Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-1923] filefrag with large fiemap buffer crashes client https://jira.whamcloud.com/browse/LU-1923 Lustre <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>BUG: unable to handle kernel NULL pointer dereference at (null) IP [&lt;ffffffffa0d67265&gt;] lov_get_info+0xc75/0x1b90 [lov] Pid: 12793, comm: filefrag Tainted: P --------------- 2.6.32-279.5.1.el6_lustre.g7f15218.x86_64 #1 RIP: 0010:[&lt;ffffffffa0d67265&gt;] [&lt;ffffffffa0d67265&gt;] lov_get_info+0xc75/0x1b90 [lov] RSP: 0018:ffff8800a0c33ba8 EFLAGS: 00010213 RAX: 0000000000000007 RBX: ffff8800aafe4138 RCX: ffff8800a0c33d08 RDX: 0000000000000000 RSI: ffff8800a0c33b6c RDI: 0000000000000000 RBP: ffff8800a0c33cc8 R08: ffff8800a0c33c88 R09: ffff8800a0c33c80 R10: 000000000023efff R11: 0000000000000048 R12: 0000000000000000 R13: ffff8800a91cf000 R14: ffff8800a8825000 R15: ffff8800b26288c0 FS: 00007f0cd1c72700(0000) GS:ffff880002200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000950da000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process filefrag (pid: 12793, threadinfo ffff8800a0c32000, task ffff8800d8f9eaa0) </pre> </div></div> <p>The address resolves to:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>(gdb) list *(lov_get_info+0xc75) 0x13295 is in lov_get_info (/usr/src/lustre-head/lustre/lov/lov_obd.c:2458). 2453 req_fm_len = fm_local-&gt;fm_length; 2454 fm_local-&gt;fm_extent_count = count_local; 2455 fm_local-&gt;fm_mapped_extents = 0; 2456 fm_local-&gt;fm_flags = fiemap-&gt;fm_flags; 2457 2458 fm_key-&gt;oa.o_id = lsm-&gt;lsm_oinfo[cur_stripe]-&gt;loi_id; 2459 fm_key-&gt;oa.o_seq = lsm-&gt;lsm_oinfo[cur_stripe]-&gt;loi_seq; 2460 ost_index = lsm-&gt;lsm_oinfo[cur_stripe]-&gt;loi_ost_idx; 2461 2462 if (ost_index &lt; 0 || ost_index &gt;=lov-&gt;desc.ld_tgt_count) </pre> </div></div> <p>I suspect cur_stripe is out of bounds or something due to bad user input to the ioctl.</p> <p>It shouldn't be possible for userspace to cause the client to crash.</p> Single-node test system running on x86_64 with current master (hash 2ce0f3a848443f0f01b5cd8e66bf17e3199a20da).<br/> <br/> Running e2fsprogs-1.42.5.wc1 with a modification to filefrag_fiemap() to not initialize buf[] = &quot;&quot;. The crash does not happen with e2fsprogs-1.42.3.wc3 or if buf[] is initialized. LU-1923 filefrag with large fiemap buffer crashes client Bug Blocker Resolved Fixed Andreas Dilger Andreas Dilger Wed, 12 Sep 2012 22:35:37 +0000 Wed, 13 Dec 2017 18:45:16 +0000 Thu, 13 Sep 2012 18:54:03 +0000 Lustre 2.3.0 Lustre 2.4.0 Lustre 2.1.3 Lustre 1.8.7 Lustre 2.3.0 Lustre 2.4.0 Lustre 2.1.4 0 0 <p><a href="http://review.whamcloud.com/3962" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/3962</a></p> <p>Oleg, will you cherry pick this to b2_3 and b2_1 as well?</p> <p>Landed for 2.3 and 2.4</p> Related LU-6007 Development Rank 1|hzv5mf: Rank (Obsolete) 4445 Severity