Details
-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
3
-
9223372036854775807
Description
In mdt_getxattr() we have the following:
if (valid == OBD_MD_FLXATTR) { const char *xattr_name = req_capsule_client_get(info->mti_pill, &RMF_NAME); rc = mo_xattr_get(info->mti_env, next, buf, xattr_name); rc = mdt_nodemap_map_acl(info, buf->lb_buf, rc, xattr_name, NODEMAP_FS_TO_CLIENT); } ...
If rc is negative then when passed to the size_t size parameter of mdt_nodemap_map_acl() it becomes very large and may be replaced with -ERANGE.
static int mdt_nodemap_map_acl(struct mdt_thread_info *info, void *buf, size_t size, const char *name, enum nodemap_tree_type tree_type) { struct lu_nodemap *nodemap; struct obd_export *exp = info->mti_exp; int rc = size; ENTRY; if (strcmp(name, XATTR_NAME_ACL_ACCESS) == 0 || strcmp(name, XATTR_NAME_ACL_DEFAULT) == 0) { if (size > info->mti_mdt->mdt_max_ea_size || (!exp_connect_large_acl(exp) && size > LUSTRE_POSIX_ACL_MAX_SIZE_OLD)) GOTO(out, rc = -ERANGE); nodemap = nodemap_get_from_exp(exp); if (IS_ERR(nodemap)) GOTO(out, rc = PTR_ERR(nodemap)); rc = nodemap_map_acl(nodemap, buf, size, tree_type); nodemap_putref(nodemap); if (rc < 0) GOTO(out, rc); } out: RETURN(rc); }
I noticed this while looking at LU-11074 but this is not the underlying cause of that bug.
Attachments
Activity
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/32743/
Subject: LU-11108 mdt: propagate errors in mdt_getxattr()
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: b6ebc92a899dcfeb76d343a22814343acd726592
Landed for 2.12