[thirdparty/kernel/stable-queue.git] / releases / 4.4.177 / staging-lustre-fix-buffer-overflow-of-string-buffer.patch

From 9563fe8a2de9db5eb087fe0e48ec335ee66f8f41 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin <dmitry.eremin@intel.com>
Date: Wed, 4 Nov 2015 13:40:00 -0500
Subject: staging: lustre: fix buffer overflow of string buffer

From: Dmitry Eremin <dmitry.eremin@intel.com>

commit 9563fe8a2de9db5eb087fe0e48ec335ee66f8f41 upstream.

Buffer overflow of string buffer due to non null terminated string.
Use strlcpy() when it's justifiable.
Use sizeof(var) instead of constants.

Signed-off-by: Dmitry Eremin <dmitry.eremin@intel.com>
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4629
Reviewed-on: http://review.whamcloud.com/9389
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c |    9 +++++----
 drivers/staging/lustre/lnet/lnet/config.c           |   14 ++++++++------
 drivers/staging/lustre/lnet/selftest/conrpc.c       |    4 ++--
 drivers/staging/lustre/lnet/selftest/console.c      |    6 ++++--
 drivers/staging/lustre/lustre/include/lustre_disk.h |    1 +
 drivers/staging/lustre/lustre/libcfs/debug.c        |    6 +++---
 drivers/staging/lustre/lustre/libcfs/hash.c         |    3 +--
 drivers/staging/lustre/lustre/libcfs/workitem.c     |    4 ++--
 drivers/staging/lustre/lustre/llite/dir.c           |    2 +-
 drivers/staging/lustre/lustre/lov/lov_pool.c        |    3 +--
 drivers/staging/lustre/lustre/obdclass/obd_mount.c  |   10 +++++++---
 drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c      |    1 +
 drivers/staging/lustre/lustre/ptlrpc/sec_config.c   |    3 +--
 13 files changed, 37 insertions(+), 29 deletions(-)

--- a/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c
+++ b/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c
@@ -2621,8 +2621,8 @@ ksocknal_enumerate_interfaces(ksock_net_
 
 		net->ksnn_interfaces[j].ksni_ipaddr = ip;
 		net->ksnn_interfaces[j].ksni_netmask = mask;
-		strncpy(&net->ksnn_interfaces[j].ksni_name[0],
-			names[i], IFNAMSIZ);
+		strlcpy(net->ksnn_interfaces[j].ksni_name,
+			names[i], sizeof(net->ksnn_interfaces[j].ksni_name));
 		j++;
 	}
 
@@ -2805,8 +2805,9 @@ ksocknal_startup(lnet_ni_t *ni)
 				goto fail_1;
 			}
 
-			strncpy(&net->ksnn_interfaces[i].ksni_name[0],
-				ni->ni_interfaces[i], IFNAMSIZ);
+			strlcpy(net->ksnn_interfaces[i].ksni_name,
+				ni->ni_interfaces[i],
+				sizeof(net->ksnn_interfaces[i].ksni_name));
 		}
 		net->ksnn_ninterfaces = i;
 	}
--- a/drivers/staging/lustre/lnet/lnet/config.c
+++ b/drivers/staging/lustre/lnet/lnet/config.c
@@ -650,8 +650,8 @@ lnet_parse_route(char *str, int *im_a_ro
 	INIT_LIST_HEAD(&nets);
 
 	/* save a copy of the string for error messages */
-	strncpy(cmd, str, sizeof(cmd) - 1);
-	cmd[sizeof(cmd) - 1] = 0;
+	strncpy(cmd, str, sizeof(cmd));
+	cmd[sizeof(cmd) - 1] = '\0';
 
 	sep = str;
 	for (;;) {
@@ -972,11 +972,13 @@ lnet_splitnets(char *source, struct list
 			return 0;
 
 		offset += (int)(sep - tb->ltb_text);
-		tb2 = lnet_new_text_buf(strlen(sep));
+		len = strlen(sep);
+		tb2 = lnet_new_text_buf(len);
 		if (tb2 == NULL)
 			return -ENOMEM;
 
