[RFC,v10,11/48] ceph: decode alternate_name in lease info

Message ID	20220111191608.88762-12-jlayton@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <ceph-devel-owner@kernel.org> From: Jeff Layton <jlayton@kernel.org> To: ceph-devel@vger.kernel.org, linux-fscrypt@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org, idryomov@gmail.com Subject: [RFC PATCH v10 11/48] ceph: decode alternate_name in lease info Date: Tue, 11 Jan 2022 14:15:31 -0500 Message-Id: <20220111191608.88762-12-jlayton@kernel.org> In-Reply-To: <20220111191608.88762-1-jlayton@kernel.org> References: <20220111191608.88762-1-jlayton@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	ceph+fscrypt: full support \| expand [RFC,v10,00/48] ceph+fscrypt: full support [RFC,v10,01/48] vfs: export new_inode_pseudo [RFC,v10,02/48] fscrypt: export fscrypt_base64url_encode and fscrypt_base64url_decode [RFC,v10,03/48] fscrypt: export fscrypt_fname_encrypt and fscrypt_fname_encrypted_size [RFC,v10,04/48] fscrypt: add fscrypt_context_for_new_inode [RFC,v10,05/48] ceph: preallocate inode for ops that may create one [RFC,v10,06/48] ceph: crypto context handling for ceph [RFC,v10,07/48] ceph: parse new fscrypt_auth and fscrypt_file fields in inode traces [RFC,v10,08/48] ceph: add fscrypt_* handling to caps.c [RFC,v10,09/48] ceph: add ability to set fscrypt_auth via setattr [RFC,v10,10/48] ceph: implement -o test_dummy_encryption mount option [RFC,v10,11/48] ceph: decode alternate_name in lease info [RFC,v10,12/48] ceph: add fscrypt ioctls [RFC,v10,13/48] ceph: make ceph_msdc_build_path use ref-walk [RFC,v10,14/48] ceph: add encrypted fname handling to ceph_mdsc_build_path [RFC,v10,15/48] ceph: send altname in MClientRequest [RFC,v10,16/48] ceph: encode encrypted name in dentry release [RFC,v10,17/48] ceph: properly set DCACHE_NOKEY_NAME flag in lookup [RFC,v10,18/48] ceph: make d_revalidate call fscrypt revalidator for encrypted dentries [RFC,v10,19/48] ceph: add helpers for converting names for userland presentation [RFC,v10,20/48] ceph: add fscrypt support to ceph_fill_trace [RFC,v10,21/48] ceph: add support to readdir for encrypted filenames [RFC,v10,22/48] ceph: create symlinks with encrypted and base64-encoded targets [RFC,v10,23/48] ceph: make ceph_get_name decrypt filenames [RFC,v10,24/48] ceph: add a new ceph.fscrypt.auth vxattr [RFC,v10,25/48] ceph: add some fscrypt guardrails [RFC,v10,26/48] ceph: don't allow changing layout on encrypted files/directories [RFC,v10,27/48] libceph: add CEPH_OSD_OP_ASSERT_VER support [RFC,v10,28/48] ceph: size handling for encrypted inodes in cap updates [RFC,v10,29/48] ceph: fscrypt_file field handling in MClientRequest messages [RFC,v10,30/48] ceph: get file size from fscrypt_file when present in inode traces [RFC,v10,31/48] ceph: handle fscrypt fields in cap messages from MDS [RFC,v10,32/48] ceph: add __ceph_get_caps helper support [RFC,v10,33/48] ceph: add __ceph_sync_read helper support [RFC,v10,34/48] ceph: add object version support for sync read [RFC,v10,35/48] ceph: add infrastructure for file encryption and decryption [RFC,v10,36/48] ceph: add truncate size handling support for fscrypt [RFC,v10,37/48] libceph: allow ceph_osdc_new_request to accept a multi-op read [RFC,v10,38/48] ceph: disable fallocate for encrypted inodes [RFC,v10,39/48] ceph: disable copy offload on encrypted inodes [RFC,v10,40/48] ceph: don't use special DIO path for encrypted inodes [RFC,v10,41/48] ceph: set encryption context on open [RFC,v10,42/48] ceph: align data in pages in ceph_sync_write [RFC,v10,43/48] ceph: add read/modify/write to ceph_sync_write [RFC,v10,44/48] ceph: plumb in decryption during sync reads [RFC,v10,45/48] ceph: set i_blkbits to crypto block size for encrypted inodes [RFC,v10,46/48] ceph: add fscrypt decryption support to ceph_netfs_issue_op [RFC,v10,47/48] ceph: add encryption support to writepage [RFC,v10,48/48] ceph: fscrypt support for writepages

Jeff Layton Jan. 11, 2022, 7:15 p.m. UTC

Ceph is a bit different from local filesystems, in that we don't want
to store filenames as raw binary data, since we may also be dealing
with clients that don't support fscrypt.

We could just base64-encode the encrypted filenames, but that could
leave us with filenames longer than NAME_MAX. It turns out that the
MDS doesn't care much about filename length, but the clients do.

To manage this, we've added a new "alternate name" field that can be
optionally added to any dentry that we'll use to store the binary
crypttext of the filename if its base64-encoded value will be longer
than NAME_MAX. When a dentry has one of these names attached, the MDS
will send it along in the lease info, which we can then store for
later usage.

Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
 fs/ceph/mds_client.h | 11 +++++++----
 2 files changed, 37 insertions(+), 14 deletions(-)

Xiubo Li March 1, 2022, 10:57 a.m. UTC | #1

On 1/12/22 3:15 AM, Jeff Layton wrote:
> Ceph is a bit different from local filesystems, in that we don't want
> to store filenames as raw binary data, since we may also be dealing
> with clients that don't support fscrypt.
>
> We could just base64-encode the encrypted filenames, but that could
> leave us with filenames longer than NAME_MAX. It turns out that the
> MDS doesn't care much about filename length, but the clients do.
>
> To manage this, we've added a new "alternate name" field that can be
> optionally added to any dentry that we'll use to store the binary
> crypttext of the filename if its base64-encoded value will be longer
> than NAME_MAX. When a dentry has one of these names attached, the MDS
> will send it along in the lease info, which we can then store for
> later usage.
>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
>   fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
>   fs/ceph/mds_client.h | 11 +++++++----
>   2 files changed, 37 insertions(+), 14 deletions(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 34a4f6dbac9d..709f3f654555 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
>   
>   static int parse_reply_info_lease(void **p, void *end,
>   				  struct ceph_mds_reply_lease **lease,
> -				  u64 features)
> +				  u64 features, u32 *altname_len, u8 **altname)
>   {
> +	u8 struct_v;
> +	u32 struct_len;
> +
>   	if (features == (u64)-1) {
> -		u8 struct_v, struct_compat;
> -		u32 struct_len;
> +		u8 struct_compat;
> +
>   		ceph_decode_8_safe(p, end, struct_v, bad);
>   		ceph_decode_8_safe(p, end, struct_compat, bad);
> +
>   		/* struct_v is expected to be >= 1. we only understand
>   		 * encoding whose struct_compat == 1. */
>   		if (!struct_v || struct_compat != 1)
>   			goto bad;
> +
>   		ceph_decode_32_safe(p, end, struct_len, bad);
> -		ceph_decode_need(p, end, struct_len, bad);
> -		end = *p + struct_len;

Hi Jeff,

This is buggy, more detail please see https://tracker.ceph.com/issues/54430.

The following patch will fix it. We should skip the extra memories anyway.


diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 94b4c6508044..3dea96df4769 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
                         goto bad;

                 ceph_decode_32_safe(p, end, struct_len, bad);
+               end = *p + struct_len;
         } else {
                 struct_len = sizeof(**lease);
                 *altname_len = 0;
@@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
                         *altname = NULL;
                         *altname_len = 0;
                 }
+               *p = end;
         }
         return 0;
  bad:



