[LU-17336] BUG while setting rsi_upcall path Created: 06/Dec/23 Updated: 20/Dec/23 Resolved: 20/Dec/23 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.16.0 |
| Fix Version/s: | Lustre 2.16.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Sebastien Buisson | Assignee: | Sebastien Buisson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | gss, patch, security |
| Severity: | 3 |
| Description |
|
Kernel crashes when changing rsi_upcall path value with:

```
lctl set_param sptlrpc.gss.rsi_upcall=/usr/sbin/l_getauth2
```

```
[ 184.300846] BUG: unable to handle kernel paging request at 00007ffee6a74617
[ 184.301698] PGD 1cf3a3067 P4D 1cf3a3067 PUD 56eb02067 PMD 3356f0067 PTE 80000004857c2867
[ 184.302636] Oops: 0001 [#1] SMP NOPTI
[ 184.303197] CPU: 4 PID: 19026 Comm: lctl Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.13.1.el8_lustre.ddn17.x86_64 #1
[ 184.304736] Hardware name: DDN SFA400NVXE, BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 184.306154] RIP: 0010:vsscanf+0x11b/0x900
[ 184.307334] Code: 80 fa 6c 0f 84 3f 01 00 00 48 89 f9 41 bf ff ff ff ff 3c 7a 0f 84 2e 01 00 00 84 c0 0f 84 50 ff ff ff 3c 6e 0f 84 4e 05 00 00 <80> 3b 00 0f 84 3f ff ff ff 48 8d 51 01 48 89 54 24 08 0f b6 01 3c
[ 184.310163] RSP: 0018:ffffb3b8ccf2bdd0 EFLAGS: 00010216
[ 184.311062] RAX: 0000000000000073 RBX: 00007ffee6a74617 RCX: ffffffffc1abe6a8
[ 184.312379] RDX: 0000000000000073 RSI: ffffffffc1abe6a7 RDI: ffffffffc1abe6a8
[ 184.313476] RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000001
[ 184.314790] R10: 0000000000000000 R11: 0000000000000001 R12: ffffb3b8ccf2be48
[ 184.315873] R13: 00007ffee6a74617 R14: ffffffffad50bfe0 R15: 00000000ffffffff
[ 184.317181] FS: 00007f943fabc140(0000) GS:ffff9495a9900000(0000) knlGS:0000000000000000
[ 184.318370] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 184.319477] CR2: 00007ffee6a74617 CR3: 0000000187a2c004 CR4: 0000000000770ee0
[ 184.320566] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 184.321649] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 184.322740] PKRU: 55555554
[ 184.323325] Call Trace:
[ 184.323900] sscanf+0x4e/0x70
[ 184.324520] ? kmem_cache_free+0x116/0x300
[ 184.325251] rsi_upcall_seq_write+0x44/0x1a0 [ptlrpc_gss]
[ 184.326142] proc_reg_write+0x39/0x60
[ 184.326819] vfs_write+0xa5/0x1b0
[ 184.327557] ksys_write+0x4f/0xb0
[ 184.328184] do_syscall_64+0x5b/0x1b0
[ 184.328974] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 184.329817] RIP: 0033:0x7f943ec979e5
```

This is because rsi_upcall_seq_write() uses sscanf with a __user pointer:

```c
static ssize_t rsi_upcall_seq_write(struct file *file,
				    const char __user *buffer,
				    size_t count, loff_t *off)
{
	int rc;

	if (count >= UC_CACHE_UPCALL_MAXPATH) {
		CERROR("%s: rsi upcall too long\n", rsicache->uc_name);
		return -EINVAL;
	}

	/* Remove any extraneous bits from the upcall (e.g. linefeeds) */
	down_write(&rsicache->uc_upcall_rwsem);
	rc = sscanf(buffer, "%s", rsicache->uc_upcall);    <-----
	up_write(&rsicache->uc_upcall_rwsem);

	if (rc != 1) {
		CERROR("%s: invalid rsi upcall provided\n", rsicache->uc_name);
		return -EINVAL;
	}

	CDEBUG(D_CONFIG, "%s: rsi upcall set to %s\n",
	       rsicache->uc_name, rsicache->uc_upcall);

	return count;
}
LPROC_SEQ_FOPS(rsi_upcall);
```
|
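An added example, not part of the original report and not the patch merged for this ticket: a userspace C model of the usual remedy for this class of bug, which copies the written bytes into kernel-owned memory and NUL-terminates them before parsing. `model_copy_from_user()` stands in for the kernel's `copy_from_user()`, the value given to `UC_CACHE_UPCALL_MAXPATH` is assumed, and `upcall_write_model()` and `current_upcall()` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define UC_CACHE_UPCALL_MAXPATH 256	/* assumed value; the page does not give it */

static char uc_upcall[UC_CACHE_UPCALL_MAXPATH];	/* models rsicache->uc_upcall */

/* Stand-in for the kernel's copy_from_user(): returns the bytes NOT copied. */
static unsigned long model_copy_from_user(void *to, const void *from,
					  unsigned long n)
{
	memcpy(to, from, n);
	return 0;
}

/* Same shape as the handler in the report, but parsing a private copy. */
ssize_t upcall_write_model(const char *ubuf, size_t count)
{
	char kbuf[UC_CACHE_UPCALL_MAXPATH];
	char path[UC_CACHE_UPCALL_MAXPATH];

	if (count >= sizeof(kbuf))	/* leave room for the terminator */
		return -EINVAL;
	if (model_copy_from_user(kbuf, ubuf, count))
		return -EFAULT;
	kbuf[count] = '\0';	/* written data is not guaranteed NUL-terminated */

	/* Width-limited %s drops the trailing linefeed and cannot overrun path[]. */
	if (sscanf(kbuf, "%255s", path) != 1)
		return -EINVAL;

	/* Commit only after a successful parse, so a bad write leaves the
	 * previous value intact (the kernel code would take the rwsem here). */
	strcpy(uc_upcall, path);
	return (ssize_t)count;
}

const char *current_upcall(void) { return uc_upcall; }

int main(void)
{
	const char in[] = "/usr/sbin/l_getauth2\n";	/* constructed input */
	ssize_t rc = upcall_write_model(in, sizeof(in) - 1);

	printf("rc=%zd upcall=%s\n", rc, current_upcall());
	return 0;
}
```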
| Comments |
| Comment by Gerrit Updater [ 06/Dec/23 ] |
|
"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/53342 |
| Comment by Gerrit Updater [ 20/Dec/23 ] |
|
"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/53342/ |
| Comment by Peter Jones [ 20/Dec/23 ] |
|
Landed for 2.16 |