-		strcpy(tb2->ltb_text, sep);
+		strncpy(tb2->ltb_text, sep, len);
+		tb2->ltb_text[len] = '\0';
 		list_add_tail(&tb2->ltb_list, nets);
 
 		tb = tb2;
@@ -1021,8 +1023,8 @@ lnet_match_networks(char **networksp, ch
 		tb = list_entry(raw_entries.next, struct lnet_text_buf_t,
 				    ltb_list);
 
-		strncpy(source, tb->ltb_text, sizeof(source)-1);
-		source[sizeof(source)-1] = 0;
+		strncpy(source, tb->ltb_text, sizeof(source));
+		source[sizeof(source)-1] = '\0';
 
 		/* replace ltb_text with the network(s) add on match */
 		rc = lnet_match_network_tokens(tb->ltb_text, ipaddrs, nip);
--- a/drivers/staging/lustre/lnet/selftest/conrpc.c
+++ b/drivers/staging/lustre/lnet/selftest/conrpc.c
@@ -612,8 +612,8 @@ lstcon_sesrpc_prep(lstcon_node_t *nd, in
 		msrq = &(*crpc)->crp_rpc->crpc_reqstmsg.msg_body.mksn_reqst;
 		msrq->mksn_sid     = console_session.ses_id;
 		msrq->mksn_force   = console_session.ses_force;
-		strncpy(msrq->mksn_name, console_session.ses_name,
-			strlen(console_session.ses_name));
+		strlcpy(msrq->mksn_name, console_session.ses_name,
+			sizeof(msrq->mksn_name));
 		break;
 
 	case LST_TRANS_SESEND:
--- a/drivers/staging/lustre/lnet/selftest/console.c
+++ b/drivers/staging/lustre/lnet/selftest/console.c
@@ -1739,7 +1739,8 @@ lstcon_session_new(char *name, int key,
 	console_session.ses_feats_updated = 0;
 	console_session.ses_timeout = (timeout <= 0) ?
 				      LST_CONSOLE_TIMEOUT : timeout;
-	strcpy(console_session.ses_name, name);
+	strlcpy(console_session.ses_name, name,
+		sizeof(console_session.ses_name));
 
 	rc = lstcon_batch_add(LST_DEFAULT_BATCH);
 	if (rc != 0)
@@ -1959,7 +1960,8 @@ lstcon_acceptor_handle(srpc_server_rpc_t
 	if (grp->grp_userland == 0)
 		grp->grp_userland = 1;
 
-	strcpy(jrep->join_session, console_session.ses_name);
+	strlcpy(jrep->join_session, console_session.ses_name,
+		sizeof(jrep->join_session));
 	jrep->join_timeout = console_session.ses_timeout;
 	jrep->join_status  = 0;
 
--- a/drivers/staging/lustre/lustre/include/lustre_disk.h
+++ b/drivers/staging/lustre/lustre/include/lustre_disk.h
@@ -68,6 +68,7 @@
    everything as string options */
 
 #define LMD_MAGIC    0xbdacbd03
+#define LMD_PARAMS_MAXLEN	4096
 
 /* gleaned from the mount command - no persistent info here */
 struct lustre_mount_data {
--- a/drivers/staging/lustre/lustre/libcfs/debug.c
+++ b/drivers/staging/lustre/lustre/libcfs/debug.c
@@ -512,9 +512,9 @@ int libcfs_debug_init(unsigned long bufs
 	}
 
 	if (libcfs_debug_file_path != NULL) {
-		strncpy(libcfs_debug_file_path_arr,
-			libcfs_debug_file_path, PATH_MAX-1);
-		libcfs_debug_file_path_arr[PATH_MAX - 1] = '\0';
+		strlcpy(libcfs_debug_file_path_arr,
+			libcfs_debug_file_path,
+			sizeof(libcfs_debug_file_path_arr));
 	}
 