> +	} else {
> +		struct_len = sizeof(**lease);
> +		*altname_len = 0;
> +		*altname = NULL;
>   	}
>   
> -	ceph_decode_need(p, end, sizeof(**lease), bad);
> +	ceph_decode_need(p, end, struct_len, bad);
>   	*lease = *p;
>   	*p += sizeof(**lease);
> -	if (features == (u64)-1)
> -		*p = end;
> +
> +	if (features == (u64)-1) {
> +		if (struct_v >= 2) {
> +			ceph_decode_32_safe(p, end, *altname_len, bad);
> +			ceph_decode_need(p, end, *altname_len, bad);
> +			*altname = *p;
> +			*p += *altname_len;
> +		} else {
> +			*altname = NULL;
> +			*altname_len = 0;
> +		}
> +	}
>   	return 0;
>   bad:
>   	return -EIO;
> @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
>   		info->dname = *p;
>   		*p += info->dname_len;
>   
> -		err = parse_reply_info_lease(p, end, &info->dlease, features);
> +		err = parse_reply_info_lease(p, end, &info->dlease, features,
> +					     &info->altname_len, &info->altname);
>   		if (err < 0)
>   			goto out_bad;
>   	}
> @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
>   		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
>   
>   		/* dentry lease */
> -		err = parse_reply_info_lease(p, end, &rde->lease, features);
> +		err = parse_reply_info_lease(p, end, &rde->lease, features,
> +					     &rde->altname_len, &rde->altname);
>   		if (err)
>   			goto out_bad;
> +
>   		/* inode */
>   		err = parse_reply_info_in(p, end, &rde->inode, features);
>   		if (err < 0)
> diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
> index e7d2c8a1b9c1..128901a847af 100644
> --- a/fs/ceph/mds_client.h
> +++ b/fs/ceph/mds_client.h
> @@ -29,8 +29,8 @@ enum ceph_feature_type {
>   	CEPHFS_FEATURE_MULTI_RECONNECT,
>   	CEPHFS_FEATURE_DELEG_INO,
>   	CEPHFS_FEATURE_METRIC_COLLECT,
> -
> -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
> +	CEPHFS_FEATURE_ALTERNATE_NAME,
> +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
>   };
>   
>   /*
> @@ -45,8 +45,7 @@ enum ceph_feature_type {
>   	CEPHFS_FEATURE_MULTI_RECONNECT,		\
>   	CEPHFS_FEATURE_DELEG_INO,		\
>   	CEPHFS_FEATURE_METRIC_COLLECT,		\
> -						\
> -	CEPHFS_FEATURE_MAX,			\
> +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
>   }
>   #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
>   
> @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
>   
>   struct ceph_mds_reply_dir_entry {
>   	char                          *name;
> +	u8			      *altname;
>   	u32                           name_len;
> +	u32			      altname_len;
>   	struct ceph_mds_reply_lease   *lease;
>   	struct ceph_mds_reply_info_in inode;
>   	loff_t			      offset;
> @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
>   	struct ceph_mds_reply_info_in diri, targeti;
>   	struct ceph_mds_reply_dirfrag *dirfrag;
>   	char                          *dname;
> +	u8			      *altname;
>   	u32                           dname_len;
> +	u32                           altname_len;
>   	struct ceph_mds_reply_lease   *dlease;
>   
>   	/* extra */

Xiubo Li March 1, 2022, 11:18 a.m. UTC | #2

On 3/1/22 6:57 PM, Xiubo Li wrote:
>
> On 1/12/22 3:15 AM, Jeff Layton wrote:
>> Ceph is a bit different from local filesystems, in that we don't want
>> to store filenames as raw binary data, since we may also be dealing
>> with clients that don't support fscrypt.
>>
>> We could just base64-encode the encrypted filenames, but that could
>> leave us with filenames longer than NAME_MAX. It turns out that the
>> MDS doesn't care much about filename length, but the clients do.
>>
>> To manage this, we've added a new "alternate name" field that can be
>> optionally added to any dentry that we'll use to store the binary
>> crypttext of the filename if its base64-encoded value will be longer
>> than NAME_MAX. When a dentry has one of these names attached, the MDS
>> will send it along in the lease info, which we can then store for
>> later usage.
>>
>> Signed-off-by: Jeff Layton <jlayton@kernel.org>
>> ---
>>   fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
>>   fs/ceph/mds_client.h | 11 +++++++----
>>   2 files changed, 37 insertions(+), 14 deletions(-)
>>
>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>> index 34a4f6dbac9d..709f3f654555 100644
>> --- a/fs/ceph/mds_client.c
>> +++ b/fs/ceph/mds_client.c
>> @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void 
>> *end,
>>     static int parse_reply_info_lease(void **p, void *end,
>>                     struct ceph_mds_reply_lease **lease,
>> -                  u64 features)
>> +                  u64 features, u32 *altname_len, u8 **altname)
>>   {
>> +    u8 struct_v;
>> +    u32 struct_len;
>> +
>>       if (features == (u64)-1) {
>> -        u8 struct_v, struct_compat;
>> -        u32 struct_len;
>> +        u8 struct_compat;
>> +
>>           ceph_decode_8_safe(p, end, struct_v, bad);
>>           ceph_decode_8_safe(p, end, struct_compat, bad);
>> +
>>           /* struct_v is expected to be >= 1. we only understand
>>            * encoding whose struct_compat == 1. */
>>           if (!struct_v || struct_compat != 1)
>>               goto bad;
>> +
>>           ceph_decode_32_safe(p, end, struct_len, bad);
>> -        ceph_decode_need(p, end, struct_len, bad);
>> -        end = *p + struct_len;
>
> Hi Jeff,
>
> This is buggy, more detail please see 
> https://tracker.ceph.com/issues/54430.
>
> The following patch will fix it. We should skip the extra memories 
> anyway.
>
>
Hi Jeff,

I will send out a patch series to fix this later.

And we could merge the new patch to this one.

- XIubo



> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 94b4c6508044..3dea96df4769 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void 
> *end,
>                         goto bad;
>
>                 ceph_decode_32_safe(p, end, struct_len, bad);
> +               end = *p + struct_len;
>         } else {
>                 struct_len = sizeof(**lease);
>                 *altname_len = 0;
> @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void 
> *end,
>                         *altname = NULL;
>                         *altname_len = 0;
>                 }
> +               *p = end;
>         }
>         return 0;
>  bad:
>
>
>
>> +    } else {
>> +        struct_len = sizeof(**lease);
>> +        *altname_len = 0;
>> +        *altname = NULL;
>>       }
>>   -    ceph_decode_need(p, end, sizeof(**lease), bad);
>> +    ceph_decode_need(p, end, struct_len, bad);
>>       *lease = *p;
>>       *p += sizeof(**lease);
>> -    if (features == (u64)-1)
>> -        *p = end;
>> +
>> +    if (features == (u64)-1) {
>> +        if (struct_v >= 2) {
>> +            ceph_decode_32_safe(p, end, *altname_len, bad);
>> +            ceph_decode_need(p, end, *altname_len, bad);
>> +            *altname = *p;
>> +            *p += *altname_len;
>> +        } else {
>> +            *altname = NULL;
>> +            *altname_len = 0;
>> +        }
>> +    }
>>       return 0;
>>   bad:
>>       return -EIO;
>> @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void 
>> *end,
>>           info->dname = *p;
>>           *p += info->dname_len;
>>   -        err = parse_reply_info_lease(p, end, &info->dlease, 
>> features);
>> +        err = parse_reply_info_lease(p, end, &info->dlease, features,
>> +                         &info->altname_len, &info->altname);
>>           if (err < 0)
>>               goto out_bad;
>>       }
>> @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, 
>> void *end,
>>           dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
>>             /* dentry lease */
>> -        err = parse_reply_info_lease(p, end, &rde->lease, features);
>> +        err = parse_reply_info_lease(p, end, &rde->lease, features,
>> +                         &rde->altname_len, &rde->altname);
>>           if (err)
>>               goto out_bad;
>> +
>>           /* inode */
>>           err = parse_reply_info_in(p, end, &rde->inode, features);
>>           if (err < 0)
>> diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
>> index e7d2c8a1b9c1..128901a847af 100644
>> --- a/fs/ceph/mds_client.h
>> +++ b/fs/ceph/mds_client.h
>> @@ -29,8 +29,8 @@ enum ceph_feature_type {
>>       CEPHFS_FEATURE_MULTI_RECONNECT,
>>       CEPHFS_FEATURE_DELEG_INO,
>>       CEPHFS_FEATURE_METRIC_COLLECT,
>> -
>> -    CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
>> +    CEPHFS_FEATURE_ALTERNATE_NAME,
>> +    CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
>>   };
>>     /*
>> @@ -45,8 +45,7 @@ enum ceph_feature_type {
>>       CEPHFS_FEATURE_MULTI_RECONNECT,        \
>>       CEPHFS_FEATURE_DELEG_INO,        \
>>       CEPHFS_FEATURE_METRIC_COLLECT,        \
>> -                        \
>> -    CEPHFS_FEATURE_MAX,            \
>> +    CEPHFS_FEATURE_ALTERNATE_NAME,        \
>>   }
>>   #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
>>   @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
>>     struct ceph_mds_reply_dir_entry {
>>       char                          *name;
>> +    u8                  *altname;
>>       u32                           name_len;
>> +    u32                  altname_len;
>>       struct ceph_mds_reply_lease   *lease;
>>       struct ceph_mds_reply_info_in inode;
>>       loff_t                  offset;
>> @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
>>       struct ceph_mds_reply_info_in diri, targeti;
>>       struct ceph_mds_reply_dirfrag *dirfrag;
>>       char                          *dname;
>> +    u8                  *altname;
>>       u32                           dname_len;
>> +    u32                           altname_len;
>>       struct ceph_mds_reply_lease   *dlease;
>>         /* extra */

