Details
- Bug
- Resolution: Fixed
- Minor
Description
lprocfs_mds_evict_client_seq_write/lprocfs_evict_client_seq_write use UUID_MAX to determine the number of bytes to copy from userspace, but large NIDs can exceed this size.
```c
#define BUFLEN (UUID_MAX + 4)

static ssize_t
lprocfs_mds_evict_client_seq_write(struct file *file, const char __user *buf,
				   size_t count, loff_t *off)
{
	struct seq_file *m = file->private_data;
	struct obd_device *obd = m->private;
	struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev);
	char *kbuf;
	char *tmpbuf;
	int rc = 0;

	OBD_ALLOC(kbuf, BUFLEN);
	if (kbuf == NULL)
		return -ENOMEM;

	/*
	 * OBD_ALLOC() will zero kbuf, but we only copy BUFLEN - 1
	 * bytes into kbuf, to ensure that the string is NUL-terminated.
	 * UUID_MAX should include a trailing NUL already.
	 */
	if (copy_from_user(kbuf, buf, min_t(unsigned long, BUFLEN - 1, count)))
		GOTO(out, rc = -EFAULT);
```
LNet NIDs can be up to LNET_NIDSTR_SIZE (64) bytes, so a large NID gets truncated, no matching export is found, and thus no eviction takes place.
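The truncation described above can be reproduced in userspace. This is an added example, not Lustre code and not the fix that was landed: it mirrors the excerpt's "copy at most BUFLEN - 1 bytes into a zeroed buffer" step and compares the result against an export's NID. Assumptions: `UUID_MAX` is 40, the request carries a `nid:` prefix, `BUFLEN_NEW` and all function names are hypothetical, and the sample NID is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UUID_MAX         40   /* assumed value; not stated on the page */
#define LNET_NIDSTR_SIZE 64   /* from the page */
#define BUFLEN_OLD (UUID_MAX + 4)           /* as in the excerpt */
#define BUFLEN_NEW (LNET_NIDSTR_SIZE + 4)   /* hypothetical: sized by the larger limit */

/* Constructed sample: a 46-character NID, within LNET_NIDSTR_SIZE. */
#define SAMPLE_NID "2001:db8:1234:5678:9abc:def0:1234:5678@tcp1000"
#define SAMPLE_REQ "nid:" SAMPLE_NID   /* the "nid:" prefix is an assumption */

/* Stand-in for OBD_ALLOC() + copy_from_user(): zeroed buffer, at most
 * buflen - 1 bytes copied, so the result is always NUL-terminated. */
static char *copy_request(size_t buflen, const char *ubuf, size_t count)
{
	char *kbuf = calloc(1, buflen);

	if (kbuf != NULL)
		memcpy(kbuf, ubuf, count < buflen - 1 ? count : buflen - 1);
	return kbuf;
}

/* Returns 1 if the NID left in the buffer equals the export's NID, else 0. */
static int evict_matches(size_t buflen, const char *req, const char *export_nid)
{
	char *kbuf = copy_request(buflen, req, strlen(req));
	int match;

	if (kbuf == NULL)
		return 0;
	match = strncmp(kbuf, "nid:", 4) == 0 && strcmp(kbuf + 4, export_nid) == 0;
	free(kbuf);
	return match;
}

/* Guard: lets a caller reject an oversized write instead of truncating it. */
static int request_fits(size_t buflen, size_t count)
{
	return count <= buflen - 1;
}

int main(void)
{
	printf("old: match=%d fits=%d\n", evict_matches(BUFLEN_OLD, SAMPLE_REQ, SAMPLE_NID),
	       request_fits(BUFLEN_OLD, strlen(SAMPLE_REQ)));
	printf("new: match=%d fits=%d\n", evict_matches(BUFLEN_NEW, SAMPLE_REQ, SAMPLE_NID),
	       request_fits(BUFLEN_NEW, strlen(SAMPLE_REQ)));
	return 0;
}
```

With the old buffer size the 50-byte request is cut to 43 bytes and the comparison fails silently; a length check such as `request_fits()` would turn that into an explicit error.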
Issue Links
- is duplicated by
  - LU-18209 conf-sanity test 91: fails to evict large NIDs (Closed)