Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-12614] Lustre ldlm_cancel_hpreq_check() bug https://jira.whamcloud.com/browse/LU-12614 Lustre <p>In the latest version of lustre file system, ptlrpc module has a out-of-access bug due to the lack of validation for specific fields of packets sent by client.</p> <p>The kernel panic:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [50920.983447] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c [50920.986242] IP: [&lt;ffffffffa6b6b46c&gt;] _raw_spin_lock+0xc/0x30 [50920.988767] PGD 0 [50920.990411] Oops: 0002 [#1] SMP [50920.992116] Modules linked in: ofd(OE) ost(OE) osp(OE) mdd(OE) lod(OE) mdt(OE) lfsck(OE) mgs(OE) osd_ldiskfs(OE) lquota(OE) ldiskfs(OE) loop lustre(OE) obdecho(OE) mgc(OE) lov(OE) mdc(OE) osc(OE) lmv(OE) fid(OE) fld(OE) ptlrpc(OE) obdclass(OE) crc_t10dif crct10dif_generic ksocklnd(OE) lnet(OE) libcfs(OE) dm_flakey macsec tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc dm_mod nfit libnvdimm iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd ppdev joydev virtio_balloon parport_pc parport i2c_piix4 pcspkr ip_tables ext4 mbcache jbd2 ata_generic pata_acpi virtio_console virtio_net virtio_blk cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crct10dif_common ata_piix drm crc32c_intel libata [50921.008352] serio_raw virtio_pci virtio_ring virtio drm_panel_orientation_quirks floppy [50921.010518] CPU: 0 PID: 15708 Comm: ldlm_cn00_000 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.10.1.el7_lustre.x86_64 #1 [50921.014624] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 3288b3c 04/01/2014 [50921.016833] task: ffff8bfdb0600000 ti: ffff8bfde97a4000 task.ti: ffff8bfde97a4000 [50921.019010] RIP: 0010:[&lt;ffffffffa6b6b46c&gt;] [&lt;ffffffffa6b6b46c&gt;] _raw_spin_lock+0xc/0x30 [50921.021257] RSP: 0018:ffff8bfde97a7d88 EFLAGS: 00010246 [50921.023228] RAX: 0000000000000000 RBX: ffff8bfdd238cc00 RCX: ffff8bfdd238ccb0 [50921.025367] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000000001c [50921.027495] RBP: ffff8bfde97a7d98 R08: 00000000000000b8 R09: 00000000000000e0 [50921.029607] R10: ffffffffc0756100 R11: 0000000000000000 R12: 0000000000000000 [50921.031710] R13: ffff8bfde92da0e0 R14: ffff8bfde9e87500 R15: ffff8bfde63c5c00 [50921.033793] FS: 0000000000000000(0000) GS:ffff8bfdffc00000(0000) knlGS:0000000000000000 [50921.035965] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [50921.037907] CR2: 000000000000001c CR3: 0000000427206000 CR4: 00000000003606f0 [50921.039980] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [50921.042023] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [50921.044034] Call Trace: [50921.045680] [&lt;ffffffffc092002c&gt;] ? lock_res_and_lock+0x2c/0x50 [ptlrpc] [50921.047707] [&lt;ffffffffc09218ea&gt;] __ldlm_handle2lock+0x7a/0x3f0 [ptlrpc] [50921.049728] [&lt;ffffffffc0949aa7&gt;] ldlm_cancel_hpreq_check+0x97/0x220 [ptlrpc] [50921.051774] [&lt;ffffffffc0986f79&gt;] ptlrpc_main+0x17a9/0x20f0 [ptlrpc] [50921.053690] [&lt;ffffffffa64d08c0&gt;] ? finish_task_switch+0x50/0x1c0 [50921.055619] [&lt;ffffffffc09857d0&gt;] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc] [50921.057616] [&lt;ffffffffa64c1c71&gt;] kthread+0xd1/0xe0 [50921.059378] [&lt;ffffffffa64c1ba0&gt;] ? insert_kthread_work+0x40/0x40 [50921.061220] [&lt;ffffffffa6b75c1d&gt;] ret_from_fork_nospec_begin+0x7/0x21 [50921.063094] [&lt;ffffffffa64c1ba0&gt;] ? insert_kthread_work+0x40/0x40 [50921.064927] Code: 5d c3 0f 1f 44 00 00 85 d2 74 e4 0f 1f 40 00 eb ed 66 0f 1f 44 00 00 b8 01 00 00 00 5d c3 90 0f 1f 44 00 00 31 c0 ba 01 00 00 00 &lt;f0&gt; 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 40 1b ff ff 5d [50921.070141] RIP [&lt;ffffffffa6b6b46c&gt;] _raw_spin_lock+0xc/0x30 [50921.071981] RSP &lt;ffff8bfde97a7d88&gt; [50921.073587] CR2: 000000000000001c </pre> </div></div> <p>In function ldlm_cancel_hpreq_check(), there is no boundary check about the 'lock_count' parameter obtained from the 'dlm_req' structure, and 'lock_count' is taken as an index to directly access the 'lock_handle' array, resulting in an out-of-bounds access.</p> <p> </p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> dlm_req = req_capsule_client_get(&amp;req-&gt;rq_pill, &amp;RMF_DLM_REQ); <span class="code-keyword">if</span> (dlm_req == NULL) RETURN(-EFAULT); <span class="code-keyword">for</span> (i = 0; i &lt; dlm_req-&gt;lock_count; i++) { struct ldlm_lock *lock; lock = ldlm_handle2lock(&amp;dlm_req-&gt;lock_handle[i]); ... </pre> </div></div> <p> </p> LU-12614 Lustre ldlm_cancel_hpreq_check() bug Bug Critical Resolved Fixed Oleg Drokin Alibaba Cloud Tue, 30 Jul 2019 11:18:44 +0000 Mon, 16 Mar 2020 13:05:14 +0000 Tue, 3 Sep 2019 13:22:25 +0000 Lustre 2.13.0 Lustre 2.12.3 0 3 <p>Oleg</p> <p>Could you please investigate</p> <p>Peter</p> <p>Oleg Drokin (green@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/35807" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35807</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12614" title="Lustre ldlm_cancel_hpreq_check() bug" class="issue-link" data-issue-key="LU-12614"><del>LU-12614</del></a> ldlm: ldlm_cancel_hpreq_check should check lock count<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: b61051a5287a33be879a7e6c8783af2d172918e2</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/35807/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35807/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12614" title="Lustre ldlm_cancel_hpreq_check() bug" class="issue-link" data-issue-key="LU-12614"><del>LU-12614</del></a> ldlm: ldlm_cancel_hpreq_check should check lock count<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 2b7af478bdbf5c6701e0e49aefe34597bdee3126</p> <p>Landed for 2.13</p> <p>Minh Diep (mdiep@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/36107" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/36107</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12614" title="Lustre ldlm_cancel_hpreq_check() bug" class="issue-link" data-issue-key="LU-12614"><del>LU-12614</del></a> ldlm: ldlm_cancel_hpreq_check should check lock count<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: 1<br/> Commit: 338d53e2401d1a853082f6e377c1d39fdcd756a5</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/36107/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/36107/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12614" title="Lustre ldlm_cancel_hpreq_check() bug" class="issue-link" data-issue-key="LU-12614"><del>LU-12614</del></a> ldlm: ldlm_cancel_hpreq_check should check lock count<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: <br/> Commit: 4c4c4ca3a6c1c1e62a74fc25f76dd1dfa81e5265</p> Related Development Rank 1|i00kev: Rank (Obsolete) 9223372036854775807 Severity