Jeff Layton March 1, 2022, 1:10 p.m. UTC | #3

On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
> On 1/12/22 3:15 AM, Jeff Layton wrote:
> > Ceph is a bit different from local filesystems, in that we don't want
> > to store filenames as raw binary data, since we may also be dealing
> > with clients that don't support fscrypt.
> > 
> > We could just base64-encode the encrypted filenames, but that could
> > leave us with filenames longer than NAME_MAX. It turns out that the
> > MDS doesn't care much about filename length, but the clients do.
> > 
> > To manage this, we've added a new "alternate name" field that can be
> > optionally added to any dentry that we'll use to store the binary
> > crypttext of the filename if its base64-encoded value will be longer
> > than NAME_MAX. When a dentry has one of these names attached, the MDS
> > will send it along in the lease info, which we can then store for
> > later usage.
> > 
> > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > ---
> >   fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
> >   fs/ceph/mds_client.h | 11 +++++++----
> >   2 files changed, 37 insertions(+), 14 deletions(-)
> > 
> > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > index 34a4f6dbac9d..709f3f654555 100644
> > --- a/fs/ceph/mds_client.c
> > +++ b/fs/ceph/mds_client.c
> > @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
> >   
> >   static int parse_reply_info_lease(void **p, void *end,
> >   				  struct ceph_mds_reply_lease **lease,
> > -				  u64 features)
> > +				  u64 features, u32 *altname_len, u8 **altname)
> >   {
> > +	u8 struct_v;
> > +	u32 struct_len;
> > +
> >   	if (features == (u64)-1) {
> > -		u8 struct_v, struct_compat;
> > -		u32 struct_len;
> > +		u8 struct_compat;
> > +
> >   		ceph_decode_8_safe(p, end, struct_v, bad);
> >   		ceph_decode_8_safe(p, end, struct_compat, bad);
> > +
> >   		/* struct_v is expected to be >= 1. we only understand
> >   		 * encoding whose struct_compat == 1. */
> >   		if (!struct_v || struct_compat != 1)
> >   			goto bad;
> > +
> >   		ceph_decode_32_safe(p, end, struct_len, bad);
> > -		ceph_decode_need(p, end, struct_len, bad);
> > -		end = *p + struct_len;
> 
> Hi Jeff,
> 
> This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
> 
> The following patch will fix it. We should skip the extra memories anyway.
> 
> 
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 94b4c6508044..3dea96df4769 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
>                          goto bad;
> 
>                  ceph_decode_32_safe(p, end, struct_len, bad);
> +               end = *p + struct_len;


There may be a bug here, but this doesn't look like the right fix. "end"
denotes the end of the buffer we're decoding. We don't generally want to
go changing it like this. Consider what would happen if the original
"end" was shorter than *p + struct_len.


>          } else {
>                  struct_len = sizeof(**lease);
>                  *altname_len = 0;
> @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
>                          *altname = NULL;
>                          *altname_len = 0;
>                  }
> +               *p = end;


I think we just have to do the math here. Maybe this should be something
like this?

    *p += struct_len - sizeof(**lease) - *altname_len;

>          }
>          return 0;
>   bad:
> 
> 
> 


> > +	} else {
> > +		struct_len = sizeof(**lease);
> > +		*altname_len = 0;
> > +		*altname = NULL;
> >   	}
> >   
> > -	ceph_decode_need(p, end, sizeof(**lease), bad);
> > +	ceph_decode_need(p, end, struct_len, bad);
> >   	*lease = *p;
> >   	*p += sizeof(**lease);
> > -	if (features == (u64)-1)
> > -		*p = end;
> > +
> > +	if (features == (u64)-1) {
> > +		if (struct_v >= 2) {
> > +			ceph_decode_32_safe(p, end, *altname_len, bad);
> > +			ceph_decode_need(p, end, *altname_len, bad);
> > +			*altname = *p;
> > +			*p += *altname_len;
> > +		} else {
> > +			*altname = NULL;
> > +			*altname_len = 0;
> > +		}
> > +	}
> >   	return 0;
> >   bad:
> >   	return -EIO;
> > @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
> >   		info->dname = *p;
> >   		*p += info->dname_len;
> >   
> > -		err = parse_reply_info_lease(p, end, &info->dlease, features);
> > +		err = parse_reply_info_lease(p, end, &info->dlease, features,
> > +					     &info->altname_len, &info->altname);
> >   		if (err < 0)
> >   			goto out_bad;
> >   	}
> > @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
> >   		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
> >   
> >   		/* dentry lease */
> > -		err = parse_reply_info_lease(p, end, &rde->lease, features);
> > +		err = parse_reply_info_lease(p, end, &rde->lease, features,
> > +					     &rde->altname_len, &rde->altname);
> >   		if (err)
> >   			goto out_bad;
> > +
> >   		/* inode */
> >   		err = parse_reply_info_in(p, end, &rde->inode, features);
> >   		if (err < 0)
> > diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
> > index e7d2c8a1b9c1..128901a847af 100644
> > --- a/fs/ceph/mds_client.h
> > +++ b/fs/ceph/mds_client.h
> > @@ -29,8 +29,8 @@ enum ceph_feature_type {
> >   	CEPHFS_FEATURE_MULTI_RECONNECT,
> >   	CEPHFS_FEATURE_DELEG_INO,
> >   	CEPHFS_FEATURE_METRIC_COLLECT,
> > -
> > -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
> > +	CEPHFS_FEATURE_ALTERNATE_NAME,
> > +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
> >   };
> >   
> >   /*
> > @@ -45,8 +45,7 @@ enum ceph_feature_type {
> >   	CEPHFS_FEATURE_MULTI_RECONNECT,		\
> >   	CEPHFS_FEATURE_DELEG_INO,		\
> >   	CEPHFS_FEATURE_METRIC_COLLECT,		\
> > -						\
> > -	CEPHFS_FEATURE_MAX,			\
> > +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
> >   }
> >   #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
> >   
> > @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
> >   
> >   struct ceph_mds_reply_dir_entry {
> >   	char                          *name;
> > +	u8			      *altname;
> >   	u32                           name_len;
> > +	u32			      altname_len;
> >   	struct ceph_mds_reply_lease   *lease;
> >   	struct ceph_mds_reply_info_in inode;
> >   	loff_t			      offset;
> > @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
> >   	struct ceph_mds_reply_info_in diri, targeti;
> >   	struct ceph_mds_reply_dirfrag *dirfrag;
> >   	char                          *dname;
> > +	u8			      *altname;
> >   	u32                           dname_len;
> > +	u32                           altname_len;
> >   	struct ceph_mds_reply_lease   *dlease;
> >   
> >   	/* extra */
>

Xiubo Li March 1, 2022, 1:51 p.m. UTC | #4

On 3/1/22 9:10 PM, Jeff Layton wrote:
> On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
>> On 1/12/22 3:15 AM, Jeff Layton wrote:
>>> Ceph is a bit different from local filesystems, in that we don't want
>>> to store filenames as raw binary data, since we may also be dealing
>>> with clients that don't support fscrypt.
>>>
>>> We could just base64-encode the encrypted filenames, but that could
>>> leave us with filenames longer than NAME_MAX. It turns out that the
>>> MDS doesn't care much about filename length, but the clients do.
>>>
>>> To manage this, we've added a new "alternate name" field that can be
>>> optionally added to any dentry that we'll use to store the binary
>>> crypttext of the filename if its base64-encoded value will be longer
>>> than NAME_MAX. When a dentry has one of these names attached, the MDS
>>> will send it along in the lease info, which we can then store for
>>> later usage.
>>>
>>> Signed-off-by: Jeff Layton <jlayton@kernel.org>
>>> ---
>>>    fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
>>>    fs/ceph/mds_client.h | 11 +++++++----
>>>    2 files changed, 37 insertions(+), 14 deletions(-)
>>>
>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>> index 34a4f6dbac9d..709f3f654555 100644
>>> --- a/fs/ceph/mds_client.c
>>> +++ b/fs/ceph/mds_client.c
>>> @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
>>>    
>>>    static int parse_reply_info_lease(void **p, void *end,
>>>    				  struct ceph_mds_reply_lease **lease,
>>> -				  u64 features)
>>> +				  u64 features, u32 *altname_len, u8 **altname)
>>>    {
>>> +	u8 struct_v;
>>> +	u32 struct_len;
>>> +
>>>    	if (features == (u64)-1) {
>>> -		u8 struct_v, struct_compat;
>>> -		u32 struct_len;
>>> +		u8 struct_compat;
>>> +
>>>    		ceph_decode_8_safe(p, end, struct_v, bad);
>>>    		ceph_decode_8_safe(p, end, struct_compat, bad);
>>> +
>>>    		/* struct_v is expected to be >= 1. we only understand
>>>    		 * encoding whose struct_compat == 1. */
>>>    		if (!struct_v || struct_compat != 1)
>>>    			goto bad;
>>> +
>>>    		ceph_decode_32_safe(p, end, struct_len, bad);
>>> -		ceph_decode_need(p, end, struct_len, bad);
>>> -		end = *p + struct_len;
>> Hi Jeff,
>>
>> This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
>>
>> The following patch will fix it. We should skip the extra memories anyway.
>>
>>
>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>> index 94b4c6508044..3dea96df4769 100644
>> --- a/fs/ceph/mds_client.c
>> +++ b/fs/ceph/mds_client.c
>> @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>                           goto bad;
>>
>>                   ceph_decode_32_safe(p, end, struct_len, bad);
>> +               end = *p + struct_len;
>
> There may be a bug here,

Yeah, this will be crash when I use the PR 
https://github.com/ceph/ceph/pull/45208.


