* [PATCH] fs: Fix uninitialized 'offp' in statmount_string()
@ 2025-10-11  9:13 Zhen Ni
From: Zhen Ni @ 2025-10-11  9:13 UTC (permalink / raw)
  To: viro, brauner, jack; +Cc: linux-fsdevel, Zhen Ni, stable

In statmount_string(), most flags assign an output offset pointer (offp)
which is later updated with the string offset. However, the
STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
struct fields instead of using offp. This leaves offp uninitialized,
leading to a possible uninitialized dereference when *offp is updated.

Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
path consistent.

Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
---
 fs/namespace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index d82910f33dc4..5b5ab2ae238b 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5454,11 +5454,11 @@ static int statmount_string(struct kstatmount *s, u64 flag)
 		ret = statmount_sb_source(s, seq);
 		break;
 	case STATMOUNT_MNT_UIDMAP:
-		sm->mnt_uidmap = start;
+		offp = &sm->mnt_uidmap;
 		ret = statmount_mnt_uidmap(s, seq);
 		break;
 	case STATMOUNT_MNT_GIDMAP:
-		sm->mnt_gidmap = start;
+		offp = &sm->mnt_gidmap;
 		ret = statmount_mnt_gidmap(s, seq);
 		break;
 	default:
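Review bot: the hunk stops at `default:` without showing how that path treats offp, and the fix only holds if every case that reaches the later `*offp` update has assigned it first; confirm that the default branch returns before that update (or that the declaration initializes offp to NULL), otherwise an unhandled flag value hits the same uninitialized write this patch removes for the UIDMAP and GIDMAP cases.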
-- 
2.20.1



* Re: [PATCH] fs: Fix uninitialized 'offp' in statmount_string()
@ 2025-10-13 10:21 ` Jan Kara
From: Jan Kara @ 2025-10-13 10:21 UTC (permalink / raw)
  To: Zhen Ni; +Cc: viro, brauner, jack, linux-fsdevel, stable

On Sat 11-10-25 17:13:53, Zhen Ni wrote:
> In statmount_string(), most flags assign an output offset pointer (offp)
> which is later updated with the string offset. However, the
> STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
> struct fields instead of using offp. This leaves offp uninitialized,
> leading to a possible uninitialized dereference when *offp is updated.
> 
> Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
> path consistent.
> 
> Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>

The bug happened because of mismerge between commits 37c4a9590e1e and
e52e97f09fb6 so I think we should also add:

Fixes: e52e97f09fb6 ("statmount: let unset strings be empty")

Otherwise the patch looks good. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza

> ---
>  fs/namespace.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index d82910f33dc4..5b5ab2ae238b 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -5454,11 +5454,11 @@ static int statmount_string(struct kstatmount *s, u64 flag)
>  		ret = statmount_sb_source(s, seq);
>  		break;
>  	case STATMOUNT_MNT_UIDMAP:
> -		sm->mnt_uidmap = start;
> +		offp = &sm->mnt_uidmap;
>  		ret = statmount_mnt_uidmap(s, seq);
>  		break;
>  	case STATMOUNT_MNT_GIDMAP:
> -		sm->mnt_gidmap = start;
> +		offp = &sm->mnt_gidmap;
>  		ret = statmount_mnt_gidmap(s, seq);
>  		break;
>  	default:
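Review bot: the removed lines `sm->mnt_uidmap = start;` and `sm->mnt_gidmap = start;` are the only cases in the visible switch that still write `start` directly instead of going through offp, which matches the mismerge between 37c4a9590e1e and e52e97f09fb6 described above; the trailer should therefore carry a second `Fixes: e52e97f09fb6` next to the existing one, so stable selects the patch for every tree that contains both commits.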
> -- 
> 2.20.1
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR


* [PATCH v2] fs: Fix uninitialized 'offp' in statmount_string()
@ 2025-10-13 11:41 ` Zhen Ni
From: Zhen Ni @ 2025-10-13 11:41 UTC (permalink / raw)
  To: viro, brauner, jack; +Cc: linux-fsdevel, Zhen Ni, stable

In statmount_string(), most flags assign an output offset pointer (offp)
which is later updated with the string offset. However, the
STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
struct fields instead of using offp. This leaves offp uninitialized,
leading to a possible uninitialized dereference when *offp is updated.

Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
path consistent.

Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
Fixes: e52e97f09fb6 ("statmount: let unset strings be empty")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Reviewed-by: Jan Kara <jack@suse.cz>
---
Changes in v2:
- Add Fixes: e52e97f09fb6 ("statmount: let unset strings be empty")
---
 fs/namespace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index d82910f33dc4..5b5ab2ae238b 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5454,11 +5454,11 @@ static int statmount_string(struct kstatmount *s, u64 flag)
 		ret = statmount_sb_source(s, seq);
 		break;
 	case STATMOUNT_MNT_UIDMAP:
-		sm->mnt_uidmap = start;
+		offp = &sm->mnt_uidmap;
 		ret = statmount_mnt_uidmap(s, seq);
 		break;
 	case STATMOUNT_MNT_GIDMAP:
-		sm->mnt_gidmap = start;
+		offp = &sm->mnt_gidmap;
 		ret = statmount_mnt_gidmap(s, seq);
 		break;
 	default:
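Review bot: the diff is byte-identical to v1 (same index line d82910f33dc4..5b5ab2ae238b), so this respin changes only the trailers; one documentation point for the commit message: the later `*offp` update is a store, so the defect is a write through an uninitialized stack pointer rather than a read-side dereference, and spelling that out would make the case for the Cc: stable tag explicit.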
-- 
2.20.1



* Re: [PATCH v2] fs: Fix uninitialized 'offp' in statmount_string()
@ 2025-10-21 12:23   ` Christian Brauner
From: Christian Brauner @ 2025-10-21 12:23 UTC (permalink / raw)
  To: Zhen Ni; +Cc: Christian Brauner, linux-fsdevel, stable, viro, jack

On Mon, 13 Oct 2025 19:41:51 +0800, Zhen Ni wrote:
> In statmount_string(), most flags assign an output offset pointer (offp)
> which is later updated with the string offset. However, the
> STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
> struct fields instead of using offp. This leaves offp uninitialized,
> leading to a possible uninitialized dereference when *offp is updated.
> 
> Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
> path consistent.
> 
> [...]

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] fs: Fix uninitialized 'offp' in statmount_string()
      https://git.kernel.org/vfs/vfs/c/0778ac7df513