 	/* If libcfs_debug_mb is set to an invalid value or uninitialized
--- a/drivers/staging/lustre/lustre/libcfs/hash.c
+++ b/drivers/staging/lustre/lustre/libcfs/hash.c
@@ -1062,8 +1062,7 @@ cfs_hash_create(char *name, unsigned cur
 	if (hs == NULL)
 		return NULL;
 
-	strncpy(hs->hs_name, name, len);
-	hs->hs_name[len - 1] = '\0';
+	strlcpy(hs->hs_name, name, len);
 	hs->hs_flags = flags;
 
 	atomic_set(&hs->hs_refcount, 1);
--- a/drivers/staging/lustre/lustre/libcfs/workitem.c
+++ b/drivers/staging/lustre/lustre/libcfs/workitem.c
@@ -360,8 +360,8 @@ cfs_wi_sched_create(char *name, struct c
 	if (sched == NULL)
 		return -ENOMEM;
 
-	strncpy(sched->ws_name, name, CFS_WS_NAME_LEN);
-	sched->ws_name[CFS_WS_NAME_LEN - 1] = '\0';
+	strlcpy(sched->ws_name, name, CFS_WS_NAME_LEN);
+
 	sched->ws_cptab = cptab;
 	sched->ws_cpt = cpt;
 
--- a/drivers/staging/lustre/lustre/llite/dir.c
+++ b/drivers/staging/lustre/lustre/llite/dir.c
@@ -641,7 +641,7 @@ static int ll_send_mgc_param(struct obd_
 	if (!msp)
 		return -ENOMEM;
 
-	strncpy(msp->mgs_param, string, MGS_PARAM_MAXLEN);
+	strlcpy(msp->mgs_param, string, sizeof(msp->mgs_param));
 	rc = obd_set_info_async(NULL, mgc, sizeof(KEY_SET_INFO), KEY_SET_INFO,
 				sizeof(struct mgs_send_param), msp, NULL);
 	if (rc)
--- a/drivers/staging/lustre/lustre/lov/lov_pool.c
+++ b/drivers/staging/lustre/lustre/lov/lov_pool.c
@@ -412,8 +412,7 @@ int lov_pool_new(struct obd_device *obd,
 	if (!new_pool)
 		return -ENOMEM;
 
-	strncpy(new_pool->pool_name, poolname, LOV_MAXPOOLNAME);
-	new_pool->pool_name[LOV_MAXPOOLNAME] = '\0';
+	strlcpy(new_pool->pool_name, poolname, sizeof(new_pool->pool_name));
 	new_pool->pool_lobd = obd;
 	/* ref count init to 1 because when created a pool is always used
 	 * up to deletion
--- a/drivers/staging/lustre/lustre/obdclass/obd_mount.c
+++ b/drivers/staging/lustre/lustre/obdclass/obd_mount.c
@@ -892,7 +892,7 @@ static int lmd_parse(char *options, stru
 	}
 	lmd->lmd_magic = LMD_MAGIC;
 
-	lmd->lmd_params = kzalloc(4096, GFP_NOFS);
+	lmd->lmd_params = kzalloc(LMD_PARAMS_MAXLEN, GFP_NOFS);
 	if (!lmd->lmd_params)
 		return -ENOMEM;
 	lmd->lmd_params[0] = '\0';
@@ -978,7 +978,7 @@ static int lmd_parse(char *options, stru
 				goto invalid;
 			clear++;
 		} else if (strncmp(s1, "param=", 6) == 0) {
-			int length;
+			size_t length, params_length;
 			char *tail = strchr(s1 + 6, ',');
 