> but this doesn't look like the right fix. "end"
> denotes the end of the buffer we're decoding. We don't generally want to
> go changing it like this. Consider what would happen if the original
> "end" was shorter than *p + struct_len.
I missed you have also set the struct_len in the else branch.
>
>>           } else {
>>                   struct_len = sizeof(**lease);
>>                   *altname_len = 0;
>> @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>                           *altname = NULL;
>>                           *altname_len = 0;
>>                   }
>> +               *p = end;
>
> I think we just have to do the math here. Maybe this should be something
> like this?
>
>      *p += struct_len - sizeof(**lease) - *altname_len;

This is correct, but in future if we are adding tens of new fields we 
must minus them all here.

How about this one:


diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 94b4c6508044..608d077f2eeb 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -313,6 +313,7 @@ static int parse_reply_info_lease(void **p, void *end,
  {
         u8 struct_v;
         u32 struct_len;
+       void *lend;

         if (features == (u64)-1) {
                 u8 struct_compat;
@@ -332,6 +333,7 @@ static int parse_reply_info_lease(void **p, void *end,
                 *altname = NULL;
         }

+       lend = *p + struct_len;
         ceph_decode_need(p, end, struct_len, bad);
         *lease = *p;
         *p += sizeof(**lease);
@@ -347,6 +349,7 @@ static int parse_reply_info_lease(void **p, void *end,
                         *altname_len = 0;
                 }
         }
+       *p = lend;
         return 0;
  bad:
         return -EIO;


>>           }
>>           return 0;
>>    bad:
>>
>>
>>
>
>>> +	} else {
>>> +		struct_len = sizeof(**lease);
>>> +		*altname_len = 0;
>>> +		*altname = NULL;
>>>    	}
>>>    
>>> -	ceph_decode_need(p, end, sizeof(**lease), bad);
>>> +	ceph_decode_need(p, end, struct_len, bad);
>>>    	*lease = *p;
>>>    	*p += sizeof(**lease);
>>> -	if (features == (u64)-1)
>>> -		*p = end;
>>> +
>>> +	if (features == (u64)-1) {
>>> +		if (struct_v >= 2) {
>>> +			ceph_decode_32_safe(p, end, *altname_len, bad);
>>> +			ceph_decode_need(p, end, *altname_len, bad);
>>> +			*altname = *p;
>>> +			*p += *altname_len;
>>> +		} else {
>>> +			*altname = NULL;
>>> +			*altname_len = 0;
>>> +		}
>>> +	}
>>>    	return 0;
>>>    bad:
>>>    	return -EIO;
>>> @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
>>>    		info->dname = *p;
>>>    		*p += info->dname_len;
>>>    
>>> -		err = parse_reply_info_lease(p, end, &info->dlease, features);
>>> +		err = parse_reply_info_lease(p, end, &info->dlease, features,
>>> +					     &info->altname_len, &info->altname);
>>>    		if (err < 0)
>>>    			goto out_bad;
>>>    	}
>>> @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
>>>    		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
>>>    
>>>    		/* dentry lease */
>>> -		err = parse_reply_info_lease(p, end, &rde->lease, features);
>>> +		err = parse_reply_info_lease(p, end, &rde->lease, features,
>>> +					     &rde->altname_len, &rde->altname);
>>>    		if (err)
>>>    			goto out_bad;
>>> +
>>>    		/* inode */
>>>    		err = parse_reply_info_in(p, end, &rde->inode, features);
>>>    		if (err < 0)
>>> diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
>>> index e7d2c8a1b9c1..128901a847af 100644
>>> --- a/fs/ceph/mds_client.h
>>> +++ b/fs/ceph/mds_client.h
>>> @@ -29,8 +29,8 @@ enum ceph_feature_type {
>>>    	CEPHFS_FEATURE_MULTI_RECONNECT,
>>>    	CEPHFS_FEATURE_DELEG_INO,
>>>    	CEPHFS_FEATURE_METRIC_COLLECT,
>>> -
>>> -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
>>> +	CEPHFS_FEATURE_ALTERNATE_NAME,
>>> +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
>>>    };
>>>    
>>>    /*
>>> @@ -45,8 +45,7 @@ enum ceph_feature_type {
>>>    	CEPHFS_FEATURE_MULTI_RECONNECT,		\
>>>    	CEPHFS_FEATURE_DELEG_INO,		\
>>>    	CEPHFS_FEATURE_METRIC_COLLECT,		\
>>> -						\
>>> -	CEPHFS_FEATURE_MAX,			\
>>> +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
>>>    }
>>>    #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
>>>    
>>> @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
>>>    
>>>    struct ceph_mds_reply_dir_entry {
>>>    	char                          *name;
>>> +	u8			      *altname;
>>>    	u32                           name_len;
>>> +	u32			      altname_len;
>>>    	struct ceph_mds_reply_lease   *lease;
>>>    	struct ceph_mds_reply_info_in inode;
>>>    	loff_t			      offset;
>>> @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
>>>    	struct ceph_mds_reply_info_in diri, targeti;
>>>    	struct ceph_mds_reply_dirfrag *dirfrag;
>>>    	char                          *dname;
>>> +	u8			      *altname;
>>>    	u32                           dname_len;
>>> +	u32                           altname_len;
>>>    	struct ceph_mds_reply_lease   *dlease;
>>>    
>>>    	/* extra */

Jeff Layton March 1, 2022, 1:57 p.m. UTC | #5

On Tue, 2022-03-01 at 21:51 +0800, Xiubo Li wrote:
> On 3/1/22 9:10 PM, Jeff Layton wrote:
> > On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
> > > On 1/12/22 3:15 AM, Jeff Layton wrote:
> > > > Ceph is a bit different from local filesystems, in that we don't want
> > > > to store filenames as raw binary data, since we may also be dealing
> > > > with clients that don't support fscrypt.
> > > > 
> > > > We could just base64-encode the encrypted filenames, but that could
> > > > leave us with filenames longer than NAME_MAX. It turns out that the
> > > > MDS doesn't care much about filename length, but the clients do.
> > > > 
> > > > To manage this, we've added a new "alternate name" field that can be
> > > > optionally added to any dentry that we'll use to store the binary
> > > > crypttext of the filename if its base64-encoded value will be longer
> > > > than NAME_MAX. When a dentry has one of these names attached, the MDS
> > > > will send it along in the lease info, which we can then store for
> > > > later usage.
> > > > 
> > > > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > > > ---
> > > >    fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
> > > >    fs/ceph/mds_client.h | 11 +++++++----
> > > >    2 files changed, 37 insertions(+), 14 deletions(-)
> > > > 
> > > > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > > > index 34a4f6dbac9d..709f3f654555 100644
> > > > --- a/fs/ceph/mds_client.c
> > > > +++ b/fs/ceph/mds_client.c
> > > > @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
> > > >    
> > > >    static int parse_reply_info_lease(void **p, void *end,
> > > >    				  struct ceph_mds_reply_lease **lease,
> > > > -				  u64 features)
> > > > +				  u64 features, u32 *altname_len, u8 **altname)
> > > >    {
> > > > +	u8 struct_v;
> > > > +	u32 struct_len;
> > > > +
> > > >    	if (features == (u64)-1) {
> > > > -		u8 struct_v, struct_compat;
> > > > -		u32 struct_len;
> > > > +		u8 struct_compat;
> > > > +
> > > >    		ceph_decode_8_safe(p, end, struct_v, bad);
> > > >    		ceph_decode_8_safe(p, end, struct_compat, bad);
> > > > +
> > > >    		/* struct_v is expected to be >= 1. we only understand
> > > >    		 * encoding whose struct_compat == 1. */
> > > >    		if (!struct_v || struct_compat != 1)
> > > >    			goto bad;
> > > > +
> > > >    		ceph_decode_32_safe(p, end, struct_len, bad);
> > > > -		ceph_decode_need(p, end, struct_len, bad);
> > > > -		end = *p + struct_len;
> > > Hi Jeff,
> > > 
> > > This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
> > > 
> > > The following patch will fix it. We should skip the extra memories anyway.
> > > 
> > > 
> > > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > > index 94b4c6508044..3dea96df4769 100644
> > > --- a/fs/ceph/mds_client.c
> > > +++ b/fs/ceph/mds_client.c
> > > @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > >                           goto bad;
> > > 
> > >                   ceph_decode_32_safe(p, end, struct_len, bad);
> > > +               end = *p + struct_len;
> > 
> > There may be a bug here,
> 
> Yeah, this will be crash when I use the PR 
> https://github.com/ceph/ceph/pull/45208.
> 
> 
> > but this doesn't look like the right fix. "end"
> > denotes the end of the buffer we're decoding. We don't generally want to
> > go changing it like this. Consider what would happen if the original
> > "end" was shorter than *p + struct_len.
> I missed you have also set the struct_len in the else branch.
> > 
> > >           } else {
> > >                   struct_len = sizeof(**lease);
> > >                   *altname_len = 0;
> > > @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > >                           *altname = NULL;
> > >                           *altname_len = 0;
> > >                   }
> > > +               *p = end;
> > 
> > I think we just have to do the math here. Maybe this should be something
> > like this?
> > 
> >      *p += struct_len - sizeof(**lease) - *altname_len;
> 
> This is correct, but in future if we are adding tens of new fields we 
> must minus them all here.
> 
> How about this one:
> 
> 
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 94b4c6508044..608d077f2eeb 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -313,6 +313,7 @@ static int parse_reply_info_lease(void **p, void *end,
>   {
>          u8 struct_v;
>          u32 struct_len;
> +       void *lend;
> 
>          if (features == (u64)-1) {
>                  u8 struct_compat;
> @@ -332,6 +333,7 @@ static int parse_reply_info_lease(void **p, void *end,
>                  *altname = NULL;
>          }
> 
> +       lend = *p + struct_len;


Looks reasonable. Maybe also add a check like this?

    if (lend > end)
	    return -EIO;


>          ceph_decode_need(p, end, struct_len, bad);
>          *lease = *p;
>          *p += sizeof(**lease);
> @@ -347,6 +349,7 @@ static int parse_reply_info_lease(void **p, void *end,
>                          *altname_len = 0;
>                  }
>          }
> +       *p = lend;
>          return 0;
>   bad:
>          return -EIO;
> 
> 

> > >           }
> > >           return 0;
> > >    bad:
> > > 
> > > 
> > > 
> > 
> > > > +	} else {
> > > > +		struct_len = sizeof(**lease);
> > > > +		*altname_len = 0;
> > > > +		*altname = NULL;
> > > >    	}
> > > >    
> > > > -	ceph_decode_need(p, end, sizeof(**lease), bad);
> > > > +	ceph_decode_need(p, end, struct_len, bad);
> > > >    	*lease = *p;
> > > >    	*p += sizeof(**lease);
> > > > -	if (features == (u64)-1)
> > > > -		*p = end;
> > > > +
> > > > +	if (features == (u64)-1) {
> > > > +		if (struct_v >= 2) {
> > > > +			ceph_decode_32_safe(p, end, *altname_len, bad);
> > > > +			ceph_decode_need(p, end, *altname_len, bad);
> > > > +			*altname = *p;
> > > > +			*p += *altname_len;
> > > > +		} else {
> > > > +			*altname = NULL;
> > > > +			*altname_len = 0;
> > > > +		}
> > > > +	}
> > > >    	return 0;
> > > >    bad:
> > > >    	return -EIO;
> > > > @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
> > > >    		info->dname = *p;
> > > >    		*p += info->dname_len;
> > > >    
> > > > -		err = parse_reply_info_lease(p, end, &info->dlease, features);
> > > > +		err = parse_reply_info_lease(p, end, &info->dlease, features,
> > > > +					     &info->altname_len, &info->altname);
> > > >    		if (err < 0)
> > > >    			goto out_bad;
> > > >    	}
> > > > @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
> > > >    		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
> > > >    
> > > >    		/* dentry lease */
> > > > -		err = parse_reply_info_lease(p, end, &rde->lease, features);
> > > > +		err = parse_reply_info_lease(p, end, &rde->lease, features,
> > > > +					     &rde->altname_len, &rde->altname);
> > > >    		if (err)
> > > >    			goto out_bad;
> > > > +
> > > >    		/* inode */
> > > >    		err = parse_reply_info_in(p, end, &rde->inode, features);
> > > >    		if (err < 0)
> > > > diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
> > > > index e7d2c8a1b9c1..128901a847af 100644
> > > > --- a/fs/ceph/mds_client.h
> > > > +++ b/fs/ceph/mds_client.h
> > > > @@ -29,8 +29,8 @@ enum ceph_feature_type {
> > > >    	CEPHFS_FEATURE_MULTI_RECONNECT,
> > > >    	CEPHFS_FEATURE_DELEG_INO,
> > > >    	CEPHFS_FEATURE_METRIC_COLLECT,
> > > > -
> > > > -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
> > > > +	CEPHFS_FEATURE_ALTERNATE_NAME,
> > > > +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
> > > >    };
> > > >    
> > > >    /*
> > > > @@ -45,8 +45,7 @@ enum ceph_feature_type {
> > > >    	CEPHFS_FEATURE_MULTI_RECONNECT,		\
> > > >    	CEPHFS_FEATURE_DELEG_INO,		\
> > > >    	CEPHFS_FEATURE_METRIC_COLLECT,		\
> > > > -						\
> > > > -	CEPHFS_FEATURE_MAX,			\
> > > > +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
> > > >    }
> > > >    #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
> > > >    
> > > > @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
> > > >    
> > > >    struct ceph_mds_reply_dir_entry {
> > > >    	char                          *name;
> > > > +	u8			      *altname;
> > > >    	u32                           name_len;
> > > > +	u32			      altname_len;
> > > >    	struct ceph_mds_reply_lease   *lease;
> > > >    	struct ceph_mds_reply_info_in inode;
> > > >    	loff_t			      offset;
> > > > @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
> > > >    	struct ceph_mds_reply_info_in diri, targeti;
> > > >    	struct ceph_mds_reply_dirfrag *dirfrag;
> > > >    	char                          *dname;
> > > > +	u8			      *altname;
> > > >    	u32                           dname_len;
> > > > +	u32                           altname_len;
> > > >    	struct ceph_mds_reply_lease   *dlease;
> > > >    
> > > >    	/* extra */
>

Xiubo Li March 1, 2022, 2:07 p.m. UTC | #6

On 3/1/22 9:57 PM, Jeff Layton wrote:
> On Tue, 2022-03-01 at 21:51 +0800, Xiubo Li wrote:
>> On 3/1/22 9:10 PM, Jeff Layton wrote:
>>> On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
>>>> On 1/12/22 3:15 AM, Jeff Layton wrote:
>>>>> Ceph is a bit different from local filesystems, in that we don't want
>>>>> to store filenames as raw binary data, since we may also be dealing
>>>>> with clients that don't support fscrypt.
>>>>>
>>>>> We could just base64-encode the encrypted filenames, but that could
>>>>> leave us with filenames longer than NAME_MAX. It turns out that the
>>>>> MDS doesn't care much about filename length, but the clients do.
>>>>>
>>>>> To manage this, we've added a new "alternate name" field that can be
>>>>> optionally added to any dentry that we'll use to store the binary
>>>>> crypttext of the filename if its base64-encoded value will be longer
>>>>> than NAME_MAX. When a dentry has one of these names attached, the MDS
>>>>> will send it along in the lease info, which we can then store for
>>>>> later usage.
>>>>>
>>>>> Signed-off-by: Jeff Layton <jlayton@kernel.org>
>>>>> ---
>>>>>     fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
>>>>>     fs/ceph/mds_client.h | 11 +++++++----
>>>>>     2 files changed, 37 insertions(+), 14 deletions(-)
>>>>>
>>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>>> index 34a4f6dbac9d..709f3f654555 100644
>>>>> --- a/fs/ceph/mds_client.c
>>>>> +++ b/fs/ceph/mds_client.c
>>>>> @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
>>>>>     
>>>>>     static int parse_reply_info_lease(void **p, void *end,
>>>>>     				  struct ceph_mds_reply_lease **lease,
>>>>> -				  u64 features)
>>>>> +				  u64 features, u32 *altname_len, u8 **altname)
>>>>>     {
>>>>> +	u8 struct_v;
>>>>> +	u32 struct_len;
>>>>> +
>>>>>     	if (features == (u64)-1) {
>>>>> -		u8 struct_v, struct_compat;
>>>>> -		u32 struct_len;
>>>>> +		u8 struct_compat;
>>>>> +
>>>>>     		ceph_decode_8_safe(p, end, struct_v, bad);
>>>>>     		ceph_decode_8_safe(p, end, struct_compat, bad);
>>>>> +
>>>>>     		/* struct_v is expected to be >= 1. we only understand
>>>>>     		 * encoding whose struct_compat == 1. */
>>>>>     		if (!struct_v || struct_compat != 1)
>>>>>     			goto bad;
>>>>> +
>>>>>     		ceph_decode_32_safe(p, end, struct_len, bad);
>>>>> -		ceph_decode_need(p, end, struct_len, bad);
>>>>> -		end = *p + struct_len;
>>>> Hi Jeff,
>>>>
>>>> This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
>>>>
>>>> The following patch will fix it. We should skip the extra memories anyway.
>>>>
>>>>
>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>> index 94b4c6508044..3dea96df4769 100644
>>>> --- a/fs/ceph/mds_client.c
>>>> +++ b/fs/ceph/mds_client.c
>>>> @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>                            goto bad;
>>>>
>>>>                    ceph_decode_32_safe(p, end, struct_len, bad);
>>>> +               end = *p + struct_len;
>>> There may be a bug here,
>> Yeah, this will be crash when I use the PR
>> https://github.com/ceph/ceph/pull/45208.
>>
>>
>>> but this doesn't look like the right fix. "end"
>>> denotes the end of the buffer we're decoding. We don't generally want to
>>> go changing it like this. Consider what would happen if the original
>>> "end" was shorter than *p + struct_len.
>> I missed you have also set the struct_len in the else branch.
>>>>            } else {
>>>>                    struct_len = sizeof(**lease);
>>>>                    *altname_len = 0;
>>>> @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>                            *altname = NULL;
>>>>                            *altname_len = 0;
>>>>                    }
>>>> +               *p = end;
>>> I think we just have to do the math here. Maybe this should be something
>>> like this?
>>>
>>>       *p += struct_len - sizeof(**lease) - *altname_len;
>> This is correct, but in future if we are adding tens of new fields we
>> must minus them all here.
>>
>> How about this one:
>>
>>
>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>> index 94b4c6508044..608d077f2eeb 100644
>> --- a/fs/ceph/mds_client.c
>> +++ b/fs/ceph/mds_client.c
>> @@ -313,6 +313,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>    {
>>           u8 struct_v;
>>           u32 struct_len;
>> +       void *lend;
>>
>>           if (features == (u64)-1) {
>>                   u8 struct_compat;
>> @@ -332,6 +333,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>                   *altname = NULL;
>>           }
>>
>> +       lend = *p + struct_len;
>
> Looks reasonable. Maybe also add a check like this?
>
>      if (lend > end)
> 	    return -EIO;

I don't think this is needed because the:

   ceph_decode_need(p, end, struct_len, bad);

before it will help check it ?


>
>
>>           ceph_decode_need(p, end, struct_len, bad);
>>           *lease = *p;
>>           *p += sizeof(**lease);
>> @@ -347,6 +349,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>                           *altname_len = 0;
>>                   }
>>           }
>> +       *p = lend;
>>           return 0;
>>    bad:
>>           return -EIO;
>>
>>
>>>>            }
>>>>            return 0;
>>>>     bad:
>>>>
>>>>
>>>>
>>>>> +	} else {
>>>>> +		struct_len = sizeof(**lease);
>>>>> +		*altname_len = 0;
>>>>> +		*altname = NULL;
>>>>>     	}
>>>>>     
>>>>> -	ceph_decode_need(p, end, sizeof(**lease), bad);
>>>>> +	ceph_decode_need(p, end, struct_len, bad);
>>>>>     	*lease = *p;
>>>>>     	*p += sizeof(**lease);
>>>>> -	if (features == (u64)-1)
>>>>> -		*p = end;
>>>>> +
>>>>> +	if (features == (u64)-1) {
>>>>> +		if (struct_v >= 2) {
>>>>> +			ceph_decode_32_safe(p, end, *altname_len, bad);
>>>>> +			ceph_decode_need(p, end, *altname_len, bad);
>>>>> +			*altname = *p;
>>>>> +			*p += *altname_len;
>>>>> +		} else {
>>>>> +			*altname = NULL;
>>>>> +			*altname_len = 0;
>>>>> +		}
>>>>> +	}
>>>>>     	return 0;
>>>>>     bad:
>>>>>     	return -EIO;
>>>>> @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
>>>>>     		info->dname = *p;
>>>>>     		*p += info->dname_len;
>>>>>     
>>>>> -		err = parse_reply_info_lease(p, end, &info->dlease, features);
>>>>> +		err = parse_reply_info_lease(p, end, &info->dlease, features,
>>>>> +					     &info->altname_len, &info->altname);
>>>>>     		if (err < 0)
>>>>>     			goto out_bad;
>>>>>     	}
>>>>> @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
>>>>>     		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
>>>>>     
>>>>>     		/* dentry lease */
>>>>> -		err = parse_reply_info_lease(p, end, &rde->lease, features);
>>>>> +		err = parse_reply_info_lease(p, end, &rde->lease, features,
>>>>> +					     &rde->altname_len, &rde->altname);
>>>>>     		if (err)
>>>>>     			goto out_bad;
>>>>> +
>>>>>     		/* inode */
>>>>>     		err = parse_reply_info_in(p, end, &rde->inode, features);
>>>>>     		if (err < 0)
>>>>> diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
>>>>> index e7d2c8a1b9c1..128901a847af 100644
>>>>> --- a/fs/ceph/mds_client.h
>>>>> +++ b/fs/ceph/mds_client.h
>>>>> @@ -29,8 +29,8 @@ enum ceph_feature_type {
>>>>>     	CEPHFS_FEATURE_MULTI_RECONNECT,
>>>>>     	CEPHFS_FEATURE_DELEG_INO,
>>>>>     	CEPHFS_FEATURE_METRIC_COLLECT,
>>>>> -
>>>>> -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
>>>>> +	CEPHFS_FEATURE_ALTERNATE_NAME,
>>>>> +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
>>>>>     };
>>>>>     
>>>>>     /*
>>>>> @@ -45,8 +45,7 @@ enum ceph_feature_type {
>>>>>     	CEPHFS_FEATURE_MULTI_RECONNECT,		\
>>>>>     	CEPHFS_FEATURE_DELEG_INO,		\
>>>>>     	CEPHFS_FEATURE_METRIC_COLLECT,		\
>>>>> -						\
>>>>> -	CEPHFS_FEATURE_MAX,			\
>>>>> +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
>>>>>     }
>>>>>     #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
>>>>>     
>>>>> @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
>>>>>     
>>>>>     struct ceph_mds_reply_dir_entry {
>>>>>     	char                          *name;
>>>>> +	u8			      *altname;
>>>>>     	u32                           name_len;
>>>>> +	u32			      altname_len;
>>>>>     	struct ceph_mds_reply_lease   *lease;
>>>>>     	struct ceph_mds_reply_info_in inode;
>>>>>     	loff_t			      offset;
>>>>> @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
>>>>>     	struct ceph_mds_reply_info_in diri, targeti;
>>>>>     	struct ceph_mds_reply_dirfrag *dirfrag;
>>>>>     	char                          *dname;
>>>>> +	u8			      *altname;
>>>>>     	u32                           dname_len;
>>>>> +	u32                           altname_len;
>>>>>     	struct ceph_mds_reply_lease   *dlease;
>>>>>     
>>>>>     	/* extra */

Jeff Layton March 1, 2022, 2:14 p.m. UTC | #7

On Tue, 2022-03-01 at 22:07 +0800, Xiubo Li wrote:
> On 3/1/22 9:57 PM, Jeff Layton wrote:
> > On Tue, 2022-03-01 at 21:51 +0800, Xiubo Li wrote:
> > > On 3/1/22 9:10 PM, Jeff Layton wrote:
> > > > On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
> > > > > On 1/12/22 3:15 AM, Jeff Layton wrote:
> > > > > > Ceph is a bit different from local filesystems, in that we don't want
> > > > > > to store filenames as raw binary data, since we may also be dealing
> > > > > > with clients that don't support fscrypt.
> > > > > > 
> > > > > > We could just base64-encode the encrypted filenames, but that could
> > > > > > leave us with filenames longer than NAME_MAX. It turns out that the
> > > > > > MDS doesn't care much about filename length, but the clients do.
> > > > > > 
> > > > > > To manage this, we've added a new "alternate name" field that can be
> > > > > > optionally added to any dentry that we'll use to store the binary
> > > > > > crypttext of the filename if its base64-encoded value will be longer
> > > > > > than NAME_MAX. When a dentry has one of these names attached, the MDS
> > > > > > will send it along in the lease info, which we can then store for
> > > > > > later usage.
> > > > > > 
> > > > > > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > > > > > ---
> > > > > >     fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
> > > > > >     fs/ceph/mds_client.h | 11 +++++++----
> > > > > >     2 files changed, 37 insertions(+), 14 deletions(-)
> > > > > > 
> > > > > > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > > > > > index 34a4f6dbac9d..709f3f654555 100644
> > > > > > --- a/fs/ceph/mds_client.c
> > > > > > +++ b/fs/ceph/mds_client.c
> > > > > > @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
> > > > > >     
> > > > > >     static int parse_reply_info_lease(void **p, void *end,
> > > > > >     				  struct ceph_mds_reply_lease **lease,
> > > > > > -				  u64 features)
> > > > > > +				  u64 features, u32 *altname_len, u8 **altname)
> > > > > >     {
> > > > > > +	u8 struct_v;
> > > > > > +	u32 struct_len;
> > > > > > +
> > > > > >     	if (features == (u64)-1) {
> > > > > > -		u8 struct_v, struct_compat;
> > > > > > -		u32 struct_len;
> > > > > > +		u8 struct_compat;
> > > > > > +
> > > > > >     		ceph_decode_8_safe(p, end, struct_v, bad);
> > > > > >     		ceph_decode_8_safe(p, end, struct_compat, bad);
> > > > > > +
> > > > > >     		/* struct_v is expected to be >= 1. we only understand
> > > > > >     		 * encoding whose struct_compat == 1. */
> > > > > >     		if (!struct_v || struct_compat != 1)
> > > > > >     			goto bad;
> > > > > > +
> > > > > >     		ceph_decode_32_safe(p, end, struct_len, bad);
> > > > > > -		ceph_decode_need(p, end, struct_len, bad);
> > > > > > -		end = *p + struct_len;
> > > > > Hi Jeff,
> > > > > 
> > > > > This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
> > > > > 
> > > > > The following patch will fix it. We should skip the extra memories anyway.
> > > > > 
> > > > > 
> > > > > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > > > > index 94b4c6508044..3dea96df4769 100644
> > > > > --- a/fs/ceph/mds_client.c
> > > > > +++ b/fs/ceph/mds_client.c
> > > > > @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > > > >                            goto bad;
> > > > > 
> > > > >                    ceph_decode_32_safe(p, end, struct_len, bad);
> > > > > +               end = *p + struct_len;
> > > > There may be a bug here,
> > > Yeah, this will be crash when I use the PR
> > > https://github.com/ceph/ceph/pull/45208.
> > > 
> > > 
> > > > but this doesn't look like the right fix. "end"
> > > > denotes the end of the buffer we're decoding. We don't generally want to
> > > > go changing it like this. Consider what would happen if the original
> > > > "end" was shorter than *p + struct_len.
> > > I missed you have also set the struct_len in the else branch.
> > > > >            } else {
> > > > >                    struct_len = sizeof(**lease);
> > > > >                    *altname_len = 0;
> > > > > @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > > > >                            *altname = NULL;
> > > > >                            *altname_len = 0;
> > > > >                    }
> > > > > +               *p = end;
> > > > I think we just have to do the math here. Maybe this should be something
> > > > like this?
> > > > 
> > > >       *p += struct_len - sizeof(**lease) - *altname_len;
> > > This is correct, but in future if we are adding tens of new fields we
> > > must minus them all here.
> > > 
> > > How about this one:
> > > 
> > > 
> > > diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> > > index 94b4c6508044..608d077f2eeb 100644
> > > --- a/fs/ceph/mds_client.c
> > > +++ b/fs/ceph/mds_client.c
> > > @@ -313,6 +313,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > >    {
> > >           u8 struct_v;
> > >           u32 struct_len;
> > > +       void *lend;
> > > 
> > >           if (features == (u64)-1) {
> > >                   u8 struct_compat;
> > > @@ -332,6 +333,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > >                   *altname = NULL;
> > >           }
> > > 
> > > +       lend = *p + struct_len;
> > 
> > Looks reasonable. Maybe also add a check like this?
> > 
> >      if (lend > end)
> > 	    return -EIO;
> 
> I don't think this is needed because the:
> 
>    ceph_decode_need(p, end, struct_len, bad);
> 
> before it will help check it ?
> 
> 

