LU-4563 Fix unsafe userspace access in many proc files

[fs/lustre-release.git] / lustre / mgs / mgs_nids.c

diff --git a/lustre/mgs/mgs_nids.c b/lustre/mgs/mgs_nids.c
index 4f46881..abeff63 100644 (file)
--- a/lustre/mgs/mgs_nids.c
+++ b/lustre/mgs/mgs_nids.c
@@ -253,7 +253,7 @@ static int nidtbl_update_version(const struct lu_env *env,
                GOTO(out_put, rc = PTR_ERR(th));
 
        th->th_sync = 1; /* update table synchronously */
-       rc = dt_declare_record_write(env, fsdb, buf.lb_len, off, th);
+       rc = dt_declare_record_write(env, fsdb, &buf, off, th);
        if (rc)
                GOTO(out, rc);
 
@@ -301,7 +301,7 @@ static int nidtbl_read_version(const struct lu_env *env,
        }
 
        fsdb = dt_locate_at(env, mgs->mgs_bottom, &fid,
-                           &mgs->mgs_dt_dev.dd_lu_dev);
+                           &mgs->mgs_dt_dev.dd_lu_dev, NULL);
        if (IS_ERR(fsdb))
                RETURN(PTR_ERR(fsdb));
 
@@ -414,10 +414,10 @@ static int mgs_nidtbl_init_fs(const struct lu_env *env, struct fs_db *fsdb)
 /* --------- Imperative Recovery relies on nidtbl stuff ------- */
 void mgs_ir_notify_complete(struct fs_db *fsdb)
 {
-        struct timeval tv;
-        cfs_duration_t delta;
+       struct timeval tv;
+       cfs_duration_t delta;
 
-        cfs_atomic_set(&fsdb->fsdb_notify_phase, 0);
+       atomic_set(&fsdb->fsdb_notify_phase, 0);
 
         /* do statistic */
         fsdb->fsdb_notify_count++;
@@ -445,47 +445,47 @@ static int mgs_ir_notify(void *arg)
 
         set_user_nice(current, -2);
 
-        mgc_fsname2resid(fsdb->fsdb_name, &resid, CONFIG_T_RECOVER);
-        while (1) {
-                struct l_wait_info   lwi = { 0 };
+       mgc_fsname2resid(fsdb->fsdb_name, &resid, CONFIG_T_RECOVER);
+       while (1) {
+               struct l_wait_info   lwi = { 0 };
 
-                l_wait_event(fsdb->fsdb_notify_waitq,
-                             fsdb->fsdb_notify_stop ||
-                             cfs_atomic_read(&fsdb->fsdb_notify_phase),
-                             &lwi);
-                if (fsdb->fsdb_notify_stop)
-                        break;
+               l_wait_event(fsdb->fsdb_notify_waitq,
+                            fsdb->fsdb_notify_stop ||
+                            atomic_read(&fsdb->fsdb_notify_phase),
+                            &lwi);
+               if (fsdb->fsdb_notify_stop)
+                       break;
 
-                CDEBUG(D_MGS, "%s woken up, phase is %d\n",
-                       name, cfs_atomic_read(&fsdb->fsdb_notify_phase));
+               CDEBUG(D_MGS, "%s woken up, phase is %d\n",
+                      name, atomic_read(&fsdb->fsdb_notify_phase));
 
-                fsdb->fsdb_notify_start = cfs_time_current();
+               fsdb->fsdb_notify_start = cfs_time_current();
                mgs_revoke_lock(fsdb->fsdb_mgs, fsdb, CONFIG_T_RECOVER);
-        }
+       }
 
        complete(&fsdb->fsdb_notify_comp);
-        return 0;
+       return 0;
 }
 
 int mgs_ir_init_fs(const struct lu_env *env, struct mgs_device *mgs,
                   struct fs_db *fsdb)
 {
-       cfs_task_t *task;
+       struct task_struct *task;
 
-        if (!ir_timeout)
-                ir_timeout = OBD_IR_MGS_TIMEOUT;
+       if (!ir_timeout)
+               ir_timeout = OBD_IR_MGS_TIMEOUT;
 
-        fsdb->fsdb_ir_state = IR_FULL;
-        if (cfs_time_before(cfs_time_current_sec(),
-                            mgs->mgs_start_time + ir_timeout))
-                fsdb->fsdb_ir_state = IR_STARTUP;
-        fsdb->fsdb_nonir_clients = 0;
-        CFS_INIT_LIST_HEAD(&fsdb->fsdb_clients);
+       fsdb->fsdb_ir_state = IR_FULL;
+       if (cfs_time_before(cfs_time_current_sec(),
+                           mgs->mgs_start_time + ir_timeout))
+               fsdb->fsdb_ir_state = IR_STARTUP;
+       fsdb->fsdb_nonir_clients = 0;
+       CFS_INIT_LIST_HEAD(&fsdb->fsdb_clients);
 
