From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from zeniv.linux.org.uk ([195.92.253.2]:60680 "EHLO
	ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750757AbcFPICh (ORCPT
	<rfc822;stable@vger.kernel.org>); Thu, 16 Jun 2016 04:02:37 -0400
Date: Thu, 16 Jun 2016 09:02:29 +0100
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Andy Lutomirski <luto@kernel.org>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	Andrew Morton <akpm@linux-foundation.org>,
	stable <stable@vger.kernel.org>
Subject: Re: [PATCH v2 1/2] fs: Improve and simplify copy_mount_options
Message-ID: <20160616080229.GC14480@ZenIV.linux.org.uk>
References: <cover.1465871650.git.luto@kernel.org>
 <f2ad616567c7666cbba22f51c97fac1d09cfd200.1465871650.git.luto@kernel.org>
 <20160615235047.GA14480@ZenIV.linux.org.uk>
 <CALCETrXie_5-Wz5o3aBxNCrDQwLmVyLHaa95S9YfTftpT5YtZA@mail.gmail.com>
 <CA+55aFy13+MYXU1tChx=Dysy_Ehhpc5Td+qrEaNv8smEygnuRQ@mail.gmail.com>
 <20160616054525.GA6803@1wt.eu>
 <CA+55aFwMpvtLbkMQqjA2FJa32FMuVX2Jtmevz9p=i8YOyKGZbA@mail.gmail.com>
 <20160616065738.GA7154@1wt.eu>
 <20160616070821.GB14480@ZenIV.linux.org.uk>
 <20160616072557.GA7336@1wt.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160616072557.GA7336@1wt.eu>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Thu, Jun 16, 2016 at 09:25:57AM +0200, Willy Tarreau wrote:
> On Thu, Jun 16, 2016 at 08:08:22AM +0100, Al Viro wrote:
> > On Thu, Jun 16, 2016 at 08:57:38AM +0200, Willy Tarreau wrote:
> > > +	type = get_fs_type(fstype);
> > > +	if (!type)
> > > +		return NULL;
> > > +
> > >  	copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
> > >  	if (!copy)
> > >  		return ERR_PTR(-ENOMEM);
> > >  
> > > +	/* avoid reading a whole page if the FS only needs a string. */
> > > +	if (!(type->fs_flags & FS_BINARY_MOUNTDATA)) {
> > > +		strlcpy(copy, data, PAGE_SIZE);
> > > +		return copy;
> > 
> > a) it leaks a file_system_type reference
> 
> I was not sure about this one, thanks for confirming.
> 
> > b) data is a userland pointer, for crying out loud!
> 
> Yep I noticed it and fixed it after sending. I was focused on the
> data coming from kernel due to the discussion.
> 
> I also think that since there are only two call places for
> copy_mount_options(), we may move the test there and switch
> to copy_mount_string() instead depending on the fs type.

Another problem is that it will oops with NULL fstype, which is
absolutely normal both for mount --bind *and* mount -o remount.
And while mount --bind doesn't care about string options,
mount -o remount certainly does.  IMO the latter makes that
approach hopeless - with remount you don't know the type
until well into do_mount() guts and I'd really hate to carry
the userland pointer all the way into it.