Details
Bug
Resolution: Fixed
Critical
Description
In function cb_find_init():3003, the lmd structure is requested but only partially filled, so struct lov_user_mds_data is left partially uninitialized, because of the following code in ll_dir_ioctl():
if (cmd == IOC_MDC_GETFILEINFO || cmd == IOC_MDC_GETFILESTRIPE) { filename = ll_getname((const char __user *)arg); if (IS_ERR(filename)) RETURN(PTR_ERR(filename)); rc = ll_lov_getstripe_ea_info(inode, filename, &lmm, &lmmsize, &request); } else { rc = ll_dir_getstripe(inode, (void **)&lmm, &lmmsize, &request, 0); } [...] if (rc < 0) { if (rc == -ENODATA && (cmd == IOC_MDC_GETFILEINFO || cmd == LL_IOC_MDC_GETINFO)) GOTO(skip_lmm, rc = 0); else GOTO(out_req, rc); } if (cmd == IOC_MDC_GETFILESTRIPE || cmd == LL_IOC_LOV_GETSTRIPE) { lump = (struct lov_user_md __user *)arg; } else { struct lov_user_mds_data __user *lmdp; lmdp = (struct lov_user_mds_data __user *)arg; lump = &lmdp->lmd_lmm; } if (copy_to_user(lump, lmm, lmmsize)) { if (copy_to_user(lump, lmm, sizeof(*lump))) GOTO(out_req, rc = -EFAULT); rc = -EOVERFLOW; } skip_lmm: