inner loop in case of seq retry */ 3320 /* for restarting inner loop in case of seq retry */
@@ -3325,9 +3325,9 @@ int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
3325 */ 3325 */
3326 rcu_read_lock(); 3326 rcu_read_lock();
3327 if (d_ancestor(old_dentry, new_dentry)) 3327 if (d_ancestor(old_dentry, new_dentry))
3328 result = 1; 3328 result = true;
3329 else 3329 else
3330 result = 0; 3330 result = false;
3331 rcu_read_unlock(); 3331 rcu_read_unlock();
3332 } while (read_seqretry(&rename_lock, seq)); 3332 } while (read_seqretry(&rename_lock, seq));
3333 3333
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 173b3873a4f4..1925d6d222b8 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -515,14 +515,9 @@ static ssize_t device_write(struct file *file, const char __user *buf,
515 if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN) 515 if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
516 return -EINVAL; 516 return -EINVAL;
517 517
518 kbuf = kzalloc(count + 1, GFP_NOFS); 518 kbuf = memdup_user_nul(buf, count);
519 if (!kbuf) 519 if (!IS_ERR(kbuf))
520 return -ENOMEM; 520 return PTR_ERR(kbuf);
521
522 if (copy_from_user(kbuf, buf, count)) {
523 error = -EFAULT;
524 goto out_free;
525 }
526 521
527 if (check_version(kbuf)) { 522 if (check_version(kbuf)) {
528 error = -EBADE; 523 error = -EBADE;
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index a4dddc61594c..040aa879d634 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -282,9 +282,7 @@ ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry,
282 if (rc) { 282 if (rc) {
283 ecryptfs_do_unlink(directory_inode, ecryptfs_dentry, 283 ecryptfs_do_unlink(directory_inode, ecryptfs_dentry,
284 ecryptfs_inode); 284 ecryptfs_inode);
285 make_bad_inode(ecryptfs_inode); 285 iget_failed(ecryptfs_inode);
286 unlock_new_inode(ecryptfs_inode);
287 iput(ecryptfs_inode);
288 goto out; 286 goto out;
289 } 287 }
290 unlock_new_inode(ecryptfs_inode); 288 unlock_new_inode(ecryptfs_inode);
diff --git a/fs/exec.c b/fs/exec.c
index b06623a9347f..828ec5f07de0 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -119,7 +119,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
119 int error = PTR_ERR(tmp); 119 int error = PTR_ERR(tmp);
120 static const struct open_flags uselib_flags = { 120 static const struct open_flags uselib_flags = {
121 .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 121 .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
122 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN, 122 .acc_mode = MAY_READ | MAY_EXEC,
123 .intent = LOOKUP_OPEN, 123 .intent = LOOKUP_OPEN,
124 .lookup_flags = LOOKUP_FOLLOW, 124 .lookup_flags = LOOKUP_FOLLOW,
125 }; 125 };
@@ -763,7 +763,7 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
763 int err; 763 int err;
764 struct open_flags open_exec_flags = { 764 struct open_flags open_exec_flags = {
765 .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 765 .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
766 .acc_mode = MAY_EXEC | MAY_OPEN, 766 .acc_mode = MAY_EXEC,
767 .intent = LOOKUP_OPEN, 767 .intent = LOOKUP_OPEN,
768 .lookup_flags = LOOKUP_FOLLOW, 768 .lookup_flags = LOOKUP_FOLLOW,
769 }; 769 };
diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
index cd95d14f9cc2..f57a7aba32eb 100644
--- a/fs/ext2/xattr.c
+++ b/fs/ext2/xattr.c
@@ -77,10 +77,8 @@
77 printk("\n"); \ 77 printk("\n"); \
78 } while (0) 78 } while (0)
79# define ea_bdebug(bh, f...) do { \ 79# define ea_bdebug(bh, f...) do { \
80 char b[BDEVNAME_SIZE]; \ 80 printk(KERN_DEBUG "block %pg:%lu: ", \
81 printk(KERN_DEBUG "block %s:%lu: ", \ 81 bh->b_bdev, (unsigned long) bh->b_blocknr); \
82 bdevname(bh->b_bdev, b), \
83 (unsigned long) bh->b_blocknr); \
84 printk(f); \ 82 printk(f); \
85 printk("\n"); \ 83 printk("\n"); \
86 } while (0) 84 } while (0)
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index 17fbe3882b8e..090b3498638e 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -52,9 +52,8 @@ void ext4_exit_pageio(void)
52 */ 52 */
53static void buffer_io_error(struct buffer_head *bh) 53static void buffer_io_error(struct buffer_head *bh)
54{ 54{
55 char b[BDEVNAME_SIZE]; 55 printk_ratelimited(KERN_ERR "Buffer I/O error on device %pg, logical block %llu\n",
56 printk_ratelimited(KERN_ERR "Buffer I/O error on device %s, logical block %llu\n", 56 bh->b_bdev,
57 bdevname(bh->b_bdev, b),
58 (unsigned long long)bh->b_blocknr); 57 (unsigned long long)bh->b_blocknr);
59} 58}
60 59
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index e9b9afdd1d96..a95151e875bd 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -68,10 +68,8 @@
68 printk("\n"); \ 68 printk("\n"); \
69 } while (0) 69 } while (0)
70# define ea_bdebug(bh, f...) do { \ 70# define ea_bdebug(bh, f...) do { \
71 char b[BDEVNAME_SIZE]; \ 71 printk(KERN_DEBUG "block %pg:%lu: ", \
72 printk(KERN_DEBUG "block %s:%lu: ", \ 72 bh->b_bdev, (unsigned long) bh->b_blocknr); \
73 bdevname(bh->b_bdev, b), \
74 (unsigned long) bh->b_blocknr); \
75 printk(f); \ 73 printk(f); \
76 printk("\n"); \ 74 printk("\n"); \
77 } while (0) 75 } while (0)
diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
index 478e5d54154f..ad1b18a7705b 100644
--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -211,12 +211,10 @@ static int stat_show(struct seq_file *s, void *v)
211 211
212 mutex_lock(&f2fs_stat_mutex); 212 mutex_lock(&f2fs_stat_mutex);
213 list_for_each_entry(si, &f2fs_stat_list, stat_list) { 213 list_for_each_entry(si, &f2fs_stat_list, stat_list) {
214 char devname[BDEVNAME_SIZE];
215
216 update_general_status(si->sbi); 214 update_general_status(si->sbi);
217 215
218 seq_printf(s, "\n=====[ partition info(%s). #%d ]=====\n", 216 seq_printf(s, "\n=====[ partition info(%pg). #%d ]=====\n",
219 bdevname(si->sbi->sb->s_bdev, devname), i++); 217 si->sbi->sb->s_bdev, i++);
220 seq_printf(s, "[SB: 1] [CP: 2] [SIT: %d] [NAT: %d] ", 218 seq_printf(s, "[SB: 1] [CP: 2] [SIT: %d] [NAT: %d] ",
221 si->sit_area_segs, si->nat_area_segs); 219 si->sit_area_segs, si->nat_area_segs);
222 seq_printf(s, "[SSA: %d] [MAIN: %d", 220 seq_printf(s, "[SSA: %d] [MAIN: %d",
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 9db5500d63d9..ec6067c33a3f 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1602,13 +1602,11 @@ static inline bool is_dot_dotdot(const struct qstr *str)
1602 1602
1603static inline bool f2fs_may_extent_tree(struct inode *inode) 1603static inline bool f2fs_may_extent_tree(struct inode *inode)
1604{ 1604{
1605 mode_t mode = inode->i_mode;
1606
1607 if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) || 1605 if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) ||
1608 is_inode_flag_set(F2FS_I(inode), FI_NO_EXTENT)) 1606 is_inode_flag_set(F2FS_I(inode), FI_NO_EXTENT))
1609 return false; 1607 return false;
1610 1608
1611 return S_ISREG(mode); 1609 return S_ISREG(inode->i_mode);
1612} 1610}
1613 1611
1614static inline void *f2fs_kvmalloc(size_t size, gfp_t flags) 1612static inline void *f2fs_kvmalloc(size_t size, gfp_t flags)
@@ -2121,7 +2119,7 @@ static inline int f2fs_sb_has_crypto(struct super_block *sb)
2121static inline bool f2fs_may_encrypt(struct inode *inode) 2119static inline bool f2fs_may_encrypt(struct inode *inode)
2122{ 2120{
2123#ifdef CONFIG_F2FS_FS_ENCRYPTION 2121#ifdef CONFIG_F2FS_FS_ENCRYPTION
2124 mode_t mode = inode->i_mode; 2122 umode_t mode = inode->i_mode;
2125 2123
2126 return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)); 2124 return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode));
2127#else 2125#else
diff --git a/fs/fcntl.c b/fs/fcntl.c
index ee85cd4e136a..350a2c8cfd28 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -51,7 +51,8 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
51 if (arg & O_NDELAY) 51 if (arg & O_NDELAY)
52 arg |= O_NONBLOCK; 52 arg |= O_NONBLOCK;
53 53
54 if (arg & O_DIRECT) { 54 /* Pipe packetized mode is controlled by O_DIRECT flag */
55 if (!S_ISFIFO(filp->f_inode->i_mode) && (arg & O_DIRECT)) {
55 if (!filp->f_mapping || !filp->f_mapping->a_ops || 56 if (!filp->f_mapping || !filp->f_mapping->a_ops ||
56 !filp->f_mapping->a_ops->direct_IO) 57 !filp->f_mapping->a_ops->direct_IO)
57 return -EINVAL; 58 return -EINVAL;
diff --git a/fs/file.c b/fs/file.c
index 39f8f15921da..1aed0add16a2 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -25,9 +25,9 @@
25 25
26int sysctl_nr_open __read_mostly = 1024*1024; 26int sysctl_nr_open __read_mostly = 1024*1024;
27int sysctl_nr_open_min = BITS_PER_LONG; 27int sysctl_nr_open_min = BITS_PER_LONG;
28/* our max() is unusable in constant expressions ;-/ */ 28/* our min() is unusable in constant expressions ;-/ */
29#define __const_max(x, y) ((x) < (y) ? (x) : (y)) 29#define __const_min(x, y) ((x) < (y) ? (x) : (y))
30int sysctl_nr_open_max = __const_max(INT_MAX, ~(size_t)0/sizeof(void *)) & 30int sysctl_nr_open_max = __const_min(INT_MAX, ~(size_t)0/sizeof(void *)) &
31 -BITS_PER_LONG; 31 -BITS_PER_LONG;
32 32
33static void *alloc_fdmem(size_t size) 33static void *alloc_fdmem(size_t size)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index baab99b69d8a..001c66641243 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1315,9 +1315,7 @@ static struct dentry *gfs2_mount(struct file_system_type *fs_type, int flags,
1315 if ((flags ^ s->s_flags) & MS_RDONLY) 1315 if ((flags ^ s->s_flags) & MS_RDONLY)
1316 goto error_super; 1316 goto error_super;
1317 } else { 1317 } else {
1318 char b[BDEVNAME_SIZE]; 1318 snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev);
1319
1320 strlcpy(s->s_id, bdevname(bdev, b), sizeof(s->s_id));
1321 sb_set_blocksize(s, block_size(bdev)); 1319 sb_set_blocksize(s, block_size(bdev));
1322 error = fill_super(s, &args, flags & MS_SILENT ? 1 : 0); 1320 error = fill_super(s, &args, flags & MS_SILENT ? 1 : 0);
1323 if (error) 1321 if (error)
diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index aa3f0d6d043c..a3ec3ae7d347 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -166,7 +166,7 @@ int hfs_mdb_get(struct super_block *sb)
166 pr_warn("continuing without an alternate MDB\n"); 166 pr_warn("continuing without an alternate MDB\n");
167 } 167 }
168 168
169 HFS_SB(sb)->bitmap = (__be32 *)__get_free_pages(GFP_KERNEL, PAGE_SIZE < 8192 ? 1 : 0); 169 HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
170 if (!HFS_SB(sb)->bitmap) 170 if (!HFS_SB(sb)->bitmap)
171 goto out; 171 goto out;
172 172
@@ -360,7 +360,7 @@ void hfs_mdb_put(struct super_block *sb)
360 unload_nls(HFS_SB(sb)->nls_io); 360 unload_nls(HFS_SB(sb)->nls_io);
361 unload_nls(HFS_SB(sb)->nls_disk); 361 unload_nls(HFS_SB(sb)->nls_disk);
362 362
363 free_pages((unsigned long)HFS_SB(sb)->bitmap, PAGE_SIZE < 8192 ? 1 : 0); 363 kfree(HFS_SB(sb)->bitmap);
364 kfree(HFS_SB(sb)); 364 kfree(HFS_SB(sb));
365 sb->s_fs_info = NULL; 365 sb->s_fs_info = NULL;
366} 366}
diff --git a/fs/hpfs/map.c b/fs/hpfs/map.c
index a69bbc1e87f8..a136929189f0 100644
--- a/fs/hpfs/map.c
+++ b/fs/hpfs/map.c
@@ -133,7 +133,7 @@ __le32 *hpfs_load_bitmap_directory(struct super_block *s, secno bmp)
133void hpfs_load_hotfix_map(struct super_block *s, struct hpfs_spare_block *spareblock) 133void hpfs_load_hotfix_map(struct super_block *s, struct hpfs_spare_block *spareblock)
134{ 134{
135 struct quad_buffer_head qbh; 135 struct quad_buffer_head qbh;
136 u32 *directory; 136 __le32 *directory;
137 u32 n_hotfixes, n_used_hotfixes; 137 u32 n_hotfixes, n_used_hotfixes;
138 unsigned i; 138 unsigned i;
139 139
diff --git a/fs/internal.h b/fs/internal.h
index e38c08ca437d..b71deeecea17 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -55,7 +55,7 @@ extern int vfs_path_lookup(struct dentry *, struct vfsmount *,
55/* 55/*
56 * namespace.c 56 * namespace.c
57 */ 57 */
58extern int copy_mount_options(const void __user *, unsigned long *); 58extern void *copy_mount_options(const void __user *);
59extern char *copy_mount_string(const void __user *); 59extern char *copy_mount_string(const void __user *);
60 60
61extern struct vfsmount *lookup_mnt(struct path *); 61extern struct vfsmount *lookup_mnt(struct path *);
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index ca181e81c765..081dff087fc0 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -764,13 +764,11 @@ void jbd2_journal_unlock_updates (journal_t *journal)
764 764
765static void warn_dirty_buffer(struct buffer_head *bh) 765static void warn_dirty_buffer(struct buffer_head *bh)
766{ 766{
767 char b[BDEVNAME_SIZE];
768
769 printk(KERN_WARNING 767 printk(KERN_WARNING
770 "JBD2: Spotted dirty metadata buffer (dev = %s, blocknr = %llu). " 768 "JBD2: Spotted dirty metadata buffer (dev = %pg, blocknr = %llu). "
771 "There's a risk of filesystem corruption in case of system " 769 "There's a risk of filesystem corruption in case of system "
772 "crash.\n", 770 "crash.\n",
773 bdevname(bh->b_bdev, b), (unsigned long long)bh->b_blocknr); 771 bh->b_bdev, (unsigned long long)bh->b_blocknr);
774} 772}
775 773
776/* Call t_frozen trigger and copy buffer data into jh->b_frozen_data. */ 774/* Call t_frozen trigger and copy buffer data into jh->b_frozen_data. */
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index a69bdf2a1085..a270cb7ff4e0 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1835,17 +1835,16 @@ static int lbmLogInit(struct jfs_log * log)
1835 for (i = 0; i < LOGPAGES;) { 1835 for (i = 0; i < LOGPAGES;) {
1836 char *buffer; 1836 char *buffer;
1837 uint offset; 1837 uint offset;
1838 struct page *page; 1838 struct page *page = alloc_page(GFP_KERNEL | __GFP_ZERO);
1839 1839
1840 buffer = (char *) get_zeroed_page(GFP_KERNEL); 1840 if (!page)
1841 if (buffer == NULL)
1842 goto error; 1841 goto error;
1843 page = virt_to_page(buffer); 1842 buffer = page_address(page);
1844 for (offset = 0; offset < PAGE_SIZE; offset += LOGPSIZE) { 1843 for (offset = 0; offset < PAGE_SIZE; offset += LOGPSIZE) {
1845 lbuf = kmalloc(sizeof(struct lbuf), GFP_KERNEL); 1844 lbuf = kmalloc(sizeof(struct lbuf), GFP_KERNEL);
1846 if (lbuf == NULL) { 1845 if (lbuf == NULL) {
1847 if (offset == 0) 1846 if (offset == 0)
1848 free_page((unsigned long) buffer); 1847 __free_page(page);
1849 goto error; 1848 goto error;
1850 } 1849 }
1851 if (offset) /* we already have one reference */ 1850 if (offset) /* we already have one reference */
diff --git a/fs/logfs/logfs.h b/fs/logfs/logfs.h
index 209a26d84c38..39d91f86cd35 100644
--- a/fs/logfs/logfs.h
+++ b/fs/logfs/logfs.h
@@ -302,7 +302,7 @@ struct logfs_block {
302 struct inode *inode; 302 struct inode *inode;
303 struct logfs_transaction *ta; 303 struct logfs_transaction *ta;
304 unsigned long alias_map[LOGFS_BLOCK_FACTOR / BITS_PER_LONG]; 304 unsigned long alias_map[LOGFS_BLOCK_FACTOR / BITS_PER_LONG];
