
Merge tag 'for-linus-6.18-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux

Pull orangefs updates from Mike Marshall:
"Two cleanups and a bug fix:

- Remove unused type in macro fill_default_sys_attrs (Zhen Ni)

- Replace kzalloc + copy_from_user with memdup_user_nul (Thorsten Blum)

- Fix xattr related buffer overflow...

A message was forwarded to me from Disclosure <disclosure@aisle.com>
indicating a problem with a loop condition in our xattr code. When
I fixed the problem it exposed a related memory leak problem, and I
fixed that too"

* tag 'for-linus-6.18-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
fs/orangefs: Replace kzalloc + copy_from_user with memdup_user_nul
orangefs: fix xattr related buffer overflow...
orangefs: Remove unused type in macro fill_default_sys_attrs

+16 -19
+3 -7
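--- a/fs/orangefs/namei.c
+++ b/fs/orangefs/namei.c
@@ -38,8 +38,7 @@
 
 new_op->upcall.req.create.parent_refn = parent->refn;
 
-fill_default_sys_attrs(new_op->upcall.req.create.attributes,
-ORANGEFS_TYPE_METAFILE, mode);
+fill_default_sys_attrs(new_op->upcall.req.create.attributes, mode);
 
 strscpy(new_op->upcall.req.create.d_name, dentry->d_name.name);
 
@@ -239,9 +240,7 @@
 
 new_op->upcall.req.sym.parent_refn = parent->refn;
 
-fill_default_sys_attrs(new_op->upcall.req.sym.attributes,
-ORANGEFS_TYPE_SYMLINK,
-mode);
+fill_default_sys_attrs(new_op->upcall.req.sym.attributes, mode);
 
 strscpy(new_op->upcall.req.sym.entry_name, dentry->d_name.name);
 strscpy(new_op->upcall.req.sym.target, symname);
@@ -313,8 +316,7 @@
 
 new_op->upcall.req.mkdir.parent_refn = parent->refn;
 
-fill_default_sys_attrs(new_op->upcall.req.mkdir.attributes,
-ORANGEFS_TYPE_DIRECTORY, mode);
+fill_default_sys_attrs(new_op->upcall.req.mkdir.attributes, mode);
 
 strscpy(new_op->upcall.req.mkdir.d_name, dentry->d_name.name);
 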
+5 -6
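--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -440,14 +440,13 @@
 count = ORANGEFS_MAX_DEBUG_STRING_LEN;
 }
 
-buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
-if (!buf)
-goto out;
-
-if (copy_from_user(buf, ubuf, count - 1)) {
+buf = memdup_user_nul(ubuf, count - 1);
+if (IS_ERR(buf)) {
 gossip_debug(GOSSIP_DEBUGFS_DEBUG,
-"%s: copy_from_user failed!\n",
+"%s: memdup_user_nul failed!\n",
 __func__);
+rc = PTR_ERR(buf);
+buf = NULL;
 goto out;
 }
 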
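Review bot: The length handed to `memdup_user_nul()` is `count - 1`, and the only bound visible in this hunk is the upper clamp to `ORANGEFS_MAX_DEBUG_STRING_LEN`; if `count` is an unsigned size and a zero-length write can reach this line, `count - 1` wraps to a huge value. The start of the function is outside the hunk, so a lower-bound check may already exist there; if it does not, an explicit guard such as `if (!count) return 0;` ahead of the allocation would make the bound obvious (the right return value depends on the handler's contract). It is also worth confirming in the part of the function after this hunk that nothing relies on the old allocation size: `buf` is now `count` bytes rather than a zeroed `ORANGEFS_MAX_DEBUG_STRING_LEN` bytes, so any later write into `buf`, or any assumption that it is padded to the maximum length, would no longer hold.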
+1 -1
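--- a/fs/orangefs/orangefs-kernel.h
+++ b/fs/orangefs/orangefs-kernel.h
@@ -462,7 +462,7 @@
 ((ORANGEFS_SB(inode->i_sb)->flags & ORANGEFS_OPT_INTR) ? \
 ORANGEFS_OP_INTERRUPTIBLE : 0)
 
-#define fill_default_sys_attrs(sys_attr, type, mode) \
+#define fill_default_sys_attrs(sys_attr, mode) \
 do { \
 sys_attr.owner = from_kuid(&init_user_ns, current_fsuid()); \
 sys_attr.group = from_kgid(&init_user_ns, current_fsgid()); \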
+7 -5
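--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -54,7 +54,9 @@
 static unsigned int xattr_key(const char *key)
 {
 unsigned int i = 0;
-while (key)
+if (!key)
+return 0;
+while (*key)
 i += *key++;
 return i % 16;
 }
@@ -177,8 +175,8 @@
 cx->length = -1;
 cx->timeout = jiffies +
 orangefs_getattr_timeout_msecs*HZ/1000;
-hash_add(orangefs_inode->xattr_cache, &cx->node,
-xattr_key(cx->key));
+hlist_add_head( &cx->node,
+&orangefs_inode->xattr_cache[xattr_key(cx->key)]);
 }
 }
 goto out_release_op;
@@ -231,8 +229,8 @@
 memcpy(cx->val, buffer, length);
 cx->length = length;
 cx->timeout = jiffies + HZ;
-hash_add(orangefs_inode->xattr_cache, &cx->node,
-xattr_key(cx->key));
+hlist_add_head(&cx->node,
+&orangefs_inode->xattr_cache[xattr_key(cx->key)]);
 }
 }
 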
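Review bot: Both new `hlist_add_head()` calls subscript `xattr_cache[]` directly with the result of `xattr_key()`, so the literal `16` in `return i % 16;` is now the only thing keeping that index in bounds, and nothing on the page ties it to the array's declared size. The declaration is outside these hunks; assuming it is a 16-bucket array, a compile-time tie such as `BUILD_BUG_ON(ARRAY_SIZE(orangefs_inode->xattr_cache) != 16);` next to an insertion, or a named constant shared by the declaration and `xattr_key()`, would stop a later resize from reintroducing an out-of-bounds write. A short comment on `xattr_key()` would help too, e.g. `/* Bucket index into the per-inode xattr_cache; a NULL key maps to bucket 0. */`, since callers now depend on the return value being a raw index rather than a value to be hashed. The two insertion sites sit in functions that start and end outside the hunks, so whether the lookup path indexes the same way cannot be checked from here. Minor style: the first call has a stray space in `hlist_add_head( &cx->node,`.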