Oh, right....good point. That patch looks fine then.

> > 
> > 
> > >           ceph_decode_need(p, end, struct_len, bad);
> > >           *lease = *p;
> > >           *p += sizeof(**lease);
> > > @@ -347,6 +349,7 @@ static int parse_reply_info_lease(void **p, void *end,
> > >                           *altname_len = 0;
> > >                   }
> > >           }
> > > +       *p = lend;
> > >           return 0;
> > >    bad:
> > >           return -EIO;
> > > 
> > > 
> > > > >            }
> > > > >            return 0;
> > > > >     bad:
> > > > > 
> > > > > 
> > > > > 
> > > > > > +	} else {
> > > > > > +		struct_len = sizeof(**lease);
> > > > > > +		*altname_len = 0;
> > > > > > +		*altname = NULL;
> > > > > >     	}
> > > > > >     
> > > > > > -	ceph_decode_need(p, end, sizeof(**lease), bad);
> > > > > > +	ceph_decode_need(p, end, struct_len, bad);
> > > > > >     	*lease = *p;
> > > > > >     	*p += sizeof(**lease);
> > > > > > -	if (features == (u64)-1)
> > > > > > -		*p = end;
> > > > > > +
> > > > > > +	if (features == (u64)-1) {
> > > > > > +		if (struct_v >= 2) {
> > > > > > +			ceph_decode_32_safe(p, end, *altname_len, bad);
> > > > > > +			ceph_decode_need(p, end, *altname_len, bad);
> > > > > > +			*altname = *p;
> > > > > > +			*p += *altname_len;
> > > > > > +		} else {
> > > > > > +			*altname = NULL;
> > > > > > +			*altname_len = 0;
> > > > > > +		}
> > > > > > +	}
> > > > > >     	return 0;
> > > > > >     bad:
> > > > > >     	return -EIO;
> > > > > > @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
> > > > > >     		info->dname = *p;
> > > > > >     		*p += info->dname_len;
> > > > > >     
> > > > > > -		err = parse_reply_info_lease(p, end, &info->dlease, features);
> > > > > > +		err = parse_reply_info_lease(p, end, &info->dlease, features,
> > > > > > +					     &info->altname_len, &info->altname);
> > > > > >     		if (err < 0)
> > > > > >     			goto out_bad;
> > > > > >     	}
> > > > > > @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
> > > > > >     		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
> > > > > >     
> > > > > >     		/* dentry lease */
> > > > > > -		err = parse_reply_info_lease(p, end, &rde->lease, features);
> > > > > > +		err = parse_reply_info_lease(p, end, &rde->lease, features,
> > > > > > +					     &rde->altname_len, &rde->altname);
> > > > > >     		if (err)
> > > > > >     			goto out_bad;
> > > > > > +
> > > > > >     		/* inode */
> > > > > >     		err = parse_reply_info_in(p, end, &rde->inode, features);
> > > > > >     		if (err < 0)
> > > > > > diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
> > > > > > index e7d2c8a1b9c1..128901a847af 100644
> > > > > > --- a/fs/ceph/mds_client.h
> > > > > > +++ b/fs/ceph/mds_client.h
> > > > > > @@ -29,8 +29,8 @@ enum ceph_feature_type {
> > > > > >     	CEPHFS_FEATURE_MULTI_RECONNECT,
> > > > > >     	CEPHFS_FEATURE_DELEG_INO,
> > > > > >     	CEPHFS_FEATURE_METRIC_COLLECT,
> > > > > > -
> > > > > > -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
> > > > > > +	CEPHFS_FEATURE_ALTERNATE_NAME,
> > > > > > +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
> > > > > >     };
> > > > > >     
> > > > > >     /*
> > > > > > @@ -45,8 +45,7 @@ enum ceph_feature_type {
> > > > > >     	CEPHFS_FEATURE_MULTI_RECONNECT,		\
> > > > > >     	CEPHFS_FEATURE_DELEG_INO,		\
> > > > > >     	CEPHFS_FEATURE_METRIC_COLLECT,		\
> > > > > > -						\
> > > > > > -	CEPHFS_FEATURE_MAX,			\
> > > > > > +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
> > > > > >     }
> > > > > >     #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
> > > > > >     
> > > > > > @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
> > > > > >     
> > > > > >     struct ceph_mds_reply_dir_entry {
> > > > > >     	char                          *name;
> > > > > > +	u8			      *altname;
> > > > > >     	u32                           name_len;
> > > > > > +	u32			      altname_len;
> > > > > >     	struct ceph_mds_reply_lease   *lease;
> > > > > >     	struct ceph_mds_reply_info_in inode;
> > > > > >     	loff_t			      offset;
> > > > > > @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
> > > > > >     	struct ceph_mds_reply_info_in diri, targeti;
> > > > > >     	struct ceph_mds_reply_dirfrag *dirfrag;
> > > > > >     	char                          *dname;
> > > > > > +	u8			      *altname;
> > > > > >     	u32                           dname_len;
> > > > > > +	u32                           altname_len;
> > > > > >     	struct ceph_mds_reply_lease   *dlease;
> > > > > >     
> > > > > >     	/* extra */
>