305 struct logfs_block_ops *ops; 305 const struct logfs_block_ops *ops;
306 int full; 306 int full;
307 int partial; 307 int partial;
308 int reserved_bytes; 308 int reserved_bytes;
@@ -578,7 +578,7 @@ int logfs_exist_block(struct inode *inode, u64 bix);
578int get_page_reserve(struct inode *inode, struct page *page); 578int get_page_reserve(struct inode *inode, struct page *page);
579void logfs_get_wblocks(struct super_block *sb, struct page *page, int lock); 579void logfs_get_wblocks(struct super_block *sb, struct page *page, int lock);
580void logfs_put_wblocks(struct super_block *sb, struct page *page, int lock); 580void logfs_put_wblocks(struct super_block *sb, struct page *page, int lock);
581extern struct logfs_block_ops indirect_block_ops; 581extern const struct logfs_block_ops indirect_block_ops;
582 582
583/* segment.c */ 583/* segment.c */
584int logfs_erase_segment(struct super_block *sb, u32 ofs, int ensure_erase); 584int logfs_erase_segment(struct super_block *sb, u32 ofs, int ensure_erase);
diff --git a/fs/logfs/readwrite.c b/fs/logfs/readwrite.c
index 380d86e1ab45..20973c9e52f8 100644
--- a/fs/logfs/readwrite.c
+++ b/fs/logfs/readwrite.c
@@ -569,13 +569,13 @@ static void indirect_free_block(struct super_block *sb,
569} 569}
570 570
571 571
572static struct logfs_block_ops inode_block_ops = { 572static const struct logfs_block_ops inode_block_ops = {
573 .write_block = inode_write_block, 573 .write_block = inode_write_block,
574 .free_block = inode_free_block, 574 .free_block = inode_free_block,
575 .write_alias = inode_write_alias, 575 .write_alias = inode_write_alias,
576}; 576};
577 577
578struct logfs_block_ops indirect_block_ops = { 578const struct logfs_block_ops indirect_block_ops = {
579 .write_block = indirect_write_block, 579 .write_block = indirect_write_block,
580 .free_block = indirect_free_block, 580 .free_block = indirect_free_block,
581 .write_alias = indirect_write_alias, 581 .write_alias = indirect_write_alias,
diff --git a/fs/logfs/segment.c b/fs/logfs/segment.c
index 6de0fbfc6c00..d270e4b2ab6b 100644
--- a/fs/logfs/segment.c
+++ b/fs/logfs/segment.c
@@ -197,7 +197,7 @@ static int btree_write_alias(struct super_block *sb, struct logfs_block *block,
197 return 0; 197 return 0;
198} 198}
199 199
200static struct logfs_block_ops btree_block_ops = { 200static const struct logfs_block_ops btree_block_ops = {
201 .write_block = btree_write_block, 201 .write_block = btree_write_block,
202 .free_block = __free_block, 202 .free_block = __free_block,
203 .write_alias = btree_write_alias, 203 .write_alias = btree_write_alias,
diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c
index 282e15ad8cd8..46ca39d6c735 100644
--- a/fs/minix/itree_v1.c
+++ b/fs/minix/itree_v1.c
@@ -24,16 +24,15 @@ static inline block_t *i_data(struct inode *inode)
24static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) 24static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
25{ 25{
26 int n = 0; 26 int n = 0;
27 char b[BDEVNAME_SIZE];
28 27
29 if (block < 0) { 28 if (block < 0) {
30 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", 29 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
31 block, bdevname(inode->i_sb->s_bdev, b)); 30 block, inode->i_sb->s_bdev);
32 } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { 31 } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
33 if (printk_ratelimit()) 32 if (printk_ratelimit())
34 printk("MINIX-fs: block_to_path: " 33 printk("MINIX-fs: block_to_path: "
35 "block %ld too big on dev %s\n", 34 "block %ld too big on dev %pg\n",
36 block, bdevname(inode->i_sb->s_bdev, b)); 35 block, inode->i_sb->s_bdev);
37 } else if (block < 7) { 36 } else if (block < 7) {
38 offsets[n++] = block; 37 offsets[n++] = block;
39 } else if ((block -= 7) < 512) { 38 } else if ((block -= 7) < 512) {
diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c
index 78e2d93e5c83..1ee101352586 100644
--- a/fs/minix/itree_v2.c
+++ b/fs/minix/itree_v2.c
@@ -26,18 +26,17 @@ static inline block_t *i_data(struct inode *inode)
26static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) 26static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
27{ 27{
28 int n = 0; 28 int n = 0;
29 char b[BDEVNAME_SIZE];
30 struct super_block *sb = inode->i_sb; 29 struct super_block *sb = inode->i_sb;
31 30
32 if (block < 0) { 31 if (block < 0) {
33 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", 32 printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
34 block, bdevname(sb->s_bdev, b)); 33 block, sb->s_bdev);
35 } else if ((u64)block * (u64)sb->s_blocksize >= 34 } else if ((u64)block * (u64)sb->s_blocksize >=
36 minix_sb(sb)->s_max_size) { 35 minix_sb(sb)->s_max_size) {
37 if (printk_ratelimit()) 36 if (printk_ratelimit())
38 printk("MINIX-fs: block_to_path: " 37 printk("MINIX-fs: block_to_path: "
39 "block %ld too big on dev %s\n", 38 "block %ld too big on dev %pg\n",
40 block, bdevname(sb->s_bdev, b)); 39 block, sb->s_bdev);
41 } else if (block < DIRCOUNT) { 40 } else if (block < DIRCOUNT) {
42 offsets[n++] = block; 41 offsets[n++] = block;
43 } else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) { 42 } else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) {
diff --git a/fs/namei.c b/fs/namei.c
index 3c909aebef70..bceefd5588a2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -534,10 +534,8 @@ static void restore_nameidata(void)
534 current->nameidata = old; 534 current->nameidata = old;
535 if (old) 535 if (old)
536 old->total_link_count = now->total_link_count; 536 old->total_link_count = now->total_link_count;
537 if (now->stack != now->internal) { 537 if (now->stack != now->internal)
538 kfree(now->stack); 538 kfree(now->stack);
539 now->stack = now->internal;
540 }
541} 539}
542 540
543static int __nd_alloc_stack(struct nameidata *nd) 541static int __nd_alloc_stack(struct nameidata *nd)
@@ -654,7 +652,7 @@ static bool legitimize_links(struct nameidata *nd)
654 * Path walking has 2 modes, rcu-walk and ref-walk (see 652 * Path walking has 2 modes, rcu-walk and ref-walk (see
655 * Documentation/filesystems/path-lookup.txt). In situations when we can't 653 * Documentation/filesystems/path-lookup.txt). In situations when we can't
656 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab 654 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
657 * normal reference counts on dentries and vfsmounts to transition to rcu-walk 655 * normal reference counts on dentries and vfsmounts to transition to ref-walk
658 * mode. Refcounts are grabbed at the last known good point before rcu-walk 656 * mode. Refcounts are grabbed at the last known good point before rcu-walk
659 * got stuck, so ref-walk may continue from there. If this is not successful 657 * got stuck, so ref-walk may continue from there. If this is not successful
660 * (eg. a seqcount has changed), then failure is returned and it's up to caller 658 * (eg. a seqcount has changed), then failure is returned and it's up to caller
@@ -804,19 +802,19 @@ static int complete_walk(struct nameidata *nd)
804 802
805static void set_root(struct nameidata *nd) 803static void set_root(struct nameidata *nd)
806{ 804{
807 get_fs_root(current->fs, &nd->root);
808}
809
810static void set_root_rcu(struct nameidata *nd)
811{
812 struct fs_struct *fs = current->fs; 805 struct fs_struct *fs = current->fs;
813 unsigned seq;
814 806
815 do { 807 if (nd->flags & LOOKUP_RCU) {
816 seq = read_seqcount_begin(&fs->seq); 808 unsigned seq;
817 nd->root = fs->root; 809
818 nd->root_seq = __read_seqcount_begin(&nd->root.dentry->d_seq); 810 do {
819 } while (read_seqcount_retry(&fs->seq, seq)); 811 seq = read_seqcount_begin(&fs->seq);
812 nd->root = fs->root;
813 nd->root_seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
814 } while (read_seqcount_retry(&fs->seq, seq));
815 } else {
816 get_fs_root(fs, &nd->root);
817 }
820} 818}
821 819
822static void path_put_conditional(struct path *path, struct nameidata *nd) 820static void path_put_conditional(struct path *path, struct nameidata *nd)
@@ -838,6 +836,26 @@ static inline void path_to_nameidata(const struct path *path,
838 nd->path.dentry = path->dentry; 836 nd->path.dentry = path->dentry;
839} 837}
840 838
839static int nd_jump_root(struct nameidata *nd)
840{
841 if (nd->flags & LOOKUP_RCU) {
842 struct dentry *d;
843 nd->path = nd->root;
844 d = nd->path.dentry;
845 nd->inode = d->d_inode;
846 nd->seq = nd->root_seq;
847 if (unlikely(read_seqcount_retry(&d->d_seq, nd->seq)))
848 return -ECHILD;
849 } else {
850 path_put(&nd->path);
851 nd->path = nd->root;
852 path_get(&nd->path);
853 nd->inode = nd->path.dentry->d_inode;
854 }
855 nd->flags |= LOOKUP_JUMPED;
856 return 0;
857}
858
841/* 859/*
842 * Helper to directly jump to a known parsed path from ->get_link, 860 * Helper to directly jump to a known parsed path from ->get_link,
843 * caller must have taken a reference to path beforehand. 861 * caller must have taken a reference to path beforehand.
@@ -1016,25 +1034,10 @@ const char *get_link(struct nameidata *nd)
1016 return res; 1034 return res;
1017 } 1035 }
1018 if (*res == '/') { 1036 if (*res == '/') {
1019 if (nd->flags & LOOKUP_RCU) { 1037 if (!nd->root.mnt)
1020 struct dentry *d; 1038 set_root(nd);
1021 if (!nd->root.mnt) 1039 if (unlikely(nd_jump_root(nd)))
1022 set_root_rcu(nd); 1040 return ERR_PTR(-ECHILD);
1023 nd->path = nd->root;
1024 d = nd->path.dentry;
1025 nd->inode = d->d_inode;
1026 nd->seq = nd->root_seq;
1027 if (unlikely(read_seqcount_retry(&d->d_seq, nd->seq)))
1028 return ERR_PTR(-ECHILD);
1029 } else {
1030 if (!nd->root.mnt)
1031 set_root(nd);
1032 path_put(&nd->path);
1033 nd->path = nd->root;
1034 path_get(&nd->root);
1035 nd->inode = nd->path.dentry->d_inode;
1036 }
1037 nd->flags |= LOOKUP_JUMPED;
1038 while (unlikely(*++res == '/')) 1041 while (unlikely(*++res == '/'))
1039 ; 1042 ;
1040 } 1043 }
@@ -1295,8 +1298,6 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
1295static int follow_dotdot_rcu(struct nameidata *nd) 1298static int follow_dotdot_rcu(struct nameidata *nd)
1296{ 1299{
1297 struct inode *inode = nd->inode; 1300 struct inode *inode = nd->inode;
1298 if (!nd->root.mnt)
1299 set_root_rcu(nd);
1300 1301
1301 while (1) { 1302 while (1) {
1302 if (path_equal(&nd->path, &nd->root)) 1303 if (path_equal(&nd->path, &nd->root))
@@ -1416,9 +1417,6 @@ static void follow_mount(struct path *path)
1416 1417
1417static int follow_dotdot(struct nameidata *nd) 1418static int follow_dotdot(struct nameidata *nd)
1418{ 1419{
1419 if (!nd->root.mnt)
1420 set_root(nd);
1421
1422 while(1) { 1420 while(1) {
1423 struct dentry *old = nd->path.dentry; 1421 struct dentry *old = nd->path.dentry;
1424 1422
@@ -1656,6 +1654,8 @@ static inline int may_lookup(struct nameidata *nd)
1656static inline int handle_dots(struct nameidata *nd, int type) 1654static inline int handle_dots(struct nameidata *nd, int type)
1657{ 1655{
1658 if (type == LAST_DOTDOT) { 1656 if (type == LAST_DOTDOT) {
1657 if (!nd->root.mnt)
1658 set_root(nd);
1659 if (nd->flags & LOOKUP_RCU) { 1659 if (nd->flags & LOOKUP_RCU) {
1660 return follow_dotdot_rcu(nd); 1660 return follow_dotdot_rcu(nd);
1661 } else 1661 } else
@@ -2021,18 +2021,19 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
2021 } 2021 }
2022 2022
2023 nd->root.mnt = NULL; 2023 nd->root.mnt = NULL;
2024 nd->path.mnt = NULL;
2025 nd->path.dentry = NULL;
2024 2026
2025 nd->m_seq = read_seqbegin(&mount_lock); 2027 nd->m_seq = read_seqbegin(&mount_lock);
2026 if (*s == '/') { 2028 if (*s == '/') {
2027 if (flags & LOOKUP_RCU) { 2029 if (flags & LOOKUP_RCU)
2028 rcu_read_lock(); 2030 rcu_read_lock();
2029 set_root_rcu(nd); 2031 set_root(nd);
2030 nd->seq = nd->root_seq; 2032 if (likely(!nd_jump_root(nd)))
2031 } else { 2033 return s;
2032 set_root(nd); 2034 nd->root.mnt = NULL;
2033 path_get(&nd->root); 2035 rcu_read_unlock();
2034 } 2036 return ERR_PTR(-ECHILD);
2035 nd->path = nd->root;
2036 } else if (nd->dfd == AT_FDCWD) { 2037 } else if (nd->dfd == AT_FDCWD) {
2037 if (flags & LOOKUP_RCU) { 2038 if (flags & LOOKUP_RCU) {
2038 struct fs_struct *fs = current->fs; 2039 struct fs_struct *fs = current->fs;
@@ -2043,11 +2044,14 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
2043 do { 2044 do {
2044 seq = read_seqcount_begin(&fs->seq); 2045 seq = read_seqcount_begin(&fs->seq);
2045 nd->path = fs->pwd; 2046 nd->path = fs->pwd;
2047 nd->inode = nd->path.dentry->d_inode;
2046 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq); 2048 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
2047 } while (read_seqcount_retry(&fs->seq, seq)); 2049 } while (read_seqcount_retry(&fs->seq, seq));
2048 } else { 2050 } else {
2049 get_fs_pwd(current->fs, &nd->path); 2051 get_fs_pwd(current->fs, &nd->path);
2052 nd->inode = nd->path.dentry->d_inode;
2050 } 2053 }
2054 return s;
2051 } else { 2055 } else {
2052 /* Caller must check execute permissions on the starting path component */ 2056 /* Caller must check execute permissions on the starting path component */
2053 struct fd f = fdget_raw(nd->dfd); 2057 struct fd f = fdget_raw(nd->dfd);
@@ -2077,16 +2081,6 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
2077 fdput(f); 2081 fdput(f);
2078 return s; 2082 return s;
2079 } 2083 }
2080
2081 nd->inode = nd->path.dentry->d_inode;
2082 if (!(flags & LOOKUP_RCU))
2083 return s;
2084 if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq)))
2085 return s;
2086 if (!(nd->flags & LOOKUP_ROOT))
2087 nd->root.mnt = NULL;
2088 rcu_read_unlock();
2089 return ERR_PTR(-ECHILD);
2090} 2084}
2091 2085
2092static const char *trailing_symlink(struct nameidata *nd) 2086static const char *trailing_symlink(struct nameidata *nd)
@@ -2279,6 +2273,8 @@ EXPORT_SYMBOL(vfs_path_lookup);
2279 * 2273 *
2280 * Note that this routine is purely a helper for filesystem usage and should 2274 * Note that this routine is purely a helper for filesystem usage and should
2281 * not be called by generic code. 2275 * not be called by generic code.
2276 *
2277 * The caller must hold base->i_mutex.
2282 */ 2278 */
2283struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) 2279struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2284{ 2280{
@@ -2322,6 +2318,75 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2322} 2318}
2323EXPORT_SYMBOL(lookup_one_len); 2319EXPORT_SYMBOL(lookup_one_len);
2324 2320
2321/**
2322 * lookup_one_len_unlocked - filesystem helper to lookup single pathname component
2323 * @name: pathname component to lookup
2324 * @base: base directory to lookup from
2325 * @len: maximum length @len should be interpreted to
2326 *
2327 * Note that this routine is purely a helper for filesystem usage and should
2328 * not be called by generic code.
