Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-5417] lod_load_striping_locked() fails to detect errors from lod_get_lmv_ea() https://jira.whamcloud.com/browse/LU-5417 Lustre <p>In lod_load_striping_locked() if lod_get_lmv_ea() fails then we fail to detect this due to a signed to unsigned comparison bug.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> } <span class="code-keyword">else</span> <span class="code-keyword">if</span> (S_ISDIR(lu_object_attr(lod2lu_obj(lo)))) { rc = lod_get_lmv_ea(env, lo); <span class="code-keyword">if</span> (rc &lt; sizeof(struct lmv_mds_md_v1)) GOTO(out, rc = rc &gt; 0 ? -EINVAL : rc); buf-&gt;lb_buf = info-&gt;lti_ea_store; buf-&gt;lb_len = info-&gt;lti_ea_store_size; <span class="code-keyword">if</span> (rc == sizeof(struct lmv_mds_md_v1)) { ... } /* * there is LOV EA (striping information) in <span class="code-keyword">this</span> object * let's parse it and create in-core objects <span class="code-keyword">for</span> the stripes */ rc = lod_parse_dir_striping(env, lo, buf); } </pre> </div></div> <p>This causes a subsequent NULL pointer dereference in lod_parse_dir_striping():</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>[ 1402.003864] BUG: unable to handle kernel NULL pointer dereference at 000000000000000c [ 1402.004401] IP: [&lt;ffffffffa0d181a1&gt;] lod_parse_dir_striping+0x101/0x730 [lod] [ 1402.004401] PGD 1e4e32067 PUD 1f2b69067 PMD 0 [ 1402.004401] Oops: 0000 [#1] SMP ... [ 1402.004401] Pid: 6183, comm: mdt01_001 Not tainted 2.6.32-431.5.1.el6.lustre.x86_64 #1 Bochs Bochs [ 1402.004401] RIP: 0010:[&lt;ffffffffa0d181a1&gt;] [&lt;ffffffffa0d181a1&gt;] lod_parse_dir_striping+0x101/0x730 [lod] [ 1402.004401] RSP: 0018:ffff8801f318d9c0 EFLAGS: 00010286 [ 1402.004401] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 [ 1402.004401] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8802168d4418 [ 1402.004401] RBP: ffff8801f318da30 R08: 0000000000000000 R09: 0000000000000001 [ 1402.004401] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8801f2b50000 [ 1402.004401] R13: ffff8801f3197a68 R14: ffff8801f30c6b38 R15: ffff8801f3197a78 [ 1402.004401] FS: 0000000000000000(0000) GS:ffff88002fe00000(0000) knlGS:00000000000000\ 00 [ 1402.004401] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b [ 1402.004401] CR2: 000000000000000c CR3: 00000001e4d68000 CR4: 00000000000006e0 [ 1402.004401] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1402.004401] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 1402.004401] Process mdt01_001 (pid: 6183, threadinfo ffff8801f318c000, task ffff8801f318a3c0) [ 1402.004401] Stack: [ 1402.004401] fffffffffffffff2 00000000fffffffe ffff8801f318d9f0 ffff8801f3197a98 [ 1402.004401] &lt;d&gt; ffff8801f30c6b38 ffff8801f2b3bb58 ffff8801f318da30 ffffffffa0d0c314 [ 1402.004401] &lt;d&gt; ffffffffa0afb6ef ffff8801f2b3bb58 00000000fffffff2 ffff8801f3197a68 [ 1402.004401] Call Trace: [ 1402.004401] [&lt;ffffffffa0d0c314&gt;] ? lod_get_ea+0x514/0x520 [lod] [ 1402.004401] [&lt;ffffffffa0afb6ef&gt;] ? osd_object_write_lock+0x9f/0x130 [osd_ldiskfs] [ 1402.004401] [&lt;ffffffffa0d0c674&gt;] lod_load_striping_locked+0x354/0x5d0 [lod] [ 1402.004401] [&lt;ffffffffa0d0c959&gt;] lod_load_striping+0x69/0x190 [lod] [ 1402.004401] [&lt;ffffffffa0d2066e&gt;] lod_declare_attr_set+0x26e/0x760 [lod] [ 1402.004401] [&lt;ffffffffa0be8378&gt;] mdd_unlink+0x448/0xe80 [mdd] [ 1402.004401] [&lt;ffffffffa0c5050a&gt;] ? mdt_reint_unlink+0x9ca/0x10b0 [mdt] [ 1402.004401] [&lt;ffffffffa02cf001&gt;] ? libcfs_debug_msg+0x41/0x50 [libcfs] [ 1402.004401] [&lt;ffffffffa0c47628&gt;] mdo_unlink+0x18/0x50 [mdt] [ 1402.004401] [&lt;ffffffffa0c50544&gt;] mdt_reint_unlink+0xa04/0x10b0 [mdt] [ 1402.004401] [&lt;ffffffffa0c473c1&gt;] mdt_reint_rec+0x41/0xe0 [mdt] [ 1402.004401] [&lt;ffffffffa0c2cc63&gt;] mdt_reint_internal+0x4c3/0x7c0 [mdt] [ 1402.004401] [&lt;ffffffffa0c2d4eb&gt;] mdt_reint+0x6b/0x120 [mdt] [ 1402.004401] [&lt;ffffffffa06f1445&gt;] tgt_request_handle+0x245/0xad0 [ptlrpc] [ 1402.004401] [&lt;ffffffffa06a1e01&gt;] ptlrpc_main+0xce1/0x1960 [ptlrpc] [ 1402.004401] [&lt;ffffffffa06a1120&gt;] ? ptlrpc_main+0x0/0x1960 [ptlrpc] [ 1402.004401] [&lt;ffffffff8109eab6&gt;] kthread+0x96/0xa0 [ 1402.004401] [&lt;ffffffff8100c30a&gt;] child_rip+0xa/0x20 [ 1402.004401] [&lt;ffffffff81554710&gt;] ? _spin_unlock_irq+0x30/0x40 [ 1402.004401] [&lt;ffffffff8100bb10&gt;] ? restore_args+0x0/0x30 [ 1402.004401] [&lt;ffffffff8109ea20&gt;] ? kthread+0x0/0xa0 [ 1402.004401] [&lt;ffffffff8100c300&gt;] ? child_rip+0x0/0x20 </pre> </div></div> <p>This issue was found through DT API fault injection.