[lustre-devel] [PATCH 16/42] lnet: selftest: lst read-outside of allocation
James Simmons
jsimmons at infradead.org
Mon Jan 23 15:00:29 PST 2023
From: Alexey Lyashkov <alexey.lyashkov at hpe.com>
lnet_selftest wants some parameters from userspace,
but it never sends them. It caused a read outside of the allocation
like
BUG: KASAN: slab-out-of-bounds in lstcon_testrpc_prep+0x19e7/0x1bb0
Read of size 4 at addr ffff8888bbaa866c by task lt-lst/6371
WC-bug-id: https://jira.whamcloud.com/browse/LU-16157
Lustre-commit: 222fbed52e02122c7 ("LU-16157 lnet: lst read-outside of allocation")
Signed-off-by: Alexey Lyashkov <alexey.lyashkov at hpe.com>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/48547
Reviewed-by: Andreas Dilger <adilger at whamcloud.com>
Reviewed-by: James Simmons <jsimmons at infradead.org>
Reviewed-by: Oleg Drokin <green at whamcloud.com>
Signed-off-by: James Simmons <jsimmons at infradead.org>
---
net/lnet/selftest/conrpc.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/net/lnet/selftest/conrpc.c b/net/lnet/selftest/conrpc.c
index 8096c467041a..4f427dd85265 100644
--- a/net/lnet/selftest/conrpc.c
+++ b/net/lnet/selftest/conrpc.c
@@ -780,8 +780,13 @@ lstcon_pingrpc_prep(struct lst_test_ping_param *param, struct srpc_test_reqst *r
{
struct test_ping_req *prq = &req->tsr_u.ping;
- prq->png_size = param->png_size;
- prq->png_flags = param->png_flags;
+ if (param) {
+ prq->png_size = param->png_size;
+ prq->png_flags = param->png_flags;
+ } else {
+ prq->png_size = 0;
+ prq->png_flags = 0;
+ }
/* TODO dest */
return 0;
}
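Review bot: The new `if (param)` branch in lstcon_pingrpc_prep() makes NULL a valid argument meaning "no ping parameters were supplied", but nothing in the function documents that contract or why 0 is the right default for png_size and png_flags. A short comment above the function, or on the else branch, stating that NULL is expected when userspace passes no parameters and that zeroed fields are the intended defaults would keep a later caller from treating the pointer as always valid. Since the existing "TODO dest" comment is kept, this is also a good place to note whether the zero defaults are temporary.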
@@ -896,12 +901,17 @@ lstcon_testrpc_prep(struct lstcon_node *nd, int transop, unsigned int feats,
trq->tsr_stop_onerr = !!test->tes_stop_onerr;
switch (test->tes_type) {
- case LST_TEST_PING:
+ case LST_TEST_PING: {
+ struct lst_test_ping_param *data = NULL;
+
trq->tsr_service = SRPC_SERVICE_PING;
- rc = lstcon_pingrpc_prep((struct lst_test_ping_param *)
- &test->tes_param[0], trq);
- break;
+ if (test->tes_paramlen)
+ data = ((struct lst_test_ping_param *)
+ &test->tes_param[0]);
+ rc = lstcon_pingrpc_prep(data, trq);
+ break;
+ }
case LST_TEST_BULK:
trq->tsr_service = SRPC_SERVICE_BRW;
if (!(feats & LST_FEAT_BULK_LEN)) {
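Review bot: The guard `if (test->tes_paramlen)` in the LST_TEST_PING case only rules out a zero length, so a nonzero tes_paramlen smaller than sizeof(struct lst_test_ping_param) still hands lstcon_pingrpc_prep() a pointer from which it reads png_size and png_flags. If tes_param is allocated to tes_paramlen bytes, that is the same class of out-of-bounds read as the KASAN report in the commit message, just with a short buffer instead of an empty one. Comparing against the structure size, for example `if (test->tes_paramlen >= sizeof(*data))`, would cover both cases, unless the length is already validated where the test is created, in which case a comment saying so would help. As a minor style point, the outer parentheses around the cast assigned to data are not needed.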
--
2.27.0