2329 *
2330 * Unlike lookup_one_len, it should be called without the parent
2331 * i_mutex held, and will take the i_mutex itself if necessary.
2332 */
2333struct dentry *lookup_one_len_unlocked(const char *name,
2334 struct dentry *base, int len)
2335{
2336 struct qstr this;
2337 unsigned int c;
2338 int err;
2339 struct dentry *ret;
2340
2341 this.name = name;
2342 this.len = len;
2343 this.hash = full_name_hash(name, len);
2344 if (!len)
2345 return ERR_PTR(-EACCES);
2346
2347 if (unlikely(name[0] == '.')) {
2348 if (len < 2 || (len == 2 && name[1] == '.'))
2349 return ERR_PTR(-EACCES);
2350 }
2351
2352 while (len--) {
2353 c = *(const unsigned char *)name++;
2354 if (c == '/' || c == '\0')
2355 return ERR_PTR(-EACCES);
2356 }
2357 /*
2358 * See if the low-level filesystem might want
2359 * to use its own hash..
2360 */
2361 if (base->d_flags & DCACHE_OP_HASH) {
2362 int err = base->d_op->d_hash(base, &this);
2363 if (err < 0)
2364 return ERR_PTR(err);
2365 }
2366
2367 err = inode_permission(base->d_inode, MAY_EXEC);
2368 if (err)
2369 return ERR_PTR(err);
2370
2371 /*
2372 * __d_lookup() is used to try to get a quick answer and avoid the
2373 * mutex. A false-negative does no harm.
2374 */
2375 ret = __d_lookup(base, &this);
2376 if (ret && unlikely(ret->d_flags & DCACHE_OP_REVALIDATE)) {
2377 dput(ret);
2378 ret = NULL;
2379 }
2380 if (ret)
2381 return ret;
2382
2383 mutex_lock(&base->d_inode->i_mutex);
2384 ret = __lookup_hash(&this, base, 0);
2385 mutex_unlock(&base->d_inode->i_mutex);
2386 return ret;
2387}
2388EXPORT_SYMBOL(lookup_one_len_unlocked);
2389
2325int user_path_at_empty(int dfd, const char __user *name, unsigned flags, 2390int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
2326 struct path *path, int *empty) 2391 struct path *path, int *empty)
2327{ 2392{
@@ -2670,10 +2735,6 @@ static int may_open(struct path *path, int acc_mode, int flag)
2670 struct inode *inode = dentry->d_inode; 2735 struct inode *inode = dentry->d_inode;
2671 int error; 2736 int error;
2672 2737
2673 /* O_PATH? */
2674 if (!acc_mode)
2675 return 0;
2676
2677 if (!inode) 2738 if (!inode)
2678 return -ENOENT; 2739 return -ENOENT;
2679 2740
@@ -2695,7 +2756,7 @@ static int may_open(struct path *path, int acc_mode, int flag)
2695 break; 2756 break;
2696 } 2757 }
2697 2758
2698 error = inode_permission(inode, acc_mode); 2759 error = inode_permission(inode, MAY_OPEN | acc_mode);
2699 if (error) 2760 if (error)
2700 return error; 2761 return error;
2701 2762
@@ -2887,7 +2948,7 @@ static int atomic_open(struct nameidata *nd, struct dentry *dentry,
2887 if (*opened & FILE_CREATED) { 2948 if (*opened & FILE_CREATED) {
2888 WARN_ON(!(open_flag & O_CREAT)); 2949 WARN_ON(!(open_flag & O_CREAT));
2889 fsnotify_create(dir, dentry); 2950 fsnotify_create(dir, dentry);
2890 acc_mode = MAY_OPEN; 2951 acc_mode = 0;
2891 } 2952 }
2892 error = may_open(&file->f_path, acc_mode, open_flag); 2953 error = may_open(&file->f_path, acc_mode, open_flag);
2893 if (error) 2954 if (error)
@@ -3100,7 +3161,7 @@ retry_lookup:
3100 /* Don't check for write permission, don't truncate */ 3161 /* Don't check for write permission, don't truncate */
3101 open_flag &= ~O_TRUNC; 3162 open_flag &= ~O_TRUNC;
3102 will_truncate = false; 3163 will_truncate = false;
3103 acc_mode = MAY_OPEN; 3164 acc_mode = 0;
3104 path_to_nameidata(&path, nd); 3165 path_to_nameidata(&path, nd);
3105 goto finish_open_created; 3166 goto finish_open_created;
3106 } 3167 }
@@ -3184,10 +3245,11 @@ finish_open:
3184 got_write = true; 3245 got_write = true;
3185 } 3246 }
3186finish_open_created: 3247finish_open_created:
3187 error = may_open(&nd->path, acc_mode, open_flag); 3248 if (likely(!(open_flag & O_PATH))) {
3188 if (error) 3249 error = may_open(&nd->path, acc_mode, open_flag);
3189 goto out; 3250 if (error)
3190 3251 goto out;
3252 }
3191 BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */ 3253 BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
3192 error = vfs_open(&nd->path, file, current_cred()); 3254 error = vfs_open(&nd->path, file, current_cred());
3193 if (!error) { 3255 if (!error) {
@@ -3274,7 +3336,7 @@ static int do_tmpfile(struct nameidata *nd, unsigned flags,
3274 goto out2; 3336 goto out2;
3275 audit_inode(nd->name, child, 0); 3337 audit_inode(nd->name, child, 0);
3276 /* Don't check for other permissions, the inode was just created */ 3338 /* Don't check for other permissions, the inode was just created */
3277 error = may_open(&path, MAY_OPEN, op->open_flag); 3339 error = may_open(&path, 0, op->open_flag);
3278 if (error) 3340 if (error)
3279 goto out2; 3341 goto out2;
3280 file->f_path.mnt = path.mnt; 3342 file->f_path.mnt = path.mnt;
diff --git a/fs/namespace.c b/fs/namespace.c
index 4d2c8f64b7bf..a830e1463704 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2609,18 +2609,18 @@ static long exact_copy_from_user(void *to, const void __user * from,
2609 return n; 2609 return n;
2610} 2610}
2611 2611
2612int copy_mount_options(const void __user * data, unsigned long *where) 2612void *copy_mount_options(const void __user * data)
2613{ 2613{
2614 int i; 2614 int i;
2615 unsigned long page;
2616 unsigned long size; 2615 unsigned long size;
2616 char *copy;
2617 2617
2618 *where = 0;
2619 if (!data) 2618 if (!data)
2620 return 0; 2619 return NULL;
2621 2620
2622 if (!(page = __get_free_page(GFP_KERNEL))) 2621 copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
2623 return -ENOMEM; 2622 if (!copy)
2623 return ERR_PTR(-ENOMEM);
2624 2624
2625 /* We only care that *some* data at the address the user 2625 /* We only care that *some* data at the address the user
2626 * gave us is valid. Just in case, we'll zero 2626 * gave us is valid. Just in case, we'll zero
@@ -2631,15 +2631,14 @@ int copy_mount_options(const void __user * data, unsigned long *where)
2631 if (size > PAGE_SIZE) 2631 if (size > PAGE_SIZE)
2632 size = PAGE_SIZE; 2632 size = PAGE_SIZE;
2633 2633
2634 i = size - exact_copy_from_user((void *)page, data, size); 2634 i = size - exact_copy_from_user(copy, data, size);
2635 if (!i) { 2635 if (!i) {
2636 free_page(page); 2636 kfree(copy);
2637 return -EFAULT; 2637 return ERR_PTR(-EFAULT);
2638 } 2638 }
2639 if (i != PAGE_SIZE) 2639 if (i != PAGE_SIZE)
2640 memset((char *)page + i, 0, PAGE_SIZE - i); 2640 memset(copy + i, 0, PAGE_SIZE - i);
2641 *where = page; 2641 return copy;
2642 return 0;
2643} 2642}
2644 2643
2645char *copy_mount_string(const void __user *data) 2644char *copy_mount_string(const void __user *data)
@@ -2906,7 +2905,7 @@ SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
2906 int ret; 2905 int ret;
2907 char *kernel_type; 2906 char *kernel_type;
2908 char *kernel_dev; 2907 char *kernel_dev;
2909 unsigned long data_page; 2908 void *options;
2910 2909
2911 kernel_type = copy_mount_string(type); 2910 kernel_type = copy_mount_string(type);
2912 ret = PTR_ERR(kernel_type); 2911 ret = PTR_ERR(kernel_type);
@@ -2918,14 +2917,14 @@ SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
2918 if (IS_ERR(kernel_dev)) 2917 if (IS_ERR(kernel_dev))
2919 goto out_dev; 2918 goto out_dev;
2920 2919
2921 ret = copy_mount_options(data, &data_page); 2920 options = copy_mount_options(data);
2922 if (ret < 0) 2921 ret = PTR_ERR(options);
2922 if (IS_ERR(options))
2923 goto out_data; 2923 goto out_data;
2924 2924
2925 ret = do_mount(kernel_dev, dir_name, kernel_type, flags, 2925 ret = do_mount(kernel_dev, dir_name, kernel_type, flags, options);
2926 (void *) data_page);
2927 2926
2928 free_page(data_page); 2927 kfree(options);
2929out_data: 2928out_data:
2930 kfree(kernel_dev); 2929 kfree(kernel_dev);
2931out_dev: 2930out_dev:
@@ -2949,9 +2948,9 @@ bool is_path_reachable(struct mount *mnt, struct dentry *dentry,
2949 return &mnt->mnt == root->mnt && is_subdir(dentry, root->dentry); 2948 return &mnt->mnt == root->mnt && is_subdir(dentry, root->dentry);
2950} 2949}
2951 2950
2952int path_is_under(struct path *path1, struct path *path2) 2951bool path_is_under(struct path *path1, struct path *path2)
2953{ 2952{
2954 int res; 2953 bool res;
2955 read_seqlock_excl(&mount_lock); 2954 read_seqlock_excl(&mount_lock);
2956 res = is_path_reachable(real_mount(path1->mnt), path1->dentry, path2); 2955 res = is_path_reachable(real_mount(path1->mnt), path1->dentry, path2);
2957 read_sequnlock_excl(&mount_lock); 2956 read_sequnlock_excl(&mount_lock);
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index 00575d776d91..2246454dec76 100644
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -823,7 +823,7 @@ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp,
823 } else 823 } else
824 dchild = dget(dparent); 824 dchild = dget(dparent);
825 } else 825 } else
826 dchild = lookup_one_len(name, dparent, namlen); 826 dchild = lookup_one_len_unlocked(name, dparent, namlen);
827 if (IS_ERR(dchild)) 827 if (IS_ERR(dchild))
828 return rv; 828 return rv;
829 if (d_mountpoint(dchild)) 829 if (d_mountpoint(dchild))
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 924416f91fdd..d6ef0955a979 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2858,14 +2858,14 @@ nfsd4_encode_dirent_fattr(struct xdr_stream *xdr, struct nfsd4_readdir *cd,
2858 __be32 nfserr; 2858 __be32 nfserr;
2859 int ignore_crossmnt = 0; 2859 int ignore_crossmnt = 0;
2860 2860
2861 dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen); 2861 dentry = lookup_one_len_unlocked(name, cd->rd_fhp->fh_dentry, namlen);
2862 if (IS_ERR(dentry)) 2862 if (IS_ERR(dentry))
2863 return nfserrno(PTR_ERR(dentry)); 2863 return nfserrno(PTR_ERR(dentry));
2864 if (d_really_is_negative(dentry)) { 2864 if (d_really_is_negative(dentry)) {
2865 /* 2865 /*
2866 * nfsd_buffered_readdir drops the i_mutex between 2866 * we're not holding the i_mutex here, so there's
2867 * readdir and calling this callback, leaving a window 2867 * a window where this directory entry could have gone
2868 * where this directory entry could have gone away. 2868 * away.
2869 */ 2869 */
2870 dput(dentry); 2870 dput(dentry);
2871 return nfserr_noent; 2871 return nfserr_noent;
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 5411bf09b810..d41c149fae75 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -218,10 +218,16 @@ nfsd_lookup_dentry(struct svc_rqst *rqstp, struct svc_fh *fhp,
218 host_err = PTR_ERR(dentry); 218 host_err = PTR_ERR(dentry);
219 if (IS_ERR(dentry)) 219 if (IS_ERR(dentry))
220 goto out_nfserr; 220 goto out_nfserr;
221 /*
222 * check if we have crossed a mount point ...
223 */
224 if (nfsd_mountpoint(dentry, exp)) { 221 if (nfsd_mountpoint(dentry, exp)) {
222 /*
223 * We don't need the i_mutex after all. It's
224 * still possible we could open this (regular
225 * files can be mountpoints too), but the
226 * i_mutex is just there to prevent renames of
227 * something that we might be about to delegate,
228 * and a mountpoint won't be renamed:
229 */
230 fh_unlock(fhp);
225 if ((host_err = nfsd_cross_mnt(rqstp, &dentry, &exp))) { 231 if ((host_err = nfsd_cross_mnt(rqstp, &dentry, &exp))) {
226 dput(dentry); 232 dput(dentry);
227 goto out_nfserr; 233 goto out_nfserr;
@@ -1817,7 +1823,6 @@ static __be32 nfsd_buffered_readdir(struct file *file, nfsd_filldir_t func,
1817 offset = *offsetp; 1823 offset = *offsetp;
1818 1824
1819 while (1) { 1825 while (1) {
1820 struct inode *dir_inode = file_inode(file);
1821 unsigned int reclen; 1826 unsigned int reclen;
1822 1827
1823 cdp->err = nfserr_eof; /* will be cleared on successful read */ 1828 cdp->err = nfserr_eof; /* will be cleared on successful read */
@@ -1836,15 +1841,6 @@ static __be32 nfsd_buffered_readdir(struct file *file, nfsd_filldir_t func,
1836 if (!size) 1841 if (!size)
1837 break; 1842 break;
1838 1843
1839 /*
1840 * Various filldir functions may end up calling back into
1841 * lookup_one_len() and the file system's ->lookup() method.
1842 * These expect i_mutex to be held, as it would within readdir.
