[LU-16617] A null-pointer dereference in osc_request.c:3358:function osc_iocontro - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Duplicate
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Labels:
None
Environment:

Hide
Three server nodes and one client. Kernel version: Ubuntu-5.4.0-90.101

# MGS
mkfs.lustre --fsname=lustre --mgs /dev/vda
mount -t lustre /dev/vda /root/lustre-server

# MDS
mkfs.lustre --fsname=lustre --index=0 --mgsnode=$start_ip@tcp0 --mdt /dev/vda
mount -t lustre /dev/vda /root/lustre-server

# OSS
mkfs.lustre --ost --fsname=lustre --index=1 --reformat --mgsnode=$start_ip@tcp0 /dev/vda
mount -t lustre /dev/vda /root/lustre-server

# Client
mount -t lustre $start_ip@tcp0:/lustre /root/lustre-client

Show
Three server nodes and one client. Kernel version: Ubuntu-5.4.0-90.101 # MGS mkfs.lustre --fsname=lustre --mgs /dev/vda mount -t lustre /dev/vda /root/lustre-server # MDS mkfs.lustre --fsname=lustre --index=0 --mgsnode=$ start_ip@tcp0 --mdt /dev/vda mount -t lustre /dev/vda /root/lustre-server # OSS mkfs.lustre --ost --fsname=lustre --index=1 --reformat --mgsnode=$ start_ip@tcp0 /dev/vda mount -t lustre /dev/vda /root/lustre-server # Client mount -t lustre $ start_ip@tcp0 :/lustre /root/lustre-client

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

A null-pointer dereference is detected in osc_request.c:3358 (function osc_iocontrol) and then crashes the kernel.

Strace
open(".", O_RDONLY) = 3
ioctl(3, _IOC(_IOC_WRITE, 0x66, 0x85, 0x8), 0) = ?
+++ killed by SIGSEGV +++
Segmentation fault

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

poc.c
0.8 kB
03/Mar/23 1:33 PM

Issue Links

is related to

LU-16616 crash in osc_brw_prep_request() ASSERTION( page_count == 1 || (ergo(i == 0, poff + pg->count == PAGE_SIZE) ...

Open

is related to

LU-16634 Null pointer dereference in lustre_set_wire_obdo

Resolved

Activity

[LU-16617] A null-pointer dereference in osc_request.c:3358:function osc_iocontro

Tao Lyu added a comment - 17/Mar/23 7:24 AM

Okay, thanks!

Tao Lyu added a comment - 17/Mar/23 7:24 AM Okay, thanks!

Andreas Dilger added a comment - 16/Mar/23 10:55 PM

This will likely also be handled by the ~~LU-16634~~ patch.

Andreas Dilger added a comment - 16/Mar/23 10:55 PM This will likely also be handled by the LU-16634 patch.

Tao Lyu added a comment - 16/Mar/23 6:39 PM

Concrete information:

Lustre commit: 9ddcdee2c8b9ec14986b93cf3180d946cd4869f7

crash stack trace:

