The patch titled Subject: fs/namespace: untag user pointers in copy_mount_options has been added to the -mm tree. Its filename is fs-namespace-untag-user-pointers-in-copy_mount_options.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/fs-namespace-untag-user-pointers-in-copy_mount_options.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/fs-namespace-untag-user-pointers-in-copy_mount_options.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Andrey Konovalov <andreyknvl@xxxxxxxxxx> Subject: fs/namespace: untag user pointers in copy_mount_options This patch is a part of a series that extends kernel ABI to allow to pass tagged user pointers (with the top byte set to something else other than 0x00) as syscall arguments. In copy_mount_options a user address is being subtracted from TASK_SIZE. If the address is lower than TASK_SIZE, the size is calculated to not allow the exact_copy_from_user() call to cross TASK_SIZE boundary. However if the address is tagged, then the size will be calculated incorrectly. Untag the address before subtracting. Link: http://lkml.kernel.org/r/1de225e4a54204bfd7f25dac2635e31aa4aa1d90.1563904656.git.andreyknvl@xxxxxxxxxx Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx> Reviewed-by: Khalid Aziz <khalid.aziz@xxxxxxxxxx> Reviewed-by: Vincenzo Frascino <vincenzo.frascino@xxxxxxx> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Dave Hansen <dave.hansen@xxxxxxxxx> Cc: Eric Auger <eric.auger@xxxxxxxxxx> Cc: Felix Kuehling <Felix.Kuehling@xxxxxxx> Cc: Jens Wiklander <jens.wiklander@xxxxxxxxxx> Cc: Mauro Carvalho Chehab <mchehab+samsung@xxxxxxxxxx> Cc: Mike Rapoport <rppt@xxxxxxxxxxxxx> Cc: Will Deacon <will@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/namespace.c~fs-namespace-untag-user-pointers-in-copy_mount_options +++ a/fs/namespace.c @@ -2994,7 +2994,7 @@ void *copy_mount_options(const void __us * the remainder of the page. */ /* copy_from_user cannot cross TASK_SIZE ! */ - size = TASK_SIZE - (unsigned long)data; + size = TASK_SIZE - (unsigned long)untagged_addr(data); if (size > PAGE_SIZE) size = PAGE_SIZE; _ Patches currently in -mm which might be from andreyknvl@xxxxxxxxxx are lib-untag-user-pointers-in-strn_user.patch mm-untag-user-pointers-passed-to-memory-syscalls.patch mm-untag-user-pointers-in-mm-gupc.patch mm-untag-user-pointers-in-get_vaddr_frames.patch fs-namespace-untag-user-pointers-in-copy_mount_options.patch userfaultfd-untag-user-pointers.patch drm-amdgpu-untag-user-pointers.patch drm-radeon-untag-user-pointers-in-radeon_gem_userptr_ioctl.patch media-v4l2-core-untag-user-pointers-in-videobuf_dma_contig_user_get.patch tee-shm-untag-user-pointers-in-tee_shm_register.patch vfio-type1-untag-user-pointers-in-vaddr_get_pfn.patch