[LU-9856] NULL pointer dereference in mdd_xattr_list() Created: 10/Aug/17  Updated: 08/May/18  Resolved: 28/Aug/17

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.11.0
Fix Version/s: Lustre 2.10.1, Lustre 2.11.0

Type: Bug Priority: Minor
Reporter: John Hammond Assignee: John Hammond
Resolution: Fixed Votes: 0
Labels: mdd

Issue Links:
Related
is related to LU-10912 avoid triggering LU-9856 for older se... Resolved
is related to LU-9417 xattr cache memory usage can be reduced Resolved
Rank (Obsolete): 9223372036854775807

 Description   

Running racer on v2_10_51_0-23-gd564bec I see a NULL pointer deference in mdd_xattr_list():

#11 [ffff88001e9d7c10] mdd_xattr_list+736 at ffffffffa0ebaaa0 [mdd]
    /root/lustre-release/lustre/mdd/mdd_object.c: 319
#12 [ffff88001e9d7c50] mdt_getxattr+1492 at ffffffffa0f23f04 [mdt]
    /root/lustre-release/lustre/include/md_object.h: 440
#13 [ffff88001e9d7ce0] mdt_tgt_getxattr+28 at ffffffffa0f0e55c [mdt]
    /root/lustre-release/lustre/mdt/mdt_handler.c: 4630
#14 [ffff88001e9d7d00] tgt_request_handle+2341 at ffffffffa0944a75 [ptlrpc]
    /root/lustre-release/lustre/include/lu_target.h: 574
#15 [ffff88001e9d7d48] ptlrpc_server_handle_request+566 at ffffffffa08ed486 [ptlrpc]
    /root/lustre-release/lustre/include/lustre_net.h: 2464
#16 [ffff88001e9d7de8] ptlrpc_main+2720 at ffffffffa08f14c0 [ptlrpc]
    /root/lustre-release/lustre/ptlrpc/service.c: 2578
#17 [ffff88001e9d7ec8] kthread+207 at ffffffff810b06ff
    /usr/src/debug/kernel-3.10.0-514.10.2.el7/linux-3.10.0-514.10.2.el7.lustre.x86_64/kernel/kthread.c: 200
#18 [ffff88001e9d7f50] ret_from_fork+88 at ffffffff81696c98
    /usr/src/debug/kernel-3.10.0-514.10.2.el7/linux-3.10.0-514.10.2.el7.lustre.x86_64/arch/x86/kernel/entry_64.S: 369

                while (p < end) {
                        char   *next = p + strlen(p) + 1;

                        if (strcmp(p, XATTR_NAME_LINK) == 0) { /* HERE */
                                if (end - next > 0)
                                        memmove(p, next, end - next);
                                rc -= next - p;

I first saw this when evaluating https://review.whamcloud.com/28223 "LU-9417 mdc: excessive memory consumption by the xattr cache" for landing on b2_10 along with some other changes which are unlikely to have introduced this. So think that LU-9417 (which is a client side only change) is likely to have uncovered this bug.

 Comments   
Comment by John Hammond [ 10/Aug/17 ]

After reverting LU-9417 from my batch of test changes I no longer see this.

Comment by Peter Jones [ 10/Aug/17 ]

Andrew

Would you please advise?

Thanks

Peter

Comment by Andrew Perepechko [ 10/Aug/17 ]

Peter, the quoted code (which has no relation to either the xattr cache or LU-9417 in particular) does not look right.

It is possible that mdd_list_xattr() is passed the NULL ptr if we only want to know the list size, e.g. via OBD_MD_FLXATTRLS request. The code makes an attempt to parse the buffer and can deref the NULL ptr. It's a bug in LU-6027.

LU-9417 falls back to non-cached xattr requests when it encounters really large xattr blobs. That's a valid case and should not cause server crashes.

P.S. Sorry for the edits, I'm currently on PTO and not very attentive.

Comment by Gerrit Updater [ 10/Aug/17 ]

John L. Hammond (john.hammond@intel.com) uploaded a new patch: https://review.whamcloud.com/28469
Subject: LU-9856 mdd: handle NULL buffer in mdd_xattr_list()
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: b9184d37a514918b7a0a4ac8d1963c2db4c0a101

Comment by Gerrit Updater [ 28/Aug/17 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28469/
Subject: LU-9856 mdd: handle NULL buffer in mdd_xattr_list()
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 33a4b5ef00e88b33136d09d2f4029223a3c4d681

Comment by Minh Diep [ 28/Aug/17 ]

Landed for 2.11

Comment by Gerrit Updater [ 28/Aug/17 ]

Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/28766
Subject: LU-9856 mdd: handle NULL buffer in mdd_xattr_list()
Project: fs/lustre-release
Branch: b2_10
Current Patch Set: 1
Commit: a7a63cb2e5d20451f87d83e802dbfd63a24d9dba

Comment by Gerrit Updater [ 06/Sep/17 ]

John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/28766/
Subject: LU-9856 mdd: handle NULL buffer in mdd_xattr_list()
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: 8e2cd001a9640c5e9959341c5af6da680c609eee

Generated at Sat Feb 10 02:29:53 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.