svn commit: r318833 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs
Andriy Gapon
avg at FreeBSD.org
Wed May 24 22:34:56 UTC 2017
Author: avg
Date: Wed May 24 22:34:54 2017
New Revision: 318833
URL: https://svnweb.freebsd.org/changeset/base/318833
Log:
MFV r316925: 6101 attempt to lzc_create() a filesystem under a volume results in a panic
illumos/illumos-gate at b127fe3c059af7adf772735498680b4f2e1405ef
https://github.com/illumos/illumos-gate/commit/b127fe3c059af7adf772735498680b4f2e1405ef
https://www.illumos.org/issues/6101
lzc_create(), or more correctly, zfs_ioc_create() does not reject an attempt to
create a filesystem as a child of a volume, instead it proceeds to a crash.
A crash stack obtained on FreeBSD:
page fault while in kernel mode
zap_leaf_lookup()
fzap_lookup()
zap_lookup_norm()
zap_lookup()
zfs_get_zplprop()
zfs_fill_zplprops_impl()
zfs_ioc_create()
zfsdev_ioctl()
devfs_ioctl_f()
kern_ioctl()
sys_ioctl()
This crash happened with a kernel without debugging assertions.
The immediate cause of crash appears to an attempt to interpret a zvol object
as a zap object.
For filesystems:
#define MASTER_NODE_OBJ 1
For zvols:
#define ZVOL_OBJ 1ULL
#define ZVOL_ZAP_OBJ 2ULL
So, I see two problems here:
1. an attempt to create a filesystem under a zvol should be rejected as
early as possible, maybe in zfs_fill_zplprops()
2. maybe zap_lookup / zap_lockdir should reject objects that are not of one
of the zap object types
Reviewed by: Matthew Ahrens <mahrens at delphix.com>
Approved by: Dan McDonald <danmcd at omniti.com>
Author: Andriy Gapon <avg at FreeBSD.org>
MFC after: 2 weeks
Modified:
head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
Directory Properties:
head/sys/cddl/contrib/opensolaris/ (props changed)
Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Wed May 24 22:32:56 2017 (r318832)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c Wed May 24 22:34:54 2017 (r318833)
@@ -3093,6 +3093,9 @@ zfs_fill_zplprops_impl(objset_t *os, uin
ASSERT(zplprops != NULL);
+ if (os != NULL && os->os_phys->os_type != DMU_OST_ZFS)
+ return (SET_ERROR(EINVAL));
+
/*
* Pull out creator prop choices, if any.
*/
Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c Wed May 24 22:32:56 2017 (r318832)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c Wed May 24 22:34:54 2017 (r318833)
@@ -2459,8 +2459,10 @@ zfs_get_zplprop(objset_t *os, zfs_prop_t
else
pname = zfs_prop_to_name(prop);
- if (os != NULL)
+ if (os != NULL) {
+ ASSERT3U(os->os_phys->os_type, ==, DMU_OST_ZFS);
error = zap_lookup(os, MASTER_NODE_OBJ, pname, 8, 1, value);
+ }
if (error == ENOENT) {
/* No value set, use the default value */
More information about the svn-src-head
mailing list