Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-8819] lprocfs_alloc_stats() Segmentation fault (core dumped) https://jira.whamcloud.com/browse/LU-8819 Lustre <p>In lustre/obdclass/lprocfs_status.c ,and in the function "lprocfs_alloc_stats",<br/> when alloc percpu pointers for all possible cpu slots,the corresponding code:<br/> LIBCFS_ALLOC(stats, offsetof(typeof(*stats), ls_percpu<span class="error">&#91;num_entry&#93;</span>));<br/> In fact ,this code didn't alloc space for its member struct lprocfs_counter lp_cntr<span class="error">&#91;0&#93;</span>,<br/> but in other operations like funcion:<br/> lprocfs_counter_init which call lprocfs_stats_counter_get<br/> the code in fuction lprocfs_stats_counter_get such as <br/> stats-&gt;ls_percpu<span class="error">&#91;cpuid&#93;</span>-&gt;lp_cntr<span class="error">&#91;index&#93;</span> <br/> may access memory that not belong to var stats itself,<br/> it's not safe and may lead to Segmentation fault.especially when there is not enough memory.</p> lustre 2.8.0 centos7 kernel-3.10.0_3.10.0_327.3.1.el7_lustre.x86_64-1.x86_64 LU-8819 lprocfs_alloc_stats() Segmentation fault (core dumped) Bug Minor Open Unresolved Lai Siyao ShijunDeng Thu, 10 Nov 2016 12:17:35 +0000 Tue, 14 Mar 2017 17:34:57 +0000 Lustre 2.8.0 0 6 <p>Lai</p> <p>Could you please advise on this issue?</p> <p>Thanks</p> <p>Peter</p> <p><tt>lprocfs_stats_counter_get()</tt> is only used after successful calls to <tt>lprocfs_stats_lock()</tt> or checks that <tt>stats-&gt;ls_percpu<span class="error">&#91;i&#93;</span></tt> is not NULL.</p> <p>struct lprocfs_counter {<br/> __s64 lc_count;<br/> __s64 lc_min;<br/> __s64 lc_max;<br/> __s64 lc_sumsquare;<br/> /*</p> <ul> <li>Every counter has lc_array_sum<span class="error">&#91;0&#93;</span>, while lc_array_sum<span class="error">&#91;1&#93;</span> is only</li> <li>for irq context counter, i.e. stats with</li> <li>LPROCFS_STATS_FLAG_IRQ_SAFE flag, its counter need</li> <li>lc_array_sum<span class="error">&#91;1&#93;</span><br/> */<br/> __s64 lc_array_sum<span class="error">&#91;1&#93;</span>;<br/> };</li> </ul> <p>struct lprocfs_percpu {<br/> struct lprocfs_counter lp_cntr<span class="error">&#91;0&#93;</span>;<br/> };</p> <p>struct lprocfs_stats {<br/> /* # of counters */<br/> unsigned short ls_num;<br/> /* 1 + the biggest cpu # whose ls_percpu slot has been allocated */<br/> unsigned short ls_biggest_alloc_num;<br/> enum lprocfs_stats_flags ls_flags;<br/> /* Lock used when there are no percpu stats areas; For percpu stats,</p> <ul> <li>it is used to protect ls_biggest_alloc_num change */<br/> spinlock_t ls_lock;</li> </ul> <p> /* has ls_num of counter headers */<br/> struct lprocfs_counter_header *ls_cnt_header;<br/> struct lprocfs_percpu *ls_percpu<span class="error">&#91;0&#93;</span>;<br/> };</p> <p>the above code is corresponding definition,In lustre/obdclass/lprocfs_status.c ,and in the function "lprocfs_alloc_stats",<br/> when alloc percpu pointers for all possible cpu slots,the corresponding code:<br/> LIBCFS_ALLOC(stats, offsetof(typeof(*stats), ls_percpu<span class="error">&#91;num_entry&#93;</span>));</p> <p>the access to stats-&gt;ls_percpu<span class="error">&#91;i&#93;</span> is safe,but it's not safe to acccess lp_cntr<span class="error">&#91;index&#93;</span>,to simplify the analysis for the problem,I will justify my position by giving one example as follow:</p> <p>#include&lt;stdio.h&gt;<br/> struct en{<br/> int a;<br/> int b;<br/> int c<span class="error">&#91;0&#93;</span>;<br/> };</p> <p>int main(){</p> <p> struct en e;<br/> e.c<span class="error">&#91;0&#93;</span>=1000;<br/> e.c<span class="error">&#91;1&#93;</span>=2000;<br/> e.c<span class="error">&#91;2&#93;</span>=3000;<br/> e.c<span class="error">&#91;1000&#93;</span>=3000;<br/> printf("e.c<span class="error">&#91;0&#93;</span>=%d\n",e.c<span class="error">&#91;0&#93;</span>);<br/> printf("e.c<span class="error">&#91;1&#93;</span>=%d\n",e.c<span class="error">&#91;1&#93;</span>);<br/> printf("e.c<span class="error">&#91;2&#93;</span>=%d\n",e.c<span class="error">&#91;2&#93;</span>);<br/> printf("e.c<span class="error">&#91;1000&#93;</span>=%d\n",e.c<span class="error">&#91;1000&#93;</span>);<br/> return 0;<br/> }</p> <p>the small demo can run correctly,sometimes.but it's not safe.For the same reson,<br/> The code in lustre2.8.0 such as cntr = &amp;stats-&gt;ls_percpu<span class="error">&#91;cpuid&#93;</span>-&gt;lp_cntr<span class="error">&#91;index&#93;</span> isn't safe,too.<br/> Possibly because the value of index is small(it's cannot up to 100,not to 1000),the error "Segmentation fault (core dumped)" occurs rarely.</p> <p>Did you really meet segfault? If so, can you post logs or backtraces?</p> <p>I verified the code</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>LIBCFS_ALLOC(stats, offsetof(typeof(*stats), ls_percpu[num_entry])); </pre> </div></div> <p>does allocate percpu data, and can be accessed successfully.</p> <p>While your example code is different from above code, if you change to below:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>#include&lt;stdio.h&gt; struct en { int a; int b; int c[0]; } ; int main() { struct en *e = malloc(offset(struct en, c[1001]); e-&gt;c[0]=1000; e-&gt;c[1]=2000; e-&gt;c[2]=3000; e-&gt;c[1000]=3000; printf("e.c[0]=%d\n",e-&gt;c[0]); printf("e.c[1]=%d\n",e-&gt;c[1]); printf("e.c[2]=%d\n",e-&gt;c[2]); printf("e.c[1000]=%d\n",e-&gt;c[1000]); return 0; } </pre> </div></div> <p>It should always work, could you take a try?</p> <p>please ignore.</p> Development Epic Epic/Theme Project Rank 1|hzyv5j: Rank (Obsolete) 9223372036854775807 Severity