Lustre issue LU-19094

MDT: Thread info initialization and potential memory corruption

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor

    Description

      There are two potential areas of memory corruption.

      1/ The thread info fields mti_big_lov, mti_big_lmv, mti_big_acl, mti_big_lovsize, mti_big_lmvsize and mti_big_actsize may be used without being initialized.

      2/ mdt_big_xattr_get can reallocate memory, freeing big_lmm and reallocating it. https://jira.whamcloud.com/browse/LU-17983 recognized that mti_big_lmm was used for LOV, LMV and as a generic buffer in mdt_attr_get_pfid() and mdt_attr_get_pfid_name(), and split mti_big_lmm into mti_big_lov and mti_big_lmv.


      There is still an issue, unlikely but still possible, in using it as a generic buffer for mdt_attr_get_pfid() and mdt_attr_get_pfid_name().

      mdt_stripe_get can save the mti_big_lov (or mti_big_lmv) buffer pointer in ma->ma_lmm (or ma->ma_lmv), the md_attr held in info. If the get_pfid routines are called after a call to mdt_stripe_get, they can free and reallocate the buffer whose pointer was saved in ma->ma_lmm (or ma->ma_lmv).


      Here's a potential code path:

      mdt_reint_migrate calls mdt_stripe_get(info, sobj, ma, XATTR_NAME_LOV). [This stores big_lmm in ma: info->mti_big_lov = ma->ma_lmm = big_lmm]

      Further on in mdt_reint_migrate there is a call to mdt_attr_get_complex.

      mdt_attr_get_complex calls

              mdt_attr_get_pfid, // can call mdt_big_xattr_get -> reallocates the memory pointed to by ma_lmm

              __mdt_stripe_get(info, o, ma, XATTR_NAME_LOV); // sets buf->lb_buf = ma->ma_lmm and then calls mo_xattr_get(info->mti_env, next, buf, name);


      Here mo_xattr_get will write into buf, which points to freed memory.

      This is not a path we've hit or encountered, but we ran into memory corruption on 2_15 without the fix https://jira.whamcloud.com/browse/LU-17983.

      Proposed solutions:

      1/ Initialize these variables.

      2/ While this is obscure, there are some unwritten rules in how mdt_stripe_get and mdt_attr_get_pfid interact, and in the implications of mdt_big_xattr_get reallocating memory. One option is to not call mdt_big_xattr_get from mdt_attr_get_pfid[_name] and instead, in the unlikely case that 128 bytes is not enough, allocate a local buffer.
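      As an added illustration (not code from the Lustre tree), the following C model replays the ordering above with simplified stand-ins for mdt_thread_info and md_attr: big_xattr_get() frees and reallocates the shared buffer as mdt_big_xattr_get does, stripe_get() caches it in ma->ma_lmm as mdt_stripe_get does, and attr_get_pfid_local() is the proposed local-buffer variant of mdt_attr_get_pfid(). The struct layouts, function names and the 64/4096-byte sizes are assumptions; only the 128-byte threshold comes from the report.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the Lustre mdt_thread_info and md_attr fields. */
struct thread_info { void *mti_big_lov; size_t mti_big_lovsize; };
struct md_attr { void *ma_lmm; };   /* may alias mti_big_lov after stripe_get() */
/* Models mdt_big_xattr_get(): frees and reallocates the shared buffer when too small. */
int big_xattr_get(struct thread_info *info, size_t need)
{
	if (info->mti_big_lovsize >= need) return 0;
	void *fresh = malloc(need);   /* allocated first so the two addresses differ */
	if (!fresh) return -1;
	free(info->mti_big_lov);
	info->mti_big_lov = fresh;
	info->mti_big_lovsize = need;
	return 0;
}

/* Models mdt_stripe_get(): hands the shared buffer out by caching it in ma->ma_lmm. */
int stripe_get(struct thread_info *info, struct md_attr *ma, size_t need)
{
	if (big_xattr_get(info, need)) return -1;
	ma->ma_lmm = info->mti_big_lov;
	return 0;
}

/* Proposed fix 2/: mdt_attr_get_pfid() reads into a 128-byte local buffer and
 * allocates privately only when that is too small, leaving mti_big_lov alone. */
int attr_get_pfid_local(size_t need)
{
	char stack_buf[128];
	void *buf = need <= sizeof(stack_buf) ? stack_buf : malloc(need);
	if (!buf) return -1;
	memset(buf, 0, need);   /* stands in for the xattr read */
	if (buf != stack_buf) free(buf);
	return 0;
}

/* Replays the report's ordering; true means ma->ma_lmm was left pointing at freed memory. */
bool ma_lmm_dangles_after_pfid(bool local_pfid)
{
	struct thread_info info = { NULL, 0 };
	struct md_attr ma = { NULL };
	if (stripe_get(&info, &ma, 64)) return false;
	if (local_pfid ? attr_get_pfid_local(4096) : big_xattr_get(&info, 4096)) return false;
	bool stale = ma.ma_lmm != info.mti_big_lov;
	free(info.mti_big_lov);
	return stale;
}
```

      With the shared-buffer path (local_pfid = false) the cached ma->ma_lmm no longer matches the live buffer, which is exactly the state in which __mdt_stripe_get() would hand freed memory to mo_xattr_get; with the local-buffer variant it stays valid.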

      People

            vrungta Vandana Rungta