Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-5305] use after free in ldlm_resource_get() https://jira.whamcloud.com/browse/LU-5305 Lustre <p>When lvbo initialization has failed we have a use after free in ldlm_resource_get().</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-keyword">if</span> (unlikely(res-&gt;lr_lvb_len &lt; 0)) { ldlm_resource_putref(res); res = ERR_PTR(res-&gt;lr_lvb_len); } <span class="code-keyword">return</span> res; } </pre> </div></div> <p>With slab debugging enabled this results in an oops.</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>[ 220.086781] LustreError: 14681:0:(ldlm_resource.c:1150:ldlm_resource_get()) lustre-OST0000: lvbo_init failed for resource 0x203:0x0: rc = -12 [ 220.086797] LustreError: 14681:0:(ldlm_resource.c:1150:ldlm_resource_get()) Skipped 122 previous similar messages [ 220.238178] BUG: unable to handle kernel paging request at 000000006b6b6b6b [ 220.238326] IP: [&lt;ffffffffa064476e&gt;] ldlm_lock_create+0x22e/0xd00 [ptlrpc] [ 220.238326] PGD 0 [ 220.238326] Oops: 0000 [#1] SMP [ 220.238326] last sysfs file: /sys/devices/system/cpu/possible [ 220.238326] CPU 5 [ 220.242484] Modules linked in: lustre(U) ofd(U) osp(U) lod(U) ost(U) mdt(U) mdd(U) mgs(U) nodemap(U) osd_ldiskfs(U) ldiskfs(U) exportfs lquota(U) lfsck(U) jbd obdecho(U) mgc(U) lov(U) osc(U) mdc(U) lmv(U) fid(U) fld(U) ptlrpc(U) obdclass(U) ksocklnd(U) lnet(U) sha512_generic sha256_generic libcfs(U) autofs4 nfs lockd fscache auth_rpcgss nfs_acl sunrpc ipv6 microcode virtio_balloon virtio_net i2c_piix4 i2c_core ext4 jbd2 mbcache virtio_blk virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: speedstep_lib] [ 220.242484] [ 220.242484] Pid: 6170, comm: ll_ost01_004 Not tainted 2.6.32-431.5.1.el6.lustre.x86_64 #1 Bochs Bochs [ 220.242484] RIP: 0010:[&lt;ffffffffa064476e&gt;] [&lt;ffffffffa064476e&gt;] ldlm_lock_create+0x22e/0xd00 [ptlrpc] [ 220.242484] RSP: 0018:ffff8801e3591c40 EFLAGS: 00010246 [ 220.242484] RAX: ffff8801dd655ec8 RBX: ffff8801dd655c38 RCX: 0000000000000000 [ 220.242484] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffa076d728 [ 220.242484] RBP: ffff8801e3591c90 R08: ffffffff81c1b5c0 R09: 0000000000000000 [ 220.242484] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801dd655c38 [ 220.242484] R13: ffffffffa0766100 R14: ffff8802198b49c8 R15: 000000006b6b6b6b [ 220.242484] FS: 0000000000000000(0000) GS:ffff880030200000(0000) knlGS:0000000000000000 [ 220.242484] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b [ 220.242484] CR2: 000000006b6b6b6b CR3: 0000000001a85000 CR4: 00000000000006e0 [ 220.242484] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 220.242484] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 220.242484] Process ll_ost01_004 (pid: 6170, threadinfo ffff8801e3590000, task ffff8801f0b48700) [ 220.242484] Stack: [ 220.242484] 0000000000000000 0000000000000000 0000000b00000004 ffffffffa0437d9a [ 220.242484] &lt;d&gt; ffff8801ec13d1f0 ffff8801db7912b0 ffff8801ec13d2d0 ffffffffa0766100 [ 220.242484] &lt;d&gt; ffff8802198b49c8 ffff8801ec13d1f0 ffff8801e3591d00 ffffffffa066d581 [ 220.242484] Call Trace: [ 220.242484] [&lt;ffffffffa0437d9a&gt;] ? lprocfs_counter_add+0x16a/0x1c0 [obdclass] [ 220.242484] [&lt;ffffffffa066d581&gt;] ldlm_handle_enqueue0+0x181/0x1210 [ptlrpc] [ 220.242484] [&lt;ffffffffa06ebf19&gt;] tgt_enqueue+0x89/0x2a0 [ptlrpc] [ 220.242484] [&lt;ffffffffa06ec71e&gt;] tgt_request_handle+0x5ee/0xb60 [ptlrpc] [ 220.242484] [&lt;ffffffffa069ee21&gt;] ptlrpc_main+0xcf1/0x1880 [ptlrpc] [ 220.242484] [&lt;ffffffffa069e130&gt;] ? ptlrpc_main+0x0/0x1880 [ptlrpc] [ 220.242484] [&lt;ffffffff8109eab6&gt;] kthread+0x96/0xa0 [ 220.242484] [&lt;ffffffff8100c30a&gt;] child_rip+0xa/0x20 [ 220.242484] [&lt;ffffffff81554710&gt;] ? _spin_unlock_irq+0x30/0x40 [ 220.242484] [&lt;ffffffff8100bb10&gt;] ? restore_args+0x0/0x30 [ 220.242484] [&lt;ffffffff8109ea20&gt;] ? kthread+0x0/0xa0 [ 220.242484] [&lt;ffffffff8100c300&gt;] ? child_rip+0x0/0x20 [ 220.242484] Code: 00 00 49 8d 84 24 90 02 00 00 49 c7 84 24 10 01 00 00 00 00 00 00 ba 01 00 00 00 49 89 84 24 90 02 00 00 49 89 84 24 98 02 00 00 &lt;49&gt; 8b 07 48 8b 00 48 8b b8 40 02 00 00 e8 b0 34 df ff 4d 89 24 [ 220.242484] RIP [&lt;ffffffffa064476e&gt;] ldlm_lock_create+0x22e/0xd00 [ptlrpc] [ 220.242484] RSP &lt;ffff8801e3591c40&gt; [ 220.242484] CR2: 000000006b6b6b6b </pre> </div></div> <p>This was found via memory allocation fault injection.</p> LU-5305 use after free in ldlm_resource_get() Bug Minor Closed Fixed John Hammond John Hammond Tue, 8 Jul 2014 20:14:05 +0000 Thu, 15 Jun 2017 13:19:57 +0000 Mon, 27 Apr 2015 20:26:34 +0000 Lustre 2.6.0 Lustre 2.7.0 0 4 <p>Please see <a href="http://review.whamcloud.com/#/c/11017/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/11017/</a>.</p> <p>Patch landed to master.</p> <p>Reopening to add label</p> Duplicate Related Development Rank 1|hzwqw7: Rank (Obsolete) 14823 Severity