Xiubo Li March 1, 2022, 2:30 p.m. UTC | #8

On 3/1/22 10:14 PM, Jeff Layton wrote:
> On Tue, 2022-03-01 at 22:07 +0800, Xiubo Li wrote:
>> On 3/1/22 9:57 PM, Jeff Layton wrote:
>>> On Tue, 2022-03-01 at 21:51 +0800, Xiubo Li wrote:
>>>> On 3/1/22 9:10 PM, Jeff Layton wrote:
>>>>> On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
>>>>>> On 1/12/22 3:15 AM, Jeff Layton wrote:
>>>>>>> Ceph is a bit different from local filesystems, in that we don't want
>>>>>>> to store filenames as raw binary data, since we may also be dealing
>>>>>>> with clients that don't support fscrypt.
>>>>>>>
>>>>>>> We could just base64-encode the encrypted filenames, but that could
>>>>>>> leave us with filenames longer than NAME_MAX. It turns out that the
>>>>>>> MDS doesn't care much about filename length, but the clients do.
>>>>>>>
>>>>>>> To manage this, we've added a new "alternate name" field that can be
>>>>>>> optionally added to any dentry that we'll use to store the binary
>>>>>>> crypttext of the filename if its base64-encoded value will be longer
>>>>>>> than NAME_MAX. When a dentry has one of these names attached, the MDS
>>>>>>> will send it along in the lease info, which we can then store for
>>>>>>> later usage.
>>>>>>>
>>>>>>> Signed-off-by: Jeff Layton <jlayton@kernel.org>
>>>>>>> ---
>>>>>>>      fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
>>>>>>>      fs/ceph/mds_client.h | 11 +++++++----
>>>>>>>      2 files changed, 37 insertions(+), 14 deletions(-)
>>>>>>>
>>>>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>>>>> index 34a4f6dbac9d..709f3f654555 100644
>>>>>>> --- a/fs/ceph/mds_client.c
>>>>>>> +++ b/fs/ceph/mds_client.c
>>>>>>> @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
>>>>>>>      
>>>>>>>      static int parse_reply_info_lease(void **p, void *end,
>>>>>>>      				  struct ceph_mds_reply_lease **lease,
>>>>>>> -				  u64 features)
>>>>>>> +				  u64 features, u32 *altname_len, u8 **altname)
>>>>>>>      {
>>>>>>> +	u8 struct_v;
>>>>>>> +	u32 struct_len;
>>>>>>> +
>>>>>>>      	if (features == (u64)-1) {
>>>>>>> -		u8 struct_v, struct_compat;
>>>>>>> -		u32 struct_len;
>>>>>>> +		u8 struct_compat;
>>>>>>> +
>>>>>>>      		ceph_decode_8_safe(p, end, struct_v, bad);
>>>>>>>      		ceph_decode_8_safe(p, end, struct_compat, bad);
>>>>>>> +
>>>>>>>      		/* struct_v is expected to be >= 1. we only understand
>>>>>>>      		 * encoding whose struct_compat == 1. */
>>>>>>>      		if (!struct_v || struct_compat != 1)
>>>>>>>      			goto bad;
>>>>>>> +
>>>>>>>      		ceph_decode_32_safe(p, end, struct_len, bad);
>>>>>>> -		ceph_decode_need(p, end, struct_len, bad);
>>>>>>> -		end = *p + struct_len;
>>>>>> Hi Jeff,
>>>>>>
>>>>>> This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
>>>>>>
>>>>>> The following patch will fix it. We should skip the extra memories anyway.
>>>>>>
>>>>>>
>>>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>>>> index 94b4c6508044..3dea96df4769 100644
>>>>>> --- a/fs/ceph/mds_client.c
>>>>>> +++ b/fs/ceph/mds_client.c
>>>>>> @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>>>                             goto bad;
>>>>>>
>>>>>>                     ceph_decode_32_safe(p, end, struct_len, bad);
>>>>>> +               end = *p + struct_len;
>>>>> There may be a bug here,
>>>> Yeah, this will be crash when I use the PR
>>>> https://github.com/ceph/ceph/pull/45208.
>>>>
>>>>
>>>>> but this doesn't look like the right fix. "end"
>>>>> denotes the end of the buffer we're decoding. We don't generally want to
>>>>> go changing it like this. Consider what would happen if the original
>>>>> "end" was shorter than *p + struct_len.
>>>> I missed you have also set the struct_len in the else branch.
>>>>>>             } else {
>>>>>>                     struct_len = sizeof(**lease);
>>>>>>                     *altname_len = 0;
>>>>>> @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>>>                             *altname = NULL;
>>>>>>                             *altname_len = 0;
>>>>>>                     }
>>>>>> +               *p = end;
>>>>> I think we just have to do the math here. Maybe this should be something
>>>>> like this?
>>>>>
>>>>>        *p += struct_len - sizeof(**lease) - *altname_len;
>>>> This is correct, but in future if we are adding tens of new fields we
>>>> must minus them all here.
>>>>
>>>> How about this one:
>>>>
>>>>
>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>> index 94b4c6508044..608d077f2eeb 100644
>>>> --- a/fs/ceph/mds_client.c
>>>> +++ b/fs/ceph/mds_client.c
>>>> @@ -313,6 +313,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>     {
>>>>            u8 struct_v;
>>>>            u32 struct_len;
>>>> +       void *lend;
>>>>
>>>>            if (features == (u64)-1) {
>>>>                    u8 struct_compat;
>>>> @@ -332,6 +333,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>                    *altname = NULL;
>>>>            }
>>>>
>>>> +       lend = *p + struct_len;
>>> Looks reasonable. Maybe also add a check like this?
>>>
>>>       if (lend > end)
>>> 	    return -EIO;
>> I don't think this is needed because the:
>>
>>     ceph_decode_need(p, end, struct_len, bad);
>>
>> before it will help check it ?
>>
>>
> Oh, right....good point. That patch looks fine then.

Cool, I will send out one separate patch to fix it in wip-fscrypt branch.

- Xiubo

>
>>>
>>>>            ceph_decode_need(p, end, struct_len, bad);
>>>>            *lease = *p;
>>>>            *p += sizeof(**lease);
>>>> @@ -347,6 +349,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>                            *altname_len = 0;
>>>>                    }
>>>>            }
>>>> +       *p = lend;
>>>>            return 0;
>>>>     bad:
>>>>            return -EIO;
>>>>
>>>>
>>>>>>             }
>>>>>>             return 0;
>>>>>>      bad:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> +	} else {
>>>>>>> +		struct_len = sizeof(**lease);
>>>>>>> +		*altname_len = 0;
>>>>>>> +		*altname = NULL;
>>>>>>>      	}
>>>>>>>      
>>>>>>> -	ceph_decode_need(p, end, sizeof(**lease), bad);
>>>>>>> +	ceph_decode_need(p, end, struct_len, bad);
>>>>>>>      	*lease = *p;
>>>>>>>      	*p += sizeof(**lease);
>>>>>>> -	if (features == (u64)-1)
>>>>>>> -		*p = end;
>>>>>>> +
>>>>>>> +	if (features == (u64)-1) {
>>>>>>> +		if (struct_v >= 2) {
>>>>>>> +			ceph_decode_32_safe(p, end, *altname_len, bad);
>>>>>>> +			ceph_decode_need(p, end, *altname_len, bad);
>>>>>>> +			*altname = *p;
>>>>>>> +			*p += *altname_len;
>>>>>>> +		} else {
>>>>>>> +			*altname = NULL;
>>>>>>> +			*altname_len = 0;
>>>>>>> +		}
>>>>>>> +	}
>>>>>>>      	return 0;
>>>>>>>      bad:
>>>>>>>      	return -EIO;
>>>>>>> @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
>>>>>>>      		info->dname = *p;
>>>>>>>      		*p += info->dname_len;
>>>>>>>      
>>>>>>> -		err = parse_reply_info_lease(p, end, &info->dlease, features);
>>>>>>> +		err = parse_reply_info_lease(p, end, &info->dlease, features,
>>>>>>> +					     &info->altname_len, &info->altname);
>>>>>>>      		if (err < 0)
>>>>>>>      			goto out_bad;
>>>>>>>      	}
>>>>>>> @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
>>>>>>>      		dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
>>>>>>>      
>>>>>>>      		/* dentry lease */
>>>>>>> -		err = parse_reply_info_lease(p, end, &rde->lease, features);
>>>>>>> +		err = parse_reply_info_lease(p, end, &rde->lease, features,
>>>>>>> +					     &rde->altname_len, &rde->altname);
>>>>>>>      		if (err)
>>>>>>>      			goto out_bad;
>>>>>>> +
>>>>>>>      		/* inode */
>>>>>>>      		err = parse_reply_info_in(p, end, &rde->inode, features);
>>>>>>>      		if (err < 0)
>>>>>>> diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
>>>>>>> index e7d2c8a1b9c1..128901a847af 100644
>>>>>>> --- a/fs/ceph/mds_client.h
>>>>>>> +++ b/fs/ceph/mds_client.h
>>>>>>> @@ -29,8 +29,8 @@ enum ceph_feature_type {
>>>>>>>      	CEPHFS_FEATURE_MULTI_RECONNECT,
>>>>>>>      	CEPHFS_FEATURE_DELEG_INO,
>>>>>>>      	CEPHFS_FEATURE_METRIC_COLLECT,
>>>>>>> -
>>>>>>> -	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
>>>>>>> +	CEPHFS_FEATURE_ALTERNATE_NAME,
>>>>>>> +	CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
>>>>>>>      };
>>>>>>>      
>>>>>>>      /*
>>>>>>> @@ -45,8 +45,7 @@ enum ceph_feature_type {
>>>>>>>      	CEPHFS_FEATURE_MULTI_RECONNECT,		\
>>>>>>>      	CEPHFS_FEATURE_DELEG_INO,		\
>>>>>>>      	CEPHFS_FEATURE_METRIC_COLLECT,		\
>>>>>>> -						\
>>>>>>> -	CEPHFS_FEATURE_MAX,			\
>>>>>>> +	CEPHFS_FEATURE_ALTERNATE_NAME,		\
>>>>>>>      }
>>>>>>>      #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
>>>>>>>      
>>>>>>> @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
>>>>>>>      
>>>>>>>      struct ceph_mds_reply_dir_entry {
>>>>>>>      	char                          *name;
>>>>>>> +	u8			      *altname;
>>>>>>>      	u32                           name_len;
>>>>>>> +	u32			      altname_len;
>>>>>>>      	struct ceph_mds_reply_lease   *lease;
>>>>>>>      	struct ceph_mds_reply_info_in inode;
>>>>>>>      	loff_t			      offset;
>>>>>>> @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
>>>>>>>      	struct ceph_mds_reply_info_in diri, targeti;
>>>>>>>      	struct ceph_mds_reply_dirfrag *dirfrag;
>>>>>>>      	char                          *dname;
>>>>>>> +	u8			      *altname;
>>>>>>>      	u32                           dname_len;
>>>>>>> +	u32                           altname_len;
>>>>>>>      	struct ceph_mds_reply_lease   *dlease;
>>>>>>>      
>>>>>>>      	/* extra */

[RFC,v10,11/48] ceph: decode alternate_name in lease info

Commit Message

Comments

Patch