Openwrt-EcoNet/kernel-49
1
0
Fork 0
Code Activity
Files
kernel-49/lib/strnlen_user.c
Greg Kroah-Hartman 47d7734823 Merge 4.9.180 into android-4.9 
Changes in 4.9.180
	ext4: do not delete unlinked inode from orphan list on failed truncate
	KVM: x86: fix return value for reserved EFER
	bio: fix improper use of smp_mb__before_atomic()
	Revert "scsi: sd: Keep disk read-only when re-reading partition"
	crypto: vmx - CTR: always increment IV as quadword
	kvm: svm/avic: fix off-by-one in checking host APIC ID
	libnvdimm/namespace: Fix label tracking error
	arm64: Save and restore OSDLR_EL1 across suspend/resume
	gfs2: Fix sign extension bug in gfs2_update_stats
	Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path
	Btrfs: fix race between ranged fsync and writeback of adjacent ranges
	btrfs: sysfs: don't leak memory when failing add fsid
	fbdev: fix divide error in fb_var_to_videomode
	hugetlb: use same fault hash key for shared and private mappings
	fbdev: fix WARNING in __alloc_pages_nodemask bug
	media: cpia2: Fix use-after-free in cpia2_exit
	media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
	ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
	at76c50x-usb: Don't register led_trigger if usb_register_driver failed
	perf tools: No need to include bitops.h in util.h
	tools include: Adopt linux/bits.h
	Revert "btrfs: Honour FITRIM range constraints during free space trim"
	gfs2: Fix lru_count going negative
	cxgb4: Fix error path in cxgb4_init_module
	mmc: core: Verify SD bus width
	dmaengine: tegra210-dma: free dma controller in remove()
	net: ena: gcc 8: fix compilation warning
	ASoC: hdmi-codec: unlock the device on startup errors
	powerpc/boot: Fix missing check of lseek() return value
	ASoC: imx: fix fiq dependencies
	spi: pxa2xx: fix SCR (divisor) calculation
	brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
	ARM: vdso: Remove dependency with the arch_timer driver internals
	arm64: Fix compiler warning from pte_unmap() with -Wunused-but-set-variable
	sched/cpufreq: Fix kobject memleak
	scsi: qla2xxx: Fix a qla24xx_enable_msix() error path
	iwlwifi: pcie: don't crash on invalid RX interrupt
	rtc: 88pm860x: prevent use-after-free on device remove
	w1: fix the resume command API
	dmaengine: pl330: _stop: clear interrupt status
	mac80211/cfg80211: update bss channel on channel switch
	ASoC: fsl_sai: Update is_slave_mode with correct value
	mwifiex: prevent an array overflow
	net: cw1200: fix a NULL pointer dereference
	crypto: sun4i-ss - Fix invalid calculation of hash end
	bcache: return error immediately in bch_journal_replay()
	bcache: fix failure in journal relplay
	bcache: add failure check to run_cache_set() for journal replay
	bcache: avoid clang -Wunintialized warning
	x86/build: Move _etext to actual end of .text
	smpboot: Place the __percpu annotation correctly
	x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
	mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
	HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
	pinctrl: pistachio: fix leaked of_node references
	dmaengine: at_xdmac: remove BUG_ON macro in tasklet
	media: coda: clear error return value before picture run
	media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
	media: au0828: stop video streaming only when last user stops
	media: ov2659: make S_FMT succeed even if requested format doesn't match
	audit: fix a memory leak bug
	media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
	media: pvrusb2: Prevent a buffer overflow
	powerpc/numa: improve control of topology updates
	sched/core: Check quota and period overflow at usec to nsec conversion
	sched/core: Handle overflow in cpu_shares_write_u64
	USB: core: Don't unbind interfaces following device reset failure
	x86/irq/64: Limit IST stack overflow check to #DB stack
	i40e: don't allow changes to HW VLAN stripping on active port VLANs
	arm64: vdso: Fix clock_getres() for CLOCK_REALTIME
	RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
	hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
	hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
	hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
	hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
	hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
	scsi: libsas: Do discovery on empty PHY to update PHY info
	mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers
	mmc_spi: add a status check for spi_sync_locked
	mmc: sdhci-of-esdhc: add erratum eSDHC5 support
	mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
	PM / core: Propagate dev->power.wakeup_path when no callbacks
	extcon: arizona: Disable mic detect if running when driver is removed
	s390: cio: fix cio_irb declaration
	cpufreq: ppc_cbe: fix possible object reference leak
	cpufreq/pasemi: fix possible object reference leak
	cpufreq: pmac32: fix possible object reference leak
	x86/build: Keep local relocations with ld.lld
	iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
	iio: hmc5843: fix potential NULL pointer dereferences
	iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
	rtlwifi: fix a potential NULL pointer dereference
	mwifiex: Fix mem leak in mwifiex_tm_cmd
	brcmfmac: fix missing checks for kmemdup
	b43: shut up clang -Wuninitialized variable warning
	brcmfmac: convert dev_init_lock mutex to completion
	brcmfmac: fix race during disconnect when USB completion is in progress
	brcmfmac: fix Oops when bringing up interface during USB disconnect
	scsi: ufs: Fix regulator load and icc-level configuration
	scsi: ufs: Avoid configuring regulator with undefined voltage range
	arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
	x86/uaccess, signal: Fix AC=1 bloat
	x86/ia32: Fix ia32_restore_sigcontext() AC leak
	chardev: add additional check for minor range overlap
	HID: core: move Usage Page concatenation to Main item
	ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
	ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
	cxgb3/l2t: Fix undefined behaviour
	spi: tegra114: reset controller on probe
	media: wl128x: prevent two potential buffer overflows
	virtio_console: initialize vtermno value for ports
	tty: ipwireless: fix missing checks for ioremap
	x86/mce: Fix machine_check_poll() tests for error types
	rcutorture: Fix cleanup path for invalid torture_type strings
	rcuperf: Fix cleanup path for invalid perf_type strings
	usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
	scsi: qla4xxx: avoid freeing unallocated dma memory
	dmaengine: tegra210-adma: use devm_clk_*() helpers
	media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
	media: go7007: avoid clang frame overflow warning with KASAN
	scsi: lpfc: Fix FDMI manufacturer attribute value
	media: saa7146: avoid high stack usage with clang
	scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
	spi : spi-topcliff-pch: Fix to handle empty DMA buffers
	spi: rspi: Fix sequencer reset during initialization
	spi: Fix zero length xfer bug
	ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
	drm: Wake up next in drm_read() chain if we are forced to putback the event
	Linux 4.9.180

