zpl_revalidate crashes on NULL pointer deref on nameidata #1226

Closed
e45lee opened this issue Jan 21, 2013 · 2 comments


e45lee commented Jan 21, 2013

At least in kernel 3.2, lookup_one_len can pass a NULL nameidata to d_revalidate. This crashes ZFS with a NULL pointer dereference.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000038


c0d3x42 commented Jan 22, 2013

I think I have hit the same problem on Ubuntu 12.10; maybe the following would also be useful:

Jan 22 10:57:13 zer0 kernel: [    4.380186] SPL: Loaded module v0.6.0.93-rc13
Jan 22 10:57:13 zer0 kernel: [    4.382333] zunicode: module license 'CDDL' taints kernel.
Jan 22 10:57:13 zer0 kernel: [    4.384498] Disabling lock debugging due to kernel taint
Jan 22 10:57:13 zer0 kernel: [    4.402596] ZFS: Loaded module v0.6.0.93-rc13, ZFS pool version 5000, ZFS    filesystem version 5

BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
IP: [<ffffffffa0344bdd>] zpl_revalidate+0x1d/0xb0 [zfs]
PGD 0 
SMP 
CPU 1 
Modules linked in: ip6table_filter ip6_tables ebtable_nat ebtables xt_state ipt_REJECT xt_CHECKSUM iptable_mangle xt_tcpudp iptable_filter ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 ip_tables x_tables bridge stp llc dm_crypt snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq_midi kvm_intel snd_rawmidi snd_seq_midi_event snd_seq joydev kvm snd_timer dm_multipath snd_seq_device snd ghash_clmulni_intel psmouse scsi_dh aesni_intel cryptd aes_x86_64 soundcore mac_hid serio_raw mei lpc_ich snd_page_alloc microcode bnep rfcomm bluetooth parport_pc ppdev lp parport coretemp binfmt_misc zfs(PO) zcommon(PO) znvpair(PO) zavl(PO) zunicode(PO) spl(O) zlib_deflate raid10 raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq async_tx raid0 multipath linear hid_apple hid_generic usbhid hid uas usb_storage raid1 i915 e1000e drm_kms_helper drm i2c_algo_bit video

Pid: 5092, comm: Chrome_FileThre Tainted: P           O 3.5.0-22-generic #34-Ubuntu To Be Filled By O.E.M. To Be Filled By O.E.M./Q77M vPro
RIP: 0010:[<ffffffffa0344bdd>]  [<ffffffffa0344bdd>] zpl_revalidate+0x1d/0xb0 [zfs]
RSP: 0018:ffff880768645b88  EFLAGS: 00010286 
RAX: ffffffffa0353740 RBX: ffff88077eb5f900 RCX: 0000000000000018
RDX: ffff88077eb600f8 RSI: 0000000000000000 RDI: ffff88077eb5f900
RBP: ffff880768645ba8 R08: 0000000000474f4c R09: 0000000000000000
R10: ffff88077eb5f900 R11: ffffff8cffb8b0b3 R12: ffff88077eb5f9c0
R13: ffff880768645bf8 R14: 0000000000000000 R15: 00000000ffffff9c
FS:  00007f827d0c2700(0000) GS:ffff88082e240000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
CR2: 0000000000000038 CR3: 0000000779203000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process Chrome_FileThre (pid: 5092, threadinfo ffff880768644000, task ffff88076b285c00)
Stack:
 ffff88077eb5f900 ffff88077eb5f9c0 ffff880768645bf8 0000000000000000
 ffff880768645be8 ffffffff8118ca4c ffff880768645bf8 ffff88077eb600fb
 ffff88077eb600fb 0000000000000002 ffff88077eb5f9c0 ffff88077eb5f9c0
Call Trace: 
 [<ffffffff8118ca4c>] __lookup_hash+0xac/0x120
 [<ffffffff8118d8b6>] lookup_one_len+0xd6/0x110
 [<ffffffff81281123>] ecryptfs_lookup+0x93/0x3b0
 [<ffffffff81683aae>] ? _raw_spin_lock+0xe/0x20
 [<ffffffff8118ca01>] __lookup_hash+0x61/0x120
 [<ffffffff8118cad9>] lookup_hash+0x19/0x20
 [<ffffffff8118fee4>] do_last+0x3f4/0xa10
 [<ffffffff8116ddaf>] ? kmem_cache_alloc_trace+0x11f/0x130
 [<ffffffff811917e9>] path_openat+0xd9/0x430
 [<ffffffff81191c61>] do_filp_open+0x41/0xa0
 [<ffffffff8119edb6>] ? alloc_fd+0xc6/0x110
 [<ffffffff81181725>] do_sys_open+0xf5/0x230
 [<ffffffff81181881>] sys_open+0x21/0x30 
 [<ffffffff8168bd29>] system_call_fastpath+0x16/0x1b
Code: 2a ff ff ff 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 ec 20 48 89 5d e0 4c 89 65 e8 4c 89 6d f0 4c 89 75 f8 0f 1f 44 00 00 <f6> 46 38 40 48 8b 47 68 48 89 fb 4c 8b a0 f0 02 00 00 75 77 48  
RIP  [<ffffffffa0344bdd>] zpl_revalidate+0x1d/0xb0 [zfs]
 RSP <ffff880768645b88>
CR2: 0000000000000038
---[ end trace c7008d6b4e74041b ]---
BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 

@behlendorf
Contributor

Thanks for the clear bug report. I've made the obvious fix.

09a661e Fix zpl_revalidate() NULL deref

dajhorn referenced this issue in zfsonlinux/pkg-zfs Jan 24, 2013
In zpl_revalidate() it's possible for the nameidata to be NULL
for kernels which still accept the parameter.  In particular,
lookup_one_len() calls d_revalidate() with a NULL nameidata.

Resolve the issue by checking for a NULL nameidata in which case
just set the flags to 0.

Signed-off-by: Brian Behlendorf <[email protected]>
Closes #1226
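As an added example (not ZFS or kernel source), the following is a userspace model of the revalidate logic before and after the fix the commit message describes: a NULL nameidata is treated as flags == 0. The struct layouts, the two caller models and the LOOKUP_RCU value are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>

/* Stand-ins for kernel types; only nameidata.flags matters here. The
 * LOOKUP_RCU value is assumed, not taken from the page. */
#define LOOKUP_RCU 0x0040
struct nameidata { unsigned int flags; };
struct dentry    { const char *name; };

/* d_revalidate convention: 1 = still valid, 0 = invalid, -ECHILD = caller
 * is in RCU-walk mode and must retry in ref-walk mode. */

/* Pre-fix shape: nd is dereferenced unconditionally. With nd == NULL the
 * read of nd->flags is consistent with the oops above (RSI = 0, CR2 = a
 * small offset). Only ever call this with a real nameidata. */
static int zpl_revalidate_before(struct dentry *dentry, struct nameidata *nd)
{
	(void)dentry;
	return (nd->flags & LOOKUP_RCU) ? -ECHILD : 1;
}

/* Post-fix shape, as the commit message describes: a NULL nameidata is
 * treated as flags == 0 and the lookup proceeds on the ordinary path. */
static int zpl_revalidate_after(struct dentry *dentry, struct nameidata *nd)
{
	unsigned int flags = nd ? nd->flags : 0;
	(void)dentry;
	return (flags & LOOKUP_RCU) ? -ECHILD : 1;
}

/* Model of the caller from the report: lookup_one_len() passes a NULL
 * nameidata. The pre-fix function would crash here; the fixed one returns 1. */
static int revalidate_via_lookup_one_len(void)
{
	struct dentry d = { "file" };
	return zpl_revalidate_after(&d, NULL);
}

/* Model of an RCU-mode path walk, where the flag must still be honoured:
 * both versions agree and return -ECHILD. Returns 0 if they disagree. */
static int revalidate_via_rcu_walk(void)
{
	struct dentry d = { "file" };
	struct nameidata nd = { LOOKUP_RCU };
	int before = zpl_revalidate_before(&d, &nd);
	int after  = zpl_revalidate_after(&d, &nd);
	return before == after ? after : 0;
}
```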
unya pushed a commit to unya/zfs that referenced this issue Dec 13, 2013