The branch stable/14 has been updated by jah:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c18e6a5a5c63d85d664d60dc3bf0232ea21bf8d2

commit c18e6a5a5c63d85d664d60dc3bf0232ea21bf8d2
Author:     Jason A. Harmening <j...@freebsd.org>
AuthorDate: 2023-12-24 04:48:19 +0000
Commit:     Jason A. Harmening <j...@freebsd.org>
CommitDate: 2024-03-04 18:31:25 +0000

    unionfs: work around underlying FS failing to respect cn_namelen
    
    unionfs_mkshadowdir() may be invoked on a non-leaf pathname component
    during lookup, in which case the NUL terminator of the pathname buffer
    will be well beyond the end of the current component.  cn_namelen in
    this case will still (correctly) indicate the length of only the
    current component, but ZFS in particular does not currently respect
    cn_namelen, leading to the creation on inacessible files with slashes
    in their names.  Work around this behavior by temporarily NUL-
    terminating the current pathname component for the call to VOP_MKDIR().
    
    https://github.com/openzfs/zfs/issues/15705 has been filed to track
    a proper upstream fix for the issue at hand.
    
    PR:             275871
    Reported by:    Karlo Miličević <karlo9...@gmail.com>
    Tested by:      Karlo Miličević <karlo9...@gmail.com>
    Reviewed by:    kib, olce
    Differential Revision: https://reviews.freebsd.org/D43818
    
    (cherry picked from commit a2ddbe019d51b35f9da2cb5ddca8c69f0ee422da)
---
 sys/fs/unionfs/union_subr.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sys/fs/unionfs/union_subr.c b/sys/fs/unionfs/union_subr.c
index c841136e42d5..469ba0775e7c 100644
--- a/sys/fs/unionfs/union_subr.c
+++ b/sys/fs/unionfs/union_subr.c
@@ -918,7 +918,24 @@ unionfs_mkshadowdir(struct unionfs_mount *ump, struct 
vnode *udvp,
                goto unionfs_mkshadowdir_abort;
        unionfs_create_uppervattr_core(ump, &lva, &va, td);
 
+       /*
+        * Temporarily NUL-terminate the current pathname component.
+        * This function may be called during lookup operations in which
+        * the current pathname component is not the leaf, meaning that
+        * the NUL terminator is some distance beyond the end of the current
+        * component.  This *should* be fine, as cn_namelen will still
+        * correctly indicate the length of only the current component,
+        * but ZFS in particular does not respect cn_namelen in its VOP_MKDIR
+        * implementation
+        * Note that this assumes nd.ni_cnd.cn_pnbuf was allocated by
+        * something like a local namei() operation and the temporary
+        * NUL-termination will not have an effect on other threads.
+        */
+       char *pathend = &nd.ni_cnd.cn_nameptr[nd.ni_cnd.cn_namelen];
+       char pathterm = *pathend;
+       *pathend = '\0';
        error = VOP_MKDIR(udvp, &uvp, &nd.ni_cnd, &va);
+       *pathend = pathterm;
 
        if (!error) {
                unionfs_node_update(unp, uvp, td);

Reply via email to