</p> LU-5417 lod_load_striping_locked() fails to detect errors from lod_get_lmv_ea() Bug Minor Resolved Fixed Dmitry Eremin John Hammond Fri, 25 Jul 2014 16:34:55 +0000 Sat, 30 May 2015 04:15:43 +0000 Wed, 3 Sep 2014 09:07:34 +0000 Lustre 2.7.0 Lustre 2.7.0 0 6 <p>So this might be a broder class of problems that we need to do a separate audit of this.<br/> Idid some grepping around and there's plenty of "if (rc &lt; sizeof ....)" kind of code. Closer look shows that most of cases are ok because there's usually a preceeding "if (rc &lt; 0)" before that statement.<br/> But theern there's e.g. lod_xattr_get that while correct, is correct for non obvious reasons.</p> <p>I wonder if we should run some static tool for signed/unsigned comparison and ensure all matches are checked for correctness/fixed/made more obvious?</p> <p>Ouch, it took me a few looks to even see what the problem is, but Oleg confirmed that rc is "promoted" to unsigned int to match sizeof() and does the comparison as an unsigned value. </p> <p>Dmitry</p> <p>Could you please look into this one?</p> <p>Thanks</p> <p>Peter</p> <p>Uff. I observed few other places with such weird code. For example, in tgt_handle_lfsck_query() we have the following:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">reply-&gt;lr_status = tgt_lfsck_query(tsi-&gt;tsi_env, tsi-&gt;tsi_tgt-&gt;lut_bottom, request); <span class="code-keyword">if</span> (reply-&gt;lr_status &lt; 0) rc = reply-&gt;lr_status; RETURN(rc); </pre> </div></div> <p>The <tt>reply-&gt;lr_status</tt> is <tt>unsigned int</tt>. Therefore <tt>if</tt> is always false. So, we need a more careful look through such kind of code.</p> <p>You could do</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">make EXTRA_POST_CFLAGS='-Wsign-compare -Wno-error 2&gt;&amp;1 1&gt; /dev/<span class="code-keyword">null</span> | grep warning | sort | uniq </pre> </div></div> <p>There are only 1059 comparisons to check!</p> <p>Originally I got 1084 warnings for current master. After my patch <a href="http://review.whamcloud.com/11281/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/11281/</a> it's reduced to 1017. And <tt>lod</tt> now have only 3 warnings:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>lustre-release/lustre/lod/lod_qos.c:1169: warning: comparison between signed and unsigned integer expressions lustre-release/lustre/lod/lod_qos.c:182: warning: comparison between signed and unsigned integer expressions lustre-release/lustre/lod/lod_qos.c:711: warning: comparison between signed and unsigned integer expressions </pre> </div></div> <p>After series of <a href="http://review.whamcloud.com/#/q/message:LU-5417,n,z" class="external-link" target="_blank" rel="nofollow noopener">pathes</a> all warnings from lustre/lod/* goes away and total amount of warnings become 1004.</p> <p>Oleg Drokin (oleg.drokin@intel.com) uploaded a new patch: <a href="http://review.whamcloud.com/13903" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/13903</a><br/> Subject: Revert "<a href="https://jira.whamcloud.com/browse/LU-5417" title="lod_load_striping_locked() fails to detect errors from lod_get_lmv_ea()" class="issue-link" data-issue-key="LU-5417"><del>LU-5417</del></a> lfs: fix comparison between signed and unsigned"<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 91bfc8b2f8c37ea8d3fbdb059e3c51a8164ca8a6</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/13903/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/13903/</a><br/> Subject: Revert "<a href="https://jira.whamcloud.com/browse/LU-5417" title="lod_load_striping_locked() fails to detect errors from lod_get_lmv_ea()" class="issue-link" data-issue-key="LU-5417"><del>LU-5417</del></a> lfs: fix comparison between signed and unsigned"<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: bbadfbefd9e0323172ad0a37b4268e68bf0968b7</p> Related LU-6506 Development Rank 1|hzwsc7: Rank (Obsolete) 15066 Severity