From: Xin Li
To: FreeBSD Current
Date: Sat, 29 Aug 2015 03:03:23 -0700
Subject: HEADSUP: Memory corruption issue with ZFS users using L2ARC [Fwd: svn commit: r287283 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs]

Hi,

Please note that -CURRENT in revision range of [r286951, 287283), approximately 9 days ago until now, are affected by a buffer overrun issue that may cause data corruption (!) which may manifest itself as random panics that relate to NULL pointer dereference (e.g. Kernel Trap 12 with <4K fault address), or strange UMA related panics.

Systems that do not have L2ARC devices are not affected by this problem. The affected code is L2ARC specific.

For those who are using L2ARC devices -- it's not clear to me how bad the corruption could affect the on disk data for ZFS. If you are running -CURRENT and have L2ARC, please be sure to examine if you have any data loss.

Cheers,

-------- Forwarded Message --------
Subject: svn commit: r287283 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs
Date: Sat, 29 Aug 2015 09:22:33 +0000 (UTC)
From: Xin LI
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org

Author: delphij
Date: Sat Aug 29 09:22:32 2015
New Revision: 287283
URL: https://svnweb.freebsd.org/changeset/base/287283

Log:

Fix a buffer overrun which may lead to data corruption, introduced in r286951 by reinstating changes in r274628.

In l2arc_compress_buf(), we allocate a buffer to stash away the compressed data in 'cdata', allocated of l2hdr->b_asize bytes.

We then ask zio_compress_data() to compress the buffer, b_l1hdr.b_tmp_cdata, which is of l2hdr->b_asize bytes, and have the compressed size (or original size, if compress didn't gain enough) stored in csize.

To pad the buffer to fit the optimal write size, we round up the compressed size to L2 device's vdev_ashift.

Illumos code rounds up the size by at most SPA_MINBLOCKSIZE. Because we know csize <= b_asize, and b_asize is integer multiple of SPA_MINBLOCKSIZE, we are guaranteed that the rounded up csize would be <= b_asize. However, this is not necessarily true when we round up to 1 << vdev_ashift, because it could be larger than SPA_MINBLOCKSIZE.

So, in the worst case scenario, we are overwriting at most (1 << vdev_ashift - SPA_MINBLOCKSIZE) bytes of memory next to the compressed data buffer.

Andriy's original change in r274628 reorganized the code a little bit, by moving the padding to after we determined that the compression was beneficial. At which point, we would check rounded size against the allocated buffer size, and the buffer overrun would not be possible.

Modified:
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c

Cheers,
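
The rounding arithmetic described in the commit log, worked through as an added example (not part of the original message and not the FreeBSD or illumos code). The helper names and the exact form of the bound check are assumptions made for illustration; only SPA_MINBLOCKSIZE, b_asize, csize and the ashift rounding come from the message.

```c
#include <stdint.h>
#include <stdio.h>

#define SPA_MINBLOCKSIZE 512ULL   /* smallest ZFS block size (1 << 9) */

/* Round x up to a multiple of align; align must be a power of two. */
static uint64_t round_up(uint64_t x, uint64_t align)
{
    return (x + align - 1) & ~(align - 1);
}

/* Bytes that land past the end of a b_asize-byte buffer when csize bytes
 * of compressed data are zero-padded up to a multiple of align. */
static uint64_t pad_overrun(uint64_t b_asize, uint64_t csize, uint64_t align)
{
    uint64_t rounded = round_up(csize, align);
    return rounded > b_asize ? rounded - b_asize : 0;
}

/* Largest overrun over every possible csize in 1..b_asize for one ashift. */
static uint64_t worst_overrun(uint64_t b_asize, unsigned ashift)
{
    uint64_t worst = 0;
    for (uint64_t csize = 1; csize <= b_asize; csize++) {
        uint64_t o = pad_overrun(b_asize, csize, 1ULL << ashift);
        if (o > worst)
            worst = o;
    }
    return worst;
}

/* Checked variant (assumed shape of the bound check the log describes):
 * returns the padded size, or 0 when padding would not fit in b_asize,
 * in which case the caller must not pad in place. */
static uint64_t checked_padded_size(uint64_t b_asize, uint64_t csize,
    unsigned ashift)
{
    uint64_t rounded = round_up(csize, 1ULL << ashift);
    return rounded <= b_asize ? rounded : 0;
}

int main(void)
{
    /* Constructed sizes: a 512-byte buffer on an ashift=12 (4 KiB) device. */
    printf("round to SPA_MINBLOCKSIZE: overrun %llu\n",
        (unsigned long long)pad_overrun(512, 300, SPA_MINBLOCKSIZE));
    printf("round to 1 << 12:          overrun %llu\n",
        (unsigned long long)worst_overrun(512, 12));
    printf("checked padded size:       %llu\n",
        (unsigned long long)checked_padded_size(512, 300, 12));
    return 0;
}
```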