Acked-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

This replaces all code in fs/compat_ioctl.c that translated
ioctl arguments into a in-kernel structure, then performed
do_ioctl under set_fs(KERNEL_DS), with code that allocates
data on the user stack and can call the VFS ioctl handler
under USER_DS.

This is done as a hardening measure because the caller
does not know what kind of ioctl handler will be invoked,
only that no corresponding compat_ioctl handler exists and
what the ioctl command number is. The accidental
invocation of an unlocked_ioctl handler that unexpectedly
calls copy_to_user could be a severe security issue.
Signed-off-by: NJann Horn <jann@thejh.net>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

In code in fs/compat_ioctl.c that translates ioctl arguments
into a in-kernel structure, then performs sys_ioctl, possibly
under set_fs(KERNEL_DS), this commit changes the sys_ioctl
calls to do_ioctl calls. do_ioctl is a new function that does
the same thing as sys_ioctl, but doesn't look up the fd again.

This change is made to avoid (potential) security issues
because of ioctl handlers that accept one of the ioctl
commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
This can happen for multiple reasons:

 - The ioctl command number could be reused.
 - The ioctl handler might not check the full ioctl
   command. This is e.g. true for drm_ioctl.
 - The ioctl handler is very special, e.g. cuse_file_ioctl

The real issue is that set_fs(KERNEL_DS) is used here,
but that's fixed in a separate commit
"compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".

This change mitigates potential security issues by
preventing a race that permits invocation of
unlocked_ioctl handlers under KERNEL_DS through compat
code even if a corresponding compat_ioctl handler exists.

So far, no way has been identified to use this to damage
kernel memory without having CAP_SYS_ADMIN in the init ns
(with the capability, doing reads/writes at arbitrary
kernel addresses should be easy through CUSE's ioctl
handler with FUSE_IOCTL_UNRESTRICTED set).

[AV: two missed sys_ioctl() taken care of]
Signed-off-by: NJann Horn <jann@thejh.net>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NDmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

This allow to directly print block_device name.
Currently one should use bdevname() with temporal char buffer.
This is very ineffective because bloat stack usage for deep IO call-traces

Example:
	%pg  ->    sda, sda1 or loop0p1

[AV: fixed a minor braino - position updates should not be dependent
upon having reached the of buffer]
Signed-off-by: NDmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

gendisk with part==0 is obviously gendisk->disk_name.
Signed-off-by: NDmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Number of fds is already known based on passed list.

No functional changes.
Signed-off-by: NMateusz Guzik <mguzik@redhat.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

[folded a fix by Dan Carpenter]
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

... rather than play with __get_free_pages() (and figuring out the
allocation order, etc.)
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

get_zeroed_page does alloc_page and returns page_address of the result;
subsequent virt_to_page will recover the page, but since the caller
needs both page and its page_address() anyway, why bother going through
that wrapper at all?
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

... so virt_to_phys(p) & (PAGE_SIZE - 1) is a very odd way to
spell offset_in_page(p).
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

let it just return NULL, pointer to kernel copy or ERR_PTR().
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

When __get_user64() had been removed, its helper (__get_user64_nocheck)
got missed.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

they hadn't been used in last 15 years...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

all we do to buffer is strncmp()...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

again, it only parses the contents of the copied buffer, so
get_zeroed_page() might as well had been kmalloc(), which makes
it open-coded memdup_user_nul()
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Nothing in there gives a damn about the buffer alignment - it
just parses its contents.  So the use of get_zeroed_page()
doesn't buy us anything - might as well had been kmalloc(),
which makes that code equivalent to open-coded memdup_user_nul()
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

A _lot_ of ->write() instances were open-coding it; some are
converted to memdup_user_nul(), a lot more remain...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Similar to memdup_user(), except that allocated buffer is one byte
longer and '\0' is stored after the copied data.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Pull MIPS build fix from Ralf Baechle:
 "Fix a makefile issue resulting in build breakage with older binutils.

  This has sat in -next for a few days, testers and buildbot are happy
  with it, too though if you are going for another -rc that'd certainly
  help ironing out a few more issues"

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: VDSO: Fix build error with binutils 2.24 and earlier

Pull i915 drm fixes from Jani Nikula:
 "Two display fixes still for v4.4.

  The new year's resolution is to start using signed tags per Linus'
  request.  This one is still unsigned; I want to fix this up in our
  maintainer scripts instead of doing it one-off"

* tag 'drm-intel-fixes-2016-01-02' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: increase the tries for HDMI hotplug live status checking
  drm/i915: Unbreak check_digital_port_conflicts()

Pull PCI bugfix from Bjorn Helgaas:
 "Here's another fix for v4.4.

  This fixes 32-bit config reads for the HiSilicon driver.  Obviously
  the driver is completely broken without this fix (apparently it
  actually was tested internally, but got broken somehow in the process
  of upstreaming it).

  Summary:

  HiSilicon host bridge driver
    Fix 32-bit config reads (Dongdong Liu)"

* tag 'pci-v4.4-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: hisi: Fix hisi_pcie_cfg_read() 32-bit reads