On Mon, Jun 13, 2016 at 07:36:04PM -0700, Andy Lutomirski wrote:
> copy_mount_options always tries to copy a full page even if the
> string is shorter than a page. If the string starts part-way into a
> page and ends on the same page it started on, this means that
> copy_mount_options can overrun the supplied buffer and read into the
> next page.

Have you considered the possibility that there might be a reason for
having separate copy_mount_option() and copy_mount_string()? Such as
options not being a string, perhaps? In some filesystems (including
older NFS variants) it is not a string at all - a binary data
structure, with quite a few zero bytes in it. And no, we fucking
*can't* break mount.nfs(8), no matter how we'd like to get rid of that
wart of an ABI.

IOW, NAK with prejudice - don't bring that thing back, it's hard no-go.
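As an added illustration of the reply's point (this is not code from the thread or from the kernel): a string-bounded copy silently truncates a binary options record at its first zero byte, while a copy that takes the real length from the caller keeps the record intact without reading past it. The struct layout and function names below are constructed for this example and are not the real NFS mount data layout.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical binary mount-options record, standing in for the kind of
 * structure older NFS mount helpers pass; the layout is constructed for
 * this example and is not the real nfs_mount_data. */
struct demo_nfs_opts {
    uint32_t version;      /* 3 -> three zero bytes in either byte order */
    uint32_t flags;        /* 0 -> four zero bytes */
    char     hostname[32]; /* NUL-terminated, remainder zero-filled */
    uint16_t port;         /* lands after many zero bytes */
};

/* String-style copy: stops at the first zero byte and zero-fills the rest.
 * Returns how many source bytes were actually carried across. */
size_t copy_opts_as_string(void *dst, const void *src, size_t dst_size)
{
    const unsigned char *s = src;
    size_t n = 0;
    while (n < dst_size && s[n] != 0) n++;   /* strnlen-style bound */
    memcpy(dst, src, n);
    memset((unsigned char *)dst + n, 0, dst_size - n);
    return n;
}

/* Fixed-length copy: the caller supplies the real length, so binary payloads
 * survive and nothing beyond 'len' is read from the source. */
size_t copy_opts_fixed(void *dst, const void *src, size_t len, size_t dst_size)
{
    if (len > dst_size) len = dst_size;
    memcpy(dst, src, len);
    memset((unsigned char *)dst + len, 0, dst_size - len);
    return len;
}

/* 1 if a sample record comes through the chosen copy intact, else 0. */
int opts_survive(int use_string_copy)
{
    struct demo_nfs_opts in = { .version = 3, .hostname = "nfs.example", .port = 2049 };
    struct demo_nfs_opts out;
    if (use_string_copy) copy_opts_as_string(&out, &in, sizeof out);
    else                 copy_opts_fixed(&out, &in, sizeof in, sizeof out);
    return out.version == in.version && out.port == in.port &&
           strcmp(out.hostname, in.hostname) == 0;
}
```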