On Wed, Jun 15, 2016 at 02:42:33PM -1000, Linus Torvalds wrote: > On Wed, Jun 15, 2016 at 2:01 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > > > > devtmpfsd does: > > > > *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options); > > > > where options points to the kernel stack. This is bad. do_mount_root > > is similarly broken. > > > > Is there any reason that these things use sys_mount instead of do_mount? > > Not that I can see. But maybe copy_mount_options could also check for > KERNEL_DS, and use a strncpy instead of a copy_from_user() for that > case? Well, strncpy() would make the function behave differently depending on the FS being used if called from the kernel for the reason Al mentionned. OK devtmpfsd() passes a string, but if it's the FS itself which decides to stop on a zero when parsing mount options, we'd probably rather use memcpy() instead to ensure a consistent behaviour, like this maybe ? Willy diff --git a/fs/namespace.c b/fs/namespace.c index 4fb1691..058b856 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2622,6 +2622,12 @@ void *copy_mount_options(const void __user * data) if (!copy) return ERR_PTR(-ENOMEM); + /* do_mount() may be called from the kernel */ + if (segment_eq(get_fs(), KERNEL_DS)) { + memcpy(copy, data, PAGE_SIZE); + return copy; + } + /* We only care that *some* data at the address the user * gave us is valid. Just in case, we'll zero * the remainder of the page. -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html