root@dfs:~# [ 142.000320] kasan: CONFIG_KASAN_INLINE enabled
[ 142.000869] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 142.001675] general protection fault: 0000 1 SMP KASAN NOPTI
[ 142.002347] CPU: 0 PID: 520 Comm: test Tainted: G O 5.4.148+ #7
[ 142.003143] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 142.004159] RIP: 0010:osc_iocontrol+0x2f7/0xe80 [osc]
[ 142.004719] Code: 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 42 f9 b5 ce 49 8d bc 24 08 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 0a 00 00 49 8d bf d8 05 00 00 49 8b b4 24 08
[ 142.006938] RSP: 0018:ffff88824a88f6f0 EFLAGS: 00010206
[ 142.007560] RAX: dffffc0000000000 RBX: ffffffffc0352780 RCX: ffffffffc0dbde1e
[ 142.008362] RDX: 0000000000000041 RSI: 00000000c0086815 RDI: 0000000000000208
[ 142.009128] RBP: ffff88824db93800 R08: ffff88824b3b9ec0 R09: 0000000000000000
[ 142.009943] R10: ffff88824a88f940 R11: ffff88824a88fd34 R12: 0000000000000000
[ 142.010754] R13: ffff88824db938e8 R14: 0000000040086685 R15: ffff88823d8336d8
[ 142.011582] FS: 00007ffff7fc0540(0000) GS:ffff888257400000(0000) knlGS:0000000000000000
[ 142.012552] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 142.013215] CR2: 0000000020000100 CR3: 000000024aea6005 CR4: 0000000000760ef0
[ 142.014046] PKRU: 55555554
[ 142.014363] Call Trace:
[ 142.015213] lov_iocontrol+0x4ba/0x5de0 [lov]
[ 142.021510] ll_dir_ioctl+0x2834/0x17cc0 [lustre]
[ 142.048571] do_vfs_ioctl+0x405/0x660
[ 142.049029] ksys_ioctl+0x5e/0x90
[ 142.049444] __x64_sys_ioctl+0x16/0x20
[ 142.049904] do_syscall_64+0x48/0x140
[ 142.050360] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 142.051005] RIP: 0033:0x7ffff7ee870d
[ 142.051448] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 53 f7 0c 00 f7 d8 64 89 01 48
[ 142.053593] RSP: 002b:00007fffffffe348 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 142.054686] RAX: ffffffffffffffda RBX: 0000555555555290 RCX: 00007ffff7ee870d
[ 142.055484] RDX: 0000000000000000 RSI: 0000000040086685 RDI: 0000000000000003
[ 142.056285] RBP: 00007fffffffe360 R08: 00007fffffffe450 R09: 00007fffffffe450
[ 142.057102] R10: 0000000000000000 R11: 0000000000000213 R12: 0000555555555080
[ 142.057909] R13: 00007fffffffe450 R14: 0000000000000000 R15: 0000000000000000
[ 142.058715] Modules linked in: mgc(O) lustre(O) lmv(O) mdc(O) fid(O) lov(O) fld(O) osc(O) ksocklnd(O) ptlrpc(O) obdclass(O) lnet(O) libcfs(O)
[ 142.060313] --~~[ end trace 9c88039dbe2366d5 ]~~--
[ 142.060919] RIP: 0010:osc_iocontrol+0x2f7/0xe80 [osc]
[ 142.061569] Code: 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 42 f9 b5 ce 49 8d bc 24 08 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 0a 00 00 49 8d bf d8 05 00 00 49 8b b4 24 08
[ 142.064004] RSP: 0018:ffff88824a88f6f0 EFLAGS: 00010206
[ 142.064817] RAX: dffffc0000000000 RBX: ffffffffc0352780 RCX: ffffffffc0dbde1e
[ 142.065573] RDX: 0000000000000041 RSI: 00000000c0086815 RDI: 0000000000000208
[ 142.066227] RBP: ffff88824db93800 R08: ffff88824b3b9ec0 R09: 0000000000000000
[ 142.066887] R10: ffff88824a88f940 R11: ffff88824a88fd34 R12: 0000000000000000
[ 142.067513] R13: ffff88824db938e8 R14: 0000000040086685 R15: ffff88823d8336d8
[ 142.068139] FS: 00007ffff7fc0540(0000) GS:ffff888257400000(0000) knlGS:0000000000000000
[ 142.068921] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 142.069568] CR2: 0000000020000100 CR3: 000000024aea6005 CR4: 0000000000760ef0
[ 142.070358] PKRU: 55555554

