Details
-
Bug
-
Resolution: Fixed
-
Critical
-
Lustre 2.13.0, Lustre 2.12.1
-
None
-
3
-
9223372036854775807
Description
It was observed that when we have changelogs enabled there's a getxattr path that can create a transaction even if getxattr itself only wants the xattr size and there's no reply buffer
This results in a NULL pointer deref in lustre_msg_set_transno because rq_rep is NULL like this:
[ 1826.910143] RIP: 0010:[<ffffffffc0e5012c>] [<ffffffffc0e5012c>] lustre_msg_set_transno+0xc/0xa0 [ptlrpc] [ 1826.922696] RSP: 0018:ffff8e7d974df940 EFLAGS: 00010282 [ 1826.930429] RAX: 0000002700000008 RBX: ffff8e5d4c5bb000 RCX: ffff8e5d4e9280b0 [ 1826.940192] RDX: 0000000000000000 RSI: 0000002700000008 RDI: 0000000000000000 [ 1826.949927] RBP: ffff8e7d974df950 R08: ffff8e7d913d8a40 R09: 0000000000000030 [ 1826.959650] R10: 0000000000000000 R11: ffff8e7d974df72e R12: ffff8e7d97477000 [ 1826.969402] R13: ffff8e7d913d8a40 R14: ffff8e7db37c1c80 R15: 0000000000000000 [ 1826.979089] FS: 0000000000000000(0000) GS:ffff8e7dbdfc0000(0000) knlGS:0000000000000000 [ 1826.989827] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1826.997935] CR2: 0000000000000008 CR3: 0000001ffc266000 CR4: 00000000003607e0 [ 1827.007585] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1827.017224] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1827.026817] Call Trace: [ 1827.031220] [<ffffffffc0eaaeba>] tgt_last_rcvd_update+0x21a/0xc90 [ptlrpc] [ 1827.040631] [<ffffffffc0ae4d07>] ? libcfs_debug_msg+0x57/0x80 [libcfs] [ 1827.049674] [<ffffffffc0eb011d>] tgt_txn_stop_cb+0x19d/0x490 [ptlrpc] [ 1827.058593] [<ffffffffc0c25071>] dt_txn_hook_stop+0x81/0xd0 [obdclass] [ 1827.067570] [<ffffffffc1269854>] osd_trans_stop+0x134/0x850 [osd_ldiskfs] [ 1827.076823] [<ffffffffc0bdc283>] ? llog_cat_add_rec+0x233/0x8b0 [obdclass] [ 1827.086182] [<ffffffffc0eca602>] top_trans_stop+0x92/0x930 [ptlrpc] [ 1827.094806] [<ffffffff9d0f944f>] ? __getnstimeofday64+0x3f/0xd0 [ 1827.103028] [<ffffffffc147c5e9>] lod_trans_stop+0x259/0x340 [lod] [ 1827.111424] [<ffffffffc151b7ba>] mdd_trans_stop+0x2a/0x46 [mdd] [ 1827.119589] [<ffffffffc150f340>] mdd_xattr_get+0x2f0/0x5c0 [mdd] [ 1827.127864] [<ffffffffc13caf71>] mdt_getxattr+0x951/0x12c0 [mdt] [ 1827.136094] [<ffffffffc0c22f7f>] ? lu_object_find_at+0x20f/0x2b0 [obdclass] [ 1827.145358] [<ffffffffc13b477c>] mdt_tgt_getxattr+0x1c/0x30 [mdt] [ 1827.153671] [<ffffffffc0eb741a>] tgt_request_handle+0x92a/0x1370 [ptlrpc] [ 1827.162737] [<ffffffffc0e5cfeb>] ptlrpc_server_handle_request+0x23b/0xaa0 [ptlrpc] [ 1827.172666] [<ffffffffc0e59618>] ? ptlrpc_wait_event+0x98/0x340 [ptlrpc] [ 1827.181578] [<ffffffff9d0cf682>] ? default_wake_function+0x12/0x20 [ 1827.189891] [<ffffffff9d0c52ab>] ? __wake_up_common+0x5b/0x90 [ 1827.197740] [<ffffffffc0e60732>] ptlrpc_main+0xa92/0x1e40 [ptlrpc] [ 1827.206078] [<ffffffffc0e5fca0>] ? ptlrpc_register_service+0xe30/0xe30 [ptlrpc] [ 1827.215631] [<ffffffff9d0bb621>] kthread+0xd1/0xe0 [ 1827.222337] [<ffffffff9d0bb550>] ? insert_kthread_work+0x40/0x40 [ 1827.230379] [<ffffffff9d7205f7>] ret_from_fork_nospec_begin+0x21/0x21 [ 1827.238877] [<ffffffff9d0bb550>] ? insert_kthread_work+0x40/0x40