LU-17336: BUG while setting rsi_upcall path


    Description

      Kernel crashes when changing rsi_upcall path value with:

      lctl set_param sptlrpc.gss.rsi_upcall=/usr/sbin/l_getauth2

       

      [  184.300846] BUG: unable to handle kernel paging request at 00007ffee6a74617
      [  184.301698] PGD 1cf3a3067 P4D 1cf3a3067 PUD 56eb02067 PMD 3356f0067 PTE 80000004857c2867
      [  184.302636] Oops: 0001 [#1] SMP NOPTI
      [  184.303197] CPU: 4 PID: 19026 Comm: lctl Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.13.1.el8_lustre.ddn17.x86_64 #1
      [  184.304736] Hardware name: DDN SFA400NVXE, BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      [  184.306154] RIP: 0010:vsscanf+0x11b/0x900
      [  184.307334] Code: 80 fa 6c 0f 84 3f 01 00 00 48 89 f9 41 bf ff ff ff ff 3c 7a 0f 84 2e 01 00 00 84 c0 0f 84 50 ff ff ff 3c 6e 0f 84 4e 05 00 00 <80> 3b 00 0f 84 3f ff ff ff 48 8d 51 01 48 89 54 24 08 0f b6 01 3c
      [  184.310163] RSP: 0018:ffffb3b8ccf2bdd0 EFLAGS: 00010216
      [  184.311062] RAX: 0000000000000073 RBX: 00007ffee6a74617 RCX: ffffffffc1abe6a8
      [  184.312379] RDX: 0000000000000073 RSI: ffffffffc1abe6a7 RDI: ffffffffc1abe6a8
      [  184.313476] RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000001
      [  184.314790] R10: 0000000000000000 R11: 0000000000000001 R12: ffffb3b8ccf2be48
      [  184.315873] R13: 00007ffee6a74617 R14: ffffffffad50bfe0 R15: 00000000ffffffff
      [  184.317181] FS:  00007f943fabc140(0000) GS:ffff9495a9900000(0000) knlGS:0000000000000000
      [  184.318370] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  184.319477] CR2: 00007ffee6a74617 CR3: 0000000187a2c004 CR4: 0000000000770ee0
      [  184.320566] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  184.321649] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  184.322740] PKRU: 55555554
      [  184.323325] Call Trace:
      [  184.323900]  sscanf+0x4e/0x70
      [  184.324520]  ? kmem_cache_free+0x116/0x300
      [  184.325251]  rsi_upcall_seq_write+0x44/0x1a0 [ptlrpc_gss]
      [  184.326142]  proc_reg_write+0x39/0x60
      [  184.326819]  vfs_write+0xa5/0x1b0
      [  184.327557]  ksys_write+0x4f/0xb0
      [  184.328184]  do_syscall_64+0x5b/0x1b0
      [  184.328974]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
      [  184.329817] RIP: 0033:0x7f943ec979e5
      

      This is because rsi_upcall_seq_write() uses sscanf with a __user pointer:

      static ssize_t rsi_upcall_seq_write(struct file *file,
                                          const char __user *buffer,
                                          size_t count, loff_t *off)
      {
              int rc;
              if (count >= UC_CACHE_UPCALL_MAXPATH) {
                      CERROR("%s: rsi upcall too long\n", rsicache->uc_name);
                      return -EINVAL;
              }
              /* Remove any extraneous bits from the upcall (e.g. linefeeds) */
              down_write(&rsicache->uc_upcall_rwsem);
              rc = sscanf(buffer, "%s", rsicache->uc_upcall);   <-----
              up_write(&rsicache->uc_upcall_rwsem);
              if (rc != 1) {
                      CERROR("%s: invalid rsi upcall provided\n", rsicache->uc_name);
                      return -EINVAL;
              }
              CDEBUG(D_CONFIG, "%s: rsi upcall set to %s\n", rsicache->uc_name,
                     rsicache->uc_upcall);
              return count;
      }
      LPROC_SEQ_FOPS(rsi_upcall);
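
      As an added example (not code from the Lustre tree or from this ticket), a userspace model of the same write path with the user bytes copied into a local buffer before sscanf() parses them. The copy_from_user() here is a stand-in for the kernel helper, upcall_write_model() and the buffer size are assumptions, and the rwsem locking is left out.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define UC_CACHE_UPCALL_MAXPATH 1024   /* assumed size for this model */

static char uc_upcall[UC_CACHE_UPCALL_MAXPATH] = "NONE";

/* Userspace stand-in for the kernel's copy_from_user(): returns the number
 * of bytes NOT copied. A NULL source models an inaccessible user address. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
        if (from == NULL)
                return n;
        memcpy(to, from, n);
        return 0;
}

/* Hypothetical handler: same checks as rsi_upcall_seq_write(), but the
 * bytes are copied into a local buffer before anything parses them. */
static ssize_t upcall_write_model(const char *ubuf, size_t count)
{
        char kbuf[UC_CACHE_UPCALL_MAXPATH];

        if (count >= sizeof(kbuf))
                return -EINVAL;         /* leaves room for the NUL below */
        if (copy_from_user(kbuf, ubuf, count))
                return -EFAULT;         /* bad user address: error, no oops */
        kbuf[count] = '\0';             /* write() data is not NUL-terminated */

        /* %s skips leading whitespace and stops at the first whitespace,
         * which strips the trailing linefeed; the token is shorter than
         * kbuf, so it fits in uc_upcall. */
        if (sscanf(kbuf, "%s", uc_upcall) != 1)
                return -EINVAL;         /* empty or whitespace-only input */
        return (ssize_t)count;
}

int main(void)
{
        const char sample[] = "/usr/sbin/l_getauth2\n";   /* constructed input */
        ssize_t rc = upcall_write_model(sample, strlen(sample));

        printf("rc=%zd upcall=%s\n", rc, uc_upcall);
        return 0;
}
```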
      

          People

            sebastien Sebastien Buisson