-        /* start notify thread */
+       /* start notify thread */
        fsdb->fsdb_mgs = mgs;
-        cfs_atomic_set(&fsdb->fsdb_notify_phase, 0);
-        cfs_waitq_init(&fsdb->fsdb_notify_waitq);
+       atomic_set(&fsdb->fsdb_notify_phase, 0);
+       init_waitqueue_head(&fsdb->fsdb_notify_waitq);
        init_completion(&fsdb->fsdb_notify_comp);
 
        task = kthread_run(mgs_ir_notify, fsdb,
@@ -496,22 +496,22 @@ int mgs_ir_init_fs(const struct lu_env *env, struct mgs_device *mgs,
                CERROR("Start notify thread error %ld\n", PTR_ERR(task));
 
        mgs_nidtbl_init_fs(env, fsdb);
-        return 0;
+       return 0;
 }
 
 void mgs_ir_fini_fs(struct mgs_device *mgs, struct fs_db *fsdb)
 {
        if (test_bit(FSDB_MGS_SELF, &fsdb->fsdb_flags))
-                return;
+               return;
 
-        mgs_fsc_cleanup_by_fsdb(fsdb);
+       mgs_fsc_cleanup_by_fsdb(fsdb);
 
-        mgs_nidtbl_fini_fs(fsdb);
+       mgs_nidtbl_fini_fs(fsdb);
 
-        LASSERT(cfs_list_empty(&fsdb->fsdb_clients));
+       LASSERT(cfs_list_empty(&fsdb->fsdb_clients));
 
-        fsdb->fsdb_notify_stop = 1;
-        cfs_waitq_signal(&fsdb->fsdb_notify_waitq);
+       fsdb->fsdb_notify_stop = 1;
+       wake_up(&fsdb->fsdb_notify_waitq);
        wait_for_completion(&fsdb->fsdb_notify_comp);
 }
 
@@ -563,14 +563,14 @@ int mgs_ir_update(const struct lu_env *env, struct mgs_device *mgs,
         }
        mutex_unlock(&fsdb->fsdb_mutex);
 
-        LASSERT(ergo(mti->mti_flags & LDD_F_IR_CAPABLE, notify));
-        if (notify) {
-                CDEBUG(D_MGS, "Try to revoke recover lock of %s\n",
-                       fsdb->fsdb_name);
-                cfs_atomic_inc(&fsdb->fsdb_notify_phase);
-                cfs_waitq_signal(&fsdb->fsdb_notify_waitq);
-        }
-        return 0;
+       LASSERT(ergo(mti->mti_flags & LDD_F_IR_CAPABLE, notify));
+       if (notify) {
+               CDEBUG(D_MGS, "Try to revoke recover lock of %s\n",
+                      fsdb->fsdb_name);
+               atomic_inc(&fsdb->fsdb_notify_phase);
+               wake_up(&fsdb->fsdb_notify_waitq);
+       }
+       return 0;
 }
 
 /* NID table can be cached by two entities: Clients and MDTs */
@@ -658,10 +658,6 @@ int mgs_get_ir_logs(struct ptlrpc_request *req)
         if (pages == NULL)
                 RETURN(-ENOMEM);
 
-        rc = req_capsule_server_pack(&req->rq_pill);
-        if (rc)
-                GOTO(out, rc);
-
         res = req_capsule_server_get(&req->rq_pill, &RMF_MGS_CONFIG_RES);
         if (res == NULL)
                 GOTO(out, rc = -EINVAL);
@@ -752,25 +748,25 @@ static struct lproc_ir_cmd {
         { "0",        1, lprocfs_ir_clear_stats }
 };
 
-int lprocfs_wr_ir_state(struct file *file, const char *buffer,
-                         unsigned long count, void *data)
+int lprocfs_wr_ir_state(struct file *file, const char __user *buffer,
+                       size_t count, void *data)
 {
         struct fs_db *fsdb = data;
         char *kbuf;
         char *ptr;
         int rc = 0;
 
-       if (count > PAGE_CACHE_SIZE)
-                return -EINVAL;
+       if (count == 0 || count >= PAGE_CACHE_SIZE)
+               return -EINVAL;
 
-        OBD_ALLOC(kbuf, count + 1);
-        if (kbuf == NULL)
-                return -ENOMEM;
+       OBD_ALLOC(kbuf, count + 1);
+       if (kbuf == NULL)
+               return -ENOMEM;
 
-        if (copy_from_user(kbuf, buffer, count)) {
-                OBD_FREE(kbuf, count);
-                return -EFAULT;
-        }
+       if (copy_from_user(kbuf, buffer, count)) {
+               OBD_FREE(kbuf, count + 1);
+               return -EFAULT;
+       }
 
         kbuf[count] = 0; /* buffer is supposed to end with 0 */
         if (kbuf[count - 1] == '\n')
@@ -842,15 +838,14 @@ int lprocfs_rd_ir_state(struct seq_file *seq, void *data)
         return 0;
 }
 
-int lprocfs_rd_ir_timeout(char *page, char **start, off_t off, int count,
-                          int *eof, void *data)
+int lprocfs_ir_timeout_seq_show(struct seq_file *m, void *data)
 {
-        *eof = 1;
-        return snprintf(page, count, "%d\n", ir_timeout);
+       return lprocfs_uint_seq_show(m, &ir_timeout);
 }
 
-int lprocfs_wr_ir_timeout(struct file *file, const char *buffer,
-                          unsigned long count, void *data)
+ssize_t lprocfs_ir_timeout_seq_write(struct file *file,
+                                    const char __user *buffer,
+                                    size_t count, loff_t *off)
 {
         return lprocfs_wr_uint(file, buffer, count, &ir_timeout);
 }