1843 */
1844 host_err = mutex_lock_killable(&dir_inode->i_mutex);
1845 if (host_err)
1846 break;
1847
1848 de = (struct buffered_dirent *)buf.dirent; 1844 de = (struct buffered_dirent *)buf.dirent;
1849 while (size > 0) { 1845 while (size > 0) {
1850 offset = de->offset; 1846 offset = de->offset;
@@ -1861,7 +1857,6 @@ static __be32 nfsd_buffered_readdir(struct file *file, nfsd_filldir_t func,
1861 size -= reclen; 1857 size -= reclen;
1862 de = (struct buffered_dirent *)((char *)de + reclen); 1858 de = (struct buffered_dirent *)((char *)de + reclen);
1863 } 1859 }
1864 mutex_unlock(&dir_inode->i_mutex);
1865 if (size > 0) /* We bailed out early */ 1860 if (size > 0) /* We bailed out early */
1866 break; 1861 break;
1867 1862
diff --git a/fs/nilfs2/super.c b/fs/nilfs2/super.c
index 354013ea22ec..c7343844e6b6 100644
--- a/fs/nilfs2/super.c
+++ b/fs/nilfs2/super.c
@@ -1316,13 +1316,11 @@ nilfs_mount(struct file_system_type *fs_type, int flags,
1316 } 1316 }
1317 1317
1318 if (!s->s_root) { 1318 if (!s->s_root) {
1319 char b[BDEVNAME_SIZE]; 1319 s_new = true;
1320
1321 s_new = true;
1322 1320
1323 /* New superblock instance created */ 1321 /* New superblock instance created */
1324 s->s_mode = mode; 1322 s->s_mode = mode;
1325 strlcpy(s->s_id, bdevname(sd.bdev, b), sizeof(s->s_id)); 1323 snprintf(s->s_id, sizeof(s->s_id), "%pg", sd.bdev);
1326 sb_set_blocksize(s, block_size(sd.bdev)); 1324 sb_set_blocksize(s, block_size(sd.bdev));
1327 1325
1328 err = nilfs_fill_super(s, data, flags & MS_SILENT ? 1 : 0); 1326 err = nilfs_fill_super(s, data, flags & MS_SILENT ? 1 : 0);
diff --git a/fs/open.c b/fs/open.c
index b6f1e96a7c0b..b25b1542c530 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -887,7 +887,7 @@ EXPORT_SYMBOL(dentry_open);
887static inline int build_open_flags(int flags, umode_t mode, struct open_flags *op) 887static inline int build_open_flags(int flags, umode_t mode, struct open_flags *op)
888{ 888{
889 int lookup_flags = 0; 889 int lookup_flags = 0;
890 int acc_mode; 890 int acc_mode = ACC_MODE(flags);
891 891
892 if (flags & (O_CREAT | __O_TMPFILE)) 892 if (flags & (O_CREAT | __O_TMPFILE))
893 op->mode = (mode & S_IALLUGO) | S_IFREG; 893 op->mode = (mode & S_IALLUGO) | S_IFREG;
@@ -909,7 +909,6 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
909 if (flags & __O_TMPFILE) { 909 if (flags & __O_TMPFILE) {
910 if ((flags & O_TMPFILE_MASK) != O_TMPFILE) 910 if ((flags & O_TMPFILE_MASK) != O_TMPFILE)
911 return -EINVAL; 911 return -EINVAL;
912 acc_mode = MAY_OPEN | ACC_MODE(flags);
913 if (!(acc_mode & MAY_WRITE)) 912 if (!(acc_mode & MAY_WRITE))
914 return -EINVAL; 913 return -EINVAL;
915 } else if (flags & O_PATH) { 914 } else if (flags & O_PATH) {
@@ -919,8 +918,6 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
919 */ 918 */
920 flags &= O_DIRECTORY | O_NOFOLLOW | O_PATH; 919 flags &= O_DIRECTORY | O_NOFOLLOW | O_PATH;
921 acc_mode = 0; 920 acc_mode = 0;
922 } else {
923 acc_mode = MAY_OPEN | ACC_MODE(flags);
924 } 921 }
925 922
926 op->open_flag = flags; 923 op->open_flag = flags;
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 55e01f88eac9..2cf5d7e37375 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2365,7 +2365,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
2365 size_t count, loff_t *ppos) 2365 size_t count, loff_t *ppos)
2366{ 2366{
2367 struct inode * inode = file_inode(file); 2367 struct inode * inode = file_inode(file);
2368 char *page; 2368 void *page;
2369 ssize_t length; 2369 ssize_t length;
2370 struct task_struct *task = get_proc_task(inode); 2370 struct task_struct *task = get_proc_task(inode);
2371 2371
@@ -2380,14 +2380,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
2380 if (*ppos != 0) 2380 if (*ppos != 0)
2381 goto out; 2381 goto out;
2382 2382
2383 length = -ENOMEM; 2383 page = memdup_user(buf, count);
2384 page = (char*)__get_free_page(GFP_TEMPORARY); 2384 if (IS_ERR(page)) {
2385 if (!page) 2385 length = PTR_ERR(page);
2386 goto out; 2386 goto out;
2387 2387 }
2388 length = -EFAULT;
2389 if (copy_from_user(page, buf, count))
2390 goto out_free;
2391 2388
2392 /* Guard against adverse ptrace interaction */ 2389 /* Guard against adverse ptrace interaction */
2393 length = mutex_lock_interruptible(&task->signal->cred_guard_mutex); 2390 length = mutex_lock_interruptible(&task->signal->cred_guard_mutex);
@@ -2396,10 +2393,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
2396 2393
2397 length = security_setprocattr(task, 2394 length = security_setprocattr(task,
2398 (char*)file->f_path.dentry->d_name.name, 2395 (char*)file->f_path.dentry->d_name.name,
2399 (void*)page, count); 2396 page, count);
2400 mutex_unlock(&task->signal->cred_guard_mutex); 2397 mutex_unlock(&task->signal->cred_guard_mutex);
2401out_free: 2398out_free:
2402 free_page((unsigned long) page); 2399 kfree(page);
2403out: 2400out:
2404 put_task_struct(task); 2401 put_task_struct(task);
2405out_no_task: 2402out_no_task:
diff --git a/fs/proc/fd.c b/fs/proc/fd.c
index 3c2a915c695a..56afa5ef08f2 100644
--- a/fs/proc/fd.c
+++ b/fs/proc/fd.c
@@ -258,6 +258,7 @@ static int proc_readfd_common(struct file *file, struct dir_context *ctx,
258 name, len, instantiate, p, 258 name, len, instantiate, p,
259 (void *)(unsigned long)fd)) 259 (void *)(unsigned long)fd))
260 goto out_fd_loop; 260 goto out_fd_loop;
261 cond_resched();
261 rcu_read_lock(); 262 rcu_read_lock();
262 } 263 }
263 rcu_read_unlock(); 264 rcu_read_unlock();
diff --git a/fs/proc_namespace.c b/fs/proc_namespace.c
index 8ebd9a334085..2256e7e23e67 100644
--- a/fs/proc_namespace.c
+++ b/fs/proc_namespace.c
@@ -95,9 +95,9 @@ static int show_vfsmnt(struct seq_file *m, struct vfsmount *mnt)
95{ 95{
96 struct proc_mounts *p = m->private; 96 struct proc_mounts *p = m->private;
97 struct mount *r = real_mount(mnt); 97 struct mount *r = real_mount(mnt);
98 int err = 0;
99 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; 98 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
100 struct super_block *sb = mnt_path.dentry->d_sb; 99 struct super_block *sb = mnt_path.dentry->d_sb;
100 int err;
101 101
102 if (sb->s_op->show_devname) { 102 if (sb->s_op->show_devname) {
103 err = sb->s_op->show_devname(m, mnt_path.dentry); 103 err = sb->s_op->show_devname(m, mnt_path.dentry);
@@ -131,16 +131,17 @@ static int show_mountinfo(struct seq_file *m, struct vfsmount *mnt)
131 struct mount *r = real_mount(mnt); 131 struct mount *r = real_mount(mnt);
132 struct super_block *sb = mnt->mnt_sb; 132 struct super_block *sb = mnt->mnt_sb;
133 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; 133 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
134 int err = 0; 134 int err;
135 135
136 seq_printf(m, "%i %i %u:%u ", r->mnt_id, r->mnt_parent->mnt_id, 136 seq_printf(m, "%i %i %u:%u ", r->mnt_id, r->mnt_parent->mnt_id,
137 MAJOR(sb->s_dev), MINOR(sb->s_dev)); 137 MAJOR(sb->s_dev), MINOR(sb->s_dev));
138 if (sb->s_op->show_path) 138 if (sb->s_op->show_path) {
139 err = sb->s_op->show_path(m, mnt->mnt_root); 139 err = sb->s_op->show_path(m, mnt->mnt_root);
140 else 140 if (err)
141 goto out;
142 } else {
141 seq_dentry(m, mnt->mnt_root, " \t\n\\"); 143 seq_dentry(m, mnt->mnt_root, " \t\n\\");
142 if (err) 144 }
143 goto out;
144 seq_putc(m, ' '); 145 seq_putc(m, ' ');
145 146
146 /* mountpoints outside of chroot jail will give SEQ_SKIP on this */ 147 /* mountpoints outside of chroot jail will give SEQ_SKIP on this */
@@ -168,12 +169,13 @@ static int show_mountinfo(struct seq_file *m, struct vfsmount *mnt)
168 seq_puts(m, " - "); 169 seq_puts(m, " - ");
169 show_type(m, sb); 170 show_type(m, sb);
170 seq_putc(m, ' '); 171 seq_putc(m, ' ');
171 if (sb->s_op->show_devname) 172 if (sb->s_op->show_devname) {
172 err = sb->s_op->show_devname(m, mnt->mnt_root); 173 err = sb->s_op->show_devname(m, mnt->mnt_root);
173 else 174 if (err)
175 goto out;
176 } else {
174 mangle(m, r->mnt_devname ? r->mnt_devname : "none"); 177 mangle(m, r->mnt_devname ? r->mnt_devname : "none");
175 if (err) 178 }
176 goto out;
177 seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw"); 179 seq_puts(m, sb->s_flags & MS_RDONLY ? " ro" : " rw");
178 err = show_sb_opts(m, sb); 180 err = show_sb_opts(m, sb);
179 if (err) 181 if (err)
@@ -191,7 +193,7 @@ static int show_vfsstat(struct seq_file *m, struct vfsmount *mnt)
191 struct mount *r = real_mount(mnt); 193 struct mount *r = real_mount(mnt);
192 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; 194 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
193 struct super_block *sb = mnt_path.dentry->d_sb; 195 struct super_block *sb = mnt_path.dentry->d_sb;
194 int err = 0; 196 int err;
195 197
196 /* device */ 198 /* device */
197 if (sb->s_op->show_devname) { 199 if (sb->s_op->show_devname) {
@@ -220,8 +222,7 @@ static int show_vfsstat(struct seq_file *m, struct vfsmount *mnt)
220 /* optional statistics */ 222 /* optional statistics */
221 if (sb->s_op->show_stats) { 223 if (sb->s_op->show_stats) {
222 seq_putc(m, ' '); 224 seq_putc(m, ' ');
223 if (!err) 225 err = sb->s_op->show_stats(m, mnt_path.dentry);
224 err = sb->s_op->show_stats(m, mnt_path.dentry);
225 } 226 }
226 227
227 seq_putc(m, '\n'); 228 seq_putc(m, '\n');
diff --git a/fs/read_write.c b/fs/read_write.c
index 2116e74a83d3..06b07d5a08fe 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -172,6 +172,45 @@ loff_t fixed_size_llseek(struct file *file, loff_t offset, int whence, loff_t si
172EXPORT_SYMBOL(fixed_size_llseek); 172EXPORT_SYMBOL(fixed_size_llseek);
173 173
174/** 174/**
175 * no_seek_end_llseek - llseek implementation for fixed-sized devices
176 * @file: file structure to seek on
177 * @offset: file offset to seek to
178 * @whence: type of seek
179 *
180 */
181loff_t no_seek_end_llseek(struct file *file, loff_t offset, int whence)
182{
183 switch (whence) {
184 case SEEK_SET: case SEEK_CUR:
185 return generic_file_llseek_size(file, offset, whence,
186 ~0ULL, 0);
187 default:
188 return -EINVAL;
189 }
190}
191EXPORT_SYMBOL(no_seek_end_llseek);
192
193/**
194 * no_seek_end_llseek_size - llseek implementation for fixed-sized devices
195 * @file: file structure to seek on
196 * @offset: file offset to seek to
197 * @whence: type of seek
198 * @size: maximal offset allowed
199 *
200 */
201loff_t no_seek_end_llseek_size(struct file *file, loff_t offset, int whence, loff_t size)
202{
203 switch (whence) {
204 case SEEK_SET: case SEEK_CUR:
205 return generic_file_llseek_size(file, offset, whence,
206 size, 0);
207 default:
208 return -EINVAL;
209 }
210}
211EXPORT_SYMBOL(no_seek_end_llseek_size);
212
213/**
175 * noop_llseek - No Operation Performed llseek implementation 214 * noop_llseek - No Operation Performed llseek implementation
176 * @file: file structure to seek on 215 * @file: file structure to seek on
177 * @offset: file offset to seek to 216 * @offset: file offset to seek to
diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 9d6486d416a3..44c2bdced1c8 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -618,12 +618,10 @@ static void release_buffer_page(struct buffer_head *bh)
618 618
619static void reiserfs_end_buffer_io_sync(struct buffer_head *bh, int uptodate) 619static void reiserfs_end_buffer_io_sync(struct buffer_head *bh, int uptodate)
620{ 620{
621 char b[BDEVNAME_SIZE];
622
623 if (buffer_journaled(bh)) { 621 if (buffer_journaled(bh)) {
624 reiserfs_warning(NULL, "clm-2084", 622 reiserfs_warning(NULL, "clm-2084",
625 "pinned buffer %lu:%s sent to disk", 623 "pinned buffer %lu:%pg sent to disk",
626 bh->b_blocknr, bdevname(bh->b_bdev, b)); 624 bh->b_blocknr, bh->b_bdev);
627 } 625 }
628 if (uptodate) 626 if (uptodate)
629 set_buffer_uptodate(bh); 627 set_buffer_uptodate(bh);
@@ -2387,11 +2385,10 @@ static int journal_read(struct super_block *sb)
2387 int replay_count = 0; 2385 int replay_count = 0;
2388 int continue_replay = 1; 2386 int continue_replay = 1;
2389 int ret; 2387 int ret;
2390 char b[BDEVNAME_SIZE];
2391 2388
2392 cur_dblock = SB_ONDISK_JOURNAL_1st_BLOCK(sb); 2389 cur_dblock = SB_ONDISK_JOURNAL_1st_BLOCK(sb);
2393 reiserfs_info(sb, "checking transaction log (%s)\n", 2390 reiserfs_info(sb, "checking transaction log (%pg)\n",
2394 bdevname(journal->j_dev_bd, b)); 2391 journal->j_dev_bd);
2395 start = get_seconds(); 2392 start = get_seconds();
2396 2393
2397 /* 2394 /*
@@ -2651,8 +2648,8 @@ static int journal_init_dev(struct super_block *super,
2651 2648
2652 set_blocksize(journal->j_dev_bd, super->s_blocksize); 2649 set_blocksize(journal->j_dev_bd, super->s_blocksize);
2653 reiserfs_info(super, 2650 reiserfs_info(super,
2654 "journal_init_dev: journal device: %s\n", 2651 "journal_init_dev: journal device: %pg\n",
2655 bdevname(journal->j_dev_bd, b)); 2652 journal->j_dev_bd);
2656 return 0; 2653 return 0;
2657} 2654}
2658 2655
@@ -2724,7 +2721,6 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
2724 struct reiserfs_journal_header *jh; 2721 struct reiserfs_journal_header *jh;
2725 struct reiserfs_journal *journal; 2722 struct reiserfs_journal *journal;
2726 struct reiserfs_journal_list *jl; 2723 struct reiserfs_journal_list *jl;
2727 char b[BDEVNAME_SIZE];
2728 int ret; 2724 int ret;
2729 2725
2730 journal = SB_JOURNAL(sb) = vzalloc(sizeof(struct reiserfs_journal)); 2726 journal = SB_JOURNAL(sb) = vzalloc(sizeof(struct reiserfs_journal));
@@ -2794,10 +2790,10 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
2794 && (le32_to_cpu(jh->jh_journal.jp_journal_magic) != 2790 && (le32_to_cpu(jh->jh_journal.jp_journal_magic) !=
2795 sb_jp_journal_magic(rs))) { 2791 sb_jp_journal_magic(rs))) {
2796 reiserfs_warning(sb, "sh-460", 2792 reiserfs_warning(sb, "sh-460",
2797 "journal header magic %x (device %s) does " 2793 "journal header magic %x (device %pg) does "
2798 "not match to magic found in super block %x", 2794 "not match to magic found in super block %x",
2799 jh->jh_journal.jp_journal_magic, 2795 jh->jh_journal.jp_journal_magic,
2800 bdevname(journal->j_dev_bd, b), 2796 journal->j_dev_bd,
2801 sb_jp_journal_magic(rs)); 2797 sb_jp_journal_magic(rs));
2802 brelse(bhjh); 2798 brelse(bhjh);
2803 goto free_and_return; 2799 goto free_and_return;
@@ -2818,10 +2814,10 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
2818 journal->j_max_trans_age = commit_max_age; 2814 journal->j_max_trans_age = commit_max_age;
2819 } 2815 }
2820 2816