 			if (tail == NULL)
@@ -986,8 +986,12 @@ static int lmd_parse(char *options, stru
 			else
 				length = tail - s1;
 			length -= 6;
+			params_length = strlen(lmd->lmd_params);
+			if (params_length + length + 1 >= LMD_PARAMS_MAXLEN)
+				return -E2BIG;
 			strncat(lmd->lmd_params, s1 + 6, length);
-			strcat(lmd->lmd_params, " ");
+			lmd->lmd_params[params_length + length] = '\0';
+			strlcat(lmd->lmd_params, " ", LMD_PARAMS_MAXLEN);
 			clear++;
 		} else if (strncmp(s1, "osd=", 4) == 0) {
 			rc = lmd_parse_string(&lmd->lmd_osd_type, s1 + 4);
--- a/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c
+++ b/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c
@@ -422,6 +422,7 @@ static int ptlrpcd(void *arg)
 	complete(&pc->pc_starting);
 
 	/*
+
 	 * This mainloop strongly resembles ptlrpc_set_wait() except that our
 	 * set never completes.  ptlrpcd_check() calls ptlrpc_check_set() when
 	 * there are requests in the set. New requests come in on the set's
--- a/drivers/staging/lustre/lustre/ptlrpc/sec_config.c
+++ b/drivers/staging/lustre/lustre/ptlrpc/sec_config.c
@@ -83,8 +83,7 @@ int sptlrpc_parse_flavor(const char *str
 		return 0;
 	}
 
-	strncpy(buf, str, sizeof(buf));
-	buf[sizeof(buf) - 1] = '\0';
+	strlcpy(buf, str, sizeof(buf));
 
