fs: fix overflow in sys_mount() for in-kernel calls

				 char __user * type, unsigned long flags,

				 void __user * data)

{

	unsigned long type_page;

	char *kernel_type;

	unsigned long data_page;

	unsigned long dev_page;

	char *kernel_dev;

	char *dir_page;

	int retval;

	retval = copy_mount_options (type, &type_page);

	retval = copy_mount_string(type, &kernel_type);

	if (retval < 0)

		goto out;

	if (IS_ERR(dir_page))

		goto out1;

	retval = copy_mount_options (dev_name, &dev_page);

	retval = copy_mount_string(dev_name, &kernel_dev);

	if (retval < 0)

		goto out2;

	retval = -EINVAL;

	if (type_page && data_page) {

		if (!strcmp((char *)type_page, SMBFS_NAME)) {

	if (kernel_type && data_page) {

		if (!strcmp(kernel_type, SMBFS_NAME)) {

			do_smb_super_data_conv((void *)data_page);

		} else if (!strcmp((char *)type_page, NCPFS_NAME)) {

		} else if (!strcmp(kernel_type, NCPFS_NAME)) {

			do_ncp_super_data_conv((void *)data_page);

		} else if (!strcmp((char *)type_page, NFS4_NAME)) {

		} else if (!strcmp(kernel_type, NFS4_NAME)) {

			if (do_nfs4_super_data_conv((void *) data_page))

				goto out4;

		}

	}

	retval = do_mount((char*)dev_page, dir_page, (char*)type_page,

	retval = do_mount(kernel_dev, dir_page, kernel_type,

			flags, (void*)data_page);

 out4:

	free_page(data_page);

 out3:

	free_page(dev_page);

	kfree(kernel_dev);

 out2:

	putname(dir_page);

 out1:

	free_page(type_page);

	kfree(kernel_type);

 out:

	return retval;

}

 * namespace.c

 */

extern int copy_mount_options(const void __user *, unsigned long *);

extern int copy_mount_string(const void __user *, char **);

extern void free_vfsmnt(struct vfsmount *);

extern struct vfsmount *alloc_vfsmnt(const char *);

{

	struct vfsmount *mnt;

	if (!type || !memchr(type, 0, PAGE_SIZE))

	if (!type)

		return -EINVAL;

	/* we need capabilities... */

	return 0;

}

int copy_mount_string(const void __user *data, char **where)

{

	char *tmp;

	if (!data) {

		*where = NULL;

		return 0;

	}

	tmp = strndup_user(data, PAGE_SIZE);

	if (IS_ERR(tmp))

		return PTR_ERR(tmp);

	*where = tmp;

	return 0;

}

/*

 * Flags is a 32-bit value that allows up to 31 non-fs dependent flags to

 * be given to the mount() call (ie: read-only, no-dev, no-suid etc).

	if (!dir_name || !*dir_name || !memchr(dir_name, 0, PAGE_SIZE))

		return -EINVAL;

	if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))

		return -EINVAL;

	if (data_page)

		((char *)data_page)[PAGE_SIZE - 1] = 0;

SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,

		char __user *, type, unsigned long, flags, void __user *, data)

{

	int retval;

	int ret;

	char *kernel_type;

	char *kernel_dir;

	char *kernel_dev;

	unsigned long data_page;

	unsigned long type_page;

	unsigned long dev_page;

	char *dir_page;

	retval = copy_mount_options(type, &type_page);

	if (retval < 0)

		return retval;

	ret = copy_mount_string(type, &kernel_type);

	if (ret < 0)

		goto out_type;

	dir_page = getname(dir_name);

	retval = PTR_ERR(dir_page);

	if (IS_ERR(dir_page))

		goto out1;

	kernel_dir = getname(dir_name);

	if (IS_ERR(kernel_dir)) {

		ret = PTR_ERR(kernel_dir);

		goto out_dir;

	}

	retval = copy_mount_options(dev_name, &dev_page);

	if (retval < 0)

		goto out2;

	ret = copy_mount_string(dev_name, &kernel_dev);

	if (ret < 0)

		goto out_dev;

	retval = copy_mount_options(data, &data_page);

	if (retval < 0)

		goto out3;

	ret = copy_mount_options(data, &data_page);

	if (ret < 0)

		goto out_data;

	retval = do_mount((char *)dev_page, dir_page, (char *)type_page,

			  flags, (void *)data_page);

	free_page(data_page);

	ret = do_mount(kernel_dev, kernel_dir, kernel_type, flags,

		(void *) data_page);

out3:

	free_page(dev_page);

out2:

	putname(dir_page);

out1:

	free_page(type_page);

	return retval;

	free_page(data_page);

out_data:

	kfree(kernel_dev);

out_dev:

	putname(kernel_dir);

out_dir:

	kfree(kernel_type);

out_type:

	return ret;

}

/*