From: Oleg Drokin Date: Sun, 6 Apr 2014 02:38:30 +0000 (-0400) Subject: LU-4563 Fix unsafe userspace access in many proc files X-Git-Tag: 2.5.59~94 X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=ad1f3518fa418b75d83809ccfcf6dd1489493726 LU-4563 Fix unsafe userspace access in many proc files Also add a test to make sure no new ones are added in the future Change-Id: I2fe7d2cea5daef21f4279ce813ca35f6d91f68dc Signed-off-by: Oleg Drokin Reviewed-on: http://review.whamcloud.com/9059 Tested-by: Jenkins Reviewed-by: Dmitry Eremin Tested-by: Maloo Reviewed-by: James Simmons --- diff --git a/lustre/fid/lproc_fid.c b/lustre/fid/lproc_fid.c index 3b9d170..3f2cd68 100644 --- a/lustre/fid/lproc_fid.c +++ b/lustre/fid/lproc_fid.c @@ -53,6 +53,9 @@ #include #ifdef LPROCFS + +/* Format: [0x64BIT_INT - 0x64BIT_INT] + 32 bytes just in case */ +#define MAX_FID_RANGE_STRLEN (32 + 2 * 2 * sizeof(__u64)) /** * Reduce the SEQ range allocated to a node to a strict subset of the range * currently-allocated SEQ range. If the specified range is "clear", then @@ -62,22 +65,31 @@ * safe for production use. */ static int -lprocfs_fid_write_common(const char *buffer, unsigned long count, +lprocfs_fid_write_common(const char __user *buffer, size_t count, struct lu_seq_range *range) { struct lu_seq_range tmp = { 0, }; int rc; + char kernbuf[MAX_FID_RANGE_STRLEN]; ENTRY; LASSERT(range != NULL); - if (count == 5 && strcmp(buffer, "clear") == 0) { + if (count >= sizeof(kernbuf)) + RETURN(-EINVAL); + + if (copy_from_user(kernbuf, buffer, count)) + RETURN(-EFAULT); + + kernbuf[count] = 0; + + if (count == 5 && strcmp(kernbuf, "clear") == 0) { memset(range, 0, sizeof(*range)); RETURN(0); } /* of the form "[0x0000000240000400 - 0x000000028000400]" */ - rc = sscanf(buffer, "[%llx - %llx]\n", + rc = sscanf(kernbuf, "[%llx - %llx]\n", (long long unsigned *)&tmp.lsr_start, (long long unsigned *)&tmp.lsr_end); if (!range_is_sane(&tmp) || range_is_zero(&tmp) || 
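Review bot: In lprocfs_fid_write_common the "clear" test still requires `count == 5`, and the new kernbuf is not stripped of a trailing newline the way the other handlers converted in this commit do it. A write of "clear\n" (count 6) therefore falls through to the sscanf() range parser instead of clearing the range. If that is not intended, add `if (count > 0 && kernbuf[count - 1] == '\n') kernbuf[--count] = 0;` after the terminator is stored. The function body continues past the end of the hunk, so the later range checks are not visible here.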
@@ -92,7 +104,7 @@ lprocfs_fid_write_common(const char *buffer, unsigned long count, * Server side procfs stuff. */ static ssize_t -lprocfs_server_fid_space_seq_write(struct file *file, const char *buffer, +lprocfs_server_fid_space_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { struct lu_server_seq *seq = ((struct seq_file *)file->private_data)->private; @@ -155,7 +167,7 @@ lprocfs_server_fid_server_seq_show(struct seq_file *m, void *unused) } static ssize_t -lprocfs_server_fid_width_seq_write(struct file *file, const char *buffer, +lprocfs_server_fid_width_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { struct lu_server_seq *seq = ((struct seq_file *)file->private_data)->private; @@ -421,26 +433,27 @@ static int fldb_seq_release(struct inode *inode, struct file *file) return 0; } -static ssize_t fldb_seq_write(struct file *file, const char *buf, +static ssize_t fldb_seq_write(struct file *file, const char __user *buf, size_t len, loff_t *off) { struct seq_file *seq = file->private_data; struct fld_seq_param *param; struct lu_seq_range range; int rc = 0; - char *buffer, *_buffer; + char _buffer[MAX_FID_RANGE_STRLEN]; + char *buffer = _buffer; ENTRY; param = seq->private; if (param == NULL) RETURN(-EINVAL); - OBD_ALLOC(buffer, len + 1); - if (buffer == NULL) - RETURN(-ENOMEM); - memcpy(buffer, buf, len); + if (len >= sizeof(_buffer)) + RETURN(-EINVAL); + + if (copy_from_user(buffer, buf, len)) + GOTO(out, rc = -EFAULT); buffer[len] = 0; - _buffer = buffer; /* * format - [0x0000000200000007-0x0000000200000008):0:mdt @@ -478,7 +491,6 @@ static ssize_t fldb_seq_write(struct file *file, const char *buf, &range, ¶m->fsp_env); out: - OBD_FREE(_buffer, len + 1); RETURN(rc < 0 ? rc : len); } 
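Review bot: fldb_seq_write now sizes its stack buffer with MAX_FID_RANGE_STRLEN, but that macro's comment only describes the `[0x64BIT_INT - 0x64BIT_INT]` form, while this function parses the longer `[start-end):index:type` form shown in its own comment. The sample string fits in the 64 bytes, but the margin is no longer the documented "32 bytes just in case", and writes that the old heap buffer accepted at any length now return -EINVAL. I would extend the macro comment to say `/* also used for "[start-end):index:type" in fldb_seq_write */` so that a later change to either format revisits the bound.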
@@ -494,7 +506,7 @@ const struct file_operations seq_fld_proc_seq_fops = { /* Client side procfs stuff */ static ssize_t -lprocfs_client_fid_space_seq_write(struct file *file, const char *buffer, +lprocfs_client_fid_space_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { struct lu_client_seq *seq = ((struct seq_file *)file->private_data)->private; @@ -533,7 +545,7 @@ lprocfs_client_fid_space_seq_show(struct seq_file *m, void *unused) } static ssize_t -lprocfs_client_fid_width_seq_write(struct file *file, const char *buffer, +lprocfs_client_fid_width_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { struct lu_client_seq *seq = ((struct seq_file *)file->private_data)->private; diff --git a/lustre/llite/lproc_llite.c b/lustre/llite/lproc_llite.c index 9937cdf..97cfc09 100644 --- a/lustre/llite/lproc_llite.c +++ b/lustre/llite/lproc_llite.c @@ -400,7 +400,7 @@ static int ll_max_cached_mb_seq_show(struct seq_file *m, void *v) } static ssize_t -ll_max_cached_mb_seq_write(struct file *file, const char *buffer, +ll_max_cached_mb_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { struct seq_file *m = file->private_data; @@ -412,10 +412,19 @@ ll_max_cached_mb_seq_write(struct file *file, const char *buffer, int mult, rc, pages_number; int diff = 0; int nrpages = 0; + char kernbuf[128]; ENTRY; + if (count >= sizeof(kernbuf)) + RETURN(-EINVAL); + + if (copy_from_user(kernbuf, buffer, count)) + RETURN(-EFAULT); + kernbuf[count] = 0; + mult = 1 << (20 - PAGE_CACHE_SHIFT); - buffer = lprocfs_find_named_value(buffer, "max_cached_mb:", &count); + buffer += lprocfs_find_named_value(kernbuf, "max_cached_mb:", &count) - + kernbuf; rc = lprocfs_write_frac_helper(buffer, count, &pages_number, mult); if (rc) RETURN(rc); 
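Review bot: ll_max_cached_mb_seq_write reads the user buffer twice: kernbuf is used only to locate "max_cached_mb:", the resulting offset is then applied to the `__user` pointer, and lprocfs_write_frac_helper() fetches the bytes from userspace again. The writer can change the memory between the two fetches, so the number that gets parsed need not be the text that was located in kernbuf. The helper presumably does its own bounded copy, so this looks benign, but parsing the value from kernbuf would remove the second fetch. At a minimum I would add a comment such as `/* helper re-reads userspace; kernbuf is only used to find the offset */`. The same construct is added to osc_cached_mb_seq_write in lustre/osc/lproc_osc.c.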
@@ -1216,24 +1225,39 @@ static int ll_rw_extents_stats_pp_seq_show(struct seq_file *seq, void *v) } static ssize_t ll_rw_extents_stats_pp_seq_write(struct file *file, - const char *buf, size_t len, - loff_t *off) + const char __user *buf, + size_t len, + loff_t *off) { - struct seq_file *seq = file->private_data; - struct ll_sb_info *sbi = seq->private; - struct ll_rw_extents_info *io_extents = &sbi->ll_rw_extents_info; - int i; - int value = 1, rc = 0; + struct seq_file *seq = file->private_data; + struct ll_sb_info *sbi = seq->private; + struct ll_rw_extents_info *io_extents = &sbi->ll_rw_extents_info; + int i; + int value = 1, rc = 0; - rc = lprocfs_write_helper(buf, len, &value); - if (rc < 0 && (strcmp(buf, "disabled") == 0 || - strcmp(buf, "Disabled") == 0)) - value = 0; + if (len == 0) + return -EINVAL; - if (value == 0) - sbi->ll_rw_stats_on = 0; - else - sbi->ll_rw_stats_on = 1; + rc = lprocfs_write_helper(buf, len, &value); + if (rc < 0 && len < 16) { + char kernbuf[16]; + + if (copy_from_user(kernbuf, buf, len)) + return -EFAULT; + kernbuf[len] = 0; + + if (kernbuf[len - 1] == '\n') + kernbuf[len - 1] = 0; + + if (strcmp(kernbuf, "disabled") == 0 || + strcmp(kernbuf, "Disabled") == 0) + value = 0; + } + + if (value == 0) + sbi->ll_rw_stats_on = 0; + else + sbi->ll_rw_stats_on = 1; spin_lock(&sbi->ll_pp_extent_lock); for (i = 0; i < LL_PROCESS_HIST_MAX; i++) { 
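Review bot: The bound `len < 16` and the declaration `char kernbuf[16]` in ll_rw_extents_stats_pp_seq_write repeat the same literal, so a later resize of one can silently break the `kernbuf[len] = 0` store. Declare the buffer at function scope and test `if (rc < 0 && len < sizeof(kernbuf))`, as the other handlers in this commit do. The identical block (copy, terminate, trim newline, compare against "disabled"/"Disabled") is also pasted into ll_rw_extents_stats_seq_write and ll_rw_offset_stats_seq_write. A single static helper returning the parsed on/off value would keep the three user-copy paths from drifting apart.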
@@ -1275,24 +1299,40 @@ static int ll_rw_extents_stats_seq_show(struct seq_file *seq, void *v) return 0; } -static ssize_t ll_rw_extents_stats_seq_write(struct file *file, const char *buf, - size_t len, loff_t *off) +static ssize_t ll_rw_extents_stats_seq_write(struct file *file, + const char __user *buf, + size_t len, loff_t *off) { - struct seq_file *seq = file->private_data; - struct ll_sb_info *sbi = seq->private; - struct ll_rw_extents_info *io_extents = &sbi->ll_rw_extents_info; - int i; - int value = 1, rc = 0; + struct seq_file *seq = file->private_data; + struct ll_sb_info *sbi = seq->private; + struct ll_rw_extents_info *io_extents = &sbi->ll_rw_extents_info; + int i; + int value = 1, rc = 0; - rc = lprocfs_write_helper(buf, len, &value); - if (rc < 0 && (strcmp(buf, "disabled") == 0 || - strcmp(buf, "Disabled") == 0)) - value = 0; + if (len == 0) + return -EINVAL; + + rc = lprocfs_write_helper(buf, len, &value); + if (rc < 0 && len < 16) { + char kernbuf[16]; + + if (copy_from_user(kernbuf, buf, len)) + return -EFAULT; + kernbuf[len] = 0; + + if (kernbuf[len - 1] == '\n') + kernbuf[len - 1] = 0; + + if (strcmp(kernbuf, "disabled") == 0 || + strcmp(kernbuf, "Disabled") == 0) + value = 0; + } + + if (value == 0) + sbi->ll_rw_stats_on = 0; + else + sbi->ll_rw_stats_on = 1; - if (value == 0) - sbi->ll_rw_stats_on = 0; - else - sbi->ll_rw_stats_on = 1; spin_lock(&sbi->ll_pp_extent_lock); for (i = 0; i <= LL_PROCESS_HIST_MAX; i++) { io_extents->pp_extents[i].pid = 0; @@ -1303,7 +1343,6 @@ static ssize_t ll_rw_extents_stats_seq_write(struct file *file, const char *buf, return len; } - LPROC_SEQ_FOPS(ll_rw_extents_stats); void ll_rw_stats_tally(struct ll_sb_info *sbi, pid_t pid, 
@@ -1465,25 +1504,40 @@ static int ll_rw_offset_stats_seq_show(struct seq_file *seq, void *v) return 0; } -static ssize_t ll_rw_offset_stats_seq_write(struct file *file, const char *buf, - size_t len, loff_t *off) +static ssize_t ll_rw_offset_stats_seq_write(struct file *file, + const char __user *buf, + size_t len, loff_t *off) { - struct seq_file *seq = file->private_data; - struct ll_sb_info *sbi = seq->private; - struct ll_rw_process_info *process_info = sbi->ll_rw_process_info; - struct ll_rw_process_info *offset_info = sbi->ll_rw_offset_info; - int value = 1, rc = 0; + struct seq_file *seq = file->private_data; + struct ll_sb_info *sbi = seq->private; + struct ll_rw_process_info *process_info = sbi->ll_rw_process_info; + struct ll_rw_process_info *offset_info = sbi->ll_rw_offset_info; + int value = 1, rc = 0; - rc = lprocfs_write_helper(buf, len, &value); + if (len == 0) + return -EINVAL; - if (rc < 0 && (strcmp(buf, "disabled") == 0 || - strcmp(buf, "Disabled") == 0)) - value = 0; + rc = lprocfs_write_helper(buf, len, &value); - if (value == 0) - sbi->ll_rw_stats_on = 0; - else - sbi->ll_rw_stats_on = 1; + if (rc < 0 && len < 16) { + char kernbuf[16]; + + if (copy_from_user(kernbuf, buf, len)) + return -EFAULT; + kernbuf[len] = 0; + + if (kernbuf[len - 1] == '\n') + kernbuf[len - 1] = 0; + + if (strcmp(kernbuf, "disabled") == 0 || + strcmp(kernbuf, "Disabled") == 0) + value = 0; + } + + if (value == 0) + sbi->ll_rw_stats_on = 0; + else + sbi->ll_rw_stats_on = 1; spin_lock(&sbi->ll_process_lock); sbi->ll_offset_process_count = 0; diff --git a/lustre/mdt/mdt_coordinator.c b/lustre/mdt/mdt_coordinator.c index a9ee560..651ed7a 100644 --- a/lustre/mdt/mdt_coordinator.c +++ b/lustre/mdt/mdt_coordinator.c 
@@ -1982,25 +1982,37 @@ GENERATE_PROC_METHOD(cdt_default_archive_id) #define CDT_DISABLE_CMD "disabled" #define CDT_PURGE_CMD "purge" #define CDT_HELP_CMD "help" +#define CDT_MAX_CMD_LEN 10 -int lprocfs_wr_hsm_cdt_control(struct file *file, const char *buffer, +int lprocfs_wr_hsm_cdt_control(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); struct coordinator *cdt = &(mdt->mdt_coordinator); int rc, usage = 0; + char kernbuf[CDT_MAX_CMD_LEN]; ENTRY; + if (count == 0 || count >= sizeof(kernbuf)) + RETURN(-EINVAL); + + if (copy_from_user(kernbuf, buffer, count)) + RETURN(-EFAULT); + kernbuf[count] = 0; + + if (kernbuf[count - 1] == '\n') + kernbuf[count - 1] = 0; + rc = 0; - if (strncmp(buffer, CDT_ENABLE_CMD, strlen(CDT_ENABLE_CMD)) == 0) { + if (strcmp(kernbuf, CDT_ENABLE_CMD) == 0) { if (cdt->cdt_state == CDT_DISABLE) { cdt->cdt_state = CDT_RUNNING; mdt_hsm_cdt_wakeup(mdt); } else { rc = mdt_hsm_cdt_start(mdt); } - } else if (strncmp(buffer, CDT_STOP_CMD, strlen(CDT_STOP_CMD)) == 0) { + } else if (strcmp(kernbuf, CDT_STOP_CMD) == 0) { if ((cdt->cdt_state == CDT_STOPPING) || (cdt->cdt_state == CDT_STOPPED)) { CERROR("%s: Coordinator already stopped\n", @@ -2009,8 +2021,7 @@ int lprocfs_wr_hsm_cdt_control(struct file *file, const char *buffer, } else { cdt->cdt_state = CDT_STOPPING; } - } else if (strncmp(buffer, CDT_DISABLE_CMD, - strlen(CDT_DISABLE_CMD)) == 0) { + } else if (strcmp(kernbuf, CDT_DISABLE_CMD) == 0) { if ((cdt->cdt_state == CDT_STOPPING) || (cdt->cdt_state == CDT_STOPPED)) { CERROR("%s: Coordinator is stopped\n", 
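Review bot: `CDT_MAX_CMD_LEN 10` is an undocumented literal that is exactly tight for the longest command visible here: "disabled" plus an optional newline plus the terminator. Adding a longer CDT_*_CMD later would make lprocfs_wr_hsm_cdt_control reject it with -EINVAL at the `count >= sizeof(kernbuf)` check, with nothing pointing at the cause. I would add a comment on the define, for example `/* longest CDT_*_CMD + optional '\n' + NUL; bump when adding a longer command */`. CDT_ENABLE_CMD and CDT_STOP_CMD are defined above the hunk and should be checked against the same bound.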
@@ -2019,9 +2030,9 @@ int lprocfs_wr_hsm_cdt_control(struct file *file, const char *buffer, } else { cdt->cdt_state = CDT_DISABLE; } - } else if (strncmp(buffer, CDT_PURGE_CMD, strlen(CDT_PURGE_CMD)) == 0) { + } else if (strcmp(kernbuf, CDT_PURGE_CMD) == 0) { rc = hsm_cancel_all_actions(mdt); - } else if (strncmp(buffer, CDT_HELP_CMD, strlen(CDT_HELP_CMD)) == 0) { + } else if (strcmp(kernbuf, CDT_HELP_CMD) == 0) { usage = 1; } else { usage = 1; diff --git a/lustre/mdt/mdt_lproc.c b/lustre/mdt/mdt_lproc.c index 0ee5148..2603c79 100644 --- a/lustre/mdt/mdt_lproc.c +++ b/lustre/mdt/mdt_lproc.c @@ -287,8 +287,9 @@ static int lprocfs_rd_identity_expire(char *page, char **start, off_t off, mdt->mdt_identity_cache->uc_entry_expire); } -static int lprocfs_wr_identity_expire(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_identity_expire(struct file *file, + const char __user *buffer, + unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); @@ -315,9 +316,9 @@ static int lprocfs_rd_identity_acquire_expire(char *page, char **start, } static int lprocfs_wr_identity_acquire_expire(struct file *file, - const char *buffer, - unsigned long count, - void *data) + const char __user *buffer, + unsigned long count, + void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); @@ -346,7 +347,8 @@ static int lprocfs_rd_identity_upcall(char *page, char **start, off_t off, return len; } -static int lprocfs_wr_identity_upcall(struct file *file, const char *buffer, +static int lprocfs_wr_identity_upcall(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; 
@@ -389,8 +391,9 @@ static int lprocfs_wr_identity_upcall(struct file *file, const char *buffer, RETURN(rc); } -static int lprocfs_wr_identity_flush(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_identity_flush(struct file *file, + const char __user *buffer, + unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); @@ -404,7 +407,8 @@ static int lprocfs_wr_identity_flush(struct file *file, const char *buffer, return count; } -static int lprocfs_wr_identity_info(struct file *file, const char *buffer, +static int lprocfs_wr_identity_info(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -481,7 +485,7 @@ static int lprocfs_rd_capa(char *page, char **start, off_t off, mdt->mdt_lut.lut_mds_capa ? "mds" : ""); } -static int lprocfs_wr_capa(struct file *file, const char *buffer, +static int lprocfs_wr_capa(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -548,8 +552,8 @@ static int lprocfs_rd_capa_timeout(char *page, char **start, off_t off, return snprintf(page, count, "%lu\n", mdt->mdt_capa_timeout); } -static int lprocfs_wr_capa_timeout(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_capa_timeout(struct file *file, const char __user *buffer, + unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); 
@@ -573,8 +577,8 @@ static int lprocfs_rd_ck_timeout(char *page, char **start, off_t off, int count, return snprintf(page, count, "%lu\n", mdt->mdt_ck_timeout); } -static int lprocfs_wr_ck_timeout(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_ck_timeout(struct file *file, const char __user *buffer, + unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); @@ -591,8 +595,9 @@ static int lprocfs_wr_ck_timeout(struct file *file, const char *buffer, #define BUFLEN (UUID_MAX + 4) -static int lprocfs_mdt_wr_evict_client(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_mdt_wr_evict_client(struct file *file, + const char __user *buffer, + unsigned long count, void *data) { char *kbuf; char *tmpbuf; @@ -636,8 +641,8 @@ static int lprocfs_rd_sec_level(char *page, char **start, off_t off, return snprintf(page, count, "%d\n", mdt->mdt_lut.lut_sec_level); } -static int lprocfs_wr_sec_level(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_sec_level(struct file *file, const char __user *buffer, + unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); @@ -669,8 +674,8 @@ static int lprocfs_rd_cos(char *page, char **start, off_t off, return snprintf(page, count, "%u\n", mdt_cos_is_enabled(mdt)); } -static int lprocfs_wr_cos(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_cos(struct file *file, const char __user *buffer, + unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); 
@@ -708,29 +713,29 @@ static int safe_strtoul(const char *str, char **endp, unsigned long *res) return 0; } -static int lprocfs_wr_root_squash(struct file *file, const char *buffer, +static int lprocfs_wr_root_squash(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev); int rc; - char kernbuf[50], *tmp, *end, *errmsg; + char kernbuf[64], *tmp, *end, *errmsg; unsigned long uid, gid; int nouid, nogid; ENTRY; if (count >= sizeof(kernbuf)) { errmsg = "string too long"; - GOTO(failed, rc = -EINVAL); + GOTO(failed_noprint, rc = -EINVAL); } if (copy_from_user(kernbuf, buffer, count)) { errmsg = "bad address"; - GOTO(failed, rc = -EFAULT); + GOTO(failed_noprint, rc = -EFAULT); } kernbuf[count] = '\0'; nouid = nogid = 0; - if (safe_strtoul(buffer, &tmp, &uid)) { + if (safe_strtoul(kernbuf, &tmp, &uid)) { uid = mdt->mdt_squash_uid; nouid = 1; } @@ -762,7 +767,11 @@ static int lprocfs_wr_root_squash(struct file *file, const char *buffer, failed: CWARN("%s: failed to set root_squash to \"%s\", %s: rc %d\n", - mdt_obd_name(mdt), buffer, errmsg, rc); + mdt_obd_name(mdt), kernbuf, errmsg, rc); + RETURN(rc); +failed_noprint: + CWARN("%s: failed to set root_squash due to %s: rc %d\n", + mdt_obd_name(mdt), errmsg, rc); RETURN(rc); } @@ -777,7 +786,8 @@ static int lprocfs_rd_nosquash_nids(char *page, char **start, off_t off, return snprintf(page, count, "NONE\n"); } -static int lprocfs_wr_nosquash_nids(struct file *file, const char *buffer, +static int lprocfs_wr_nosquash_nids(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; 
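Review bot: The new `failed_noprint` label in lprocfs_wr_root_squash has no comment explaining why it exists, and a later cleanup could easily merge it back into `failed`. The two early error paths run before kernbuf holds a terminated string, so the `"%s"` in the `failed` message must not be reached from them. A comment above the label would record this, for example `/* kernbuf is not filled in on these paths, so it must not be printed */`. Separately, the `failed` message now logs kernbuf, which is writer-supplied text, so whoever reads the log should expect arbitrary bytes there.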
@@ -853,8 +863,8 @@ static int lprocfs_rd_mdt_som(char *page, char **start, off_t off, mdt->mdt_som_conf ? "en" : "dis"); } -static int lprocfs_wr_mdt_som(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_wr_mdt_som(struct file *file, const char __user *buffer, + unsigned long count, void *data) { struct obd_export *exp; struct obd_device *obd = data; @@ -912,7 +922,8 @@ static int lprocfs_rd_enable_remote_dir(char *page, char **start, off_t off, return snprintf(page, count, "%u\n", mdt->mdt_enable_remote_dir); } -static int lprocfs_wr_enable_remote_dir(struct file *file, const char *buffer, +static int lprocfs_wr_enable_remote_dir(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -942,7 +953,7 @@ static int lprocfs_rd_enable_remote_dir_gid(char *page, char **start, off_t off, } static int lprocfs_wr_enable_remote_dir_gid(struct file *file, - const char *buffer, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; diff --git a/lustre/mgs/mgs_internal.h b/lustre/mgs/mgs_internal.h index d3baacd..457fbbb 100644 --- a/lustre/mgs/mgs_internal.h +++ b/lustre/mgs/mgs_internal.h @@ -227,7 +227,7 @@ void mgs_ir_fini_fs(struct mgs_device *mgs, struct fs_db *fsdb); void mgs_ir_notify_complete(struct fs_db *fsdb); int mgs_get_ir_logs(struct ptlrpc_request *req); int lprocfs_wr_ir_state(struct file *file, const char *buffer, - unsigned long count, void *data); + size_t count, void *data); int lprocfs_rd_ir_state(struct seq_file *seq, void *data); ssize_t lprocfs_ir_timeout_seq_write(struct file *file, const char *buffer, diff --git a/lustre/mgs/mgs_nids.c b/lustre/mgs/mgs_nids.c index a4d8800..abeff63 100644 --- a/lustre/mgs/mgs_nids.c +++ b/lustre/mgs/mgs_nids.c 
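Review bot: The prototype of lprocfs_wr_ir_state in mgs_internal.h gets `size_t count` but keeps `const char *buffer`, while the definition in mgs_nids.c is changed to `const char __user *buffer`. The declaration of lprocfs_ir_timeout_seq_write visible in the same hunk is likewise left without the annotation. Sparse will report the address-space mismatch, and callers that include only the header lose the check this commit is adding. Both prototypes should read `const char __user *buffer`. The hunk header in lustre/osd-zfs/osd_lproc.c also shows lprocfs_osd_wr_force_sync still taking `const char *buffer`, which may need the same treatment.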
@@ -748,25 +748,25 @@ static struct lproc_ir_cmd { { "0", 1, lprocfs_ir_clear_stats } }; -int lprocfs_wr_ir_state(struct file *file, const char *buffer, - unsigned long count, void *data) +int lprocfs_wr_ir_state(struct file *file, const char __user *buffer, + size_t count, void *data) { struct fs_db *fsdb = data; char *kbuf; char *ptr; int rc = 0; - if (count > PAGE_CACHE_SIZE) - return -EINVAL; + if (count == 0 || count >= PAGE_CACHE_SIZE) + return -EINVAL; - OBD_ALLOC(kbuf, count + 1); - if (kbuf == NULL) - return -ENOMEM; + OBD_ALLOC(kbuf, count + 1); + if (kbuf == NULL) + return -ENOMEM; - if (copy_from_user(kbuf, buffer, count)) { - OBD_FREE(kbuf, count); - return -EFAULT; - } + if (copy_from_user(kbuf, buffer, count)) { + OBD_FREE(kbuf, count + 1); + return -EFAULT; + } kbuf[count] = 0; /* buffer is supposed to end with 0 */ if (kbuf[count - 1] == '\n') @@ -843,9 +843,9 @@ int lprocfs_ir_timeout_seq_show(struct seq_file *m, void *data) return lprocfs_uint_seq_show(m, &ir_timeout); } -ssize_t -lprocfs_ir_timeout_seq_write(struct file *file, const char *buffer, - size_t count, loff_t *off) +ssize_t lprocfs_ir_timeout_seq_write(struct file *file, + const char __user *buffer, + size_t count, loff_t *off) { return lprocfs_wr_uint(file, buffer, count, &ir_timeout); } diff --git a/lustre/obdclass/linux/linux-module.c b/lustre/obdclass/linux/linux-module.c index e96802d..1642123 100644 --- a/lustre/obdclass/linux/linux-module.c +++ b/lustre/obdclass/linux/linux-module.c 
@@ -300,15 +300,22 @@ static int obd_proc_jobid_var_seq_show(struct seq_file *m, void *v) } static ssize_t -obd_proc_jobid_var_seq_write(struct file *file, const char *buffer, - size_t count, loff_t *off) +obd_proc_jobid_var_seq_write(struct file *file, const char __user *buffer, + size_t count, loff_t *off) { if (!count || count > JOBSTATS_JOBID_VAR_MAX_LEN) return -EINVAL; memset(obd_jobid_var, 0, JOBSTATS_JOBID_VAR_MAX_LEN + 1); + + /* This might leave the var invalid on error, which is probably fine.*/ + if (copy_from_user(obd_jobid_var, buffer, count)) + return -EFAULT; + /* Trim the trailing '\n' if any */ - memcpy(obd_jobid_var, buffer, count - (buffer[count - 1] == '\n')); + if (obd_jobid_var[count - 1] == '\n') + obd_jobid_var[count - 1] = 0; + return count; } LPROC_SEQ_FOPS(obd_proc_jobid_var); diff --git a/lustre/obdclass/lprocfs_jobstats.c b/lustre/obdclass/lprocfs_jobstats.c index d443841..87a1303 100644 --- a/lustre/obdclass/lprocfs_jobstats.c +++ b/lustre/obdclass/lprocfs_jobstats.c @@ -430,7 +430,8 @@ static int lprocfs_jobstats_seq_open(struct inode *inode, struct file *file) return 0; } -static ssize_t lprocfs_jobstats_seq_write(struct file *file, const char *buf, +static ssize_t lprocfs_jobstats_seq_write(struct file *file, + const char __user *buf, size_t len, loff_t *off) { struct seq_file *seq = file->private_data; 
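Review bot: obd_proc_jobid_var_seq_write copies from userspace straight into the global obd_jobid_var after zeroing it, so a faulting write leaves the setting empty or half-written, as the added comment concedes. Copying into a local buffer first and updating the global only on success keeps the previous value intact on -EFAULT, and it shortens the window in which readers see a partial string. The stack cost is JOBSTATS_JOBID_VAR_MAX_LEN + 1 bytes, which the existing global already implies is small. A sketch of the body follows.

```c
obd_proc_jobid_var_seq_write(struct file *file, const char __user *buffer,
			     size_t count, loff_t *off)
{
	char kernbuf[JOBSTATS_JOBID_VAR_MAX_LEN + 1];

	/* ... unchanged: count range check ... */

	if (copy_from_user(kernbuf, buffer, count))
		return -EFAULT;
	kernbuf[count] = 0;

	/* Trim the trailing '\n' if any */
	if (kernbuf[count - 1] == '\n')
		kernbuf[count - 1] = 0;

	/* Commit only after the user copy succeeded */
	memset(obd_jobid_var, 0, JOBSTATS_JOBID_VAR_MAX_LEN + 1);
	memcpy(obd_jobid_var, kernbuf, count);

	return count;
```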
@@ -439,18 +440,19 @@ static ssize_t lprocfs_jobstats_seq_write(struct file *file, const char *buf, int all = 0; struct job_stat *job; - if (!memcmp(buf, "clear", strlen("clear"))) { - all = 1; - } else if (len < JOBSTATS_JOBID_SIZE) { - memset(jobid, 0, JOBSTATS_JOBID_SIZE); - /* Trim '\n' if any */ - if (buf[len - 1] == '\n') - memcpy(jobid, buf, len - 1); - else - memcpy(jobid, buf, len); - } else { + if (len == 0 || len >= JOBSTATS_JOBID_SIZE) return -EINVAL; - } + + if (copy_from_user(jobid, buf, len)) + return -EFAULT; + jobid[len] = 0; + + /* Trim '\n' if any */ + if (jobid[len - 1] == '\n') + jobid[len - 1] = 0; + + if (strcmp(jobid, "clear") == 0) + all = 1; LASSERT(stats->ojs_hash); if (all) { @@ -544,7 +546,7 @@ int lprocfs_rd_job_interval(char *page, char **start, off_t off, } EXPORT_SYMBOL(lprocfs_rd_job_interval); -int lprocfs_wr_job_interval(struct file *file, const char *buffer, +int lprocfs_wr_job_interval(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = (struct obd_device *)data; diff --git a/lustre/obdclass/lprocfs_status.c b/lustre/obdclass/lprocfs_status.c index 30d9f59..8b8effa 100644 --- a/lustre/obdclass/lprocfs_status.c +++ b/lustre/obdclass/lprocfs_status.c @@ -307,7 +307,7 @@ int lprocfs_evict_client_release(struct inode *inode, struct file *f) #define BUFLEN (UUID_MAX + 5) #ifndef HAVE_ONLY_PROCFS_SEQ -int lprocfs_wr_evict_client(struct file *file, const char *buffer, +int lprocfs_wr_evict_client(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; diff --git a/lustre/ofd/lproc_ofd.c b/lustre/ofd/lproc_ofd.c index 000d4ae..359b373 100644 --- a/lustre/ofd/lproc_ofd.c +++ b/lustre/ofd/lproc_ofd.c 
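Review bot: lprocfs_jobstats_seq_write no longer zeroes `jobid` before filling it; the removed `memset(jobid, 0, JOBSTATS_JOBID_SIZE)` is replaced by a single terminator store at `jobid[len]`. The bytes after the terminator are now whatever was on the stack, unless the declaration above the hunk initialises the array. That matters if the hash lookup further down compares or hashes the key as a fixed-size buffer rather than as a C string. Keeping `memset(jobid, 0, JOBSTATS_JOBID_SIZE);` ahead of the copy_from_user() call would preserve the old guarantee at negligible cost.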
@@ -117,7 +117,8 @@ static int lprocfs_ofd_rd_grant_ratio(char *page, char **start, off_t off, (int) ofd_grant_reserved(ofd, 100)); } -static int lprocfs_ofd_wr_grant_ratio(struct file *file, const char *buffer, +static int lprocfs_ofd_wr_grant_ratio(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = (struct obd_device *)data; @@ -157,7 +158,8 @@ static int lprocfs_ofd_rd_precreate_batch(char *page, char **start, off_t off, return snprintf(page, count, "%d\n", ofd->ofd_precreate_batch); } -static int lprocfs_ofd_wr_precreate_batch(struct file *file, const char *buffer, +static int lprocfs_ofd_wr_precreate_batch(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = (struct obd_device *)data; @@ -224,7 +226,7 @@ int lprocfs_ofd_rd_fmd_max_num(char *page, char **start, off_t off, return rc; } -int lprocfs_ofd_wr_fmd_max_num(struct file *file, const char *buffer, +int lprocfs_ofd_wr_fmd_max_num(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -254,7 +256,7 @@ int lprocfs_ofd_rd_fmd_max_age(char *page, char **start, off_t off, return rc; } -int lprocfs_ofd_wr_fmd_max_age(struct file *file, const char *buffer, +int lprocfs_ofd_wr_fmd_max_age(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -284,7 +286,7 @@ static int lprocfs_ofd_rd_capa(char *page, char **start, off_t off, return rc; } -static int lprocfs_ofd_wr_capa(struct file *file, const char *buffer, +static int lprocfs_ofd_wr_capa(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; 
@@ -324,7 +326,7 @@ int lprocfs_ofd_rd_degraded(char *page, char **start, off_t off, return snprintf(page, count, "%u\n", ofd->ofd_raid_degraded); } -int lprocfs_ofd_wr_degraded(struct file *file, const char *buffer, +int lprocfs_ofd_wr_degraded(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -366,7 +368,7 @@ int lprocfs_ofd_rd_syncjournal(char *page, char **start, off_t off, return rc; } -int lprocfs_ofd_wr_syncjournal(struct file *file, const char *buffer, +int lprocfs_ofd_wr_syncjournal(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -389,6 +391,8 @@ int lprocfs_ofd_wr_syncjournal(struct file *file, const char *buffer, return count; } +/* This must be longer than the longest string below */ +#define SYNC_STATES_MAXLEN 16 static char *sync_on_cancel_states[] = {"never", "blocking", "always" }; 
@@ -405,24 +409,39 @@ int lprocfs_ofd_rd_sync_lock_cancel(char *page, char **start, off_t off, return rc; } -int lprocfs_ofd_wr_sync_lock_cancel(struct file *file, const char *buffer, +int lprocfs_ofd_wr_sync_lock_cancel(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; struct lu_target *tgt = obd->u.obt.obt_lut; + char kernbuf[SYNC_STATES_MAXLEN]; int val = -1; int i; + if (count == 0 || count >= sizeof(kernbuf)) + return -EINVAL; + + if (copy_from_user(kernbuf, buffer, count)) + return -EFAULT; + kernbuf[count] = 0; + + if (kernbuf[count - 1] == '\n') + kernbuf[count - 1] = 0; + for (i = 0 ; i < NUM_SYNC_ON_CANCEL_STATES; i++) { - if (memcmp(buffer, sync_on_cancel_states[i], - strlen(sync_on_cancel_states[i])) == 0) { + if (strcmp(kernbuf, sync_on_cancel_states[i]) == 0) { val = i; break; } } + + /* Legacy numeric codes */ if (val == -1) { int rc; + /* Safe to use userspace buffer as lprocfs_write_helper will + * use copy from user for parsing */ rc = lprocfs_write_helper(buffer, count, &val); if (rc) return rc; @@ -448,7 +467,8 @@ int lprocfs_ofd_rd_grant_compat_disable(char *page, char **start, off_t off, return rc; } -int lprocfs_ofd_wr_grant_compat_disable(struct file *file, const char *buffer, +int lprocfs_ofd_wr_grant_compat_disable(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -480,7 +500,7 @@ int lprocfs_ofd_rd_soft_sync_limit(char *page, char **start, off_t off, &ofd->ofd_soft_sync_limit); } -int lprocfs_ofd_wr_soft_sync_limit(struct file *file, const char *buffer, +int lprocfs_ofd_wr_soft_sync_limit(struct file *file, const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; 
@@ -500,7 +520,8 @@ static int lprocfs_rd_lfsck_speed_limit(char *page, char **start, off_t off, return lfsck_get_speed(ofd->ofd_osd, page, count); } -static int lprocfs_wr_lfsck_speed_limit(struct file *file, const char *buffer, +static int lprocfs_wr_lfsck_speed_limit(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; @@ -543,7 +564,8 @@ static int lprocfs_rd_lfsck_verify_pfid(char *page, char **start, off_t off, ofd->ofd_inconsistency_self_repaired); } -static int lprocfs_wr_lfsck_verify_pfid(struct file *file, const char *buffer, +static int lprocfs_wr_lfsck_verify_pfid(struct file *file, + const char __user *buffer, unsigned long count, void *data) { struct obd_device *obd = data; diff --git a/lustre/osc/lproc_osc.c b/lustre/osc/lproc_osc.c index ccfc212..2f8da8c 100644 --- a/lustre/osc/lproc_osc.c +++ b/lustre/osc/lproc_osc.c @@ -178,15 +178,24 @@ static int osc_cached_mb_seq_show(struct seq_file *m, void *v) /* shrink the number of caching pages to a specific number */ static ssize_t -osc_cached_mb_seq_write(struct file *file, const char *buffer, +osc_cached_mb_seq_write(struct file *file, const char __user *buffer, size_t count, loff_t *off) { struct obd_device *dev = ((struct seq_file *)file->private_data)->private; struct client_obd *cli = &dev->u.cli; int pages_number, mult, rc; + char kernbuf[128]; + + if (count >= sizeof(kernbuf)) + return -EINVAL; + + if (copy_from_user(kernbuf, buffer, count)) + return -EFAULT; + kernbuf[count] = 0; mult = 1 << (20 - PAGE_CACHE_SHIFT); - buffer = lprocfs_find_named_value(buffer, "used_mb:", &count); + buffer += lprocfs_find_named_value(kernbuf, "used_mb:", &count) - + kernbuf; rc = lprocfs_write_frac_helper(buffer, count, &pages_number, mult); if (rc) return rc; diff --git a/lustre/osd-zfs/osd_lproc.c b/lustre/osd-zfs/osd_lproc.c index 0854ce6..bc8a807 100644 --- a/lustre/osd-zfs/osd_lproc.c +++ b/lustre/osd-zfs/osd_lproc.c 
@@ -140,8 +140,8 @@ static int lprocfs_osd_wr_force_sync(struct file *file, const char *buffer, return rc == 0 ? count : rc; } -static int lprocfs_osd_rd_iused_est(char *page, char **start, off_t off, int count, - int *eof, void *data) +static int lprocfs_osd_rd_iused_est(char *page, char **start, off_t off, + int count, int *eof, void *data) { struct osd_device *osd = osd_dt_dev((struct dt_device *)data); LASSERT(osd != NULL); @@ -149,8 +149,9 @@ static int lprocfs_osd_rd_iused_est(char *page, char **start, off_t off, int cou return snprintf(page, count, "%d\n", osd->od_quota_iused_est); } -static int lprocfs_osd_wr_iused_est(struct file *file, const char *buffer, - unsigned long count, void *data) +static int lprocfs_osd_wr_iused_est(struct file *file, + const char __user *buffer, + unsigned long count, void *data) { struct osd_device *osd = osd_dt_dev((struct dt_device *)data); int rc, val; diff --git a/lustre/tests/Makefile.am b/lustre/tests/Makefile.am index 8d1833e..d0e657c 100644 --- a/lustre/tests/Makefile.am +++ b/lustre/tests/Makefile.am @@ -72,7 +72,7 @@ noinst_PROGRAMS += ll_sparseness_write mrename ll_dirstripe_verify mkdirmany noinst_PROGRAMS += openfilleddirunlink rename_many memhog noinst_PROGRAMS += mmap_sanity writemany reads flocks_test flock_deadlock noinst_PROGRAMS += write_time_limit rwv lgetxattr_size_check checkfiemap -noinst_PROGRAMS += listxattr_size_check check_fhandle_syscalls +noinst_PROGRAMS += listxattr_size_check check_fhandle_syscalls badarea_io bin_PROGRAMS = mcreate munlink testdir = $(libdir)/lustre/tests diff --git a/lustre/tests/badarea_io.c b/lustre/tests/badarea_io.c new file mode 100644 index 0000000..b926ce9 --- /dev/null +++ b/lustre/tests/badarea_io.c 
@@ -0,0 +1,59 @@ +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + int rc; + int fd = open(argv[1], O_WRONLY); + + if (fd == -1) { + perror(argv[1]); + goto read; + } + + /* We need rc because Sles11 compiler warns against unchecked + * return value of read and write */ + rc = write(fd, (void *)0x4096000, 5); + if (rc != 5) + perror("write badarea (Should have failed)"); + + rc = write(fd, &fd, 0); + if (rc != 0) + perror("write zero bytes"); + + rc = write(fd, &fd, 1); + if (rc != 1) + perror("write one byte"); + + rc = write(fd, &fd, 2UL*1024*1024); + if (rc != 2UL*1024*1024) + perror("write 2M"); + + rc = write(fd, &fd, 2UL*1024*1024*1024); + if (rc != 2UL*1024*1024*1024) + perror("write 2G"); + + rc = write(fd, &fd, -2); + if (rc != -2) + perror("write -2"); + + close(fd); + +read: + fd = open(argv[1], O_RDONLY); + if (fd == -1) + return 0; + rc = read(fd, (void *)0x4096000, 5); + perror("read"); + + close(fd); + + /* Tame the compiler spooked about rc assigned, but not used */ + if (!rc) + return -1; /* Not really important. */ + + return 0; +} diff --git a/lustre/tests/sanity.sh b/lustre/tests/sanity.sh index ff1e5bb..d81cf53 100644 --- a/lustre/tests/sanity.sh +++ b/lustre/tests/sanity.sh 
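Review bot: badarea_io dereferences `argv[1]` without checking `argc`, so running it with no argument passes NULL to open() and perror(). Adding `if (argc != 2) return 1;` at the top of main avoids that. `rc` is declared `int` but holds the `ssize_t` result of write() and read(), and it is compared against `2UL*1024*1024*1024` and `-2`. After conversion those comparisons cannot behave as written, so the "write 2G" and "write -2" messages print regardless of the outcome. Declaring `ssize_t rc;` and comparing against `(ssize_t)` values would make the diagnostics meaningful. A one-line comment stating that the oversized lengths deliberately read past `&fd` to exercise the kernel's fault handling would also help the next reader.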
@@ -8960,6 +8960,36 @@ test_133f() { } run_test 133f "Check for LBUGs/Oopses/unreadable files in /proc" +test_133g() { + local proc_dirs="/proc/fs/lustre/ /proc/sys/lnet/ /proc/sys/lustre/" + local facet + + # Second verifying readability. + find $proc_dirs \ + -type f \ + -not -name force_lbug \ + -not -name changelog_mask \ + -exec badarea_io '{}' \; > /dev/null + + [ $(lustre_version_code $SINGLEMDS) -le $(version_code 2.5.54) ] && + skip "Too old lustre on MDS" + + [ $(lustre_version_code ost1) -le $(version_code 2.5.54) ] && + skip "Too old lustre on ost1" + + for facet in $SINGLEMDS ost1; do + do_facet $facet find $proc_dirs \ + -type f \ + -not -name force_lbug \ + -not -name changelog_mask \ + -exec badarea_io '{}' \\\; &> /dev/null + + done + + true +} +run_test 133g "Check for Oopses on bad io area writes/reads in /proc" + test_140() { #bug-17379 [ $PARALLEL == "yes" ] && skip "skip parallel run" && return test_mkdir -p $DIR/$tdir || error "Creating dir $DIR/$tdir"
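Review bot: Both version guards in test_133g call `skip` without returning, so on a too-old MDS or OST the test reports a skip and then still runs badarea_io on those servers. The context line for test_140 in the same hunk shows the form used elsewhere: `skip "skip parallel run" && return`. The two guards should read `skip "Too old lustre on MDS" && return` and `skip "Too old lustre on ost1" && return`. The comment `# Second verifying readability.` looks like a copy from test_133f and does not describe what this test does, which is writing from and reading into an invalid user address.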