Bug #3404

closed

oops in strlen() from set_request_path_attr()

Added by David Zafman over 11 years ago. Updated over 11 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
% Done:
0%

Source:
Development
Tags:
Backport:
Regression:
Severity:
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Restarting an NFS server that exports a Ceph filesystem makes the ceph client dereference a NULL pointer in strlen():

Program received signal SIGSEGV, Segmentation fault.
0x000000006057cbc1 in strlen (s=0x0) at /home/dzafman/linux/lib/string.c:388
388 for (sc = s; *sc != '\0'; ++sc)
(gdb) bt
#0 0x000000006057cbc1 in strlen (s=0x0) at /home/dzafman/linux/lib/string.c:388
#1 0x0000000060539e04 in set_request_path_attr (rinode=0x0, rdentry=0x0, rpath=<optimized out>, rino=<optimized out>,
ppath=0x6de759b8, pathlen=0x6de759e0, ino=0x6de759c8, freepath=0x6de759e8) at /home/dzafman/linux/fs/ceph/mds_client.c:1593
#2 0x000000006053a063 in create_request_message (mds=0, req=0x6e11dbf0, mdsc=0x6c156bf0)
at /home/dzafman/linux/fs/ceph/mds_client.c:1619
#3 __prepare_send_request (mdsc=0x6c156bf0, req=0x6e11dbf0, mds=0) at /home/dzafman/linux/fs/ceph/mds_client.c:1775
#4 0x000000006053af33 in __do_request (mdsc=0x6c156bf0, req=0x6e11dbf0) at /home/dzafman/linux/fs/ceph/mds_client.c:1856
#5 0x000000006053c1d6 in ceph_mdsc_do_request (mdsc=0x6c156bf0, dir=0x0, req=0x6e11dbf0)
at /home/dzafman/linux/fs/ceph/mds_client.c:1943
#6 0x0000000060528b54 in __cfh_to_dentry (cfh=<optimized out>, sb=<optimized out>) at /home/dzafman/linux/fs/ceph/export.c:183
#7 ceph_fh_to_dentry (sb=<optimized out>, fid=0x6d70d04c, fh_len=<optimized out>, fh_type=<optimized out>)
at /home/dzafman/linux/fs/ceph/export.c:214
#8 0x00000000602253ce in exportfs_decode_fh (mnt=0x6e29af18, fid=0x6d70d04c, fh_len=5, fileid_type=2,
acceptable=0x602285a6 <nfsd_acceptable>, context=0x6cbd2ef0) at /home/dzafman/linux/fs/exportfs/expfs.c:384
#9 0x0000000060228a2e in nfsd_set_fh_dentry (fhp=0x6d70d040, rqstp=0x6c120000) at /home/dzafman/linux/fs/nfsd/nfsfh.c:242
#10 fh_verify (rqstp=0x6c120000, fhp=0x6d70d040, type=0, access=1024) at /home/dzafman/linux/fs/nfsd/nfsfh.c:305
#11 0x0000000060234ca1 in nfsd4_putfh (rqstp=0x6c120000, cstate=0x6d70d040, putfh=0x6d5b10a0)
at /home/dzafman/linux/fs/nfsd/nfs4proc.c:434
#12 0x00000000602347c5 in nfsd4_proc_compound (rqstp=0x6c120000, args=0x6d5b1000, resp=0x6d70d000)
at /home/dzafman/linux/fs/nfsd/nfs4proc.c:1246
#13 0x0000000060226225 in nfsd_dispatch (rqstp=0x6c120000, statp=0x6f446018) at /home/dzafman/linux/fs/nfsd/nfssvc.c:626
#14 0x0000000060657602 in svc_process_common (resv=0x6c1201d8, argv=0x6c120198, rqstp=0x6c120000)
at /home/dzafman/linux/net/sunrpc/svc.c:1200
#15 svc_process (rqstp=0x6c120000) at /home/dzafman/linux/net/sunrpc/svc.c:1325
#16 0x0000000060225828 in nfsd (vrqstp=0x6c120000) at /home/dzafman/linux/fs/nfsd/nfssvc.c:548
#17 0x000000006005da16 in kthread (_create=0x6e1fbb78) at /home/dzafman/linux/kernel/kthread.c:121
#18 0x0000000060035bf3 in run_kernel_thread (fn=0x6005d94b <kthread>, arg=0x6e1fbb78, jmp_ptr=<optimized out>)
at /home/dzafman/linux/arch/um/os-Linux/process.c:257
#19 0x0000000060022b5a in new_thread_handler () at /home/dzafman/linux/arch/um/kernel/process.c:153

This code in set_request_path_attr() dereferences NULL when rino != 0 but rpath == NULL (an inode-only request, as the NFS file-handle lookup in the backtrace issues):

    } else if (rpath || rino) {
        *ino = rino;
        *ppath = rpath;
        *pathlen = strlen(rpath);   /* strlen(NULL) when only rino was given */
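The following userspace model is an added example and not the kernel's own code: it reproduces the shape of the branch quoted above, with the unpatched form beside a hardened form that checks for NULL before calling strlen(), as the fix commit message describes. The struct, function names, the input-side crash predicate and the sample inputs are all constructed for this example, and the exact expression used in the kernel fix is an assumption.

```c
/* Userspace model of the branch quoted in the bug description (not the kernel
 * code itself). The caller passes a path string, an inode number, or both. An
 * NFS file-handle lookup (ceph_fh_to_dentry in the backtrace) passes only an
 * inode, so rpath is NULL while rino is non-zero. Names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three values the kernel function returns through pointer arguments. */
struct path_attr {
    uint64_t ino;      /* inode number the request refers to */
    const char *path;  /* optional path relative to ino; NULL for ino-only */
    int pathlen;       /* strlen(path), or 0 when there is no path */
};

/* Shape of the unpatched branch: strlen() runs even when rpath is NULL.
 * Returns 0 when the branch was taken, -1 when neither input was given.
 * Calling this with rpath == NULL and rino != 0 is exactly the reported crash. */
int set_request_path_attr_unpatched(const char *rpath, uint64_t rino,
                                    struct path_attr *out)
{
    if (rpath || rino) {
        out->ino = rino;
        out->path = rpath;
        out->pathlen = (int)strlen(rpath);   /* NULL deref when rpath == NULL */
        return 0;
    }
    return -1;
}

/* Hardened form, following the commit message ("checks for NULL ptr before
 * calling strlen()"); the exact kernel expression is an assumption here. */
int set_request_path_attr_fixed(const char *rpath, uint64_t rino,
                                struct path_attr *out)
{
    if (rpath || rino) {
        out->ino = rino;
        out->path = rpath;
        out->pathlen = rpath ? (int)strlen(rpath) : 0;   /* no strlen(NULL) */
        return 0;
    }
    return -1;
}

/* Input-side predicate: would the unpatched code dereference NULL for these
 * inputs? Handy as a review check for other call sites building ino-only
 * requests. Returns 1 for the crashing combination, 0 otherwise. */
int unpatched_would_crash(const char *rpath, uint64_t rino)
{
    return rpath == NULL && rino != 0;
}

/* Convenience wrapper: pathlen as computed by the fixed code, or -1 when the
 * branch is not taken because neither a path nor an inode was supplied. */
int fixed_pathlen(const char *rpath, uint64_t rino)
{
    struct path_attr a = {0, NULL, 0};
    return set_request_path_attr_fixed(rpath, rino, &a) == 0 ? a.pathlen : -1;
}

int main(void)
{
    /* Constructed inputs: a normal path lookup and an NFS-style ino-only lookup. */
    const char *cases_path[] = { "dir/file", NULL };
    uint64_t cases_ino[] = { 0, 0x1234 };
    for (int i = 0; i < 2; i++) {
        printf("rpath=%s rino=%#llx: unpatched %s, fixed pathlen=%d\n",
               cases_path[i] ? cases_path[i] : "NULL",
               (unsigned long long)cases_ino[i],
               unpatched_would_crash(cases_path[i], cases_ino[i]) ? "crashes" : "ok",
               fixed_pathlen(cases_path[i], cases_ino[i]));
    }
    return 0;
}
```

The point of keeping both forms side by side is that the condition `rpath || rino` admits the ino-only case by design (it is how the NFS export path reconnects a file handle), so every use of `rpath` inside that branch has to tolerate NULL; the fixed form makes that explicit with a zero length instead of relying on callers never to send an inode without a path.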
Actions #1

Updated by Sage Weil over 11 years ago

  • Description updated (diff)

looks good!

Actions #2

Updated by David Zafman over 11 years ago

  • Status changed from New to Resolved

Commit: f18b417f1e80f3d9053ea07958d87f87bd20c138
https://github.com/ceph/ceph-client/commit/f18b417f1e80f3d9053ea07958d87f87bd20c138
Author: David Zafman <>
Date: 2012-10-25 (Thu, 25 Oct 2012)

Changed paths:
M fs/ceph/mds_client.c

Log Message:
-----------
ceph: Fix NULL ptr crash in strlen()

set_request_path_attr() checks for NULL ptr before calling strlen()

This fixes http://tracker.newdream.net/issues/3404

Signed-off-by: David Zafman <>
Reviewed-by: Sage Weil <>

Actions #3

Updated by Ivan Kudryavtsev over 11 years ago

I found the same bug in the Bobtail release with the NFS kernel server and a 3.7.3 kernel

[70205.985665] BUG: unable to handle kernel NULL pointer dereference at (null)
[70205.985705] IP: [<c1173b96>] strlen+0x8/0x11
[70205.985747] *pdpt = 00000000228a2001 *pde = 0000000000000000
[70205.985778] Oops: 0000 [#1] SMP
[70205.985805] Modules linked in: nfsv3 nfsv4 cbc ceph libceph libcrc32c ip_tables x_tables parport_pc ppdev lp parport tun ib_srp scsi_transport_srp scsi_tgt fuse nfsd nfs_acl auth_rpcgss exportfs nfs fscache dns_resolver lockd sunrpc dm_crypt ib_uverbs ib_addr ib_umad ib_ipoib ib_cm ib_sa loop tpm_tis snd_pcm tpm coretemp snd_timer ib_mthca ib_mad kvm_intel kvm lpc_ich snd soundcore snd_page_alloc tpm_bios joydev ib_core i2c_i801 hid_generic pcspkr acpi_cpufreq mperf i2c_core mfd_core evdev psmouse processor button video serio_raw microcode ext3 jbd mbcache dm_mod raid1 md_mod usbhid hid sd_mod crc_t10dif thermal ahci libahci libata scsi_mod crc32c_intel ehci_hcd usbcore e1000e usb_common fan thermal_sys
[70205.986200] Pid: 12876, comm: nfsd Tainted: G W 3.7.3 #1 Supermicro X9SCL/X9SCM/X9SCL/X9SCM
[70205.986248] EIP: 0060:[<c1173b96>] EFLAGS: 00010246 CPU: 0
[70205.986275] EIP is at strlen+0x8/0x11
[70205.986298] EAX: 00000000 EBX: 00000000 ECX: ffffffff EDX: 00000000
[70205.986327] ESI: e6b7bcb8 EDI: 00000000 EBP: 00000100 ESP: e6b7bc48
[70205.986355] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[70205.986381] CR0: 80050033 CR2: 00000000 CR3: 23f71000 CR4: 000407f0
[70205.986409] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[70205.986437] DR6: ffff0ff0 DR7: 00000400
[70205.986461] Process nfsd (pid: 12876, ti=e6b7a000 task=e3e32d60 task.ti=e6b7a000)
[70205.986505] Stack:
[70205.986530] e6b7bcc0 fb8b1177 0012ea63 00000000 00000100 d8945200 e6b7bcc0 00000000
[70205.986600] e762d000 fb8b12b9 0012ea63 00000100 e6b7bcc0 e6b7bcb8 e6b7bca0 e6b7bcb0
[70205.986664] 00000001 e6b7bcc8 00000000 e3aad200 00000000 00000000 0012ea63 00000100
[70205.986726] Call Trace:
[70205.986750] [<fb8b1177>] ? set_request_path_attr+0x117/0x125 [ceph]
[70205.986780] [<fb8b12b9>] ? __prepare_send_request+0x134/0x42e [ceph]
[70205.986810] [<fb8b1922>] ? __do_request+0x36f/0x3d2 [ceph]
[70205.986839] [<fb8aba96>] ? ceph_reserve_caps+0xb8/0x13d [ceph]
[70205.986868] [<fb8b07c0>] ? __register_request+0x9f/0x10f [ceph]
[70205.986897] [<fb8b1a9b>] ? ceph_mdsc_do_request+0x6c/0x11b [ceph]
[70205.986927] [<fb8a9412>] ? ceph_fh_to_dentry+0x22e/0x2aa [ceph]
[70205.992395] [<fb8a91e4>] ? ceph_mdsc_put_request+0x1d/0x1d [ceph]
[70205.992424] [<fb6ff4f3>] ? exportfs_decode_fh+0x64/0x1ed [exportfs]
[70205.992455] [<fb75420b>] ? fh_compose+0x2af/0x2af [nfsd]
[70205.992484] [<fb7578ab>] ? exp_get_by_name+0x6d/0x7c [nfsd]
[70205.992513] [<c1221f29>] ? __sock_recvmsg_nosec+0x47/0x4f
[70205.992544] [<fb543235>] ? seconds_since_boot+0xf/0x15 [sunrpc]
[70205.992573] [<c10d8025>] ? T.1924+0xae/0x36d
[70205.992600] [<c104fbe4>] ? prepare_creds+0x12/0x82
[70205.992628] [<fb757836>] ? svc_expkey_lookup+0x82/0x8a [nfsd]
[70205.992657] [<fb757964>] ? exp_find+0xaa/0xb5 [nfsd]
[70205.992684] [<c1065a5f>] ? getboottime+0x29/0x2d
[70205.992710] [<c10d8535>] ? kmem_cache_alloc+0x46/0xc6
[70205.992736] [<c10d8535>] ? kmem_cache_alloc+0x46/0xc6
[70205.992762] [<c104fbe4>] ? prepare_creds+0x12/0x82
[70205.992790] [<fb7544fa>] ? fh_verify+0x258/0x3d6 [nfsd]
[70205.992818] [<fb75420b>] ? fh_compose+0x2af/0x2af [nfsd]
[70205.992848] [<fb540da7>] ? svcauth_unix_set_client+0x1ff/0x266 [sunrpc]
[70205.992878] [<c1050acb>] ? groups_alloc+0x28/0x95
[70205.992907] [<fb75a84e>] ? nfsd3_proc_getattr+0x21/0x4b [nfsd]
[70205.992936] [<fb75224b>] ? nfsd_dispatch+0x8a/0x132 [nfsd]
[70205.992967] [<fb53db8d>] ? svc_process+0x384/0x53b [sunrpc]
[70205.992995] [<fb75249e>] ? T.972+0x37/0x37 [nfsd]
[70205.993023] [<fb75253a>] ? nfsd+0x9c/0xe5 [nfsd]
[70205.993049] [<c104ae6b>] ? kthread+0x8d/0x92
[70205.993075] [<c12ddbb7>] ? ret_from_kernel_thread+0x1b/0x28
[70205.993103] [<c104adde>] ? kthread_freezable_should_stop+0x4b/0x4b
[70205.993130] Code: eb 04 19 c0 0c 01 5e 5f c3 56 89 c6 89 d0 88 c4 ac 38 e0 74 09 84 c0 75 f7 be 01 00 00 00 89 f0 48 5e c3 57 83 c9 ff 89 c7 31 c0 <f2> ae f7 d1 5f 8d 41 ff c3 57 31 ff 85 c9 74 0e 89 c7 89 d0 f2
[70205.993319] EIP: [<c1173b96>] strlen+0x8/0x11 SS:ESP 0068:e6b7bc48
[70205.993351] CR2: 0000000000000000
[70205.993782] ---[ end trace 304dde2251304d7a ]---
[70241.175858] nfsd: find_fh_dentry returned a DISCONNECTED directory: ///
[70241.178771] nfsd: find_fh_dentry returned a DISCONNECTED directory: ///
[70246.770291] nfsd: find_fh_dentry returned a DISCONNECTED directory: ///
[70256.437428] nfsd: find_fh_dentry returned a DISCONNECTED directory: ///
