Date:      Wed, 24 May 2017 22:34:55 +0000 (UTC)
From:      Andriy Gapon <avg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r318833 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs
Message-ID:  <201705242234.v4OMYtaK057785@repo.freebsd.org>

Author: avg
Date: Wed May 24 22:34:54 2017
New Revision: 318833
URL: https://svnweb.freebsd.org/changeset/base/318833

Log:
  MFV r316925: 6101 attempt to lzc_create() a filesystem under a volume results in a panic
  
  illumos/illumos-gate@b127fe3c059af7adf772735498680b4f2e1405ef
  https://github.com/illumos/illumos-gate/commit/b127fe3c059af7adf772735498680b4f2e1405ef
  
  https://www.illumos.org/issues/6101
    lzc_create(), or more correctly, zfs_ioc_create() does not reject an attempt to
    create a filesystem as a child of a volume, instead it proceeds to a crash.
    A crash stack obtained on FreeBSD:
    page fault while in kernel mode
  
    zap_leaf_lookup()
    fzap_lookup()
    zap_lookup_norm()
    zap_lookup()
    zfs_get_zplprop()
    zfs_fill_zplprops_impl()
    zfs_ioc_create()
    zfsdev_ioctl()
    devfs_ioctl_f()
    kern_ioctl()
    sys_ioctl()
    This crash happened with a kernel without debugging assertions.
    The immediate cause of crash appears to be an attempt to interpret a zvol object
    as a zap object.
    For filesystems:
    #define MASTER_NODE_OBJ 1
    For zvols:
    #define ZVOL_OBJ                1ULL
    #define ZVOL_ZAP_OBJ            2ULL
    So, I see two problems here:
       1. an attempt to create a filesystem under a zvol should be rejected as
          early as possible, maybe in zfs_fill_zplprops()
       2. maybe zap_lookup / zap_lockdir should reject objects that are not of one
          of the zap object types
  
  Reviewed by: Matthew Ahrens <mahrens@delphix.com>
  Approved by: Dan McDonald <danmcd@omniti.com>
  Author: Andriy Gapon <avg@FreeBSD.org>
  MFC after:	2 weeks

Modified:
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
Directory Properties:
  head/sys/cddl/contrib/opensolaris/   (props changed)

Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c	Wed May 24 22:32:56 2017	(r318832)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c	Wed May 24 22:34:54 2017	(r318833)
@@ -3093,6 +3093,9 @@ zfs_fill_zplprops_impl(objset_t *os, uin
 
 	ASSERT(zplprops != NULL);
 
+	if (os != NULL && os->os_phys->os_type != DMU_OST_ZFS)
+		return (SET_ERROR(EINVAL));
+
 	/*
 	 * Pull out creator prop choices, if any.
 	 */
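Review bot: The added `os_type != DMU_OST_ZFS` test at the top of zfs_fill_zplprops_impl() carries no comment explaining why a non-filesystem parent objset is rejected. A short comment would help the next reader, for example that the parent must be a ZPL filesystem because the property lookups that follow read MASTER_NODE_OBJ as a ZAP, and on a zvol object 1 is ZVOL_OBJ. This hunk covers item 1 from the log; item 2 (having zap_lookup / zap_lockdir reject objects that are not of a zap type) is not touched by either modified file, so it is worth stating in the log or a follow-up whether that hardening is still planned.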

Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c	Wed May 24 22:32:56 2017	(r318832)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c	Wed May 24 22:34:54 2017	(r318833)
@@ -2459,8 +2459,10 @@ zfs_get_zplprop(objset_t *os, zfs_prop_t
 	else
 		pname = zfs_prop_to_name(prop);
 
-	if (os != NULL)
+	if (os != NULL) {
+		ASSERT3U(os->os_phys->os_type, ==, DMU_OST_ZFS);
 		error = zap_lookup(os, MASTER_NODE_OBJ, pname, 8, 1, value);
+	}
 
 	if (error == ENOENT) {
 		/* No value set, use the default value */
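Review bot: The `ASSERT3U(os->os_phys->os_type, ==, DMU_OST_ZFS)` added before zap_lookup() only fires in kernels built with debugging assertions, and the log notes that the reported panic happened on a kernel without them. In a production kernel zfs_get_zplprop() will still call zap_lookup() on MASTER_NODE_OBJ for a non-ZFS objset if any caller other than zfs_fill_zplprops_impl() passes one in. Consider returning an error here (for instance the same SET_ERROR(EINVAL) used in zfs_ioctl.c) instead of, or in addition to, the assertion, so that the function is safe regardless of which caller reaches it.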


