From: Wang Shilong Date: Mon, 8 Apr 2019 13:22:45 +0000 (+0800) Subject: LU-12169 llite: fill copied dentry name's ending char properly X-Git-Tag: 2.12.53~13 X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=bc9cc327983c45e6255e0d6475b8bdbdcd82c938 LU-12169 llite: fill copied dentry name's ending char properly Dentry name expect an extra '\0'. and dentry_len won't calcualte extra '\0' for it, but we should allocate memory and fill it when copying dentry name by ourselves. Otherwise, lu_name_is_valid_2() will try to access @name[len] and check whether it is '\0'. this is invalid memory access. We will possibly hit a crash if the first access that bit is '\0'. and the bit overwritten by someone else, and finally we failed sanity check in mdc_name_pack(). LustreError: 157839:0:(mdc_lib.c:137:mdc_pack_name()) LBUG Fixes: f575b65("LU-12020 llite: make sure name pack atomic") Change-Id: I533e19a0e6efb0fca5a46bcdbdb0006d1b1bedab Signed-off-by: Wang Shilong Reviewed-on: https://review.whamcloud.com/34611 Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Andreas Dilger Reviewed-by: Gu Zheng Reviewed-by: Oleg Drokin --- diff --git a/lustre/include/obd_support.h b/lustre/include/obd_support.h index d4a2029..f2a07ef 100644 --- a/lustre/include/obd_support.h +++ b/lustre/include/obd_support.h @@ -562,6 +562,7 @@ extern char obd_jobid_var[]; #define OBD_FAIL_LLITE_CREATE_NODE_PAUSE 0x140c #define OBD_FAIL_LLITE_IMUTEX_SEC 0x140e #define OBD_FAIL_LLITE_IMUTEX_NOSEC 0x140f +#define OBD_FAIL_LLITE_OPEN_BY_NAME 0x1410 #define OBD_FAIL_FID_INDIR 0x1501 #define OBD_FAIL_FID_INLMA 0x1502 diff --git a/lustre/llite/file.c b/lustre/llite/file.c index 4e063f5..4d39246 100644 --- a/lustre/llite/file.c +++ b/lustre/llite/file.c 
@@ -509,12 +509,14 @@ static int ll_intent_file_open(struct dentry *de, void *lmm, int lmmsize, /* if server supports open-by-fid, or file name is invalid, don't pack * name in open request */ - if (!(exp_connect_flags(sbi->ll_md_exp) & OBD_CONNECT_OPEN_BY_FID)) { + if (OBD_FAIL_CHECK(OBD_FAIL_LLITE_OPEN_BY_NAME) || + !(exp_connect_flags(sbi->ll_md_exp) & OBD_CONNECT_OPEN_BY_FID)) { retry: len = de->d_name.len; - name = kmalloc(len, GFP_NOFS); + name = kmalloc(len + 1, GFP_NOFS); if (!name) RETURN(-ENOMEM); + /* race here */ spin_lock(&de->d_lock); if (len != de->d_name.len) { @@ -523,12 +525,12 @@ retry: goto retry; } memcpy(name, de->d_name.name, len); + name[len] = '\0'; spin_unlock(&de->d_lock); if (!lu_name_is_valid_2(name, len)) { kfree(name); - name = NULL; - len = 0; + RETURN(-ESTALE); } } diff --git a/lustre/tests/sanity.sh b/lustre/tests/sanity.sh index 8724c8f..c60de09 100755 --- a/lustre/tests/sanity.sh +++ b/lustre/tests/sanity.sh @@ -19690,6 +19690,23 @@ test_418() { } run_test 418 "df and lfs df outputs match" +test_419() +{ + local dir=$DIR/$tdir + + mkdir -p $dir + touch $dir/file + + cancel_lru_locks mdc + + #OBD_FAIL_LLITE_OPEN_BY_NAME 0x1410 + $LCTL set_param fail_loc=0x1410 + cat $dir/file + $LCTL set_param fail_loc=0 + rm -rf $dir +} +run_test 419 "Verify open file by name doesn't crash kernel" + prep_801() { [[ $(lustre_version_code mds1) -lt $(version_code 2.9.55) ]] || [[ $OST1_VERSION -lt $(version_code 2.9.55) ]] &&
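Review bot: The `kmalloc(len + 1, GFP_NOFS)` line carries no comment saying what the extra byte is for, and the write that depends on it (`name[len] = '\0'`) sits in the next hunk, so a later edit could change one without the other. According to the commit message, `d_name.len` does not count the terminator while `lu_name_is_valid_2()` reads `name[len]`. A one-line comment above the allocation would record that invariant next to the size, for example `/* +1: lu_name_is_valid_2() reads name[len] and expects '\0' */`. ll_intent_file_open() starts and ends outside this hunk.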
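Review bot: The invalid-name branch now ends in `RETURN(-ESTALE)` instead of clearing `name` and `len`, but the comment at the top of the block (visible in the previous hunk) still says an invalid file name only means the name is not packed. That comment should be brought in line with the new behaviour, for example `/* if server supports open-by-fid, don't pack name in open request; an invalid name fails the open with -ESTALE */`. The commit message describes only the terminator fix, so this change in what the caller sees deserves a sentence there as well. The rest of ll_intent_file_open() is outside the hunk, so whether any path relied on the old fallback to a nameless open cannot be confirmed from here.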
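Review bot: In test_419 the result of `cat $dir/file` is never checked, so the test passes whenever the node stays up, including when the open fails with the `-ESTALE` that this commit adds to ll_intent_file_open(). Checking the read, for example `cat $dir/file > /dev/null || error "open by name failed"`, would make the test prove that the name-packing path succeeds, not merely that nothing crashed. If that check is added, the `$LCTL set_param fail_loc=0` reset should still run on the failure path, so the fault-injection setting does not leak into later tests.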