 	bulk = strchr(buf, '-');
 	if (bulk)
Commit	Line	Data
ddb11550 GKH	1	From 9563fe8a2de9db5eb087fe0e48ec335ee66f8f41 Mon Sep 17 00:00:00 2001
	2	From: Dmitry Eremin <dmitry.eremin@intel.com>
	3	Date: Wed, 4 Nov 2015 13:40:00 -0500
	4	Subject: staging: lustre: fix buffer overflow of string buffer
	5
	6	From: Dmitry Eremin <dmitry.eremin@intel.com>
	7
	8	commit 9563fe8a2de9db5eb087fe0e48ec335ee66f8f41 upstream.
	9
	10	Buffer overflow of string buffer due to non null terminated string.
	11	Use strlcpy() when it's justifiable.
	12	Use sizeof(var) instead of constants.
	13
	14	Signed-off-by: Dmitry Eremin <dmitry.eremin@intel.com>
	15	Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4629
	16	Reviewed-on: http://review.whamcloud.com/9389
	17	Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
	18	Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	20
	21	---
	22	drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c \| 9 +++++----
	23	drivers/staging/lustre/lnet/lnet/config.c \| 14 ++++++++------
	24	drivers/staging/lustre/lnet/selftest/conrpc.c \| 4 ++--
	25	drivers/staging/lustre/lnet/selftest/console.c \| 6 ++++--
	26	drivers/staging/lustre/lustre/include/lustre_disk.h \| 1 +
	27	drivers/staging/lustre/lustre/libcfs/debug.c \| 6 +++---
	28	drivers/staging/lustre/lustre/libcfs/hash.c \| 3 +--
	29	drivers/staging/lustre/lustre/libcfs/workitem.c \| 4 ++--
	30	drivers/staging/lustre/lustre/llite/dir.c \| 2 +-
	31	drivers/staging/lustre/lustre/lov/lov_pool.c \| 3 +--
	32	drivers/staging/lustre/lustre/obdclass/obd_mount.c \| 10 +++++++---
	33	drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c \| 1 +
	34	drivers/staging/lustre/lustre/ptlrpc/sec_config.c \| 3 +--
	35	13 files changed, 37 insertions(+), 29 deletions(-)
	36
	37	--- a/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c
	38	+++ b/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c
	39	@@ -2621,8 +2621,8 @@ ksocknal_enumerate_interfaces(ksock_net_
	40
	41	net->ksnn_interfaces[j].ksni_ipaddr = ip;
	42	net->ksnn_interfaces[j].ksni_netmask = mask;
	43	- strncpy(&net->ksnn_interfaces[j].ksni_name[0],
	44	- names[i], IFNAMSIZ);
	45	+ strlcpy(net->ksnn_interfaces[j].ksni_name,
	46	+ names[i], sizeof(net->ksnn_interfaces[j].ksni_name));
	47	j++;
	48	}
	49
	50	@@ -2805,8 +2805,9 @@ ksocknal_startup(lnet_ni_t *ni)
	51	goto fail_1;
	52	}
	53
	54	- strncpy(&net->ksnn_interfaces[i].ksni_name[0],
	55	- ni->ni_interfaces[i], IFNAMSIZ);
	56	+ strlcpy(net->ksnn_interfaces[i].ksni_name,
	57	+ ni->ni_interfaces[i],
	58	+ sizeof(net->ksnn_interfaces[i].ksni_name));
	59	}
	60	net->ksnn_ninterfaces = i;
	61	}
	62	--- a/drivers/staging/lustre/lnet/lnet/config.c
	63	+++ b/drivers/staging/lustre/lnet/lnet/config.c
	64	@@ -650,8 +650,8 @@ lnet_parse_route(char str, int im_a_ro
65	INIT_LIST_HEAD(&nets);
66
67	/* save a copy of the string for error messages */
68	- strncpy(cmd, str, sizeof(cmd) - 1);
69	- cmd[sizeof(cmd) - 1] = 0;
70	+ strncpy(cmd, str, sizeof(cmd));
71	+ cmd[sizeof(cmd) - 1] = '\0';
72
73	sep = str;
74	for (;;) {
75	@@ -972,11 +972,13 @@ lnet_splitnets(char *source, struct list
76	return 0;
77
78	offset += (int)(sep - tb->ltb_text);
79	- tb2 = lnet_new_text_buf(strlen(sep));
80	+ len = strlen(sep);
81	+ tb2 = lnet_new_text_buf(len);
82	if (tb2 == NULL)
83	return -ENOMEM;
84
85	- strcpy(tb2->ltb_text, sep);
86	+ strncpy(tb2->ltb_text, sep, len);
