This patch is a part of a series that extends kernel ABI to allow to pass tagged user pointers (with the top byte set to something else other than 0x00) as syscall arguments. In copy_mount_options a user address is being subtracted from TASK_SIZE. If the address is lower than TASK_SIZE, the size is calculated to not allow the exact_copy_from_user() call to cross TASK_SIZE boundary. However if the address is tagged, then the size will be calculated incorrectly. Untag the address before subtracting. Reviewed-by: Khalid Aziz <khalid.aziz@xxxxxxxxxx> Reviewed-by: Vincenzo Frascino <vincenzo.frascino@xxxxxxx> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx> Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx> --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 7660c2749c96..ec78f7223917 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2994,7 +2994,7 @@ void *copy_mount_options(const void __user * data) * the remainder of the page. */ /* copy_from_user cannot cross TASK_SIZE ! */ - size = TASK_SIZE - (unsigned long)data; + size = TASK_SIZE - (unsigned long)untagged_addr(data); if (size > PAGE_SIZE) size = PAGE_SIZE; -- 2.22.0.410.gd8fdbe21b5-goog
