From: Oleg Drokin
Date: Sat, 17 Aug 2019 05:36:07 +0000 (-0400)
Subject: LU-12603 ldlm: Check cancel lock count for correctness
X-Git-Tag: 2.12.58~20
X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=7cc43aef98f6a759cbc5ae572123b44803c0ccd2
LU-12603 ldlm: Check cancel lock count for correctness
Make sure the number of locks we are going to cancel fits into the supplied buffer first.
Change-Id: I93887133532bf7ee2be27114b1972aa64e06623c
Signed-off-by: Oleg Drokin
Reported-by: Alibaba Cloud
Reviewed-on: https://review.whamcloud.com/35806
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Andreas Dilger
Reviewed-by: Yunye Ry
---
diff --git a/lustre/ldlm/ldlm_lockd.c b/lustre/ldlm/ldlm_lockd.c
index 6fcc0a9..cef3857 100644
--- a/lustre/ldlm/ldlm_lockd.c
+++ b/lustre/ldlm/ldlm_lockd.c
@@ -1673,9 +1673,16 @@ int ldlm_request_cancel(struct ptlrpc_request *req,
 struct ldlm_resource *res, *pres = NULL;
 struct ldlm_lock *lock;
 int i, count, done = 0;
+ unsigned int size;
 ENTRY;
+ size = req_capsule_get_size(&req->rq_pill, &RMF_DLM_REQ, RCL_CLIENT);
+ if (size <= offsetof(struct ldlm_request, lock_handle) ||
+ (size - offsetof(struct ldlm_request, lock_handle)) /
+ sizeof(struct lustre_handle) < dlm_req->lock_count)
+ RETURN(0);
+
 count = dlm_req->lock_count ? dlm_req->lock_count : 1;
 if (first >= count)
 RETURN(0);
@@ -1766,6 +1773,10 @@ int ldlm_handle_cancel(struct ptlrpc_request *req)
 RETURN(-EFAULT);
 }
+ if (req_capsule_get_size(&req->rq_pill, &RMF_DLM_REQ, RCL_CLIENT) <
+ offsetof(struct ldlm_request, lock_handle[1]))
+ RETURN(-EPROTO);
+
 if (req->rq_export && req->rq_export->exp_nid_stats && req->rq_export->exp_nid_stats->nid_ldlm_stats)
 lprocfs_counter_incr(req->rq_export->exp_nid_stats->nid_ldlm_stats,
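Review bot: In ldlm_request_cancel() the new guard is checked against `dlm_req->lock_count`, yet the next line turns a zero `lock_count` into `count = 1`, so a buffer holding less than one full `struct lustre_handle` after the header passes the check while the loop outside this hunk presumably still reads `lock_handle[0]`. ldlm_handle_cancel() covers its own path with the `lock_handle[1]` check in the second hunk, but other callers of this function are not visible here; changing the first condition to `size < offsetof(struct ldlm_request, lock_handle[1]) ||` would enforce the one-handle minimum in the function itself. The rejection is also silent, here and at the `RETURN(-EPROTO)` in the second hunk, so a malformed cancel leaves no trace on the server; a `DEBUG_REQ(D_ERROR, req, "cancel lock count exceeds request buffer");` before returning would fix that (the `if` then needs braces).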
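Review bot: The `lock_handle[1]` index in the new `offsetof()` in ldlm_handle_cancel() reads like an off-by-one unless the reader knows it denotes the end of the first handle; a comment such as `/* buffer must hold the header plus at least lock_handle[0] */` above the check would make the intent explicit. The check also returns before `lprocfs_counter_incr()`, so rejected requests are not counted in the per-NID ldlm stats; if that is intended, saying so in the same comment would help. ldlm_handle_cancel() begins and ends outside this hunk.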