Merge tag 'for-linus-6.18-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux

torvalds · torvalds · commit f2327dc8513d · 2025-10-03T13:59:56.000-07:00
Pull orangefs updates from Mike Marshall:
 "Two cleanups and a bug fix:

   - Remove unused type in macro fill_default_sys_attrs (Zhen Ni)

   - Replace kzalloc + copy_from_user with memdup_user_nul (Thorsten Blum)

   - Fix xattr related buffer overflow...

     A message was forwarded to me from Disclosure &lt;disclosure@aisle.com&gt;
     indicating a problem with a loop condition in our xattr code. When
     I fixed the problem it exposed a related memory leak problem, and I
     fixed that too"

* tag 'for-linus-6.18-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
  fs/orangefs: Replace kzalloc + copy_from_user with memdup_user_nul
  orangefs: fix xattr related buffer overflow...
  orangefs: Remove unused type in macro fill_default_sys_attrs
diff --git a/fs/orangefs/namei.c b/fs/orangefs/namei.c
@@ -38,8 +38,7 @@ static int orangefs_create(struct mnt_idmap *idmap,
 
 	new_op->upcall.req.create.parent_refn = parent->refn;
 
-	fill_default_sys_attrs(new_op->upcall.req.create.attributes,
-			       ORANGEFS_TYPE_METAFILE, mode);
+	fill_default_sys_attrs(new_op->upcall.req.create.attributes, mode);
 
 	strscpy(new_op->upcall.req.create.d_name, dentry->d_name.name);
 
@@ -240,9 +239,7 @@ static int orangefs_symlink(struct mnt_idmap *idmap,
 
 	new_op->upcall.req.sym.parent_refn = parent->refn;
 
-	fill_default_sys_attrs(new_op->upcall.req.sym.attributes,
-			       ORANGEFS_TYPE_SYMLINK,
-			       mode);
+	fill_default_sys_attrs(new_op->upcall.req.sym.attributes, mode);
 
 	strscpy(new_op->upcall.req.sym.entry_name, dentry->d_name.name);
 	strscpy(new_op->upcall.req.sym.target, symname);
@@ -316,8 +313,7 @@ static struct dentry *orangefs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
 
 	new_op->upcall.req.mkdir.parent_refn = parent->refn;
 
-	fill_default_sys_attrs(new_op->upcall.req.mkdir.attributes,
-			      ORANGEFS_TYPE_DIRECTORY, mode);
+	fill_default_sys_attrs(new_op->upcall.req.mkdir.attributes, mode);
 
 	strscpy(new_op->upcall.req.mkdir.d_name, dentry->d_name.name);
 
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
@@ -440,14 +440,13 @@ static ssize_t orangefs_debug_write(struct file *file,
 		count = ORANGEFS_MAX_DEBUG_STRING_LEN;
 	}
 
-	buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
-	if (!buf)
-		goto out;
-
-	if (copy_from_user(buf, ubuf, count - 1)) {
+	buf = memdup_user_nul(ubuf, count - 1);
+	if (IS_ERR(buf)) {
 		gossip_debug(GOSSIP_DEBUGFS_DEBUG,
-			     "%s: copy_from_user failed!\n",
+			     "%s: memdup_user_nul failed!\n",
 			     __func__);
+		rc = PTR_ERR(buf);
+		buf = NULL;
 		goto out;
 	}
 
diff --git a/fs/orangefs/orangefs-kernel.h b/fs/orangefs/orangefs-kernel.h
@@ -462,7 +462,7 @@ int service_operation(struct orangefs_kernel_op_s *op,
 	((ORANGEFS_SB(inode->i_sb)->flags & ORANGEFS_OPT_INTR) ? \
 		ORANGEFS_OP_INTERRUPTIBLE : 0)
 
-#define fill_default_sys_attrs(sys_attr, type, mode)			\
+#define fill_default_sys_attrs(sys_attr, mode)			\
 do {									\
 	sys_attr.owner = from_kuid(&init_user_ns, current_fsuid()); \
 	sys_attr.group = from_kgid(&init_user_ns, current_fsgid()); \
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
@@ -54,7 +54,9 @@ static inline int convert_to_internal_xattr_flags(int setxattr_flags)
 static unsigned int xattr_key(const char *key)
 {
 	unsigned int i = 0;
-	while (key)
+	if (!key)
+		return 0;
+	while (*key)
 		i += *key++;
 	return i % 16;
 }
@@ -175,8 +177,8 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
 				cx->length = -1;
 				cx->timeout = jiffies +
 				    orangefs_getattr_timeout_msecs*HZ/1000;
-				hash_add(orangefs_inode->xattr_cache, &cx->node,
-				    xattr_key(cx->key));
+				hlist_add_head( &cx->node,
+                                   &orangefs_inode->xattr_cache[xattr_key(cx->key)]);
 			}
 		}
 		goto out_release_op;
@@ -229,8 +231,8 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
 			memcpy(cx->val, buffer, length);
 			cx->length = length;
 			cx->timeout = jiffies + HZ;
-			hash_add(orangefs_inode->xattr_cache, &cx->node,
-			    xattr_key(cx->key));
+			hlist_add_head(&cx->node,
+				&orangefs_inode->xattr_cache[xattr_key(cx->key)]);
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,9 @@ static inline int convert_to_internal_xattr_flags(int setxattr_flags)`
`54`	`54`	`static unsigned int xattr_key(const char *key)`
`55`	`55`	`{`
`56`	`56`	`unsigned int i = 0;`
`57`		`- while (key)`
	`57`	`+ if (!key)`
	`58`	`+ return 0;`
	`59`	`+ while (*key)`
`58`	`60`	`i += *key++;`
`59`	`61`	`return i % 16;`
`60`	`62`	`}`
`@@ -175,8 +177,8 @@ ssize_t orangefs_inode_getxattr(struct inode inode, const char name,`
`175`	`177`	`cx->length = -1;`
`176`	`178`	`cx->timeout = jiffies +`
`177`	`179`	`orangefs_getattr_timeout_msecs*HZ/1000;`
`178`		`- hash_add(orangefs_inode->xattr_cache, &cx->node,`
`179`		`- xattr_key(cx->key));`
	`180`	`+ hlist_add_head( &cx->node,`
	`181`	`+ &orangefs_inode->xattr_cache[xattr_key(cx->key)]);`
`180`	`182`	`}`
`181`	`183`	`}`
`182`	`184`	`goto out_release_op;`
`@@ -229,8 +231,8 @@ ssize_t orangefs_inode_getxattr(struct inode inode, const char name,`
`229`	`231`	`memcpy(cx->val, buffer, length);`
`230`	`232`	`cx->length = length;`
`231`	`233`	`cx->timeout = jiffies + HZ;`
`232`		`- hash_add(orangefs_inode->xattr_cache, &cx->node,`
`233`		`- xattr_key(cx->key));`
	`234`	`+ hlist_add_head(&cx->node,`
	`235`	`+ &orangefs_inode->xattr_cache[xattr_key(cx->key)]);`
`234`	`236`	`}`
`235`	`237`	`}`
`236`	`238`