Bug #3404

closed

oops in strlen() from set_request_path_attr()

Added by David Zafman over 11 years ago. Updated over 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Development

Description

Restarting an NFS server exporting Ceph will try to dereference a null pointer.

Program received signal SIGSEGV, Segmentation fault.
0x000000006057cbc1 in strlen (s=0x0) at /home/dzafman/linux/lib/string.c:388
388 for (sc = s; *sc != '\0'; ++sc)
(gdb) bt
#0 0x000000006057cbc1 in strlen (s=0x0) at /home/dzafman/linux/lib/string.c:388
#1 0x0000000060539e04 in set_request_path_attr (rinode=0x0, rdentry=0x0, rpath=<optimized out>, rino=<optimized out>,
ppath=0x6de759b8, pathlen=0x6de759e0, ino=0x6de759c8, freepath=0x6de759e8) at /home/dzafman/linux/fs/ceph/mds_client.c:1593
#2 0x000000006053a063 in create_request_message (mds=0, req=0x6e11dbf0, mdsc=0x6c156bf0)
at /home/dzafman/linux/fs/ceph/mds_client.c:1619
#3 __prepare_send_request (mdsc=0x6c156bf0, req=0x6e11dbf0, mds=0) at /home/dzafman/linux/fs/ceph/mds_client.c:1775
#4 0x000000006053af33 in __do_request (mdsc=0x6c156bf0, req=0x6e11dbf0) at /home/dzafman/linux/fs/ceph/mds_client.c:1856
#5 0x000000006053c1d6 in ceph_mdsc_do_request (mdsc=0x6c156bf0, dir=0x0, req=0x6e11dbf0)
at /home/dzafman/linux/fs/ceph/mds_client.c:1943
#6 0x0000000060528b54 in __cfh_to_dentry (cfh=<optimized out>, sb=<optimized out>) at /home/dzafman/linux/fs/ceph/export.c:183
#7 ceph_fh_to_dentry (sb=<optimized out>, fid=0x6d70d04c, fh_len=<optimized out>, fh_type=<optimized out>)
at /home/dzafman/linux/fs/ceph/export.c:214
#8 0x00000000602253ce in exportfs_decode_fh (mnt=0x6e29af18, fid=0x6d70d04c, fh_len=5, fileid_type=2,
acceptable=0x602285a6 <nfsd_acceptable>, context=0x6cbd2ef0) at /home/dzafman/linux/fs/exportfs/expfs.c:384
#9 0x0000000060228a2e in nfsd_set_fh_dentry (fhp=0x6d70d040, rqstp=0x6c120000) at /home/dzafman/linux/fs/nfsd/nfsfh.c:242
#10 fh_verify (rqstp=0x6c120000, fhp=0x6d70d040, type=0, access=1024) at /home/dzafman/linux/fs/nfsd/nfsfh.c:305
#11 0x0000000060234ca1 in nfsd4_putfh (rqstp=0x6c120000, cstate=0x6d70d040, putfh=0x6d5b10a0)
at /home/dzafman/linux/fs/nfsd/nfs4proc.c:434
#12 0x00000000602347c5 in nfsd4_proc_compound (rqstp=0x6c120000, args=0x6d5b1000, resp=0x6d70d000)
at /home/dzafman/linux/fs/nfsd/nfs4proc.c:1246
#13 0x0000000060226225 in nfsd_dispatch (rqstp=0x6c120000, statp=0x6f446018) at /home/dzafman/linux/fs/nfsd/nfssvc.c:626
#14 0x0000000060657602 in svc_process_common (resv=0x6c1201d8, argv=0x6c120198, rqstp=0x6c120000)
at /home/dzafman/linux/net/sunrpc/svc.c:1200
#15 svc_process (rqstp=0x6c120000) at /home/dzafman/linux/net/sunrpc/svc.c:1325
#16 0x0000000060225828 in nfsd (vrqstp=0x6c120000) at /home/dzafman/linux/fs/nfsd/nfssvc.c:548
#17 0x000000006005da16 in kthread (_create=0x6e1fbb78) at /home/dzafman/linux/kernel/kthread.c:121
#18 0x0000000060035bf3 in run_kernel_thread (fn=0x6005d94b <kthread>, arg=0x6e1fbb78, jmp_ptr=<optimized out>)
at /home/dzafman/linux/arch/um/os-Linux/process.c:257
#19 0x0000000060022b5a in new_thread_handler () at /home/dzafman/linux/arch/um/kernel/process.c:153

This code in set_request_path_attr() is bad if rino != 0 but rpath == NULL:

	} else if (rpath || rino) {
		*ino = rino;
		*ppath = rpath;
		/* rpath can be NULL here when only rino is set */
		*pathlen = strlen(rpath);
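
The reported branch next to a guarded variant, as an added example that is not part of the original report or of the Ceph kernel client. It is a userspace C model: every model_* name is hypothetical and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the (rpath || rino) branch; model_* names are hypothetical. */
struct model_attr {
    const char *path;    /* stands in for *ppath */
    uint64_t ino;        /* stands in for *ino */
    int pathlen;         /* stands in for *pathlen */
};

/* Branch as reported: calls strlen(NULL) when rino != 0, rpath == NULL. */
int model_branch_reported(const char *rpath, uint64_t rino,
                          struct model_attr *out)
{
    if (!(rpath || rino))
        return 0;                        /* branch not taken */
    out->ino = rino;
    out->path = rpath;
    out->pathlen = (int)strlen(rpath);   /* faults on a NULL rpath */
    return 1;
}

/* Guarded form: an inode-only request gets an empty path. */
int model_branch_guarded(const char *rpath, uint64_t rino,
                         struct model_attr *out)
{
    if (!(rpath || rino))
        return 0;
    out->ino = rino;
    out->path = rpath;
    out->pathlen = rpath ? (int)strlen(rpath) : 0;
    return 1;
}

/* pathlen from the guarded branch, or -1 when the branch is not taken. */
int model_guarded_len(const char *rpath, uint64_t rino)
{
    struct model_attr a = { NULL, 0, -1 };
    return model_branch_guarded(rpath, rino, &a) ? a.pathlen : -1;
}

int main(void)
{
    /* Constructed inputs: inode only (as in the backtrace), then path. */
    printf("ino only: pathlen=%d\n", model_guarded_len(NULL, 0x1234));
    printf("path+ino: pathlen=%d\n", model_guarded_len("a/b", 0x1234));
    return 0;
}
```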