Tao Lyu added a comment - 16/Mar/23 6:39 PM Concrete information: Lustre commit: 9ddcdee2c8b9ec14986b93cf3180d946cd4869f7 crash stack trace: root@dfs:~# [ 142.000320] kasan: CONFIG_KASAN_INLINE enabled [ 142.000869] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 142.001675] general protection fault: 0000 1 SMP KASAN NOPTI [ 142.002347] CPU: 0 PID: 520 Comm: test Tainted: G O 5.4.148+ #7 [ 142.003143] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 142.004159] RIP: 0010:osc_iocontrol+0x2f7/0xe80 [osc] [ 142.004719] Code: 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 42 f9 b5 ce 49 8d bc 24 08 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 0a 00 00 49 8d bf d8 05 00 00 49 8b b4 24 08 [ 142.006938] RSP: 0018:ffff88824a88f6f0 EFLAGS: 00010206 [ 142.007560] RAX: dffffc0000000000 RBX: ffffffffc0352780 RCX: ffffffffc0dbde1e [ 142.008362] RDX: 0000000000000041 RSI: 00000000c0086815 RDI: 0000000000000208 [ 142.009128] RBP: ffff88824db93800 R08: ffff88824b3b9ec0 R09: 0000000000000000 [ 142.009943] R10: ffff88824a88f940 R11: ffff88824a88fd34 R12: 0000000000000000 [ 142.010754] R13: ffff88824db938e8 R14: 0000000040086685 R15: ffff88823d8336d8 [ 142.011582] FS: 00007ffff7fc0540(0000) GS:ffff888257400000(0000) knlGS:0000000000000000 [ 142.012552] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 142.013215] CR2: 0000000020000100 CR3: 000000024aea6005 CR4: 0000000000760ef0 [ 142.014046] PKRU: 55555554 [ 142.014363] Call Trace: [ 142.015213] lov_iocontrol+0x4ba/0x5de0 [lov] [ 142.021510] ll_dir_ioctl+0x2834/0x17cc0 [lustre] [ 142.048571] do_vfs_ioctl+0x405/0x660 [ 142.049029] ksys_ioctl+0x5e/0x90 [ 142.049444] __x64_sys_ioctl+0x16/0x20 [ 142.049904] do_syscall_64+0x48/0x140 [ 142.050360] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 142.051005] RIP: 0033:0x7ffff7ee870d [ 142.051448] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 53 f7 0c 00 f7 d8 64 89 01 48 [ 142.053593] RSP: 002b:00007fffffffe348 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 142.054686] RAX: ffffffffffffffda RBX: 0000555555555290 RCX: 00007ffff7ee870d [ 142.055484] RDX: 0000000000000000 RSI: 0000000040086685 RDI: 0000000000000003 [ 142.056285] RBP: 00007fffffffe360 R08: 00007fffffffe450 R09: 00007fffffffe450 [ 142.057102] R10: 0000000000000000 R11: 0000000000000213 R12: 0000555555555080 [ 142.057909] R13: 00007fffffffe450 R14: 0000000000000000 R15: 0000000000000000 [ 142.058715] Modules linked in: mgc(O) lustre(O) lmv(O) mdc(O) fid(O) lov(O) fld(O) osc(O) ksocklnd(O) ptlrpc(O) obdclass(O) lnet(O) libcfs(O) [ 142.060313] -- [ end trace 9c88039dbe2366d5 ] -- [ 142.060919] RIP: 0010:osc_iocontrol+0x2f7/0xe80 [osc] [ 142.061569] Code: 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 42 f9 b5 ce 49 8d bc 24 08 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 0a 00 00 49 8d bf d8 05 00 00 49 8b b4 24 08 [ 142.064004] RSP: 0018:ffff88824a88f6f0 EFLAGS: 00010206 [ 142.064817] RAX: dffffc0000000000 RBX: ffffffffc0352780 RCX: ffffffffc0dbde1e [ 142.065573] RDX: 0000000000000041 RSI: 00000000c0086815 RDI: 0000000000000208 [ 142.066227] RBP: ffff88824db93800 R08: ffff88824b3b9ec0 R09: 0000000000000000 [ 142.066887] R10: ffff88824a88f940 R11: ffff88824a88fd34 R12: 0000000000000000 [ 142.067513] R13: ffff88824db938e8 R14: 0000000040086685 R15: ffff88823d8336d8 [ 142.068139] FS: 00007ffff7fc0540(0000) GS:ffff888257400000(0000) knlGS:0000000000000000 [ 142.068921] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 142.069568] CR2: 0000000020000100 CR3: 000000024aea6005 CR4: 0000000000760ef0 [ 142.070358] PKRU: 55555554

A null-pointer dereference in osc_request.c:3358:function osc_iocontro

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates