Branch: HEAD

Before packing join_file req, all the related reference should be
checked carefully in case some malformed flags cause fake join_file
req on client.
b=14614
i=adilger,johann

diff --git a/lustre/ChangeLog b/lustre/ChangeLog
index 5eaa1fe..4fec361 100644 (file)
--- a/lustre/ChangeLog
+++ b/lustre/ChangeLog
@@ -580,6 +580,13 @@ Bugzilla   : 14398
 Description: Allow masking D_WARNING, D_ERROR messages from console
 Details    : Console messages can now be disabled via lnet.printk.
 
+Severity   : normal
+Bugzilla   : 14614
+Description: User code with malformed file open parameter crashes client node 
+Details    : Before packing join_file req, all the related reference should be
+            checked carefully in case some malformed flags cause fake
+            join_file req on client.
+
 --------------------------------------------------------------------------------
 
 2007-08-10         Cluster File Systems, Inc. <info@clusterfs.com>

diff --git a/lustre/mdc/mdc_locks.c b/lustre/mdc/mdc_locks.c
index c728797..73b3d73 100644 (file)
--- a/lustre/mdc/mdc_locks.c
+++ b/lustre/mdc/mdc_locks.c
@@ -276,7 +276,8 @@ int mdc_enqueue(struct obd_export *exp, struct ldlm_enqueue_info *einfo,
         LASSERTF(einfo->ei_type == LDLM_IBITS,"lock type %d\n", einfo->ei_type);
 
         if (it->it_op & IT_OPEN) {
-                int do_join = !!(it->it_flags & O_JOIN_FILE);
+                int do_join = (!!(it->it_flags & O_JOIN_FILE) && 
+                              op_data->op_data);
                 CFS_LIST_HEAD(cancels);
                 int count = 0;
                 int mode;
@@ -314,7 +315,7 @@ int mdc_enqueue(struct obd_export *exp, struct ldlm_enqueue_info *einfo,
                 }
 
                 /* If CREATE or JOIN_FILE, cancel parent's UPDATE lock. */
-                if (it->it_op & IT_CREAT || it->it_flags & O_JOIN_FILE)
+                if (it->it_op & IT_CREAT || do_join)
                         mode = LCK_EX;
                 else
                         mode = LCK_CR;
@@ -325,6 +326,8 @@ int mdc_enqueue(struct obd_export *exp, struct ldlm_enqueue_info *einfo,
                 if (do_join)
                         size[DLM_INTENT_REC_OFF + 5] =
                                                 sizeof(struct mdt_rec_join);
+                else
+                        it->it_flags &= ~O_JOIN_FILE;
 
                 req = ldlm_prep_enqueue_req(exp, 8 + do_join, size, &cancels,
                                             count);
@@ -334,7 +337,7 @@ int mdc_enqueue(struct obd_export *exp, struct ldlm_enqueue_info *einfo,
                 if (do_join) {
                         /* join is like an unlink of the tail */
                         policy.l_inodebits.bits = MDS_INODELOCK_UPDATE;
-                        mdc_join_pack(req, DLM_INTENT_REC_OFF + 5, op_data,
+                               mdc_join_pack(req, DLM_INTENT_REC_OFF + 5, op_data,
                                       (*(__u64 *)op_data->op_data));
                 }
 

diff --git a/lustre/tests/openfile.c b/lustre/tests/openfile.c
index 6cba76b..66aba74 100644 (file)
--- a/lustre/tests/openfile.c
+++ b/lustre/tests/openfile.c
@@ -83,6 +83,16 @@ int main(int argc, char** argv)
                         }
 
                         strncpy(cloned_flags, optarg, strlen(optarg)+1);
+                        flags = atoi(cloned_flags);
+                        if (flags > 0) {
+                                flag_set = 1;
+#ifdef DEBUG
+                                printf("flags = %d\n",flags);
+#endif
+                                break;
+                        } else 
+                                flags = 0;
+                        
                         for (tmp = strtok(cloned_flags, ":|"); tmp;
                              tmp = strtok(NULL, ":|")) {
                                 int i = 0;

diff --git a/lustre/tests/sanity.sh b/lustre/tests/sanity.sh
index bae0863..a20bcd6 100644 (file)
--- a/lustre/tests/sanity.sh
+++ b/lustre/tests/sanity.sh
@@ -1551,6 +1551,14 @@ test_33a() {
 }
 run_test 33a "test open file(mode=0444) with O_RDWR (should return error)"
 
+test_33b() {
+        rm -fr $DIR/d33
+        mkdir -p $DIR/d33
+        chown $RUNAS_ID $DIR/d33
+        $RUNAS $OPENFILE -f 1286739555 $DIR/d33/f33 && error "create" || true
+}
+run_test 33b "test open file with malformed flags (No panic and return error)"
+
 TEST_34_SIZE=${TEST_34_SIZE:-2000000000000}
 test_34a() {
        rm -f $DIR/f34