The patch titled
Subject: fs/namespace: untag user pointers in copy_mount_options
has been added to the -mm tree. Its filename is
fs-namespace-untag-user-pointers-in-copy_mount_options.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/fs-namespace-untag-user-pointers-in-copy_mount_options.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/fs-namespace-untag-user-pointers-in-copy_mount_options.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Subject: fs/namespace: untag user pointers in copy_mount_options
This patch is a part of a series that extends kernel ABI to allow to pass
tagged user pointers (with the top byte set to something else other than
0x00) as syscall arguments.
In copy_mount_options a user address is being subtracted from TASK_SIZE.
If the address is lower than TASK_SIZE, the size is calculated to not
allow the exact_copy_from_user() call to cross TASK_SIZE boundary.
However if the address is tagged, then the size will be calculated
incorrectly.
Untag the address before subtracting.
Link: http://lkml.kernel.org/r/1de225e4a54204bfd7f25dac2635e31aa4aa1d90.1563904656.git.andreyknvl@xxxxxxxxxx
Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Reviewed-by: Khalid Aziz <khalid.aziz@xxxxxxxxxx>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@xxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxx>
Cc: Eric Auger <eric.auger@xxxxxxxxxx>
Cc: Felix Kuehling <Felix.Kuehling@xxxxxxx>
Cc: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
Cc: Mauro Carvalho Chehab <mchehab+samsung@xxxxxxxxxx>
Cc: Mike Rapoport <rppt@xxxxxxxxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/namespace.c~fs-namespace-untag-user-pointers-in-copy_mount_options
+++ a/fs/namespace.c
@@ -2994,7 +2994,7 @@ void *copy_mount_options(const void __us
* the remainder of the page.
*/
/* copy_from_user cannot cross TASK_SIZE ! */
- size = TASK_SIZE - (unsigned long)data;
+ size = TASK_SIZE - (unsigned long)untagged_addr(data);
if (size > PAGE_SIZE)
size = PAGE_SIZE;
_
Patches currently in -mm which might be from andreyknvl@xxxxxxxxxx are
lib-untag-user-pointers-in-strn_user.patch
mm-untag-user-pointers-passed-to-memory-syscalls.patch
mm-untag-user-pointers-in-mm-gupc.patch
mm-untag-user-pointers-in-get_vaddr_frames.patch
fs-namespace-untag-user-pointers-in-copy_mount_options.patch
userfaultfd-untag-user-pointers.patch
drm-amdgpu-untag-user-pointers.patch
drm-radeon-untag-user-pointers-in-radeon_gem_userptr_ioctl.patch
media-v4l2-core-untag-user-pointers-in-videobuf_dma_contig_user_get.patch
tee-shm-untag-user-pointers-in-tee_shm_register.patch
vfio-type1-untag-user-pointers-in-vaddr_get_pfn.patch
