import PULS_20180308

[GitHub/mt8127/android_kernel_alcatel_ttab.git] / fs / aio.c

diff --git a/fs/aio.c b/fs/aio.c
index 2bbcacf74d0c64f8814cb68d8c4eff423dfe98d4..e6483800c73433a0ce4b7485be1f64f70f6d56cf 100644 (file)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -35,6 +35,7 @@
 #include <linux/eventfd.h>
 #include <linux/blkdev.h>
 #include <linux/compat.h>
+#include <linux/personality.h>
 
 #include <asm/kmap_types.h>
 #include <asm/uaccess.h>
@@ -153,6 +154,9 @@ static int aio_setup_ring(struct kioctx *ctx)
        unsigned long size, populate;
        int nr_pages;
 
+       if (current->personality & READ_IMPLIES_EXEC)
+               return -EPERM;
+
        /* Compensate for the ring buffer's head/tail overlap entry */
        nr_events += 2; /* 1 is required, 2 for good luck */
 
@@ -310,7 +314,6 @@ static void free_ioctx(struct kioctx *ctx)
 
                avail = (head <= ctx->tail ? ctx->tail : ctx->nr_events) - head;
 
-               atomic_sub(avail, &ctx->reqs_active);
                head += avail;
                head %= ctx->nr_events;
        }
@@ -423,10 +426,12 @@ static void kill_ioctx_rcu(struct rcu_head *head)
  *     when the processes owning a context have all exited to encourage
  *     the rapid destruction of the kioctx.
  */
-static void kill_ioctx(struct kioctx *ctx)
+static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx)
 {
        if (!atomic_xchg(&ctx->dead, 1)) {
+               spin_lock(&mm->ioctx_lock);
                hlist_del_rcu(&ctx->list);
+               spin_unlock(&mm->ioctx_lock);
 
                /*
                 * It'd be more correct to do this in free_ioctx(), after all
@@ -494,7 +499,7 @@ void exit_aio(struct mm_struct *mm)
                 */
                ctx->mmap_size = 0;
 
-               kill_ioctx(ctx);
+               kill_ioctx(mm, ctx);
        }
 }
 
@@ -676,6 +681,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
 put_rq:
        /* everything turned out well, dispose of the aiocb. */
        aio_put_req(iocb);
+       atomic_dec(&ctx->reqs_active);
 
        /*
         * We have to order our ring_info tail store above and test
@@ -715,6 +721,8 @@ static long aio_read_events_ring(struct kioctx *ctx,
        if (head == ctx->tail)
                goto out;
 
+       head %= ctx->nr_events;
+
        while (ret < nr) {
                long avail;
                struct io_event *ev;
@@ -753,8 +761,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
        flush_dcache_page(ctx->ring_pages[0]);
 
        pr_debug("%li  h%u t%u\n", ret, head, ctx->tail);
-
-       atomic_sub(ret, &ctx->reqs_active);
 out:
        mutex_unlock(&ctx->ring_lock);
 
@@ -852,7 +858,7 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
        if (!IS_ERR(ioctx)) {
                ret = put_user(ioctx->user_id, ctxp);
                if (ret)
-                       kill_ioctx(ioctx);
+                       kill_ioctx(current->mm, ioctx);
                put_ioctx(ioctx);
        }
 
@@ -870,7 +876,7 @@ SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)
 {
        struct kioctx *ioctx = lookup_ioctx(ctx);
        if (likely(NULL != ioctx)) {
-               kill_ioctx(ioctx);
+               kill_ioctx(current->mm, ioctx);
                put_ioctx(ioctx);
                return 0;
        }
@@ -975,12 +981,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
 
 static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
 {
-       if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
+       size_t len = kiocb->ki_nbytes;
+
+       if (len > MAX_RW_COUNT)
+               len = MAX_RW_COUNT;
+
+       if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
                return -EFAULT;
 
        kiocb->ki_iovec = &kiocb->ki_inline_vec;
        kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-       kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
+       kiocb->ki_iovec->iov_len = len;
        kiocb->ki_nr_segs = 1;
        return 0;
 }