2821 reiserfs_info(sb, "journal params: device %s, size %u, " 2817 reiserfs_info(sb, "journal params: device %pg, size %u, "
2822 "journal first block %u, max trans len %u, max batch %u, " 2818 "journal first block %u, max trans len %u, max batch %u, "
2823 "max commit age %u, max trans age %u\n", 2819 "max commit age %u, max trans age %u\n",
2824 bdevname(journal->j_dev_bd, b), 2820 journal->j_dev_bd,
2825 SB_ONDISK_JOURNAL_SIZE(sb), 2821 SB_ONDISK_JOURNAL_SIZE(sb),
2826 SB_ONDISK_JOURNAL_1st_BLOCK(sb), 2822 SB_ONDISK_JOURNAL_1st_BLOCK(sb),
2827 journal->j_trans_max, 2823 journal->j_trans_max,
diff --git a/fs/reiserfs/prints.c b/fs/reiserfs/prints.c
index ae1dc841db3a..4f3f928076f3 100644
--- a/fs/reiserfs/prints.c
+++ b/fs/reiserfs/prints.c
@@ -139,11 +139,9 @@ static void sprintf_block_head(char *buf, struct buffer_head *bh)
139 139
140static void sprintf_buffer_head(char *buf, struct buffer_head *bh) 140static void sprintf_buffer_head(char *buf, struct buffer_head *bh)
141{ 141{
142 char b[BDEVNAME_SIZE];
143
144 sprintf(buf, 142 sprintf(buf,
145 "dev %s, size %zd, blocknr %llu, count %d, state 0x%lx, page %p, (%s, %s, %s)", 143 "dev %pg, size %zd, blocknr %llu, count %d, state 0x%lx, page %p, (%s, %s, %s)",
146 bdevname(bh->b_bdev, b), bh->b_size, 144 bh->b_bdev, bh->b_size,
147 (unsigned long long)bh->b_blocknr, atomic_read(&(bh->b_count)), 145 (unsigned long long)bh->b_blocknr, atomic_read(&(bh->b_count)),
148 bh->b_state, bh->b_page, 146 bh->b_state, bh->b_page,
149 buffer_uptodate(bh) ? "UPTODATE" : "!UPTODATE", 147 buffer_uptodate(bh) ? "UPTODATE" : "!UPTODATE",
@@ -530,7 +528,6 @@ static int print_super_block(struct buffer_head *bh)
530 (struct reiserfs_super_block *)(bh->b_data); 528 (struct reiserfs_super_block *)(bh->b_data);
531 int skipped, data_blocks; 529 int skipped, data_blocks;
532 char *version; 530 char *version;
533 char b[BDEVNAME_SIZE];
534 531
535 if (is_reiserfs_3_5(rs)) { 532 if (is_reiserfs_3_5(rs)) {
536 version = "3.5"; 533 version = "3.5";
@@ -543,7 +540,7 @@ static int print_super_block(struct buffer_head *bh)
543 return 1; 540 return 1;
544 } 541 }
545 542
546 printk("%s\'s super block is in block %llu\n", bdevname(bh->b_bdev, b), 543 printk("%pg\'s super block is in block %llu\n", bh->b_bdev,
547 (unsigned long long)bh->b_blocknr); 544 (unsigned long long)bh->b_blocknr);
548 printk("Reiserfs version %s\n", version); 545 printk("Reiserfs version %s\n", version);
549 printk("Block count %u\n", sb_block_count(rs)); 546 printk("Block count %u\n", sb_block_count(rs));
diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
index 621b9f381fe1..fe999157dd97 100644
--- a/fs/reiserfs/procfs.c
+++ b/fs/reiserfs/procfs.c
@@ -303,11 +303,10 @@ static int show_journal(struct seq_file *m, void *unused)
303 struct reiserfs_sb_info *r = REISERFS_SB(sb); 303 struct reiserfs_sb_info *r = REISERFS_SB(sb);
304 struct reiserfs_super_block *rs = r->s_rs; 304 struct reiserfs_super_block *rs = r->s_rs;
305 struct journal_params *jp = &rs->s_v1.s_journal; 305 struct journal_params *jp = &rs->s_v1.s_journal;
306 char b[BDEVNAME_SIZE];
307 306
308 seq_printf(m, /* on-disk fields */ 307 seq_printf(m, /* on-disk fields */
309 "jp_journal_1st_block: \t%i\n" 308 "jp_journal_1st_block: \t%i\n"
310 "jp_journal_dev: \t%s[%x]\n" 309 "jp_journal_dev: \t%pg[%x]\n"
311 "jp_journal_size: \t%i\n" 310 "jp_journal_size: \t%i\n"
312 "jp_journal_trans_max: \t%i\n" 311 "jp_journal_trans_max: \t%i\n"
313 "jp_journal_magic: \t%i\n" 312 "jp_journal_magic: \t%i\n"
@@ -348,7 +347,7 @@ static int show_journal(struct seq_file *m, void *unused)
348 "prepare: \t%12lu\n" 347 "prepare: \t%12lu\n"
349 "prepare_retry: \t%12lu\n", 348 "prepare_retry: \t%12lu\n",
350 DJP(jp_journal_1st_block), 349 DJP(jp_journal_1st_block),
351 bdevname(SB_JOURNAL(sb)->j_dev_bd, b), 350 SB_JOURNAL(sb)->j_dev_bd,
352 DJP(jp_journal_dev), 351 DJP(jp_journal_dev),
353 DJP(jp_journal_size), 352 DJP(jp_journal_size),
354 DJP(jp_journal_trans_max), 353 DJP(jp_journal_trans_max),
diff --git a/fs/select.c b/fs/select.c
index 015547330e88..79d0d4953cad 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -778,8 +778,8 @@ static inline unsigned int do_pollfd(struct pollfd *pollfd, poll_table *pwait,
778 return mask; 778 return mask;
779} 779}
780 780
781static int do_poll(unsigned int nfds, struct poll_list *list, 781static int do_poll(struct poll_list *list, struct poll_wqueues *wait,
782 struct poll_wqueues *wait, struct timespec *end_time) 782 struct timespec *end_time)
783{ 783{
784 poll_table* pt = &wait->pt; 784 poll_table* pt = &wait->pt;
785 ktime_t expire, *to = NULL; 785 ktime_t expire, *to = NULL;
@@ -908,7 +908,7 @@ int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
908 } 908 }
909 909
910 poll_initwait(&table); 910 poll_initwait(&table);
911 fdcount = do_poll(nfds, head, &table, end_time); 911 fdcount = do_poll(head, &table, end_time);
912 poll_freewait(&table); 912 poll_freewait(&table);
913 913
914 for (walk = head; walk; walk = walk->next) { 914 for (walk = head; walk; walk = walk->next) {
diff --git a/fs/splice.c b/fs/splice.c
index 4cf700d50b40..82bc0d64fc38 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -415,6 +415,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
415 */ 415 */
416 if (!page->mapping) { 416 if (!page->mapping) {
417 unlock_page(page); 417 unlock_page(page);
418retry_lookup:
418 page = find_or_create_page(mapping, index, 419 page = find_or_create_page(mapping, index,
419 mapping_gfp_mask(mapping)); 420 mapping_gfp_mask(mapping));
420 421
@@ -439,13 +440,10 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
439 error = mapping->a_ops->readpage(in, page); 440 error = mapping->a_ops->readpage(in, page);
440 if (unlikely(error)) { 441 if (unlikely(error)) {
441 /* 442 /*
442 * We really should re-lookup the page here, 443 * Re-lookup the page
443 * but it complicates things a lot. Instead
444 * lets just do what we already stored, and
445 * we'll get it the next time we are called.
446 */ 444 */
447 if (error == AOP_TRUNCATED_PAGE) 445 if (error == AOP_TRUNCATED_PAGE)
448 error = 0; 446 goto retry_lookup;
449 447
450 break; 448 break;
451 } 449 }
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
index 5056babe00df..dded920cbc8f 100644
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -80,7 +80,6 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
80{ 80{
81 struct squashfs_sb_info *msblk; 81 struct squashfs_sb_info *msblk;
82 struct squashfs_super_block *sblk = NULL; 82 struct squashfs_super_block *sblk = NULL;
83 char b[BDEVNAME_SIZE];
84 struct inode *root; 83 struct inode *root;
85 long long root_inode; 84 long long root_inode;
86 unsigned short flags; 85 unsigned short flags;
@@ -124,8 +123,8 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
124 sb->s_magic = le32_to_cpu(sblk->s_magic); 123 sb->s_magic = le32_to_cpu(sblk->s_magic);
125 if (sb->s_magic != SQUASHFS_MAGIC) { 124 if (sb->s_magic != SQUASHFS_MAGIC) {
126 if (!silent) 125 if (!silent)
127 ERROR("Can't find a SQUASHFS superblock on %s\n", 126 ERROR("Can't find a SQUASHFS superblock on %pg\n",
128 bdevname(sb->s_bdev, b)); 127 sb->s_bdev);
129 goto failed_mount; 128 goto failed_mount;
130 } 129 }
131 130
@@ -178,7 +177,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
178 msblk->inodes = le32_to_cpu(sblk->inodes); 177 msblk->inodes = le32_to_cpu(sblk->inodes);
179 flags = le16_to_cpu(sblk->flags); 178 flags = le16_to_cpu(sblk->flags);
180 179
181 TRACE("Found valid superblock on %s\n", bdevname(sb->s_bdev, b)); 180 TRACE("Found valid superblock on %pg\n", sb->s_bdev);
182 TRACE("Inodes are %scompressed\n", SQUASHFS_UNCOMPRESSED_INODES(flags) 181 TRACE("Inodes are %scompressed\n", SQUASHFS_UNCOMPRESSED_INODES(flags)
183 ? "un" : ""); 182 ? "un" : "");
184 TRACE("Data is %scompressed\n", SQUASHFS_UNCOMPRESSED_DATA(flags) 183 TRACE("Data is %scompressed\n", SQUASHFS_UNCOMPRESSED_DATA(flags)
diff --git a/fs/super.c b/fs/super.c
index 954aeb80e202..cc658a20a29e 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1012,10 +1012,8 @@ struct dentry *mount_bdev(struct file_system_type *fs_type,
1012 blkdev_put(bdev, mode); 1012 blkdev_put(bdev, mode);
1013 down_write(&s->s_umount); 1013 down_write(&s->s_umount);
1014 } else { 1014 } else {
1015 char b[BDEVNAME_SIZE];
1016
1017 s->s_mode = mode; 1015 s->s_mode = mode;
1018 strlcpy(s->s_id, bdevname(bdev, b), sizeof(s->s_id)); 1016 snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev);
1019 sb_set_blocksize(s, block_size(bdev)); 1017 sb_set_blocksize(s, block_size(bdev));
1020 error = fill_super(s, data, flags & MS_SILENT ? 1 : 0); 1018 error = fill_super(s, data, flags & MS_SILENT ? 1 : 0);
1021 if (error) { 1019 if (error) {
diff --git a/fs/xattr.c b/fs/xattr.c
index d7f5037a17b5..d5dd6c8b82a7 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -305,7 +305,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
305{ 305{
306 int error; 306 int error;
307 void *kvalue = NULL; 307 void *kvalue = NULL;
308 void *vvalue = NULL; /* If non-NULL, we used vmalloc() */
309 char kname[XATTR_NAME_MAX + 1]; 308 char kname[XATTR_NAME_MAX + 1];
310 309
311 if (flags & ~(XATTR_CREATE|XATTR_REPLACE)) 310 if (flags & ~(XATTR_CREATE|XATTR_REPLACE))
@@ -322,10 +321,9 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
322 return -E2BIG; 321 return -E2BIG;
323 kvalue = kmalloc(size, GFP_KERNEL | __GFP_NOWARN); 322 kvalue = kmalloc(size, GFP_KERNEL | __GFP_NOWARN);
324 if (!kvalue) { 323 if (!kvalue) {
325 vvalue = vmalloc(size); 324 kvalue = vmalloc(size);
326 if (!vvalue) 325 if (!kvalue)
327 return -ENOMEM; 326 return -ENOMEM;
328 kvalue = vvalue;
329 } 327 }
330 if (copy_from_user(kvalue, value, size)) { 328 if (copy_from_user(kvalue, value, size)) {
331 error = -EFAULT; 329 error = -EFAULT;
@@ -338,10 +336,8 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
338 336
339 error = vfs_setxattr(d, kname, kvalue, size, flags); 337 error = vfs_setxattr(d, kname, kvalue, size, flags);
340out: 338out:
341 if (vvalue) 339 kvfree(kvalue);
342 vfree(vvalue); 340
343 else
344 kfree(kvalue);
345 return error; 341 return error;
346} 342}
347 343
@@ -409,7 +405,6 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
409{ 405{
410 ssize_t error; 406 ssize_t error;
411 void *kvalue = NULL; 407 void *kvalue = NULL;
412 void *vvalue = NULL;
413 char kname[XATTR_NAME_MAX + 1]; 408 char kname[XATTR_NAME_MAX + 1];
414 409
415 error = strncpy_from_user(kname, name, sizeof(kname)); 410 error = strncpy_from_user(kname, name, sizeof(kname));
@@ -423,10 +418,9 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
423 size = XATTR_SIZE_MAX; 418 size = XATTR_SIZE_MAX;
424 kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); 419 kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
425 if (!kvalue) { 420 if (!kvalue) {
426 vvalue = vmalloc(size); 421 kvalue = vmalloc(size);
427 if (!vvalue) 422 if (!kvalue)
428 return -ENOMEM; 423 return -ENOMEM;
429 kvalue = vvalue;
430 } 424 }
431 } 425 }
432 426
@@ -442,10 +436,9 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
442 than XATTR_SIZE_MAX bytes. Not possible. */ 436 than XATTR_SIZE_MAX bytes. Not possible. */
443 error = -E2BIG; 437 error = -E2BIG;
444 } 438 }
445 if (vvalue) 439
446 vfree(vvalue); 440 kvfree(kvalue);
447 else 441
448 kfree(kvalue);
449 return error; 442 return error;
450} 443}
451 444
@@ -502,17 +495,15 @@ listxattr(struct dentry *d, char __user *list, size_t size)
502{ 495{
503 ssize_t error; 496 ssize_t error;
504 char *klist = NULL; 497 char *klist = NULL;
505 char *vlist = NULL; /* If non-NULL, we used vmalloc() */
506 498
507 if (size) { 499 if (size) {
508 if (size > XATTR_LIST_MAX) 500 if (size > XATTR_LIST_MAX)
509 size = XATTR_LIST_MAX; 501 size = XATTR_LIST_MAX;
510 klist = kmalloc(size, __GFP_NOWARN | GFP_KERNEL); 502 klist = kmalloc(size, __GFP_NOWARN | GFP_KERNEL);
511 if (!klist) { 503 if (!klist) {
512 vlist = vmalloc(size); 504 klist = vmalloc(size);
513 if (!vlist) 505 if (!klist)
514 return -ENOMEM; 506 return -ENOMEM;
515 klist = vlist;
516 } 507 }
517 } 508 }
518 509
@@ -525,10 +516,9 @@ listxattr(struct dentry *d, char __user *list, size_t size)
525 than XATTR_LIST_MAX bytes. Not possible. */ 516 than XATTR_LIST_MAX bytes. Not possible. */
526 error = -E2BIG; 517 error = -E2BIG;
527 } 518 }
528 if (vlist) 519
529 vfree(vlist); 520 kvfree(klist);
530 else 521
531 kfree(klist);
532 return error; 522 return error;
533} 523}
534 524
diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index 3243cdf97f33..ace91e7c713e 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -1632,13 +1632,9 @@ xfs_setsize_buftarg(
1632 btp->bt_meta_sectormask = sectorsize - 1; 1632 btp->bt_meta_sectormask = sectorsize - 1;
1633 1633
1634 if (set_blocksize(btp->bt_bdev, sectorsize)) { 1634 if (set_blocksize(btp->bt_bdev, sectorsize)) {
1635 char name[BDEVNAME_SIZE];
1636
1637 bdevname(btp->bt_bdev, name);
1638
1639 xfs_warn(btp->bt_mount, 1635 xfs_warn(btp->bt_mount,
1640 "Cannot set_blocksize to %u on device %s", 1636 "Cannot set_blocksize to %u on device %pg",
1641 sectorsize, name); 1637 sectorsize, btp->bt_bdev);
1642 return -EINVAL; 1638 return -EINVAL;
1643 } 1639 }
1644 1640
diff --git a/include/linux/fs.h b/include/linux/fs.h
index ec43a24bf63d..731262c3fbb7 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2307,9 +2307,9 @@ static inline void iterate_bdevs(void (*f)(struct block_device *, void *), void
2307{ 2307{
2308} 2308}
2309 2309
2310static inline int sb_is_blkdev_sb(struct super_block *sb) 2310static inline bool sb_is_blkdev_sb(struct super_block *sb)
2311{ 2311{
2312 return 0; 2312 return false;
2313} 2313}
2314#endif 2314#endif
2315extern int sync_filesystem(struct super_block *); 2315extern int sync_filesystem(struct super_block *);
@@ -2387,7 +2387,7 @@ extern void init_special_inode(struct inode *, umode_t, dev_t);
2387 2387
2388/* Invalid inode operations -- fs/bad_inode.c */ 2388/* Invalid inode operations -- fs/bad_inode.c */
2389extern void make_bad_inode(struct inode *); 2389extern void make_bad_inode(struct inode *);
2390extern int is_bad_inode(struct inode *); 2390extern bool is_bad_inode(struct inode *);
2391 2391
2392#ifdef CONFIG_BLOCK 2392#ifdef CONFIG_BLOCK
2393/* 2393/*
@@ -2548,8 +2548,8 @@ extern ssize_t __kernel_write(struct file *, const char *, size_t, loff_t *);
