From 8d1a81a852f58c5708cd607dcbe36eb32da5cbeb Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Tue, 2 May 2017 12:46:27 -0400
Subject: [PATCH 1/2] sanitize do_i2c_smbus_ioctl() no need to mess with __copy_in_user()
Signed-off-by: Al Viro
---
 fs/compat_ioctl.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index 6116d5275a3e..2237e28fd5e1 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -739,23 +739,22 @@ static int do_i2c_smbus_ioctl(struct file *file, unsigned int cmd, struct i2c_smbus_ioctl_data32 __user *udata)
 {
 struct i2c_smbus_ioctl_data __user *tdata;
- compat_caddr_t datap;
+ union {
+ /* beginnings of those have identical layouts */
+ struct i2c_smbus_ioctl_data32 data32;
+ struct i2c_smbus_ioctl_data data;
+ } v;
 tdata = compat_alloc_user_space(sizeof(*tdata));
 if (tdata == NULL)
 return -ENOMEM;
- if (!access_ok(VERIFY_WRITE, tdata, sizeof(*tdata)))
- return -EFAULT;
- if (!access_ok(VERIFY_READ, udata, sizeof(*udata)))
+ memset(&v, 0, sizeof(v));
+ if (copy_from_user(&v.data32, udata, sizeof(v.data32)))
 return -EFAULT;
+ v.data.data = compat_ptr(v.data32.data);
- if (__copy_in_user(&tdata->read_write, &udata->read_write, 2 * sizeof(u8)))
- return -EFAULT;
- if (__copy_in_user(&tdata->size, &udata->size, 2 * sizeof(u32)))
- return -EFAULT;
- if (__get_user(datap, &udata->data) ||
- __put_user(compat_ptr(datap), &tdata->data))
+ if (copy_to_user(tdata, &v.data, sizeof(v.data)))
 return -EFAULT;
 return do_ioctl(file, cmd, (unsigned long)tdata);
From 119d0312c766773ca3238b9d926077664eed22be Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Thu, 25 May 2017 16:28:49 -0400
Subject: [PATCH 2/2] kill __copy_in_user() no users left
Signed-off-by: Al Viro
---
 include/linux/uaccess.h | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index 201418d5e15c..97c93bc6f72a 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
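Review bot: In the fs/compat_ioctl.c hunk, the new union in do_i2c_smbus_ioctl() is only correct while the fields ahead of `data` sit at the same offsets in `struct i2c_smbus_ioctl_data32` and `struct i2c_smbus_ioctl_data`, and nothing but the comment enforces that. A compile-time check beside the union would stop a later struct change from silently shifting what gets handed to `do_ioctl()`, for example `BUILD_BUG_ON(offsetof(struct i2c_smbus_ioctl_data32, size) != offsetof(struct i2c_smbus_ioctl_data, size));`. The `memset(&v, 0, sizeof(v));` looks removable at first glance, so it deserves a short comment; presumably it is there so no uninitialised kernel stack bytes can reach `copy_to_user()`, e.g. `/* v.data is copied out whole: keep stale stack bytes out of it */`. The function's opening signature line and closing brace lie outside the hunk, so this is based on the visible body only.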
@@ -180,12 +180,6 @@ copy_to_user(void __user *to, const void *from, unsigned long n)
 }
 #ifdef CONFIG_COMPAT
 static __always_inline unsigned long __must_check
-__copy_in_user(void __user *to, const void *from, unsigned long n)
-{
- might_fault();
- return raw_copy_in_user(to, from, n);
-}
-static __always_inline unsigned long __must_check
 copy_in_user(void __user *to, const void *from, unsigned long n)
 {
 might_fault();