87	+ tb2->ltb_text[len] = '\0';
88	list_add_tail(&tb2->ltb_list, nets);
89
90	tb = tb2;
91	@@ -1021,8 +1023,8 @@ lnet_match_networks(char **networksp, ch
92	tb = list_entry(raw_entries.next, struct lnet_text_buf_t,
93	ltb_list);
94
95	- strncpy(source, tb->ltb_text, sizeof(source)-1);
96	- source[sizeof(source)-1] = 0;
97	+ strncpy(source, tb->ltb_text, sizeof(source));
98	+ source[sizeof(source)-1] = '\0';
99
100	/* replace ltb_text with the network(s) add on match */
101	rc = lnet_match_network_tokens(tb->ltb_text, ipaddrs, nip);
102	--- a/drivers/staging/lustre/lnet/selftest/conrpc.c
103	+++ b/drivers/staging/lustre/lnet/selftest/conrpc.c
104	@@ -612,8 +612,8 @@ lstcon_sesrpc_prep(lstcon_node_t *nd, in
105	msrq = &(*crpc)->crp_rpc->crpc_reqstmsg.msg_body.mksn_reqst;
106	msrq->mksn_sid = console_session.ses_id;
107	msrq->mksn_force = console_session.ses_force;
108	- strncpy(msrq->mksn_name, console_session.ses_name,
109	- strlen(console_session.ses_name));
110	+ strlcpy(msrq->mksn_name, console_session.ses_name,
111	+ sizeof(msrq->mksn_name));
112	break;
113
114	case LST_TRANS_SESEND:
115	--- a/drivers/staging/lustre/lnet/selftest/console.c
116	+++ b/drivers/staging/lustre/lnet/selftest/console.c
117	@@ -1739,7 +1739,8 @@ lstcon_session_new(char *name, int key,
118	console_session.ses_feats_updated = 0;
119	console_session.ses_timeout = (timeout <= 0) ?
120	LST_CONSOLE_TIMEOUT : timeout;
121	- strcpy(console_session.ses_name, name);
122	+ strlcpy(console_session.ses_name, name,
123	+ sizeof(console_session.ses_name));
124
125	rc = lstcon_batch_add(LST_DEFAULT_BATCH);
126	if (rc != 0)
127	@@ -1959,7 +1960,8 @@ lstcon_acceptor_handle(srpc_server_rpc_t
128	if (grp->grp_userland == 0)
129	grp->grp_userland = 1;
130
131	- strcpy(jrep->join_session, console_session.ses_name);
132	+ strlcpy(jrep->join_session, console_session.ses_name,
133	+ sizeof(jrep->join_session));
134	jrep->join_timeout = console_session.ses_timeout;
135	jrep->join_status = 0;
136
137	--- a/drivers/staging/lustre/lustre/include/lustre_disk.h
138	+++ b/drivers/staging/lustre/lustre/include/lustre_disk.h
139	@@ -68,6 +68,7 @@
140	everything as string options */
141
142	#define LMD_MAGIC 0xbdacbd03
143	+#define LMD_PARAMS_MAXLEN 4096
144
145	/* gleaned from the mount command - no persistent info here */
146	struct lustre_mount_data {
147	--- a/drivers/staging/lustre/lustre/libcfs/debug.c
148	+++ b/drivers/staging/lustre/lustre/libcfs/debug.c
149	@@ -512,9 +512,9 @@ int libcfs_debug_init(unsigned long bufs
150	}
151
152	if (libcfs_debug_file_path != NULL) {
153	- strncpy(libcfs_debug_file_path_arr,
154	- libcfs_debug_file_path, PATH_MAX-1);
155	- libcfs_debug_file_path_arr[PATH_MAX - 1] = '\0';
156	+ strlcpy(libcfs_debug_file_path_arr,
157	+ libcfs_debug_file_path,
158	+ sizeof(libcfs_debug_file_path_arr));
159	}
160
161	/* If libcfs_debug_mb is set to an invalid value or uninitialized
162	--- a/drivers/staging/lustre/lustre/libcfs/hash.c
163	+++ b/drivers/staging/lustre/lustre/libcfs/hash.c
164	@@ -1062,8 +1062,7 @@ cfs_hash_create(char *name, unsigned cur
165	if (hs == NULL)
166	return NULL;
167
168	- strncpy(hs->hs_name, name, len);
169	- hs->hs_name[len - 1] = '\0';
170	+ strlcpy(hs->hs_name, name, len);
171	hs->hs_flags = flags;
172
173	atomic_set(&hs->hs_refcount, 1);
174	--- a/drivers/staging/lustre/lustre/libcfs/workitem.c
175	+++ b/drivers/staging/lustre/lustre/libcfs/workitem.c
