Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2661377yba;
        Mon, 6 May 2019 09:33:15 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxBrUUkRzGf9ox7QMHFRxYs3fO94TzypfOtqQlJv2GRTIdEbSocBm2zxf/Lr5LUltMS6QUS
X-Received: by 2002:a63:8f4b:: with SMTP id r11mr33419878pgn.271.1557160395587;
        Mon, 06 May 2019 09:33:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557160395; cv=none;
        d=google.com; s=arc-20160816;
        b=Bn4Km5rHxEYuHmKDCwbxNGPPYtb+53kCjNncTAsdzsihmxBczhQ9GosOfYi6V9OSww
         zS7r+S0V/ZlOXlspd2A9GJkvhDq/FIrpePMvOsJWyCEqBkaL5kJkeE+QlKzD3oQZl1XE
         fQsi4EbI0wNPqZaBxU+nGtMVYdwEbMDKtS7HtutbN5OqY+T4Ju01gmKQ4IKh7JtCJo0X
         SUwiAPzv81yUMFEy9vzJXXL/rXaA6D0BU07nZEdps8B2lL2g5TELqHSSJ3YQxvhF4cRf
         M+EPGOs+I+0ey6kB/FRyxGnVAiJRzJ9nQZfhmwa7RaokYGwy9Pl3yrG8tc6m9nQlq4mv
         ApHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=RiesdCLpp+R0f3O9XnLGGd6rw9hYPfKFlydZlXAyMMc=;
        b=zJAx34yFQtf/f8VCoW8KGF+D6CGTcCJg2+mulPDCHLGJ9ubNiL1B59CReZ6hbA+9X3
         ucSSWQcMSS1jA5mQzfqfeL0okTiOATDvq/wCRpGvxq2+thaJKlqZpXyuqkCnt6wkJGDN
         LchQuvXevqWy31SKtz8e5tgfVgDRg5QPYPlJRlq+eZe2BojZlbPHNaQjBBTEvXQbQSa3
         4wqkPAbbzyRCxnteuJg3Cs/Z1FQXUR6uHJvG7jnfPIkUgNZRTagu9HlGlE6QQy+dmlTQ
         pu1Xqjq6yIt0XhahDxbBtGt+A3KoO6blBCmcBlCruofufynqZhaKqNaTa7TcSSpjAUga
         YIXg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Q6QAvdDC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f8si7775898pgc.267.2019.05.06.09.32.59;
        Mon, 06 May 2019 09:33:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Q6QAvdDC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726297AbfEFQbl (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Mon, 6 May 2019 12:31:41 -0400
Received: from mail-qt1-f201.google.com ([209.85.160.201]:35167 "EHLO
        mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727144AbfEFQbf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 May 2019 12:31:35 -0400
Received: by mail-qt1-f201.google.com with SMTP id u21so15901414qtk.2
        for <linux-kernel@vger.kernel.org>; Mon, 06 May 2019 09:31:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=RiesdCLpp+R0f3O9XnLGGd6rw9hYPfKFlydZlXAyMMc=;
        b=Q6QAvdDCFNZuLS9ja3NkrMR3RvJ0S09G7HKj9q0ktYjp11DSu6sbwte4Z+MCgpdXSa
         OGL0kcCil/ti4co+BeFvhTmmJ7+RXsHFsfK1hhHv1eec6VZbNopqVkjLet50ydoaeiwT
         XvmlmBaXIzsx1T6Dyaajg7Bz5pq9Axsw6cJNm2DtIdCFs4IeQzb8CYH1eWRXRhTqPi8L
         9AZ0ieEA2P7xzH+IK3hHC6FzJl7z9XjQD9wvxFqfvRNHuz4Kvz+PKDcTznem4kO3i/YF
         7eAO6TlPEh3PGwlYJ/3xngzxB39JPbQ+aqDHIcDB8TtrzW/euZk2kR1+K4+g3OqdGfdF
         qJTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=RiesdCLpp+R0f3O9XnLGGd6rw9hYPfKFlydZlXAyMMc=;
        b=qEeNf5Hzw0LYBPRTjZ1uf19I34xM0GomCh8NDp3x8fzePes+cML/a9EsLltwVhoLCC
         dQCMv5CGhazWScZs/QqtlFHuLumQTKSzgyoYf39e3y/S+rjHBClTE2wiBFwXHHQy2Qxz
         PV2pUWpij2EHgnHeS7zuAZCf7QAfOxZSNg9P8vvZ0Do1HCGzSmBVTN/vsYqpfbBUNuI/
         0PsRteREP9/I63GV+XF4HcsX8mJhLxsfSpQtLDYefQjgE95ZhfbcZZGxxojweZUHKxri
         flqB/nyz14CHpOE0/ORrlByW/Wx8xSGQzdxpAfw2CxhXdFp4ocKhehTqCdhY+Z16dP+Q
         9TVA==
X-Gm-Message-State: APjAAAUxDX/1HQgSJrwEkEvIQou07PRtftVZSWMBRLbqmJyy3RvjA8Gk
        wN8pvsbG2XTRBvLvPBS+8weFtZ8nITuuLQ1m
X-Received: by 2002:a37:9ed6:: with SMTP id h205mr2433459qke.152.1557160294772;
 Mon, 06 May 2019 09:31:34 -0700 (PDT)
Date:   Mon,  6 May 2019 18:30:55 +0200
In-Reply-To: <cover.1557160186.git.andreyknvl@google.com>
Message-Id: <ac2ca3454b1ae8856ea2e29a1316fea50a30c788.1557160186.git.andreyknvl@google.com>
Mime-Version: 1.0
References: <cover.1557160186.git.andreyknvl@google.com>
X-Mailer: git-send-email 2.21.0.1020.gf2820cf01a-goog
Subject: [PATCH v15 09/17] fs, arm64: untag user pointers in copy_mount_options
From:   Andrey Konovalov <andreyknvl@google.com>
To:     linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org,
        dri-devel@lists.freedesktop.org, linux-rdma@vger.kernel.org,
        linux-media@vger.kernel.org, kvm@vger.kernel.org,
        linux-kselftest@vger.kernel.org
Cc:     Catalin Marinas <catalin.marinas@arm.com>,
        Vincenzo Frascino <vincenzo.frascino@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kees Cook <keescook@chromium.org>,
        Yishai Hadas <yishaih@mellanox.com>,
        Felix Kuehling <Felix.Kuehling@amd.com>,
        Alexander Deucher <Alexander.Deucher@amd.com>,
        Christian Koenig <Christian.Koenig@amd.com>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        Jens Wiklander <jens.wiklander@linaro.org>,
        Alex Williamson <alex.williamson@redhat.com>,
        Leon Romanovsky <leon@kernel.org>,
        Dmitry Vyukov <dvyukov@google.com>,
        Kostya Serebryany <kcc@google.com>,
        Evgeniy Stepanov <eugenis@google.com>,
        Lee Smith <Lee.Smith@arm.com>,
        Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
        Jacob Bramley <Jacob.Bramley@arm.com>,
        Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>,
        Robin Murphy <robin.murphy@arm.com>,
        Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
        Dave Martin <Dave.Martin@arm.com>,
        Kevin Brodsky <kevin.brodsky@arm.com>,
        Szabolcs Nagy <Szabolcs.Nagy@arm.com>,
        Andrey Konovalov <andreyknvl@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch is a part of a series that extends arm64 kernel ABI to allow to
pass tagged user pointers (with the top byte set to something else other
than 0x00) as syscall arguments.

In copy_mount_options a user address is being subtracted from TASK_SIZE.
If the address is lower than TASK_SIZE, the size is calculated to not
allow the exact_copy_from_user() call to cross TASK_SIZE boundary.
However if the address is tagged, then the size will be calculated
incorrectly.

Untag the address before subtracting.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index c9cab307fa77..c27e5713bf04 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2825,7 +2825,7 @@ void *copy_mount_options(const void __user * data)
 	 * the remainder of the page.
 	 */
 	/* copy_from_user cannot cross TASK_SIZE ! */
-	size = TASK_SIZE - (unsigned long)data;
+	size = TASK_SIZE - (unsigned long)untagged_addr(data);
 	if (size > PAGE_SIZE)
 		size = PAGE_SIZE;
 
-- 
2.21.0.1020.gf2820cf01a-goog