2548extern struct file * open_exec(const char *); 2548extern struct file * open_exec(const char *);
2549 2549
2550/* fs/dcache.c -- generic fs support functions */ 2550/* fs/dcache.c -- generic fs support functions */
2551extern int is_subdir(struct dentry *, struct dentry *); 2551extern bool is_subdir(struct dentry *, struct dentry *);
2552extern int path_is_under(struct path *, struct path *); 2552extern bool path_is_under(struct path *, struct path *);
2553 2553
2554extern char *file_path(struct file *, char *, int); 2554extern char *file_path(struct file *, char *, int);
2555 2555
@@ -2676,6 +2676,8 @@ extern loff_t generic_file_llseek_size(struct file *file, loff_t offset,
2676 int whence, loff_t maxsize, loff_t eof); 2676 int whence, loff_t maxsize, loff_t eof);
2677extern loff_t fixed_size_llseek(struct file *file, loff_t offset, 2677extern loff_t fixed_size_llseek(struct file *file, loff_t offset,
2678 int whence, loff_t size); 2678 int whence, loff_t size);
2679extern loff_t no_seek_end_llseek_size(struct file *, loff_t, int, loff_t);
2680extern loff_t no_seek_end_llseek(struct file *, loff_t, int);
2679extern int generic_file_open(struct inode * inode, struct file * filp); 2681extern int generic_file_open(struct inode * inode, struct file * filp);
2680extern int nonseekable_open(struct inode * inode, struct file * filp); 2682extern int nonseekable_open(struct inode * inode, struct file * filp);
2681 2683
@@ -2978,7 +2980,7 @@ int __init get_filesystem_list(char *buf);
2978#define OPEN_FMODE(flag) ((__force fmode_t)(((flag + 1) & O_ACCMODE) | \ 2980#define OPEN_FMODE(flag) ((__force fmode_t)(((flag + 1) & O_ACCMODE) | \
2979 (flag & __FMODE_NONOTIFY))) 2981 (flag & __FMODE_NONOTIFY)))
2980 2982
2981static inline int is_sxid(umode_t mode) 2983static inline bool is_sxid(umode_t mode)
2982{ 2984{
2983 return (mode & S_ISUID) || ((mode & S_ISGID) && (mode & S_IXGRP)); 2985 return (mode & S_ISUID) || ((mode & S_ISGID) && (mode & S_IXGRP));
2984} 2986}
diff --git a/include/linux/namei.h b/include/linux/namei.h
index d8c6334cd150..d0f25d81b46a 100644
--- a/include/linux/namei.h
+++ b/include/linux/namei.h
@@ -77,6 +77,7 @@ extern struct dentry *kern_path_locked(const char *, struct path *);
77extern int kern_path_mountpoint(int, const char *, struct path *, unsigned int); 77extern int kern_path_mountpoint(int, const char *, struct path *, unsigned int);
78 78
79extern struct dentry *lookup_one_len(const char *, struct dentry *, int); 79extern struct dentry *lookup_one_len(const char *, struct dentry *, int);
80extern struct dentry *lookup_one_len_unlocked(const char *, struct dentry *, int);
80 81
81extern int follow_down_one(struct path *); 82extern int follow_down_one(struct path *);
82extern int follow_down(struct path *); 83extern int follow_down(struct path *);
diff --git a/include/linux/string.h b/include/linux/string.h
index 9ef7795e65e4..9eebc66d957a 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -10,6 +10,7 @@
10 10
11extern char *strndup_user(const char __user *, long); 11extern char *strndup_user(const char __user *, long);
12extern void *memdup_user(const void __user *, size_t); 12extern void *memdup_user(const void __user *, size_t);
13extern void *memdup_user_nul(const void __user *, size_t);
13 14
14/* 15/*
15 * Include machine specific inline routines 16 * Include machine specific inline routines
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index dc6858d6639e..5faf89ac9ec0 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2047,9 +2047,8 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
2047 void *data) 2047 void *data)
2048{ 2048{
2049 int *i, vleft, first = 1, err = 0; 2049 int *i, vleft, first = 1, err = 0;
2050 unsigned long page = 0;
2051 size_t left; 2050 size_t left;
2052 char *kbuf; 2051 char *kbuf = NULL, *p;
2053 2052
2054 if (!tbl_data || !table->maxlen || !*lenp || (*ppos && !write)) { 2053 if (!tbl_data || !table->maxlen || !*lenp || (*ppos && !write)) {
2055 *lenp = 0; 2054 *lenp = 0;
@@ -2078,15 +2077,9 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
2078 2077
2079 if (left > PAGE_SIZE - 1) 2078 if (left > PAGE_SIZE - 1)
2080 left = PAGE_SIZE - 1; 2079 left = PAGE_SIZE - 1;
2081 page = __get_free_page(GFP_TEMPORARY); 2080 p = kbuf = memdup_user_nul(buffer, left);
2082 kbuf = (char *) page; 2081 if (IS_ERR(kbuf))
2083 if (!kbuf) 2082 return PTR_ERR(kbuf);
2084 return -ENOMEM;
2085 if (copy_from_user(kbuf, buffer, left)) {
2086 err = -EFAULT;
2087 goto free;
2088 }
2089 kbuf[left] = 0;
2090 } 2083 }
2091 2084
2092 for (; left && vleft--; i++, first=0) { 2085 for (; left && vleft--; i++, first=0) {
@@ -2094,11 +2087,11 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
2094 bool neg; 2087 bool neg;
2095 2088
2096 if (write) { 2089 if (write) {
2097 left -= proc_skip_spaces(&kbuf); 2090 left -= proc_skip_spaces(&p);
2098 2091
2099 if (!left) 2092 if (!left)
2100 break; 2093 break;
2101 err = proc_get_long(&kbuf, &left, &lval, &neg, 2094 err = proc_get_long(&p, &left, &lval, &neg,
2102 proc_wspace_sep, 2095 proc_wspace_sep,
2103 sizeof(proc_wspace_sep), NULL); 2096 sizeof(proc_wspace_sep), NULL);
2104 if (err) 2097 if (err)
@@ -2125,10 +2118,9 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
2125 if (!write && !first && left && !err) 2118 if (!write && !first && left && !err)
2126 err = proc_put_char(&buffer, &left, '\n'); 2119 err = proc_put_char(&buffer, &left, '\n');
2127 if (write && !err && left) 2120 if (write && !err && left)
2128 left -= proc_skip_spaces(&kbuf); 2121 left -= proc_skip_spaces(&p);
2129free:
2130 if (write) { 2122 if (write) {
2131 free_page(page); 2123 kfree(kbuf);
2132 if (first) 2124 if (first)
2133 return err ? : -EINVAL; 2125 return err ? : -EINVAL;
2134 } 2126 }
@@ -2310,9 +2302,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
2310{ 2302{
2311 unsigned long *i, *min, *max; 2303 unsigned long *i, *min, *max;
2312 int vleft, first = 1, err = 0; 2304 int vleft, first = 1, err = 0;
2313 unsigned long page = 0;
2314 size_t left; 2305 size_t left;
2315 char *kbuf; 2306 char *kbuf = NULL, *p;
2316 2307
2317 if (!data || !table->maxlen || !*lenp || (*ppos && !write)) { 2308 if (!data || !table->maxlen || !*lenp || (*ppos && !write)) {
2318 *lenp = 0; 2309 *lenp = 0;
@@ -2340,15 +2331,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
2340 2331
2341 if (left > PAGE_SIZE - 1) 2332 if (left > PAGE_SIZE - 1)
2342 left = PAGE_SIZE - 1; 2333 left = PAGE_SIZE - 1;
2343 page = __get_free_page(GFP_TEMPORARY); 2334 p = kbuf = memdup_user_nul(buffer, left);
2344 kbuf = (char *) page; 2335 if (IS_ERR(kbuf))
2345 if (!kbuf) 2336 return PTR_ERR(kbuf);
2346 return -ENOMEM;
2347 if (copy_from_user(kbuf, buffer, left)) {
2348 err = -EFAULT;
2349 goto free;
2350 }
2351 kbuf[left] = 0;
2352 } 2337 }
2353 2338
2354 for (; left && vleft--; i++, first = 0) { 2339 for (; left && vleft--; i++, first = 0) {
@@ -2357,9 +2342,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
2357 if (write) { 2342 if (write) {
2358 bool neg; 2343 bool neg;
2359 2344
2360 left -= proc_skip_spaces(&kbuf); 2345 left -= proc_skip_spaces(&p);
2361 2346
2362 err = proc_get_long(&kbuf, &left, &val, &neg, 2347 err = proc_get_long(&p, &left, &val, &neg,
2363 proc_wspace_sep, 2348 proc_wspace_sep,
2364 sizeof(proc_wspace_sep), NULL); 2349 sizeof(proc_wspace_sep), NULL);
2365 if (err) 2350 if (err)
@@ -2385,10 +2370,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
2385 if (!write && !first && left && !err) 2370 if (!write && !first && left && !err)
2386 err = proc_put_char(&buffer, &left, '\n'); 2371 err = proc_put_char(&buffer, &left, '\n');
2387 if (write && !err) 2372 if (write && !err)
2388 left -= proc_skip_spaces(&kbuf); 2373 left -= proc_skip_spaces(&p);
2389free:
2390 if (write) { 2374 if (write) {
2391 free_page(page); 2375 kfree(kbuf);
2392 if (first) 2376 if (first)
2393 return err ? : -EINVAL; 2377 return err ? : -EINVAL;
2394 } 2378 }
@@ -2650,34 +2634,27 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
2650 } 2634 }
2651 2635
2652 if (write) { 2636 if (write) {
2653 unsigned long page = 0; 2637 char *kbuf, *p;
2654 char *kbuf;
2655 2638
2656 if (left > PAGE_SIZE - 1) 2639 if (left > PAGE_SIZE - 1)
2657 left = PAGE_SIZE - 1; 2640 left = PAGE_SIZE - 1;
2658 2641
2659 page = __get_free_page(GFP_TEMPORARY); 2642 p = kbuf = memdup_user_nul(buffer, left);
2660 kbuf = (char *) page; 2643 if (IS_ERR(kbuf))
2661 if (!kbuf) 2644 return PTR_ERR(kbuf);
2662 return -ENOMEM;
2663 if (copy_from_user(kbuf, buffer, left)) {
2664 free_page(page);
2665 return -EFAULT;
2666 }
2667 kbuf[left] = 0;
2668 2645
2669 tmp_bitmap = kzalloc(BITS_TO_LONGS(bitmap_len) * sizeof(unsigned long), 2646 tmp_bitmap = kzalloc(BITS_TO_LONGS(bitmap_len) * sizeof(unsigned long),
2670 GFP_KERNEL); 2647 GFP_KERNEL);
2671 if (!tmp_bitmap) { 2648 if (!tmp_bitmap) {
2672 free_page(page); 2649 kfree(kbuf);
2673 return -ENOMEM; 2650 return -ENOMEM;
2674 } 2651 }
2675 proc_skip_char(&kbuf, &left, '\n'); 2652 proc_skip_char(&p, &left, '\n');
2676 while (!err && left) { 2653 while (!err && left) {
2677 unsigned long val_a, val_b; 2654 unsigned long val_a, val_b;
2678 bool neg; 2655 bool neg;
2679 2656
2680 err = proc_get_long(&kbuf, &left, &val_a, &neg, tr_a, 2657 err = proc_get_long(&p, &left, &val_a, &neg, tr_a,
2681 sizeof(tr_a), &c); 2658 sizeof(tr_a), &c);
2682 if (err) 2659 if (err)
2683 break; 2660 break;
@@ -2688,12 +2665,12 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
2688 2665
2689 val_b = val_a; 2666 val_b = val_a;
2690 if (left) { 2667 if (left) {
2691 kbuf++; 2668 p++;
2692 left--; 2669 left--;
2693 } 2670 }
2694 2671
2695 if (c == '-') { 2672 if (c == '-') {
2696 err = proc_get_long(&kbuf, &left, &val_b, 2673 err = proc_get_long(&p, &left, &val_b,
2697 &neg, tr_b, sizeof(tr_b), 2674 &neg, tr_b, sizeof(tr_b),
2698 &c); 2675 &c);
2699 if (err) 2676 if (err)
@@ -2704,16 +2681,16 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
2704 break; 2681 break;
2705 } 2682 }
2706 if (left) { 2683 if (left) {
2707 kbuf++; 2684 p++;
2708 left--; 2685 left--;
2709 } 2686 }
2710 } 2687 }
2711 2688
2712 bitmap_set(tmp_bitmap, val_a, val_b - val_a + 1); 2689 bitmap_set(tmp_bitmap, val_a, val_b - val_a + 1);
2713 first = 0; 2690 first = 0;
2714 proc_skip_char(&kbuf, &left, '\n'); 2691 proc_skip_char(&p, &left, '\n');
2715 } 2692 }
2716 free_page(page); 2693 kfree(kbuf);
2717 } else { 2694 } else {
2718 unsigned long bit_a, bit_b = 0; 2695 unsigned long bit_a, bit_b = 0;
2719 2696
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index a990824c8604..2aeb6ffc0a1e 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -349,16 +349,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
349 if (count >= BLK_TN_MAX_MSG) 349 if (count >= BLK_TN_MAX_MSG)
350 return -EINVAL; 350 return -EINVAL;
351 351
352 msg = kmalloc(count + 1, GFP_KERNEL); 352 msg = memdup_user_nul(buffer, count);
353 if (msg == NULL) 353 if (IS_ERR(msg))
354 return -ENOMEM; 354 return PTR_ERR(msg);
355
356 if (copy_from_user(msg, buffer, count)) {
357 kfree(msg);
358 return -EFAULT;
359 }
360 355
361 msg[count] = '\0';
362 bt = filp->private_data; 356 bt = filp->private_data;
363 __trace_note_message(bt, "%s", msg); 357 __trace_note_message(bt, "%s", msg);
364 kfree(msg); 358 kfree(msg);
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 4f6ef6912e00..f333e57c4614 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1340,15 +1340,9 @@ event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
1340 if (cnt >= PAGE_SIZE) 1340 if (cnt >= PAGE_SIZE)
1341 return -EINVAL; 1341 return -EINVAL;
1342 1342
1343 buf = (char *)__get_free_page(GFP_TEMPORARY); 1343 buf = memdup_user_nul(ubuf, cnt);
1344 if (!buf) 1344 if (IS_ERR(buf))
1345 return -ENOMEM; 1345 return PTR_ERR(buf);
1346
1347 if (copy_from_user(buf, ubuf, cnt)) {
1348 free_page((unsigned long) buf);
1349 return -EFAULT;
1350 }
1351 buf[cnt] = '\0';
1352 1346
1353 mutex_lock(&event_mutex); 1347 mutex_lock(&event_mutex);
1354 file = event_file_data(filp); 1348 file = event_file_data(filp);
@@ -1356,7 +1350,7 @@ event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
1356 err = apply_event_filter(file, buf); 1350 err = apply_event_filter(file, buf);
1357 mutex_unlock(&event_mutex); 1351 mutex_unlock(&event_mutex);
1358 1352
1359 free_page((unsigned long) buf); 1353 kfree(buf);
1360 if (err < 0) 1354 if (err < 0)
1361 return err; 1355 return err;
1362 1356
@@ -1507,18 +1501,12 @@ subsystem_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
1507 if (cnt >= PAGE_SIZE) 1501 if (cnt >= PAGE_SIZE)
1508 return -EINVAL; 1502 return -EINVAL;
1509 1503
1510 buf = (char *)__get_free_page(GFP_TEMPORARY); 1504 buf = memdup_user_nul(ubuf, cnt);
1511 if (!buf) 1505 if (IS_ERR(buf))
1512 return -ENOMEM; 1506 return PTR_ERR(buf);
1513
1514 if (copy_from_user(buf, ubuf, cnt)) {
1515 free_page((unsigned long) buf);
1516 return -EFAULT;
1517 }
1518 buf[cnt] = '\0';
1519 1507
1520 err = apply_subsystem_event_filter(dir, buf); 1508 err = apply_subsystem_event_filter(dir, buf);
1521 free_page((unsigned long) buf); 1509 kfree(buf);
1522 if (err < 0) 1510 if (err < 0)
1523 return err; 1511 return err;
1524 1512
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 42a4009fd75a..4b5e8ed68d77 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -237,28 +237,23 @@ static ssize_t event_trigger_regex_write(struct file *file,
237 if (cnt >= PAGE_SIZE) 237 if (cnt >= PAGE_SIZE)
238 return -EINVAL; 238 return -EINVAL;
239 239
240 buf = (char *)__get_free_page(GFP_TEMPORARY); 240 buf = memdup_user_nul(ubuf, cnt);
241 if (!buf) 241 if (IS_ERR(buf))
242 return -ENOMEM; 242 return PTR_ERR(buf);
243 243
244 if (copy_from_user(buf, ubuf, cnt)) {
245 free_page((unsigned long)buf);
246 return -EFAULT;
247 }
248 buf[cnt] = '\0';
249 strim(buf); 244 strim(buf);
250 245
251 mutex_lock(&event_mutex); 246 mutex_lock(&event_mutex);
252 event_file = event_file_data(file); 247 event_file = event_file_data(file);
253 if (unlikely(!event_file)) { 248 if (unlikely(!event_file)) {
254 mutex_unlock(&event_mutex); 249 mutex_unlock(&event_mutex);
255 free_page((unsigned long)buf); 250 kfree(buf);
256 return -ENODEV; 251 return -ENODEV;
257 } 252 }
258 ret = trigger_process_regex(event_file, buf); 253 ret = trigger_process_regex(event_file, buf);
259 mutex_unlock(&event_mutex); 254 mutex_unlock(&event_mutex);
