Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-6520] Potential null pointer deref in mdt_stack_init and mdt_quota_init https://jira.whamcloud.com/browse/LU-6520 Lustre <p>smatch highlighted problematic code in mdt_stack_init and mdt_quota_init</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre> lcfg = lustre_cfg_new(LCFG_SETUP, bufs); if (lcfg == NULL) GOTO(class_detach, rc = -ENOMEM); ... class_detach: if (rc) class_detach(obd, lcfg); lcfg_cleanup: lustre_cfg_free(lcfg); </pre> </div></div> <p>note that while lustre_cfs_Free is basically kfree, which is ok to work with NULL pointers, in reality it does</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>static inline void lustre_cfg_free(struct lustre_cfg *lcfg) { #ifdef __KERNEL__ OBD_FREE(lcfg, lustre_cfg_len(lcfg-&gt;lcfg_bufcount, lcfg-&gt;lcfg_buflens)); </pre> </div></div> <p>which makes it not ok.</p> LU-6520 Potential null pointer deref in mdt_stack_init and mdt_quota_init Bug Minor Open Unresolved WC Triage Oleg Drokin Mon, 27 Apr 2015 05:03:50 +0000 Sun, 30 Jan 2022 10:21:44 +0000 Lustre 2.15.0 0 3 <p>Hi,<br/> lustre_cfg_free code is as below-</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>static inline void lustre_cfg_free(struct lustre_cfg *lcfg) { #ifdef __KERNEL__ OBD_FREE(lcfg, lustre_cfg_len(lcfg-&gt;lcfg_bufcount, lcfg-&gt;lcfg_buflens)); #else /* ! __KERNEL__ */ free(lcfg); #endif /* __KERNEL__ */ } </pre> </div></div> <p>OBD_FREE calls OBD_FREE_PRE(ptr, size, "kfreed");<br/> OBD_FREE_PRE asserts the pointer.</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>#define OBD_FREE_PRE(ptr, size, name) \ LASSERT(ptr); \ obd_memory_sub(size); \ CDEBUG(D_MALLOC, name " '" #ptr "': %d at %p.\n", \ (int)(size), ptr); \ POISON(ptr, 0x5a, size) </pre> </div></div> <p>So this LASSERT will fail if lcfg pointer is NULL.</p> <p>I think this way we will get logs why memory allocation failed.<br/> And it is not causing dereferencing of NULL pointer.</p> <p>Having said that we can add extra check lcfg != NULL in lustre_cfg_free. But this will not give us reason of failure.</p> <p>-Ulka</p> <p>The this is - if we add the check, then we'll avoid the crash and whatever the failure is, memory allocator will print us something in dmesg.</p> Development Rank 1|hzxbrj: Rank (Obsolete) 9223372036854775807 Severity