On Tue, May 19, 2015 at 3:50 PM, Alex Elder <elder@xxxxxxxx> wrote:
> On 05/19/2015 07:39 AM, CSa wrote:
>> Hi,
>>
>> we are encountering a bug in the cephfs client kernel module:
>>
>>
>> May 18 11:02:04 allegro kernel: [1020094.145209] ------------[ cut here ]------------
>> May 18 11:02:04 allegro kernel: [1020094.149127] kernel BUG at /build/linux-RGM_Ed/linux-3.16.7-ckt9/fs/ceph/xattr.c:287!
>> May 18 11:02:04 allegro kernel: [1020094.149127] invalid opcode: 0000 [#1] SMP
>> [...]
>> May 18 11:02:04 allegro kernel: [1020094.149127] CPU: 2 PID: 1359 Comm: mv Not tainted 3.16.0-4-amd64 #1 Debian 3.16.7-ckt9-3~deb8u1
>> [...]
>>
>> (see full log at http://paste.debian.net/180292)
>
> Based on a quick look at the code, I think this must be
> a use-after-free.
>
> The bug occurs if ceph_vxattrs_name_size() is given a non-NULL
> vxattrs pointer that is neither ceph_dir_vxattrs nor ceph_file_vxattrs.
> There is only one caller of ceph_vxattrs_name_size(), and it is
> passed a value that's a result of a call to ceph_inode_vxattrs().
> That function returns only three possible values: ceph_dir_vxattrs,
> ceph_file_vxattrs, or NULL.

Is there a symlink involved by any chance? Probably fixed by 0abb43dcacb5
"ceph: fix llistxattr on symlink" in 3.18.

Thanks,

Ilya