Details
- Type: Bug
- Resolution: Fixed
- Priority: Minor
- Lustre 2.6.0
- 3
- 14823
Description
When lvbo initialization has failed, ldlm_resource_get() has a use-after-free: the resource reference is dropped first, and res->lr_lvb_len is then read from the (possibly freed) resource to build the error pointer.

    if (unlikely(res->lr_lvb_len < 0)) {
            ldlm_resource_putref(res);          /* may free res */
            res = ERR_PTR(res->lr_lvb_len);     /* reads res after the put: use after free */
    }
    return res;
    }

With slab debugging enabled this results in an oops (freed slab memory is poisoned with 0x6b, which is where the 0x6b6b6b6b address below comes from).
[ 220.086781] LustreError: 14681:0:(ldlm_resource.c:1150:ldlm_resource_get()) lustre-OST0000: lvbo_init failed for resource 0x203:0x0: rc = -12
[ 220.086797] LustreError: 14681:0:(ldlm_resource.c:1150:ldlm_resource_get()) Skipped 122 previous similar messages
[ 220.238178] BUG: unable to handle kernel paging request at 000000006b6b6b6b
[ 220.238326] IP: [<ffffffffa064476e>] ldlm_lock_create+0x22e/0xd00 [ptlrpc]
[ 220.238326] PGD 0
[ 220.238326] Oops: 0000 [#1] SMP
[ 220.238326] last sysfs file: /sys/devices/system/cpu/possible
[ 220.238326] CPU 5
[ 220.242484] Modules linked in: lustre(U) ofd(U) osp(U) lod(U) ost(U) mdt(U) mdd(U) mgs(U) nodemap(U) osd_ldiskfs(U) ldiskfs(U) exportfs lquota(U) lfsck(U) jbd obdecho(U) mgc(U) lov(U) osc(U) mdc(U) lmv(U) fid(U) fld(U) ptlrpc(U) obdclass(U) ksocklnd(U) lnet(U) sha512_generic sha256_generic libcfs(U) autofs4 nfs lockd fscache auth_rpcgss nfs_acl sunrpc ipv6 microcode virtio_balloon virtio_net i2c_piix4 i2c_core ext4 jbd2 mbcache virtio_blk virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: speedstep_lib]
[ 220.242484]
[ 220.242484] Pid: 6170, comm: ll_ost01_004 Not tainted 2.6.32-431.5.1.el6.lustre.x86_64 #1 Bochs Bochs
[ 220.242484] RIP: 0010:[<ffffffffa064476e>]  [<ffffffffa064476e>] ldlm_lock_create+0x22e/0xd00 [ptlrpc]
[ 220.242484] RSP: 0018:ffff8801e3591c40  EFLAGS: 00010246
[ 220.242484] RAX: ffff8801dd655ec8 RBX: ffff8801dd655c38 RCX: 0000000000000000
[ 220.242484] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffa076d728
[ 220.242484] RBP: ffff8801e3591c90 R08: ffffffff81c1b5c0 R09: 0000000000000000
[ 220.242484] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801dd655c38
[ 220.242484] R13: ffffffffa0766100 R14: ffff8802198b49c8 R15: 000000006b6b6b6b
[ 220.242484] FS:  0000000000000000(0000) GS:ffff880030200000(0000) knlGS:0000000000000000
[ 220.242484] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[ 220.242484] CR2: 000000006b6b6b6b CR3: 0000000001a85000 CR4: 00000000000006e0
[ 220.242484] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 220.242484] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 220.242484] Process ll_ost01_004 (pid: 6170, threadinfo ffff8801e3590000, task ffff8801f0b48700)
[ 220.242484] Stack:
[ 220.242484]  0000000000000000 0000000000000000 0000000b00000004 ffffffffa0437d9a
[ 220.242484] <d> ffff8801ec13d1f0 ffff8801db7912b0 ffff8801ec13d2d0 ffffffffa0766100
[ 220.242484] <d> ffff8802198b49c8 ffff8801ec13d1f0 ffff8801e3591d00 ffffffffa066d581
[ 220.242484] Call Trace:
[ 220.242484]  [<ffffffffa0437d9a>] ? lprocfs_counter_add+0x16a/0x1c0 [obdclass]
[ 220.242484]  [<ffffffffa066d581>] ldlm_handle_enqueue0+0x181/0x1210 [ptlrpc]
[ 220.242484]  [<ffffffffa06ebf19>] tgt_enqueue+0x89/0x2a0 [ptlrpc]
[ 220.242484]  [<ffffffffa06ec71e>] tgt_request_handle+0x5ee/0xb60 [ptlrpc]
[ 220.242484]  [<ffffffffa069ee21>] ptlrpc_main+0xcf1/0x1880 [ptlrpc]
[ 220.242484]  [<ffffffffa069e130>] ? ptlrpc_main+0x0/0x1880 [ptlrpc]
[ 220.242484]  [<ffffffff8109eab6>] kthread+0x96/0xa0
[ 220.242484]  [<ffffffff8100c30a>] child_rip+0xa/0x20
[ 220.242484]  [<ffffffff81554710>] ? _spin_unlock_irq+0x30/0x40
[ 220.242484]  [<ffffffff8100bb10>] ? restore_args+0x0/0x30
[ 220.242484]  [<ffffffff8109ea20>] ? kthread+0x0/0xa0
[ 220.242484]  [<ffffffff8100c300>] ? child_rip+0x0/0x20
[ 220.242484] Code: 00 00 49 8d 84 24 90 02 00 00 49 c7 84 24 10 01 00 00 00 00 00 00 ba 01 00 00 00 49 89 84 24 90 02 00 00 49 89 84 24 98 02 00 00 <49> 8b 07 48 8b 00 48 8b b8 40 02 00 00 e8 b0 34 df ff 4d 89 24
[ 220.242484] RIP  [<ffffffffa064476e>] ldlm_lock_create+0x22e/0xd00 [ptlrpc]
[ 220.242484]  RSP <ffff8801e3591c40>
[ 220.242484] CR2: 000000006b6b6b6b
This was found via memory allocation fault injection.
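The following is an added model of the bug and its fix, not code from Lustre: a toy refcounted resource whose "free" poisons the object with 0x6b the way the kernel slab debugger does, so the stale read can be observed safely. The struct, function and macro names (resource_alloc, resource_putref, resource_get_buggy, resource_get_fixed, POISON_FREE) are hypothetical and exist only for this illustration. The buggy variant mirrors the report's ordering (put first, then read lr_lvb_len) and yields 0x6b6b6b6b, a positive value that IS_ERR would not recognise as an error, so a caller would dereference it as a pointer; the fixed variant copies the error code out before dropping the reference.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte the kernel slab debugger writes into freed objects (POISON_FREE). */
#define POISON_FREE 0x6b

/* Hypothetical stand-in for the real resource structure. */
struct resource {
    int refcount;
    int lr_lvb_len; /* negative: lvbo init failed and this holds -errno */
};

/* Simulated single-object slab, so "freed" memory stays readable here. */
static struct resource g_slab;

static struct resource *resource_alloc(int lvb_rc)
{
    g_slab.refcount = 1;
    g_slab.lr_lvb_len = lvb_rc;
    return &g_slab;
}

/* Drop a reference; on the last put, poison the object like SLAB_POISON. */
static void resource_putref(struct resource *res)
{
    if (--res->refcount == 0)
        memset(res, POISON_FREE, sizeof(*res));
}

/* Ordering from the report: reference dropped, then the field is read. */
static long resource_get_buggy(int lvb_rc)
{
    struct resource *res = resource_alloc(lvb_rc);

    if (res->lr_lvb_len < 0) {
        resource_putref(res);
        return res->lr_lvb_len; /* use after free: reads poisoned memory */
    }
    return 0;
}

/* Fixed ordering: save the error code before the reference is dropped. */
static long resource_get_fixed(int lvb_rc)
{
    struct resource *res = resource_alloc(lvb_rc);

    if (res->lr_lvb_len < 0) {
        int rc = res->lr_lvb_len;

        resource_putref(res);
        return rc;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: lvbo init failed with -ENOMEM (rc = -12 in the report). */
    printf("buggy: 0x%lx\n", resource_get_buggy(-ENOMEM)); /* 0x6b6b6b6b */
    printf("fixed: %ld\n", resource_get_fixed(-ENOMEM));   /* -12 */
    return 0;
}
```

Outside a poisoning allocator the stale read returns whatever the freed slot currently holds, which is why the bug was only reliably visible with slab debugging and allocation fault injection; the fix is independent of that and simply never touches res after the put.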