260 255
261 free_page((unsigned long)buf); 256 kfree(buf);
262 if (ret < 0) 257 if (ret < 0)
263 goto out; 258 goto out;
264 259
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 88fefa68c516..9bafc211930c 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -602,8 +602,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
602 struct uid_gid_map new_map; 602 struct uid_gid_map new_map;
603 unsigned idx; 603 unsigned idx;
604 struct uid_gid_extent *extent = NULL; 604 struct uid_gid_extent *extent = NULL;
605 unsigned long page = 0; 605 char *kbuf = NULL, *pos, *next_line;
606 char *kbuf, *pos, *next_line;
607 ssize_t ret = -EINVAL; 606 ssize_t ret = -EINVAL;
608 607
609 /* 608 /*
@@ -638,23 +637,18 @@ static ssize_t map_write(struct file *file, const char __user *buf,
638 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN)) 637 if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
639 goto out; 638 goto out;
640 639
641 /* Get a buffer */
642 ret = -ENOMEM;
643 page = __get_free_page(GFP_TEMPORARY);
644 kbuf = (char *) page;
645 if (!page)
646 goto out;
647
648 /* Only allow < page size writes at the beginning of the file */ 640 /* Only allow < page size writes at the beginning of the file */
649 ret = -EINVAL; 641 ret = -EINVAL;
650 if ((*ppos != 0) || (count >= PAGE_SIZE)) 642 if ((*ppos != 0) || (count >= PAGE_SIZE))
651 goto out; 643 goto out;
652 644
653 /* Slurp in the user data */ 645 /* Slurp in the user data */
654 ret = -EFAULT; 646 kbuf = memdup_user_nul(buf, count);
655 if (copy_from_user(kbuf, buf, count)) 647 if (IS_ERR(kbuf)) {
648 ret = PTR_ERR(kbuf);
649 kbuf = NULL;
656 goto out; 650 goto out;
657 kbuf[count] = '\0'; 651 }
658 652
659 /* Parse the user data */ 653 /* Parse the user data */
660 ret = -EINVAL; 654 ret = -EINVAL;
@@ -756,8 +750,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
756 ret = count; 750 ret = count;
757out: 751out:
758 mutex_unlock(&userns_state_mutex); 752 mutex_unlock(&userns_state_mutex);
759 if (page) 753 kfree(kbuf);
760 free_page(page);
761 return ret; 754 return ret;
762} 755}
763 756
diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
index e3952e9c8ec0..fe42b6ec3f0c 100644
--- a/lib/dynamic_debug.c
+++ b/lib/dynamic_debug.c
@@ -657,14 +657,9 @@ static ssize_t ddebug_proc_write(struct file *file, const char __user *ubuf,
657 pr_warn("expected <%d bytes into control\n", USER_BUF_PAGE); 657 pr_warn("expected <%d bytes into control\n", USER_BUF_PAGE);
658 return -E2BIG; 658 return -E2BIG;
659 } 659 }
660 tmpbuf = kmalloc(len + 1, GFP_KERNEL); 660 tmpbuf = memdup_user_nul(ubuf, len);
661 if (!tmpbuf) 661 if (IS_ERR(tmpbuf))
662 return -ENOMEM; 662 return PTR_ERR(tmpbuf);
663 if (copy_from_user(tmpbuf, ubuf, len)) {
664 kfree(tmpbuf);
665 return -EFAULT;
666 }
667 tmpbuf[len] = '\0';
668 vpr_info("read %d bytes from userspace\n", (int)len); 663 vpr_info("read %d bytes from userspace\n", (int)len);
669 664
670 ret = ddebug_exec_queries(tmpbuf, NULL); 665 ret = ddebug_exec_queries(tmpbuf, NULL);
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index f9cee8e1233c..ac3f9476b776 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -31,6 +31,9 @@
31#include <linux/dcache.h> 31#include <linux/dcache.h>
32#include <linux/cred.h> 32#include <linux/cred.h>
33#include <net/addrconf.h> 33#include <net/addrconf.h>
34#ifdef CONFIG_BLOCK
35#include <linux/blkdev.h>
36#endif
34 37
35#include <asm/page.h> /* for PAGE_SIZE */ 38#include <asm/page.h> /* for PAGE_SIZE */
36#include <asm/sections.h> /* for dereference_function_descriptor() */ 39#include <asm/sections.h> /* for dereference_function_descriptor() */
@@ -613,6 +616,26 @@ char *dentry_name(char *buf, char *end, const struct dentry *d, struct printf_sp
613 return buf; 616 return buf;
614} 617}
615 618
619#ifdef CONFIG_BLOCK
620static noinline_for_stack
621char *bdev_name(char *buf, char *end, struct block_device *bdev,
622 struct printf_spec spec, const char *fmt)
623{
624 struct gendisk *hd = bdev->bd_disk;
625
626 buf = string(buf, end, hd->disk_name, spec);
627 if (bdev->bd_part->partno) {
628 if (isdigit(hd->disk_name[strlen(hd->disk_name)-1])) {
629 if (buf < end)
630 *buf = 'p';
631 buf++;
632 }
633 buf = number(buf, end, bdev->bd_part->partno, spec);
634 }
635 return buf;
636}
637#endif
638
616static noinline_for_stack 639static noinline_for_stack
617char *symbol_string(char *buf, char *end, void *ptr, 640char *symbol_string(char *buf, char *end, void *ptr,
618 struct printf_spec spec, const char *fmt) 641 struct printf_spec spec, const char *fmt)
@@ -1443,6 +1466,7 @@ int kptr_restrict __read_mostly;
1443 * (default assumed to be phys_addr_t, passed by reference) 1466 * (default assumed to be phys_addr_t, passed by reference)
1444 * - 'd[234]' For a dentry name (optionally 2-4 last components) 1467 * - 'd[234]' For a dentry name (optionally 2-4 last components)
1445 * - 'D[234]' Same as 'd' but for a struct file 1468 * - 'D[234]' Same as 'd' but for a struct file
1469 * - 'g' For block_device name (gendisk + partition number)
1446 * - 'C' For a clock, it prints the name (Common Clock Framework) or address 1470 * - 'C' For a clock, it prints the name (Common Clock Framework) or address
1447 * (legacy clock framework) of the clock 1471 * (legacy clock framework) of the clock
1448 * - 'Cn' For a clock, it prints the name (Common Clock Framework) or address 1472 * - 'Cn' For a clock, it prints the name (Common Clock Framework) or address
@@ -1600,6 +1624,11 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
1600 return dentry_name(buf, end, 1624 return dentry_name(buf, end,
1601 ((const struct file *)ptr)->f_path.dentry, 1625 ((const struct file *)ptr)->f_path.dentry,
1602 spec, fmt); 1626 spec, fmt);
1627#ifdef CONFIG_BLOCK
1628 case 'g':
1629 return bdev_name(buf, end, ptr, spec, fmt);
1630#endif
1631
1603 } 1632 }
1604 spec.flags |= SMALL; 1633 spec.flags |= SMALL;
1605 if (spec.field_width == -1) { 1634 if (spec.field_width == -1) {
diff --git a/mm/util.c b/mm/util.c
index 9af1c12b310c..2d28f7930043 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -176,6 +176,37 @@ char *strndup_user(const char __user *s, long n)
176} 176}
177EXPORT_SYMBOL(strndup_user); 177EXPORT_SYMBOL(strndup_user);
178 178
179/**
180 * memdup_user_nul - duplicate memory region from user space and NUL-terminate
181 *
182 * @src: source address in user space
183 * @len: number of bytes to copy
184 *
185 * Returns an ERR_PTR() on failure.
186 */
187void *memdup_user_nul(const void __user *src, size_t len)
188{
189 char *p;
190
191 /*
192 * Always use GFP_KERNEL, since copy_from_user() can sleep and
193 * cause pagefault, which makes it pointless to use GFP_NOFS
194 * or GFP_ATOMIC.
195 */
196 p = kmalloc_track_caller(len + 1, GFP_KERNEL);
197 if (!p)
198 return ERR_PTR(-ENOMEM);
199
200 if (copy_from_user(p, src, len)) {
201 kfree(p);
202 return ERR_PTR(-EFAULT);
203 }
204 p[len] = '\0';
205
206 return p;
207}
208EXPORT_SYMBOL(memdup_user_nul);
209
179void __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma, 210void __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma,
180 struct vm_area_struct *prev, struct rb_node *rb_parent) 211 struct vm_area_struct *prev, struct rb_node *rb_parent)
181{ 212{
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 6e70ddb158b4..199bc76202d2 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -105,7 +105,7 @@ static struct list_head virtio_chan_list;
105/* How many bytes left in this page. */ 105/* How many bytes left in this page. */
106static unsigned int rest_of_page(void *data) 106static unsigned int rest_of_page(void *data)
107{ 107{
108 return PAGE_SIZE - ((unsigned long)data % PAGE_SIZE); 108 return PAGE_SIZE - offset_in_page(data);
109} 109}
110 110
111/** 111/**
@@ -143,7 +143,6 @@ static void p9_virtio_close(struct p9_client *client)
143static void req_done(struct virtqueue *vq) 143static void req_done(struct virtqueue *vq)
144{ 144{
145 struct virtio_chan *chan = vq->vdev->priv; 145 struct virtio_chan *chan = vq->vdev->priv;
146 struct p9_fcall *rc;
147 unsigned int len; 146 unsigned int len;
148 struct p9_req_t *req; 147 struct p9_req_t *req;
149 unsigned long flags; 148 unsigned long flags;
@@ -152,8 +151,8 @@ static void req_done(struct virtqueue *vq)
152 151
153 while (1) { 152 while (1) {
154 spin_lock_irqsave(&chan->lock, flags); 153 spin_lock_irqsave(&chan->lock, flags);
155 rc = virtqueue_get_buf(chan->vq, &len); 154 req = virtqueue_get_buf(chan->vq, &len);
156 if (rc == NULL) { 155 if (req == NULL) {
157 spin_unlock_irqrestore(&chan->lock, flags); 156 spin_unlock_irqrestore(&chan->lock, flags);
158 break; 157 break;
159 } 158 }
@@ -161,9 +160,6 @@ static void req_done(struct virtqueue *vq)
161 spin_unlock_irqrestore(&chan->lock, flags); 160 spin_unlock_irqrestore(&chan->lock, flags);
162 /* Wakeup if anyone waiting for VirtIO ring space. */ 161 /* Wakeup if anyone waiting for VirtIO ring space. */
163 wake_up(chan->vc_wq); 162 wake_up(chan->vc_wq);
164 p9_debug(P9_DEBUG_TRANS, ": rc %p\n", rc);
165 p9_debug(P9_DEBUG_TRANS, ": lookup tag %d\n", rc->tag);
166 req = p9_tag_lookup(chan->client, rc->tag);
167 p9_client_cb(chan->client, req, REQ_STATUS_RCVD); 163 p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
168 } 164 }
169} 165}
@@ -284,7 +280,7 @@ req_retry:
284 if (in) 280 if (in)
285 sgs[out_sgs + in_sgs++] = chan->sg + out; 281 sgs[out_sgs + in_sgs++] = chan->sg + out;
286 282
287 err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req->tc, 283 err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req,
288 GFP_ATOMIC); 284 GFP_ATOMIC);
289 if (err < 0) { 285 if (err < 0) {
290 if (err == -ENOSPC) { 286 if (err == -ENOSPC) {
@@ -369,7 +365,7 @@ static int p9_get_mapped_pages(struct virtio_chan *chan,
369 return -ENOMEM; 365 return -ENOMEM;
370 366
371 *need_drop = 0; 367 *need_drop = 0;
372 p -= (*offs = (unsigned long)p % PAGE_SIZE); 368 p -= (*offs = offset_in_page(p));
373 for (index = 0; index < nr_pages; index++) { 369 for (index = 0; index < nr_pages; index++) {
374 if (is_vmalloc_addr(p)) 370 if (is_vmalloc_addr(p))
375 (*pages)[index] = vmalloc_to_page(p); 371 (*pages)[index] = vmalloc_to_page(p);
@@ -469,7 +465,7 @@ req_retry_pinned:
469 } 465 }
470 466
471 BUG_ON(out_sgs + in_sgs > ARRAY_SIZE(sgs)); 467 BUG_ON(out_sgs + in_sgs > ARRAY_SIZE(sgs));
472 err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req->tc, 468 err = virtqueue_add_sgs(chan->vq, sgs, out_sgs, in_sgs, req,
473 GFP_ATOMIC); 469 GFP_ATOMIC);
474 if (err < 0) { 470 if (err < 0) {
475 if (err == -ENOSPC) { 471 if (err == -ENOSPC) {
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
index da3cc09f683e..3f6571651d32 100644
--- a/net/rxrpc/ar-key.c
+++ b/net/rxrpc/ar-key.c
@@ -896,15 +896,9 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
896 if (optlen <= 0 || optlen > PAGE_SIZE - 1) 896 if (optlen <= 0 || optlen > PAGE_SIZE - 1)
897 return -EINVAL; 897 return -EINVAL;
898 898
899 description = kmalloc(optlen + 1, GFP_KERNEL); 899 description = memdup_user_nul(optval, optlen);
900 if (!description) 900 if (IS_ERR(description))
901 return -ENOMEM; 901 return PTR_ERR(description);
902
903 if (copy_from_user(description, optval, optlen)) {
904 kfree(description);
905 return -EFAULT;
906 }
907 description[optlen] = 0;
908 902
909 key = request_key(&key_type_rxrpc, description, NULL); 903 key = request_key(&key_type_rxrpc, description, NULL);
910 if (IS_ERR(key)) { 904 if (IS_ERR(key)) {
@@ -933,15 +927,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval,
933 if (optlen <= 0 || optlen > PAGE_SIZE - 1) 927 if (optlen <= 0 || optlen > PAGE_SIZE - 1)
934 return -EINVAL; 928 return -EINVAL;
935 929
936 description = kmalloc(optlen + 1, GFP_KERNEL); 930 description = memdup_user_nul(optval, optlen);
937 if (!description) 931 if (IS_ERR(description))
938 return -ENOMEM; 932 return PTR_ERR(description);
939
940 if (copy_from_user(description, optval, optlen)) {
941 kfree(description);
942 return -EFAULT;
943 }
944 description[optlen] = 0;
945 933
946 key = request_key(&key_type_keyring, description, NULL); 934 key = request_key(&key_type_keyring, description, NULL);
947 if (IS_ERR(key)) { 935 if (IS_ERR(key)) {
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 3d2f5b45c8cb..c2e3ccd4b510 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -234,12 +234,13 @@ int __init integrity_read_file(const char *path, char **data)
234 } 234 }
235 235
236 rc = integrity_kernel_read(file, 0, buf, size); 236 rc = integrity_kernel_read(file, 0, buf, size);
237 if (rc < 0) 237 if (rc == size) {
238 kfree(buf);
239 else if (rc != size)
240 rc = -EIO;
241 else
242 *data = buf; 238 *data = buf;
239 } else {
240 kfree(buf);
241 if (rc >= 0)
242 rc = -EIO;
243 }
243out: 244out:
244 fput(file); 245 fput(file);
245 return rc; 246 return rc;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c02da25d7b63..73c60baa90a4 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -147,23 +147,16 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
147 ssize_t length; 147 ssize_t length;
148 int new_value; 148 int new_value;
149 149
150 length = -ENOMEM;
151 if (count >= PAGE_SIZE) 150 if (count >= PAGE_SIZE)
152 goto out; 151 return -ENOMEM;
153 152
154 /* No partial writes. */ 153 /* No partial writes. */
155 length = -EINVAL;
156 if (*ppos != 0) 154 if (*ppos != 0)
157 goto out; 155 return -EINVAL;
158
159 length = -ENOMEM;
160 page = (char *)get_zeroed_page(GFP_KERNEL);
161 if (!page)
162 goto out;
163 156
164 length = -EFAULT; 157 page = memdup_user_nul(buf, count);
165 if (copy_from_user(page, buf, count)) 158 if (IS_ERR(page))
166 goto out; 159 return PTR_ERR(page);
167 160
168 length = -EINVAL; 161 length = -EINVAL;
169 if (sscanf(page, "%d", &new_value) != 1) 162 if (sscanf(page, "%d", &new_value) != 1)
@@ -186,7 +179,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
186 } 179 }
187 length = count; 180 length = count;
188out: 181out:
189 free_page((unsigned long) page); 182 kfree(page);
190 return length; 183 return length;
191} 184}
192#else 185#else
@@ -275,27 +268,20 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
275 size_t count, loff_t *ppos) 268 size_t count, loff_t *ppos)
276 269
277{ 270{
278 char *page = NULL; 271 char *page;
279 ssize_t length; 272 ssize_t length;
280 int new_value; 273 int new_value;
281 274