176	@@ -360,8 +360,8 @@ cfs_wi_sched_create(char *name, struct c
177	if (sched == NULL)
178	return -ENOMEM;
179
180	- strncpy(sched->ws_name, name, CFS_WS_NAME_LEN);
181	- sched->ws_name[CFS_WS_NAME_LEN - 1] = '\0';
182	+ strlcpy(sched->ws_name, name, CFS_WS_NAME_LEN);
183	+
184	sched->ws_cptab = cptab;
185	sched->ws_cpt = cpt;
186
187	--- a/drivers/staging/lustre/lustre/llite/dir.c
188	+++ b/drivers/staging/lustre/lustre/llite/dir.c
189	@@ -641,7 +641,7 @@ static int ll_send_mgc_param(struct obd_
190	if (!msp)
191	return -ENOMEM;
192
193	- strncpy(msp->mgs_param, string, MGS_PARAM_MAXLEN);
194	+ strlcpy(msp->mgs_param, string, sizeof(msp->mgs_param));
195	rc = obd_set_info_async(NULL, mgc, sizeof(KEY_SET_INFO), KEY_SET_INFO,
196	sizeof(struct mgs_send_param), msp, NULL);
197	if (rc)
198	--- a/drivers/staging/lustre/lustre/lov/lov_pool.c
199	+++ b/drivers/staging/lustre/lustre/lov/lov_pool.c
200	@@ -412,8 +412,7 @@ int lov_pool_new(struct obd_device *obd,
201	if (!new_pool)
202	return -ENOMEM;
203
204	- strncpy(new_pool->pool_name, poolname, LOV_MAXPOOLNAME);
205	- new_pool->pool_name[LOV_MAXPOOLNAME] = '\0';
206	+ strlcpy(new_pool->pool_name, poolname, sizeof(new_pool->pool_name));
207	new_pool->pool_lobd = obd;
208	/* ref count init to 1 because when created a pool is always used
209	* up to deletion
210	--- a/drivers/staging/lustre/lustre/obdclass/obd_mount.c
211	+++ b/drivers/staging/lustre/lustre/obdclass/obd_mount.c
212	@@ -892,7 +892,7 @@ static int lmd_parse(char *options, stru
213	}
214	lmd->lmd_magic = LMD_MAGIC;
215
216	- lmd->lmd_params = kzalloc(4096, GFP_NOFS);
217	+ lmd->lmd_params = kzalloc(LMD_PARAMS_MAXLEN, GFP_NOFS);
218	if (!lmd->lmd_params)
219	return -ENOMEM;
220	lmd->lmd_params[0] = '\0';
221	@@ -978,7 +978,7 @@ static int lmd_parse(char *options, stru
222	goto invalid;
223	clear++;
224	} else if (strncmp(s1, "param=", 6) == 0) {
225	- int length;
226	+ size_t length, params_length;
227	char *tail = strchr(s1 + 6, ',');
228
229	if (tail == NULL)
230	@@ -986,8 +986,12 @@ static int lmd_parse(char *options, stru
231	else
232	length = tail - s1;
233	length -= 6;
234	+ params_length = strlen(lmd->lmd_params);
235	+ if (params_length + length + 1 >= LMD_PARAMS_MAXLEN)
236	+ return -E2BIG;
237	strncat(lmd->lmd_params, s1 + 6, length);
238	- strcat(lmd->lmd_params, " ");
239	+ lmd->lmd_params[params_length + length] = '\0';
240	+ strlcat(lmd->lmd_params, " ", LMD_PARAMS_MAXLEN);
241	clear++;
242	} else if (strncmp(s1, "osd=", 4) == 0) {
243	rc = lmd_parse_string(&lmd->lmd_osd_type, s1 + 4);
244	--- a/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c
245	+++ b/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c
246	@@ -422,6 +422,7 @@ static int ptlrpcd(void *arg)
247	complete(&pc->pc_starting);
248
249	/*
250	+
251	* This mainloop strongly resembles ptlrpc_set_wait() except that our
252	* set never completes. ptlrpcd_check() calls ptlrpc_check_set() when
253	* there are requests in the set. New requests come in on the set's
254	--- a/drivers/staging/lustre/lustre/ptlrpc/sec_config.c
255	+++ b/drivers/staging/lustre/lustre/ptlrpc/sec_config.c
256	@@ -83,8 +83,7 @@ int sptlrpc_parse_flavor(const char *str
257	return 0;
258	}
259
260	- strncpy(buf, str, sizeof(buf));
261	- buf[sizeof(buf) - 1] = '\0';
262	+ strlcpy(buf, str, sizeof(buf));
263
264	bulk = strchr(buf, '-');
265	if (bulk)