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-06-10 13:09:45 +03:00

158 lines
4.3 KiB
C
Raw Permalink Blame History

#include <linux/kernel.h>
#include <linux/export.h>
#include <linux/uaccess.h>
#include <asm/word-at-a-time.h>
/* Set bits in the first 'n' bytes when loaded from memory */
#ifdef __LITTLE_ENDIAN
# define aligned_byte_mask(n) ((1ul << 8*(n))-1)
#else
# define aligned_byte_mask(n) (~0xfful << (BITS_PER_LONG - 8 - 8*(n)))
#endif
/*
* Do a strnlen, return length of string *with* final '\0'.
* 'count' is the user-supplied count, while 'max' is the
* address space maximum.
*
* Return 0 for exceptions (which includes hitting the address
* space maximum), or 'count+1' if hitting the user-supplied
* maximum count.
*
* NOTE! We can sometimes overshoot the user-supplied maximum
* if it fits in a aligned 'long'. The caller needs to check
* the return value against "> max".
*/
static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
{
const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
unsigned long align, res = 0;
unsigned long c;
/*
* Truncate 'max' to the user-specified limit, so that
* we only have one limit we need to check in the loop
*/
if (max > count)
max = count;
/*
* Do everything aligned. But that means that we
* need to also expand the maximum..
*/
align = (sizeof(unsigned long) - 1) & (unsigned long)src;
src -= align;
max += align;
unsafe_get_user(c, (unsigned long __user *)src, efault);
c |= aligned_byte_mask(align);
for (;;) {
unsigned long data;
if (has_zero(c, &data, &constants)) {
data = prep_zero_mask(c, data, &constants);
data = create_zero_mask(data);
return res + find_zero(data) + 1 - align;
}
res += sizeof(unsigned long);
/* We already handled 'unsigned long' bytes. Did we do it all ? */
if (unlikely(max <= sizeof(unsigned long)))
break;
max -= sizeof(unsigned long);
unsafe_get_user(c, (unsigned long __user *)(src+res), efault);
}
res -= align;
/*
* Uhhuh. We hit 'max'. But was that the user-specified maximum
* too? If so, return the marker for "too long".
*/
if (res >= count)
return count+1;
/*
* Nope: we hit the address space limit, and we still had more
* characters the caller would have wanted. That's 0.
*/
efault:
return 0;
}
/**
* strnlen_user: - Get the size of a user string INCLUDING final NUL.
* @str: The string to measure.
* @count: Maximum count (including NUL character)
*
* Context: User context only. This function may sleep if pagefaults are
* enabled.
*
* Get the size of a NUL-terminated string in user space.
*
* Returns the size of the string INCLUDING the terminating NUL.
* If the string is too long, returns a number larger than @count. User
* has to check the return value against "> count".
* On exception (or invalid count), returns 0.
*
* NOTE! You should basically never use this function. There is
* almost never any valid case for using the length of a user space
* string, since the string can be changed at any time by other
* threads. Use "strncpy_from_user()" instead to get a stable copy
* of the string.
*/
long strnlen_user(const char __user *str, long count)
{
unsigned long max_addr, src_addr;
if (unlikely(count <= 0))
return 0;
max_addr = user_addr_max();
src_addr = (unsigned long)str;
if (likely(src_addr < max_addr)) {
unsigned long max = max_addr - src_addr;
long retval;
user_access_begin();
retval = do_strnlen_user(str, count, max);
user_access_end();
return retval;
}
return 0;
}
EXPORT_SYMBOL(strnlen_user);
/**
* strlen_user: - Get the size of a user string INCLUDING final NUL.
* @str: The string to measure.
*
* Context: User context only. This function may sleep if pagefaults are
* enabled.
*
* Get the size of a NUL-terminated string in user space.
*
* Returns the size of the string INCLUDING the terminating NUL.
* On exception, returns 0.
*
* If there is a limit on the length of a valid string, you may wish to
* consider using strnlen_user() instead.
*/
long strlen_user(const char __user *str)
{
unsigned long max_addr, src_addr;
max_addr = user_addr_max();
src_addr = (unsigned long)str;
if (likely(src_addr < max_addr)) {
unsigned long max = max_addr - src_addr;
long retval;
user_access_begin();
retval = do_strnlen_user(str, ~0ul, max);
user_access_end();
return retval;
}
return 0;
}
EXPORT_SYMBOL(strlen_user);
View Git Blame Copy Permalink