282 length = -ENOMEM;
283 if (count >= PAGE_SIZE) 275 if (count >= PAGE_SIZE)
284 goto out; 276 return -ENOMEM;
285 277
286 /* No partial writes. */ 278 /* No partial writes. */
287 length = -EINVAL;
288 if (*ppos != 0) 279 if (*ppos != 0)
289 goto out; 280 return -EINVAL;
290
291 length = -ENOMEM;
292 page = (char *)get_zeroed_page(GFP_KERNEL);
293 if (!page)
294 goto out;
295 281
296 length = -EFAULT; 282 page = memdup_user_nul(buf, count);
297 if (copy_from_user(page, buf, count)) 283 if (IS_ERR(page))
298 goto out; 284 return PTR_ERR(page);
299 285
300 length = -EINVAL; 286 length = -EINVAL;
301 if (sscanf(page, "%d", &new_value) != 1) 287 if (sscanf(page, "%d", &new_value) != 1)
@@ -313,7 +299,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
313 299
314 length = count; 300 length = count;
315out: 301out:
316 free_page((unsigned long) page); 302 kfree(page);
317 return length; 303 return length;
318} 304}
319#else 305#else
@@ -611,31 +597,24 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
611static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, 597static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
612 size_t count, loff_t *ppos) 598 size_t count, loff_t *ppos)
613{ 599{
614 char *page = NULL; 600 char *page;
615 ssize_t length; 601 ssize_t length;
616 unsigned int new_value; 602 unsigned int new_value;
617 603
618 length = task_has_security(current, SECURITY__SETCHECKREQPROT); 604 length = task_has_security(current, SECURITY__SETCHECKREQPROT);
619 if (length) 605 if (length)
620 goto out; 606 return length;
621 607
622 length = -ENOMEM;
623 if (count >= PAGE_SIZE) 608 if (count >= PAGE_SIZE)
624 goto out; 609 return -ENOMEM;
625 610
626 /* No partial writes. */ 611 /* No partial writes. */
627 length = -EINVAL;
628 if (*ppos != 0) 612 if (*ppos != 0)
629 goto out; 613 return -EINVAL;
630
631 length = -ENOMEM;
632 page = (char *)get_zeroed_page(GFP_KERNEL);
633 if (!page)
634 goto out;
635 614
636 length = -EFAULT; 615 page = memdup_user_nul(buf, count);
637 if (copy_from_user(page, buf, count)) 616 if (IS_ERR(page))
638 goto out; 617 return PTR_ERR(page);
639 618
640 length = -EINVAL; 619 length = -EINVAL;
641 if (sscanf(page, "%u", &new_value) != 1) 620 if (sscanf(page, "%u", &new_value) != 1)
@@ -644,7 +623,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
644 selinux_checkreqprot = new_value ? 1 : 0; 623 selinux_checkreqprot = new_value ? 1 : 0;
645 length = count; 624 length = count;
646out: 625out:
647 free_page((unsigned long) page); 626 kfree(page);
648 return length; 627 return length;
649} 628}
650static const struct file_operations sel_checkreqprot_ops = { 629static const struct file_operations sel_checkreqprot_ops = {
@@ -1100,14 +1079,12 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
1100 if (*ppos != 0) 1079 if (*ppos != 0)
1101 goto out; 1080 goto out;
1102 1081
1103 length = -ENOMEM; 1082 page = memdup_user_nul(buf, count);
1104 page = (char *)get_zeroed_page(GFP_KERNEL); 1083 if (IS_ERR(page)) {
1105 if (!page) 1084 length = PTR_ERR(page);
1106 goto out; 1085 page = NULL;
1107
1108 length = -EFAULT;
1109 if (copy_from_user(page, buf, count))
1110 goto out; 1086 goto out;
1087 }
1111 1088
1112 length = -EINVAL; 1089 length = -EINVAL;
1113 if (sscanf(page, "%d", &new_value) != 1) 1090 if (sscanf(page, "%d", &new_value) != 1)
@@ -1121,7 +1098,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
1121 1098
1122out: 1099out:
1123 mutex_unlock(&sel_mutex); 1100 mutex_unlock(&sel_mutex);
1124 free_page((unsigned long) page); 1101 kfree(page);
1125 return length; 1102 return length;
1126} 1103}
1127 1104
@@ -1154,14 +1131,12 @@ static ssize_t sel_commit_bools_write(struct file *filep,
1154 if (*ppos != 0) 1131 if (*ppos != 0)
1155 goto out; 1132 goto out;
1156 1133
1157 length = -ENOMEM; 1134 page = memdup_user_nul(buf, count);
1158 page = (char *)get_zeroed_page(GFP_KERNEL); 1135 if (IS_ERR(page)) {
1159 if (!page) 1136 length = PTR_ERR(page);
1160 goto out; 1137 page = NULL;
1161
1162 length = -EFAULT;
1163 if (copy_from_user(page, buf, count))
1164 goto out; 1138 goto out;
1139 }
1165 1140
1166 length = -EINVAL; 1141 length = -EINVAL;
1167 if (sscanf(page, "%d", &new_value) != 1) 1142 if (sscanf(page, "%d", &new_value) != 1)
@@ -1176,7 +1151,7 @@ static ssize_t sel_commit_bools_write(struct file *filep,
1176 1151
1177out: 1152out:
1178 mutex_unlock(&sel_mutex); 1153 mutex_unlock(&sel_mutex);
1179 free_page((unsigned long) page); 1154 kfree(page);
1180 return length; 1155 return length;
1181} 1156}
1182 1157
@@ -1292,31 +1267,24 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
1292 size_t count, loff_t *ppos) 1267 size_t count, loff_t *ppos)
1293 1268
1294{ 1269{
1295 char *page = NULL; 1270 char *page;
1296 ssize_t ret; 1271 ssize_t ret;
1297 int new_value; 1272 int new_value;
1298 1273
1299 ret = task_has_security(current, SECURITY__SETSECPARAM); 1274 ret = task_has_security(current, SECURITY__SETSECPARAM);
1300 if (ret) 1275 if (ret)
1301 goto out; 1276 return ret;
1302 1277
1303 ret = -ENOMEM;
1304 if (count >= PAGE_SIZE) 1278 if (count >= PAGE_SIZE)
1305 goto out; 1279 return -ENOMEM;
1306 1280
1307 /* No partial writes. */ 1281 /* No partial writes. */
1308 ret = -EINVAL;
1309 if (*ppos != 0) 1282 if (*ppos != 0)
1310 goto out; 1283 return -EINVAL;
1311
1312 ret = -ENOMEM;
1313 page = (char *)get_zeroed_page(GFP_KERNEL);
1314 if (!page)
1315 goto out;
1316 1284
1317 ret = -EFAULT; 1285 page = memdup_user_nul(buf, count);
1318 if (copy_from_user(page, buf, count)) 1286 if (IS_ERR(page))
1319 goto out; 1287 return PTR_ERR(page);
1320 1288
1321 ret = -EINVAL; 1289 ret = -EINVAL;
1322 if (sscanf(page, "%u", &new_value) != 1) 1290 if (sscanf(page, "%u", &new_value) != 1)
@@ -1326,7 +1294,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
1326 1294
1327 ret = count; 1295 ret = count;
1328out: 1296out:
1329 free_page((unsigned long)page); 1297 kfree(page);
1330 return ret; 1298 return ret;
1331} 1299}
1332 1300
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 94bd9e41c9ec..e249a66db533 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -497,14 +497,9 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
497 } 497 }
498 } 498 }
499 499
500 data = kmalloc(count + 1, GFP_KERNEL); 500 data = memdup_user_nul(buf, count);
501 if (data == NULL) 501 if (IS_ERR(data))
502 return -ENOMEM; 502 return PTR_ERR(data);
503
504 if (copy_from_user(data, buf, count) != 0) {
505 rc = -EFAULT;
506 goto out;
507 }
508 503
509 /* 504 /*
510 * In case of parsing only part of user buf, 505 * In case of parsing only part of user buf,
@@ -884,16 +879,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
884 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) 879 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
885 return -EINVAL; 880 return -EINVAL;
886 881
887 data = kzalloc(count + 1, GFP_KERNEL); 882 data = memdup_user_nul(buf, count);
888 if (data == NULL) 883 if (IS_ERR(data))
889 return -ENOMEM; 884 return PTR_ERR(data);
890
891 if (copy_from_user(data, buf, count) != 0) {
892 rc = -EFAULT;
893 goto unlockedout;
894 }
895 885
896 data[count] = '\0';
897 rule = data; 886 rule = data;
898 /* 887 /*
899 * Only allow one writer at a time. Writes should be 888 * Only allow one writer at a time. Writes should be
@@ -946,7 +935,6 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
946 935
947out: 936out:
948 mutex_unlock(&smack_cipso_lock); 937 mutex_unlock(&smack_cipso_lock);
949unlockedout:
950 kfree(data); 938 kfree(data);
951 return rc; 939 return rc;
952} 940}
@@ -1187,14 +1175,9 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
1187 if (count < SMK_NETLBLADDRMIN) 1175 if (count < SMK_NETLBLADDRMIN)
1188 return -EINVAL; 1176 return -EINVAL;
1189 1177
1190 data = kzalloc(count + 1, GFP_KERNEL); 1178 data = memdup_user_nul(buf, count);
1191 if (data == NULL) 1179 if (IS_ERR(data))
1192 return -ENOMEM; 1180 return PTR_ERR(data);
1193
1194 if (copy_from_user(data, buf, count) != 0) {
1195 rc = -EFAULT;
1196 goto free_data_out;
1197 }
1198 1181
1199 smack = kzalloc(count + 1, GFP_KERNEL); 1182 smack = kzalloc(count + 1, GFP_KERNEL);
1200 if (smack == NULL) { 1183 if (smack == NULL) {
@@ -1202,8 +1185,6 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
1202 goto free_data_out; 1185 goto free_data_out;
1203 } 1186 }
1204 1187
1205 data[count] = '\0';
1206
1207 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s", 1188 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
1208 &host[0], &host[1], &host[2], &host[3], &masks, smack); 1189 &host[0], &host[1], &host[2], &host[3], &masks, smack);
1209 if (rc != 6) { 1190 if (rc != 6) {
@@ -1454,14 +1435,9 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
1454 if (count < SMK_NETLBLADDRMIN) 1435 if (count < SMK_NETLBLADDRMIN)
1455 return -EINVAL; 1436 return -EINVAL;
1456 1437
1457 data = kzalloc(count + 1, GFP_KERNEL); 1438 data = memdup_user_nul(buf, count);
1458 if (data == NULL) 1439 if (IS_ERR(data))
1459 return -ENOMEM; 1440 return PTR_ERR(data);
1460
1461 if (copy_from_user(data, buf, count) != 0) {
1462 rc = -EFAULT;
1463 goto free_data_out;
1464 }
1465 1441
1466 smack = kzalloc(count + 1, GFP_KERNEL); 1442 smack = kzalloc(count + 1, GFP_KERNEL);
1467 if (smack == NULL) { 1443 if (smack == NULL) {
@@ -1469,8 +1445,6 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
1469 goto free_data_out; 1445 goto free_data_out;
1470 } 1446 }
1471 1447
1472 data[count] = '\0';
1473
1474 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s", 1448 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s",
1475 &scanned[0], &scanned[1], &scanned[2], &scanned[3], 1449 &scanned[0], &scanned[1], &scanned[2], &scanned[3],
1476 &scanned[4], &scanned[5], &scanned[6], &scanned[7], 1450 &scanned[4], &scanned[5], &scanned[6], &scanned[7],
@@ -1865,14 +1839,9 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1865 if (!smack_privileged(CAP_MAC_ADMIN)) 1839 if (!smack_privileged(CAP_MAC_ADMIN))
1866 return -EPERM; 1840 return -EPERM;
1867 1841
1868 data = kzalloc(count + 1, GFP_KERNEL); 1842 data = memdup_user_nul(buf, count);
1869 if (data == NULL) 1843 if (IS_ERR(data))
1870 return -ENOMEM; 1844 return PTR_ERR(data);
1871
1872 if (copy_from_user(data, buf, count) != 0) {
1873 rc = -EFAULT;
1874 goto out;
1875 }
1876 1845
1877 skp = smk_import_entry(data, count); 1846 skp = smk_import_entry(data, count);
1878 if (IS_ERR(skp)) { 1847 if (IS_ERR(skp)) {
@@ -2041,14 +2010,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
2041 if (!smack_privileged(CAP_MAC_ADMIN)) 2010 if (!smack_privileged(CAP_MAC_ADMIN))
2042 return -EPERM; 2011 return -EPERM;
2043 2012
2044 data = kzalloc(count + 1, GFP_KERNEL); 2013 data = memdup_user_nul(buf, count);
2045 if (data == NULL) 2014 if (IS_ERR(data))
2046 return -ENOMEM; 2015 return PTR_ERR(data);
2047
2048 if (copy_from_user(data, buf, count) != 0) {
2049 kfree(data);
2050 return -EFAULT;
2051 }
2052 2016
2053 rc = smk_parse_label_list(data, &list_tmp); 2017 rc = smk_parse_label_list(data, &list_tmp);
2054 kfree(data); 2018 kfree(data);
@@ -2133,14 +2097,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
2133 if (!smack_privileged(CAP_MAC_ADMIN)) 2097 if (!smack_privileged(CAP_MAC_ADMIN))
2134 return -EPERM; 2098 return -EPERM;
2135 2099
2136 data = kzalloc(count + 1, GFP_KERNEL); 2100 data = memdup_user_nul(buf, count);
2137 if (data == NULL) 2101 if (IS_ERR(data))
2138 return -ENOMEM; 2102 return PTR_ERR(data);
2139
2140 if (copy_from_user(data, buf, count) != 0) {
2141 rc = -EFAULT;
2142 goto freeout;
2143 }
2144 2103
2145 /* 2104 /*
2146 * Clear the smack_unconfined on invalid label errors. This means 2105 * Clear the smack_unconfined on invalid label errors. This means
@@ -2696,19 +2655,15 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
2696 if (!smack_privileged(CAP_MAC_ADMIN)) 2655 if (!smack_privileged(CAP_MAC_ADMIN))
2697 return -EPERM; 2656 return -EPERM;
2698 2657
2699 data = kzalloc(count + 1, GFP_KERNEL); 2658 data = memdup_user_nul(buf, count);
2700 if (data == NULL) 2659 if (IS_ERR(data))
2701 return -ENOMEM; 2660 return PTR_ERR(data);
2702 2661
2703 if (copy_from_user(data, buf, count) != 0) 2662 skp = smk_import_entry(data, count);
2704 rc = -EFAULT; 2663 if (IS_ERR(skp))
2705 else { 2664 rc = PTR_ERR(skp);
2706 skp = smk_import_entry(data, count); 2665 else
2707 if (IS_ERR(skp)) 2666 smack_syslog_label = skp;
2708 rc = PTR_ERR(skp);
2709 else
2710 smack_syslog_label = skp;
2711 }
2712 2667
2713 kfree(data); 2668 kfree(data);
2714 return rc; 2669 return rc;
@@ -2798,14 +2753,9 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
2798 if (*ppos != 0) 2753 if (*ppos != 0)
2799 return -EINVAL; 2754 return -EINVAL;
2800 2755
2801 data = kzalloc(count + 1, GFP_KERNEL); 2756 data = memdup_user_nul(buf, count);
2802 if (data == NULL) 2757 if (IS_ERR(data))
2803 return -ENOMEM; 2758 return PTR_ERR(data);
2804
2805 if (copy_from_user(data, buf, count) != 0) {
2806 kfree(data);
2807 return -EFAULT;
2808 }
2809 2759
2810 rc = smk_parse_label_list(data, &list_tmp); 2760 rc = smk_parse_label_list(data, &list_tmp);
2811 kfree(data); 2761 kfree(data);
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 179a955b319d..06ab41b1ff28 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -43,13 +43,9 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
43 int error; 43 int error;
44 if (!count || count >= TOMOYO_EXEC_TMPSIZE - 10) 44 if (!count || count >= TOMOYO_EXEC_TMPSIZE - 10)
45 return -ENOMEM; 45 return -ENOMEM;
46 data = kzalloc(count + 1, GFP_NOFS); 46 data = memdup_user_nul(buf, count);
47 if (!data) 47 if (IS_ERR(data))
48 return -ENOMEM; 48 return PTR_ERR(data);
49 if (copy_from_user(data, buf, count)) {
50 error = -EFAULT;
51 goto out;
52 }
53 tomoyo_normalize_line(data); 49 tomoyo_normalize_line(data);
54 if (tomoyo_correct_domain(data)) { 50 if (tomoyo_correct_domain(data)) {
55 const int idx = tomoyo_read_lock(); 51 const int idx = tomoyo_read_lock();
@@ -87,7 +83,6 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
87 tomoyo_read_unlock(idx); 83 tomoyo_read_unlock(idx);
88 } else 84 } else
89 error = -EINVAL; 85 error = -EINVAL;
90out:
91 kfree(data); 86 kfree(data);
92 return error ? error : count; 87 return error ? error : count;
93} 88}
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-25 12:23:08 -0400