https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-17336 Lustre <p>Kernel crashes when changing rsi_upcall path value with:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> lctl set_param sptlrpc.gss.rsi_upcall=/usr/sbin/l_getauth2</pre> </div></div> <p> </p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [  184.300846] BUG: unable to handle kernel paging request at 00007ffee6a74617 [  184.301698] PGD 1cf3a3067 P4D 1cf3a3067 PUD 56eb02067 PMD 3356f0067 PTE 80000004857c2867 [  184.302636] Oops: 0001 [#1] SMP NOPTI [  184.303197] CPU: 4 PID: 19026 Comm: lctl Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-425.13.1.el8_lustre.ddn17.x86_64 #1 [  184.304736] Hardware name: DDN SFA400NVXE, BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [  184.306154] RIP: 0010:vsscanf+0x11b/0x900 [  184.307334] Code: 80 fa 6c 0f 84 3f 01 00 00 48 89 f9 41 bf ff ff ff ff 3c 7a 0f 84 2e 01 00 00 84 c0 0f 84 50 ff ff ff 3c 6e 0f 84 4e 05 00 00 &lt;80&gt; 3b 00 0f 84 3f ff ff ff 48 8d 51 01 48 89 54 24 08 0f b6 01 3c [  184.310163] RSP: 0018:ffffb3b8ccf2bdd0 EFLAGS: 00010216 [  184.311062] RAX: 0000000000000073 RBX: 00007ffee6a74617 RCX: ffffffffc1abe6a8 [  184.312379] RDX: 0000000000000073 RSI: ffffffffc1abe6a7 RDI: ffffffffc1abe6a8 [  184.313476] RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000001 [  184.314790] R10: 0000000000000000 R11: 0000000000000001 R12: ffffb3b8ccf2be48 [  184.315873] R13: 00007ffee6a74617 R14: ffffffffad50bfe0 R15: 00000000ffffffff [  184.317181] FS:  00007f943fabc140(0000) GS:ffff9495a9900000(0000) knlGS:0000000000000000 [  184.318370] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  184.319477] CR2: 00007ffee6a74617 CR3: 0000000187a2c004 CR4: 0000000000770ee0 [  184.320566] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  184.321649] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [  184.322740] PKRU: 55555554 [  184.323325] Call Trace: [  184.323900]  sscanf+0x4e/0x70 [  184.324520]  ? kmem_cache_free+0x116/0x300 [  184.325251]  rsi_upcall_seq_write+0x44/0x1a0 [ptlrpc_gss] [  184.326142]  proc_reg_write+0x39/0x60 [  184.326819]  vfs_write+0xa5/0x1b0 [  184.327557]  ksys_write+0x4f/0xb0 [  184.328184]  do_syscall_64+0x5b/0x1b0 [  184.328974]  entry_SYSCALL_64_after_hwframe+0x61/0xc6 [  184.329817] RIP: 0033:0x7f943ec979e5 </pre> </div></div> <p>This is because <tt>rsi_upcall_seq_write()</tt> uses <tt>sscanf</tt> with a <tt>__user</tt> pointer:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-keyword">static</span> ssize_t rsi_upcall_seq_write(struct file *file,                                     <span class="code-keyword">const</span> <span class="code-object">char</span> __user *buffer,                                     size_t count, loff_t *off) {         <span class="code-object">int</span> rc;         <span class="code-keyword">if</span> (count &gt;= UC_CACHE_UPCALL_MAXPATH) {                 CERROR(<span class="code-quote">"%s: rsi upcall too <span class="code-object">long</span>\n"</span>, rsicache-&gt;uc_name);                 <span class="code-keyword">return</span> -EINVAL;         }         <span class="code-comment">/* Remove any extraneous bits from the upcall (e.g. linefeeds) */</span>         down_write(&amp;rsicache-&gt;uc_upcall_rwsem);       rc = sscanf(buffer, <span class="code-quote">"%s"</span>, rsicache-&gt;uc_upcall); &lt;-----         up_write(&amp;rsicache-&gt;uc_upcall_rwsem);         <span class="code-keyword">if</span> (rc != 1) {                 CERROR(<span class="code-quote">"%s: invalid rsi upcall provided\n"</span>, rsicache-&gt;uc_name);                 <span class="code-keyword">return</span> -EINVAL;         }         CDEBUG(D_CONFIG, <span class="code-quote">"%s: rsi upcall set to %s\n"</span>, rsicache-&gt;uc_name,                rsicache-&gt;uc_upcall);         <span class="code-keyword">return</span> count; } LPROC_SEQ_FOPS(rsi_upcall); </pre> </div></div> LU-17336

BUG while setting rsi_upcall path

Bug Minor Resolved Fixed Sebastien Buisson Sebastien Buisson gss patch security Wed, 6 Dec 2023 08:20:32 +0000 Wed, 20 Dec 2023 02:44:42 +0000 Wed, 20 Dec 2023 02:44:42 +0000 Lustre 2.16.0 Lustre 2.16.0 0 2 <p>"Sebastien Buisson &lt;sbuisson@ddn.com&gt;" uploaded a new patch: <a href="https://review.whamcloud.com/c/fs/lustre-release/+/53342" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/c/fs/lustre-release/+/53342</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-17336" title="BUG while setting rsi_upcall path" class="issue-link" data-issue-key="LU-17336"><del>LU-17336</del></a> gss: fix __user pointer in rsi_upcall_seq_write<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 9747b550bc7fc09563e5c04550f7d126f0d76c43</p> <p>"Oleg Drokin &lt;green@whamcloud.com&gt;" merged in patch <a href="https://review.whamcloud.com/c/fs/lustre-release/+/53342/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/c/fs/lustre-release/+/53342/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-17336" title="BUG while setting rsi_upcall path" class="issue-link" data-issue-key="LU-17336"><del>LU-17336</del></a> gss: fix __user pointer in rsi_upcall_seq_write<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 7b90925dcdd96e2e8a0c25a5d04803d22eb2e80f</p> <p>Landed for 2.16</p> Duplicate Related Development Rank 1|i043zj: Rank (Obsolete) 9223372036854775807 Severity