From 222fbed52e02122c752fcb7fca153e9d8fe487bf Mon Sep 17 00:00:00 2001
From: Alexey Lyashkov
Date: Wed, 14 Sep 2022 22:59:11 +0300
Subject: [PATCH] LU-16157 lnet: lst read-outside of allocation

lnet_selftest want a some parameters from userspace, but it never sends. It caused a read of outside of allocation like BUG: KASAN: slab-out-of-bounds in lstcon_testrpc_prep+0x19e7/0x1bb0 Read of size 4 at addr ffff8888bbaa866c by task lt-lst/6371
Signed-off-by: Alexey Lyashkov
Change-Id: I2a98e60c4be65c49fa9da4b418e50f1c7309b69d
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/48547
Reviewed-by: Andreas Dilger
Reviewed-by: James Simmons
Reviewed-by: Oleg Drokin
Tested-by: jenkins
Tested-by: Maloo
---
 lnet/selftest/conrpc.c | 28 +++++++++++++++++++---------
 lnet/utils/lst.c | 14 +++++++++++++-
 2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/lnet/selftest/conrpc.c b/lnet/selftest/conrpc.c
index 927d099..d9ce964 100644
--- a/lnet/selftest/conrpc.c
+++ b/lnet/selftest/conrpc.c
@@ -780,10 +780,15 @@ lstcon_pingrpc_prep(struct lst_test_ping_param *param,
 {
 struct test_ping_req *prq = &req->tsr_u.ping;
- prq->png_size = param->png_size;
- prq->png_flags = param->png_flags;
- /* TODO dest */
- return 0;
+ if (param) {
+ prq->png_size = param->png_size;
+ prq->png_flags = param->png_flags;
+ } else {
+ prq->png_size = 0;
+ prq->png_flags = 0;
+ }
+ /* TODO dest */
+ return 0;
 }
 static int
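Review bot: lstcon_pingrpc_prep now accepts a NULL `param`, but nothing in the hunk documents that contract or why zeroed fields are an acceptable default for the request. A comment above the `if (param)` such as `/* param is NULL when userspace sent no ping parameters; send zeroed fields */` would make the new behaviour explicit for the next caller. The function's signature starts outside the hunk.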
@@ -898,12 +903,17 @@ lstcon_testrpc_prep(struct lstcon_node *nd, int transop, unsigned int feats,
 trq->tsr_stop_onerr = !!test->tes_stop_onerr;
 switch (test->tes_type) {
- case LST_TEST_PING:
- trq->tsr_service = SRPC_SERVICE_PING;
- rc = lstcon_pingrpc_prep((struct lst_test_ping_param *)
- &test->tes_param[0], trq);
- break;
+ case LST_TEST_PING: {
+ struct lst_test_ping_param *data = NULL;
+
+ trq->tsr_service = SRPC_SERVICE_PING;
+ if (test->tes_paramlen)
+ data = ((struct lst_test_ping_param *)
+ &test->tes_param[0]);
+ rc = lstcon_pingrpc_prep(data, trq);
+ break;
+ }
 case LST_TEST_BULK:
 trq->tsr_service = SRPC_SERVICE_BRW;
 if ((feats & LST_FEAT_BULK_LEN) == 0) {
diff --git a/lnet/utils/lst.c b/lnet/utils/lst.c
index 1017b4e..efdbb50 100644
--- a/lnet/utils/lst.c
+++ b/lnet/utils/lst.c
@@ -3266,6 +3266,7 @@ int
 lst_get_test_param(char *test, int argc, char **argv, void **param, int *plen)
 {
 struct lst_test_bulk_param *bulk = NULL;
+ struct lst_test_ping_param *ping = NULL;
 int type;
 type = lst_test_name2type(test);
@@ -3276,7 +3277,18 @@ lst_get_test_param(char *test, int argc, char **argv, void **param, int *plen)
 switch (type) {
 case LST_TEST_PING:
- break;
+ /* unused but needs for kernel part */
+ ping = malloc(sizeof(*ping));
+ if (ping == NULL) {
+ fprintf(stderr, "Out of memory\n");
+ return -1;
+ }
+ memset(ping, 0, sizeof(*ping));
+
+ *param = ping;
+ *plen = sizeof(*ping);
+
+ break;
 case LST_TEST_BULK:
 bulk = malloc(sizeof(*bulk));
--
1.8.3.1
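Review bot: In the LST_TEST_PING case of lstcon_testrpc_prep (lnet/selftest/conrpc.c), `if (test->tes_paramlen)` only separates zero from non-zero, so a parameter block shorter than struct lst_test_ping_param would still be cast and read by lstcon_pingrpc_prep, which is the same out-of-bounds read the commit is fixing. Unless the length is already checked against the per-test struct size where the test is added (not visible here), the guard should be `if (test->tes_paramlen >= sizeof(*data))`, with a cast if tes_paramlen is a signed type. Going by the commit message the block originates in userspace, so the kernel side should not depend on the lst utility sending a full-sized one. The switch continues outside the hunk, and the LST_TEST_BULK branch may deserve the same length check.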
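Review bot: In the LST_TEST_PING case of lst_get_test_param (lnet/utils/lst.c), the malloc() followed by memset() can be the single call `ping = calloc(1, sizeof(*ping));`, which keeps the zero-initialisation from being lost if the block is later copied for another test type. The comment `/* unused but needs for kernel part */` is hard to parse; something like `/* ping takes no options here, but the kernel expects a parameter block */` says why the allocation exists. The function continues outside the hunk, so whether the caller frees `*param` on every path cannot be confirmed from here.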