Date:      Tue, 12 Oct 2021 08:23:36 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 259093] [zfs] [panic] NULL pointer dereference on "zfs send --raw" of encrypted filesystem.
Message-ID:  <bug-259093-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259093

            Bug ID: 259093
           Summary: [zfs] [panic] NULL pointer dereference on "zfs send
                    --raw" of encrypted filesystem.
           Product: Base System
           Version: 13.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: peterj@FreeBSD.org

I'm running 13-stable fdbbd118faab but the code is identical in HEAD.

Looking at the backtrace:
#16 <signal handler called>
#17 dmu_dump_write (dscp=dscp@entry=0xfffffe02501abc30, type=<optimized out>,
    object=<optimized out>, offset=<optimized out>, offset@entry=0,
    lsize=<optimized out>, lsize@entry=131072, psize=psize@entry=131072,
    bp=0x0, data=0xfffffe02d94a6000)
    at /usr/src/sys/contrib/openzfs/module/zfs/dmu_send.c:493
#18 0xffffffff80410a3c in do_dump (dscp=dscp@entry=0xfffffe02501abc30,
    range=range@entry=0xfffff805fd82d900)
    at /usr/src/sys/contrib/openzfs/module/zfs/dmu_send.c:1016
#19 0xffffffff8040ead3 in dmu_send_impl (dspp=<optimized out>,
    dspp@entry=0xfffffe02501abdf0)
    at /usr/src/sys/contrib/openzfs/module/zfs/dmu_send.c:2537
#20 0xffffffff8040d8fd in dmu_send_obj (pool=<optimized out>,
    pool@entry=0xfffffe02d3b61000 "tank/compat@20210604bu", tosnap=10690,
    fromsnap=11065, embedok=<optimized out>, embedok@entry=1,
    large_block_ok=<optimized out>, large_block_ok@entry=2,
    compressok=<optimized out>, compressok@entry=4, rawok=8, savedok=0,
    outfd=1, off=0xfffffe02501ac070, dsop=0xfffffe02501ac058)
    at /usr/src/sys/contrib/openzfs/module/zfs/dmu_send.c:2695

dmu_send.c:493 is "ASSERT(!BP_IS_EMBEDDED(bp));" which dereferences bp
with no checks for NULL, whereas dmu_send.c:1016 explicitly passes NULL
to dmu_dump_write() as bp.  This is obviously a bug somewhere.

Looking at the comment at lines 1006-1008, it seems the code expects
that raw sends will always have large block sends enabled, avoiding the
problematic code block.  And zfs-send(8) says that --raw implies
--large-block if the source is not encrypted.  But even if I explicitly
specify --large-block then the code panics in the same way.  (And
--large-block as an option doesn't actually make sense with --raw
because the send stream must match what's on local disk by definition).
