[LU-1923] filefrag with large fiemap buffer crashes client Created: 12/Sep/12  Updated: 13/Dec/17  Resolved: 13/Sep/12

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.3.0, Lustre 2.4.0, Lustre 2.1.3, Lustre 1.8.7
Fix Version/s: Lustre 2.3.0, Lustre 2.4.0, Lustre 2.1.4

Type: Bug Priority: Blocker
Reporter: Andreas Dilger Assignee: Andreas Dilger
Resolution: Fixed Votes: 0
Labels: None
Environment:

Single-node test system running on x86_64 with current master (hash 2ce0f3a848443f0f01b5cd8e66bf17e3199a20da).

Running e2fsprogs-1.42.5.wc1 with a modification to filefrag_fiemap() to not initialize buf[] = "". The crash does not happen with e2fsprogs-1.42.3.wc3 or if buf[] is initialized.


Issue Links:
Related: is related to LU-6007 "FIEMAP fails xfstests's fiemap-tester" (Open)
Severity: 3
Rank (Obsolete): 4445

Description
BUG: unable to handle kernel NULL pointer dereference at (null)
IP [<ffffffffa0d67265>] lov_get_info+0xc75/0x1b90 [lov]
Pid: 12793, comm: filefrag Tainted: P           ---------------    2.6.32-279.5.1.el6_lustre.g7f15218.x86_64 #1
RIP: 0010:[<ffffffffa0d67265>] [<ffffffffa0d67265>] lov_get_info+0xc75/0x1b90 [lov]
RSP: 0018:ffff8800a0c33ba8  EFLAGS: 00010213
RAX: 0000000000000007 RBX: ffff8800aafe4138 RCX: ffff8800a0c33d08
RDX: 0000000000000000 RSI: ffff8800a0c33b6c RDI: 0000000000000000
RBP: ffff8800a0c33cc8 R08: ffff8800a0c33c88 R09: ffff8800a0c33c80
R10: 000000000023efff R11: 0000000000000048 R12: 0000000000000000
R13: ffff8800a91cf000 R14: ffff8800a8825000 R15: ffff8800b26288c0
FS:  00007f0cd1c72700(0000) GS:ffff880002200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000950da000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process filefrag (pid: 12793, threadinfo ffff8800a0c32000, task ffff8800d8f9eaa0)

The address resolves to:

(gdb) list *(lov_get_info+0xc75)
0x13295 is in lov_get_info (/usr/src/lustre-head/lustre/lov/lov_obd.c:2458).
2453                            req_fm_len = fm_local->fm_length;
2454                            fm_local->fm_extent_count = count_local;
2455                            fm_local->fm_mapped_extents = 0;
2456                            fm_local->fm_flags = fiemap->fm_flags;
2457
2458                            fm_key->oa.o_id = lsm->lsm_oinfo[cur_stripe]->loi_id;
2459                            fm_key->oa.o_seq = lsm->lsm_oinfo[cur_stripe]->loi_seq;
2460                            ost_index = lsm->lsm_oinfo[cur_stripe]->loi_ost_idx;
2461
2462                            if (ost_index < 0 || ost_index >=lov->desc.ld_tgt_count)

I suspect cur_stripe is out of bounds or something due to bad user input to the ioctl.

It shouldn't be possible for userspace to cause the client to crash.
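The defensive point of the report, that nothing a user passes through the FIEMAP ioctl may be used as an index or pointer before it is range-checked, illustrated with an added example that is not part of this ticket or of Lustre's code. The structs, the FM_MAX_EXTENTS bound, the error values and the fiemap_stripe_target()/fiemap_check_demo() names are constructed stand-ins carrying only the fields the oops and the gdb listing mention.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the objects named in the oops; not Lustre's
 * real definitions, only the fields this ticket mentions. */
struct lov_oinfo { uint64_t loi_id, loi_seq; int loi_ost_idx; };
struct lov_stripe_md { int lsm_stripe_count; struct lov_oinfo *lsm_oinfo[4]; };
struct lov_desc { int ld_tgt_count; };
struct fiemap_req { uint64_t fm_start, fm_length; uint32_t fm_flags, fm_extent_count; };

#define FM_MAX_EXTENTS (1u << 20)   /* hypothetical per-call upper bound */
#define ERR_INVAL (-22)             /* -EINVAL */
#define ERR_FAULT (-14)             /* -EFAULT */

/* Hypothetical hardened lookup: every value that originates in the user's
 * ioctl buffer is range-checked before it is used as an index or pointer. */
int fiemap_stripe_target(const struct lov_stripe_md *lsm, const struct lov_desc *desc,
                         const struct fiemap_req *req, int cur_stripe, int *ost_index_out)
{
    /* Garbage from an uninitialised buffer is refused before it sizes a loop. */
    if (req->fm_extent_count > FM_MAX_EXTENTS)
        return ERR_INVAL;
    if (req->fm_length > UINT64_MAX - req->fm_start)   /* range must not wrap */
        return ERR_INVAL;
    /* The index is checked before the dereference the listing shows at line 2458. */
    if (cur_stripe < 0 || cur_stripe >= lsm->lsm_stripe_count)
        return ERR_INVAL;
    const struct lov_oinfo *oinfo = lsm->lsm_oinfo[cur_stripe];
    if (oinfo == NULL)                                  /* NULL slot: fail, don't crash */
        return ERR_FAULT;
    int ost_index = oinfo->loi_ost_idx;
    if (ost_index < 0 || ost_index >= desc->ld_tgt_count)
        return ERR_INVAL;
    *ost_index_out = ost_index;
    return 0;
}

/* Runs one request against a constructed 3-stripe layout whose third slot
 * is NULL; returns the OST index on success or the negative error code. */
int fiemap_check_demo(uint32_t extent_count, int cur_stripe)
{
    struct lov_oinfo o0 = { 1, 0, 2 }, o1 = { 2, 0, 7 };   /* ost 7 exceeds ld_tgt_count */
    struct lov_stripe_md lsm = { 3, { &o0, &o1, NULL, NULL } };
    struct lov_desc desc = { 4 };
    struct fiemap_req req = { 0, 4096, 0, extent_count };
    int ost = -1, rc = fiemap_stripe_target(&lsm, &desc, &req, cur_stripe, &ost);
    return rc < 0 ? rc : ost;
}
```

With a bogus extent count, an out-of-range stripe index, a NULL stripe entry or an OST index past ld_tgt_count the call returns an error instead of dereferencing, which is the behaviour a client should have regardless of what filefrag put in its buffer.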



Comments
Comment by Andreas Dilger [ 12/Sep/12 ]

http://review.whamcloud.com/3962

Comment by Andreas Dilger [ 13/Sep/12 ]

Oleg, will you cherry pick this to b2_3 and b2_1 as well?

Comment by Peter Jones [ 13/Sep/12 ]

Landed for 2.3 and 2.4
