LU-1923: filefrag with large fiemap buffer crashes client


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Affects Version/s: Lustre 2.3.0, Lustre 2.4.0, Lustre 2.1.3, Lustre 1.8.7
    • None
    • 3
    • 4445

    Description

      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP [<ffffffffa0d67265>] lov_get_info+0xc75/0x1b90 [lov]
      Pid: 12793, comm: filefrag Tainted: P           ---------------    2.6.32-279.5.1.el6_lustre.g7f15218.x86_64 #1
      RIP: 0010:[<ffffffffa0d67265>] [<ffffffffa0d67265>] lov_get_info+0xc75/0x1b90 [lov]
      RSP: 0018:ffff8800a0c33ba8  EFLAGS: 00010213
      RAX: 0000000000000007 RBX: ffff8800aafe4138 RCX: ffff8800a0c33d08
      RDX: 0000000000000000 RSI: ffff8800a0c33b6c RDI: 0000000000000000
      RBP: ffff8800a0c33cc8 R08: ffff8800a0c33c88 R09: ffff8800a0c33c80
      R10: 000000000023efff R11: 0000000000000048 R12: 0000000000000000
      R13: ffff8800a91cf000 R14: ffff8800a8825000 R15: ffff8800b26288c0
      FS:  00007f0cd1c72700(0000) GS:ffff880002200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 00000000950da000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process filefrag (pid: 12793, threadinfo ffff8800a0c32000, task ffff8800d8f9eaa0)
      

      The address resolves to:

      (gdb) list *(lov_get_info+0xc75)
      0x13295 is in lov_get_info (/usr/src/lustre-head/lustre/lov/lov_obd.c:2458).
      2453                            req_fm_len = fm_local->fm_length;
      2454                            fm_local->fm_extent_count = count_local;
      2455                            fm_local->fm_mapped_extents = 0;
      2456                            fm_local->fm_flags = fiemap->fm_flags;
      2457
      2458                            fm_key->oa.o_id = lsm->lsm_oinfo[cur_stripe]->loi_id;
      2459                            fm_key->oa.o_seq = lsm->lsm_oinfo[cur_stripe]->loi_seq;
      2460                            ost_index = lsm->lsm_oinfo[cur_stripe]->loi_ost_idx;
      2461
      2462                            if (ost_index < 0 || ost_index >=lov->desc.ld_tgt_count)
      

      I suspect cur_stripe is out of bounds or something due to bad user input to the ioctl.

      It shouldn't be possible for userspace to cause the client to crash.
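As an added illustration, not code from the Lustre tree, a simplified C model of the indexing pattern in the gdb listing above beside a bounds-checked form: the structure layouts, the constructed sample layout with one unallocated stripe slot, and the probe_rc() helper are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Constructed, simplified models of the structures in the gdb listing. */
struct lov_oinfo { uint64_t loi_id; uint64_t loi_seq; int loi_ost_idx; };
struct lov_stripe_md { int lsm_stripe_count; struct lov_oinfo **lsm_oinfo; };
struct fiemap_key { uint64_t o_id; uint64_t o_seq; int ost_index; };

/* Pattern at lov_obd.c:2458 as modelled here: cur_stripe, derived from the
 * ioctl request, indexes lsm_oinfo before anything validates it, so an
 * out-of-range index or an unallocated (NULL) slot faults at (null). */
void fill_key_unchecked(const struct lov_stripe_md *lsm, int cur_stripe,
                        struct fiemap_key *key)
{
    const struct lov_oinfo *loi = lsm->lsm_oinfo[cur_stripe];
    key->o_id = loi->loi_id;
    key->o_seq = loi->loi_seq;
    key->ost_index = loi->loi_ost_idx;
}

/* Hardened form: check the index and the slot before dereferencing, then
 * apply the existing ost_index range check from line 2462. */
int fill_key_checked(const struct lov_stripe_md *lsm, int cur_stripe,
                     int ld_tgt_count, struct fiemap_key *key)
{
    const struct lov_oinfo *loi;
    if (cur_stripe < 0 || cur_stripe >= lsm->lsm_stripe_count)
        return -EINVAL;
    loi = lsm->lsm_oinfo[cur_stripe];
    if (loi == NULL)            /* stripe slot never allocated */
        return -EINVAL;
    if (loi->loi_ost_idx < 0 || loi->loi_ost_idx >= ld_tgt_count)
        return -EINVAL;
    key->o_id = loi->loi_id;
    key->o_seq = loi->loi_seq;
    key->ost_index = loi->loi_ost_idx;
    return 0;
}
/* Constructed sample layout: stripe 0 populated, stripe 1 never allocated.
 * probe_rc() returns the rc for one requested stripe and OST table size. */
static struct lov_oinfo g_stripe0 = { 0x1234, 7, 2 };
static struct lov_oinfo *g_slots[2] = { &g_stripe0, NULL };
static const struct lov_stripe_md g_lsm = { 2, g_slots };
int probe_rc(int cur_stripe, int ld_tgt_count)
{
    struct fiemap_key key = { 0, 0, 0 };
    return fill_key_checked(&g_lsm, cur_stripe, ld_tgt_count, &key);
}
```

With the checks in place a request naming the unallocated slot, an index past the layout, or a stripe whose OST index exceeds the target table is refused with -EINVAL instead of dereferencing a NULL or out-of-bounds pointer.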

            People

              adilger Andreas Dilger