autofs: work around unhappy compat problem on x86-64

commit a32744d4abae24572eff7269bc17895c41bd0085 upstream. When the autofs protocol version 5 packet type was added in commit 5c0a32fc2cd0 ("autofs4: add new packet type for v5 communications"), it obvously tried quite hard to be word-size agnostic, and uses explicitly sized fields that are all correctly aligned. However, with the final "char name[NAME_MAX+1]" array at the end, the actual size of the structure ends up being not very well defined: because the struct isn't marked 'packed', doing a "sizeof()" on it will align the size of the struct up to the biggest alignment of the members it has. And despite all the members being the same, the alignment of them is different: a "__u64" has 4-byte alignment on x86-32, but native 8-byte alignment on x86-64. And while 'NAME_MAX+1' ends up being a nice round number (256), the name[] array starts out a 4-byte aligned. End result: the "packed" size of the structure is 300 bytes: 4-byte, but not 8-byte aligned. As a result, despite all the fields being in the same place on all architectures, sizeof() will round up that size to 304 bytes on architectures that have 8-byte alignment for u64. Note that this is *not* a problem for 32-bit compat mode on POWER, since there __u64 is 8-byte aligned even in 32-bit mode. But on x86, 32-bit and 64-bit alignment is different for 64-bit entities, and as a result the structure that has exactly the same layout has different sizes. So on x86-64, but no other architecture, we will just subtract 4 from the size of the structure when running in a compat task. That way we will write the properly sized packet that user mode expects. Not pretty. Sadly, this very subtle, and unnecessary, size difference has been encoded in user space that wants to read packets of *exactly* the right size, and will refuse to touch anything else. Reported-and-tested-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: Ian Kent <raven@themaw.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

autofs: work around unhappy compat problem on x86-64
commit a32744d4abae24572eff7269bc17895c41bd0085 upstream. When the autofs protocol version 5 packet type was added in commit 5c0a32fc2cd0 ("autofs4: add new packet type for v5 communications"), it obvously tried quite hard to be word-size agnostic, and uses explicitly sized fields that are all correctly aligned. However, with the final "char name[NAME_MAX+1]" array at the end, the actual size of the structure ends up being not very well defined: because the struct isn't marked 'packed', doing a "sizeof()" on it will align the size of the struct up to the biggest alignment of the members it has. And despite all the members being the same, the alignment of them is different: a "__u64" has 4-byte alignment on x86-32, but native 8-byte alignment on x86-64. And while 'NAME_MAX+1' ends up being a nice round number (256), the name[] array starts out a 4-byte aligned. End result: the "packed" size of the structure is 300 bytes: 4-byte, but not 8-byte aligned. As a result, despite all the fields being in the same place on all architectures, sizeof() will round up that size to 304 bytes on architectures that have 8-byte alignment for u64. Note that this is *not* a problem for 32-bit compat mode on POWER, since there __u64 is 8-byte aligned even in 32-bit mode. But on x86, 32-bit and 64-bit alignment is different for 64-bit entities, and as a result the structure that has exactly the same layout has different sizes. So on x86-64, but no other architecture, we will just subtract 4 from the size of the structure when running in a compat task. That way we will write the properly sized packet that user mode expects. Not pretty. Sadly, this very subtle, and unnecessary, size difference has been encoded in user space that wants to read packets of *exactly* the right size, and will refuse to touch anything else. Reported-and-tested-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: Ian Kent <raven@themaw.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ian Kent · Greg Kroah-Hartman
1 parent 808288955e
Showing 4 changed files with 23 additions and 3 deletions Side-by-side Diff
fs/autofs4/autofs_i.h
fs/autofs4/dev-ioctl.c
fs/autofs4/inode.c
fs/autofs4/waitq.c
@@ -110,6 +110,7 @@
 	int sub_version;
 	int min_proto;
 	int max_proto;
+	int compat_daemon;
 	unsigned long exp_timeout;
 	unsigned int type;
 	int reghost_enabled;
@@ -385,6 +385,7 @@
 		sbi->pipefd = pipefd;
 		sbi->pipe = pipe;
 		sbi->catatonic = 0;
+		sbi->compat_daemon = is_compat_task();
 	}
 out:
 	mutex_unlock(&sbi->wq_mutex);
@@ -19,6 +19,7 @@
 #include <linux/parser.h>
 #include <linux/bitops.h>
 #include <linux/magic.h>
+#include <linux/compat.h>
 #include "autofs_i.h"
 #include <linux/module.h>
  
@@ -224,6 +225,7 @@
 	set_autofs_type_indirect(&sbi->type);
 	sbi->min_proto = 0;
 	sbi->max_proto = 0;
+	sbi->compat_daemon = is_compat_task();
 	mutex_init(&sbi->wq_mutex);
 	spin_lock_init(&sbi->fs_lock);
 	sbi->queues = NULL;
@@ -90,7 +90,24 @@
  
 	return (bytes > 0);
 }
-	
+
+/*
+ * The autofs_v5 packet was misdesigned.
+ *
+ * The packets are identical on x86-32 and x86-64, but have different
+ * alignment. Which means that 'sizeof()' will give different results.
+ * Fix it up for the case of running 32-bit user mode on a 64-bit kernel.
+ */
+static noinline size_t autofs_v5_packet_size(struct autofs_sb_info *sbi)
+{
+	size_t pktsz = sizeof(struct autofs_v5_packet);
+#if defined(CONFIG_X86_64) && defined(CONFIG_COMPAT)
+	if (sbi->compat_daemon > 0)
+		pktsz -= 4;
+#endif
+	return pktsz;
+}
+
 static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
 				 struct autofs_wait_queue *wq,
 				 int type)
@@ -147,8 +164,7 @@
 	{
 		struct autofs_v5_packet *packet = &pkt.v5_pkt.v5_packet;
  
-		pktsz = sizeof(*packet);
-
+		pktsz = autofs_v5_packet_size(sbi);
 		packet->wait_queue_token = wq->wait_queue_token;
 		packet->len = wq->name.len;
 		memcpy(packet->name, wq->name.name, wq->name.len);
...	...	@@ -110,6 +110,7 @@
110	110	int sub_version;
111	111	int min_proto;
112	112	int max_proto;
	113	+ int compat_daemon;
113	114	unsigned long exp_timeout;
114	115	unsigned int type;
115	116	int reghost_enabled;
...	...	@@ -385,6 +385,7 @@
385	385	sbi->pipefd = pipefd;
386	386	sbi->pipe = pipe;
387	387	sbi->catatonic = 0;
	388	+ sbi->compat_daemon = is_compat_task();
388	389	}
389	390	out:
390	391	mutex_unlock(&sbi->wq_mutex);
...	...	@@ -19,6 +19,7 @@
19	19	#include <linux/parser.h>
20	20	#include <linux/bitops.h>
21	21	#include <linux/magic.h>
	22	+#include <linux/compat.h>
22	23	#include "autofs_i.h"
23	24	#include <linux/module.h>
24	25
...	...	@@ -224,6 +225,7 @@
224	225	set_autofs_type_indirect(&sbi->type);
225	226	sbi->min_proto = 0;
226	227	sbi->max_proto = 0;
	228	+ sbi->compat_daemon = is_compat_task();
227	229	mutex_init(&sbi->wq_mutex);
228	230	spin_lock_init(&sbi->fs_lock);
229	231	sbi->queues = NULL;
...	...	@@ -90,7 +90,24 @@
90	90
91	91	return (bytes > 0);
92	92	}
93		-
	93	+
	94	+/*
	95	+ * The autofs_v5 packet was misdesigned.
	96	+ *
	97	+ * The packets are identical on x86-32 and x86-64, but have different
	98	+ * alignment. Which means that 'sizeof()' will give different results.
	99	+ * Fix it up for the case of running 32-bit user mode on a 64-bit kernel.
	100	+ */
	101	+static noinline size_t autofs_v5_packet_size(struct autofs_sb_info *sbi)
	102	+{
	103	+ size_t pktsz = sizeof(struct autofs_v5_packet);
	104	+#if defined(CONFIG_X86_64) && defined(CONFIG_COMPAT)
	105	+ if (sbi->compat_daemon > 0)
	106	+ pktsz -= 4;
	107	+#endif
	108	+ return pktsz;
	109	+}
	110	+
94	111	static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
95	112	struct autofs_wait_queue *wq,
96	113	int type)
...	...	@@ -147,8 +164,7 @@
147	164	{
148	165	struct autofs_v5_packet *packet = &pkt.v5_pkt.v5_packet;
149	166
150		- pktsz = sizeof(*packet);
151		-
	167	+ pktsz = autofs_v5_packet_size(sbi);
152	168	packet->wait_queue_token = wq->wait_queue_token;
153	169	packet->len = wq->name.len;
154	170	memcpy(packet->name, wq->name.name, wq->name.len);