Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-10694] use after free in ll_dir_read https://jira.whamcloud.com/browse/LU-10694 Lustre <p>It looks like we have some use after free problem in ll_dir_read in amster. I hit this in master-next, but nothing appears to be related to it in the queue so likely an older rare problem.</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>[245308.118823] Lustre: DEBUG MARKER: == sanity test 48a: Access renamed working dir (should return errors)================================= 10:36:33 (1518881793) [245308.291198] BUG: unable to handle kernel paging request at ffff880084cf1f78 [245308.296641] IP: [&lt;ffffffffa16617d1&gt;] ll_dir_read+0x121/0x320 [lustre] [245308.297422] PGD 2e75067 PUD 33fa01067 PMD 33f9da067 PTE 8000000084cf1060 [245308.298130] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [245308.298798] Modules linked in: lustre(OE) ofd(OE) osp(OE) lod(OE) ost(OE) mdt(OE) mdd(OE) mgs(OE) osd_ldiskfs(OE) ldiskfs(OE) lquota(OE) lfsck(OE) obdecho(OE) mgc(OE) lov(OE) mdc(OE) osc(OE) lmv(OE) fid(OE) fld(OE) ptlrpc_gss(OE) ptlrpc(OE) obdclass(OE) ksocklnd(OE) lnet(OE) libcfs(OE) ext4 loop zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) zlib_deflate mbcache jbd2 syscopyarea sysfillrect sysimgblt ttm drm_kms_helper i2c_piix4 ata_generic drm pata_acpi i2c_core serio_raw pcspkr virtio_blk ata_piix virtio_balloon virtio_console floppy libata nfsd ip_tables rpcsec_gss_krb5 [last unloaded: libcfs] [245308.305963] CPU: 2 PID: 10385 Comm: ls Tainted: P W OE ------------ 3.10.0-debug #2 [245308.307247] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [245308.309135] task: ffff880095160a80 ti: ffff880053d34000 task.ti: ffff880053d34000 [245308.310394] RIP: 0010:[&lt;ffffffffa16617d1&gt;] [&lt;ffffffffa16617d1&gt;] ll_dir_read+0x121/0x320 [lustre] [245308.311682] RSP: 0018:ffff880053d37dd0 EFLAGS: 00010282 [245308.312332] RAX: 0000000000006f20 RBX: 7ff8f5c704c2772b RCX: 0000000000000020 [245308.313701] RDX: 0000000000000000 RSI: ffff880084ceb03f RDI: 00000000015d61b9 [245308.315216] RBP: ffff880053d37e58 R08: 0200000002000001 R09: 0000000000000004 [245308.316550] R10: ffff880084ceb018 R11: ffff880053d3782e R12: ffff880084ceb000 [245308.317491] R13: ffffea0002133ac0 R14: 29454f2865727473 R15: ffff880084cf1f68 [245308.318433] FS: 00007f1e12a0a800(0000) GS:ffff88033e440000(0000) knlGS:0000000000000000 [245308.319379] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [245308.320000] CR2: ffff880084cf1f78 CR3: 0000000091178000 CR4: 00000000000006e0 [245308.320888] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [245308.321742] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [245308.322584] Stack: [245308.322983] ffff880053d37ea8 ffff880203af5e00 ffff88029bcf7828 ffffffff81201e10 [245308.323858] ffff880053d37f38 0001880053d37e58 0000000700000000 7ff8f5c704c2772b [245308.324740] ffff880000000000 0000000200000002 0000000000000001 0000000062937836 [245308.325624] Call Trace: [245308.326048] [&lt;ffffffff81201e10&gt;] ? fillonedir+0xf0/0xf0 [245308.326507] [&lt;ffffffff81201e10&gt;] ? fillonedir+0xf0/0xf0 [245308.327129] [&lt;ffffffffa1661aec&gt;] ll_readdir+0x11c/0x4c0 [lustre] [245308.327613] [&lt;ffffffff81201e10&gt;] ? fillonedir+0xf0/0xf0 [245308.328058] [&lt;ffffffff81201e10&gt;] ? fillonedir+0xf0/0xf0 [245308.328525] [&lt;ffffffff81201cf0&gt;] vfs_readdir+0xb0/0xe0 [245308.328971] [&lt;ffffffff81202165&gt;] SyS_getdents+0x95/0x130 [245308.329485] [&lt;ffffffff8170fc49&gt;] system_call_fastpath+0x16/0x1b [245308.329942] Code: 06 49 c1 e4 0c 49 01 c4 41 f6 44 24 10 01 4d 8d 54 24 18 4d 0f 44 fa 31 d2 90 84 d2 0f 85 bd 00 00 00 4d 85 ff 0f 84 b4 00 00 00 &lt;4d&gt; 8b 77 10 49 39 de 0f 82 f2 00 00 00 41 0f b7 57 1a 85 d2 0f [245308.331758] RIP [&lt;ffffffffa16617d1&gt;] ll_dir_read+0x121/0x320 [lustre] </pre> </div></div> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>(gdb) l *(ll_dir_read+0x121) 0x47d1 is in ll_dir_read (/home/green/git/lustre-release/lustre/llite/dir.c:248). 243 int namelen; 244 struct lu_fid fid; 245 __u64 lhash; 246 __u64 ino; 247 248 hash = le64_to_cpu(ent-&gt;lde_hash); 249 if (hash &lt; pos) /* Skip until we find target hash */ 250 continue; 251 252 namelen = le16_to_cpu(ent-&gt;lde_namelen); </pre> </div></div> LU-10694 use after free in ll_dir_read Bug Major Open Unresolved WC Triage Oleg Drokin Wed, 21 Feb 2018 03:35:57 +0000 Wed, 21 Feb 2018 03:35:57 +0000 0 2 Development Rank 1|hzzt3b: Rank (Obsolete) 9223372036854775807 Severity