Merge tag 'lsk-v4.4-17.05-android' of git://git.linaro.org/kernel/linux-linaro-stable.git

LSK 17.05 v4.4-android

* tag 'lsk-v4.4-17.05-android': (266 commits)
  BACKPORT: mm/slab: clean up DEBUG_PAGEALLOC processing code
  Linux 4.4.70
  UPSTREAM: arm64: hibernate: Support DEBUG_PAGEALLOC
  BACKPORT: arm64: vmlinux.ld: Add mmuoff data sections and move mmuoff text into idmap
  BACKPORT: arm64: Create sections.h
  ANDROID: uid_sys_stats: defer io stats calulation for dead tasks
  ANDROID: AVB: Fix linter errors.
  ANDROID: AVB: Fix invalidate_vbmeta_submit().
  drivers: char: mem: Check for address space wraparound with mmap()
  nfsd: encoders mustn't use unitialized values in error cases
  drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
  PCI: Freeze PME scan before suspending devices
  PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
  tracing/kprobes: Enforce kprobes teardown after testing
  osf_wait4(): fix infoleak
  genirq: Fix chained interrupt data ordering
  uwb: fix device quirk on big-endian hosts
  metag/uaccess: Check access_ok in strncpy_from_user
  metag/uaccess: Fix access_ok()
  iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings
  ...

1 files changed, 31 insertions, 18 deletions

diff --git a/arch/metag/include/asm/uaccess.h b/arch/metag/include/asm/uaccess.h
index 07238b39638c..3db381205928 100644
--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -28,24 +28,32 @@
 
 #define segment_eq(a, b)	((a).seg == (b).seg)
 
-#define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
-/*
- * Explicitly allow NULL pointers here. Parts of the kernel such
- * as readv/writev use access_ok to validate pointers, but want
- * to allow NULL pointers for various reasons. NULL pointers are
- * safe to allow through because the first page is not mappable on
- * Meta.
- *
- * We also wish to avoid letting user code access the system area
- * and the kernel half of the address space.
- */
-#define __user_bad(addr, size) (((addr) > 0 && (addr) < META_MEMORY_BASE) || \
-				((addr) > PAGE_OFFSET &&		\
-				 (addr) < LINCORE_BASE))
-
 static inline int __access_ok(unsigned long addr, unsigned long size)
 {
-	return __kernel_ok || !__user_bad(addr, size);
+	/*
+	 * Allow access to the user mapped memory area, but not the system area
+	 * before it. The check extends to the top of the address space when
+	 * kernel access is allowed (there's no real reason to user copy to the
+	 * system area in any case).
+	 */
+	if (likely(addr >= META_MEMORY_BASE && addr < get_fs().seg &&
+		   size <= get_fs().seg - addr))
+		return true;
+	/*
+	 * Explicitly allow NULL pointers here. Parts of the kernel such
+	 * as readv/writev use access_ok to validate pointers, but want
+	 * to allow NULL pointers for various reasons. NULL pointers are
+	 * safe to allow through because the first page is not mappable on
+	 * Meta.
+	 */
+	if (!addr)
+		return true;
+	/* Allow access to core code memory area... */
+	if (addr >= LINCORE_CODE_BASE && addr <= LINCORE_CODE_LIMIT &&
+	    size <= LINCORE_CODE_LIMIT + 1 - addr)
+		return true;
+	/* ... but no other areas. */
+	return false;
 }
 
 #define access_ok(type, addr, size) __access_ok((unsigned long)(addr),	\
@@ -186,8 +194,13 @@ do {                                                            \
 extern long __must_check __strncpy_from_user(char *dst, const char __user *src,
 					     long count);
 
-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count)
-
+static inline long
+strncpy_from_user(char *dst, const char __user *src, long count)
+{
+	if (!access_ok(VERIFY_READ, src, 1))
+		return -EFAULT;
+	return __strncpy_from_user(dst, src, count);
+}
 /*
  * Return the size of a string (including the ending 0)
  *