zfs PANIC: accessing past end of object in 0.8.3-1ubuntu12.4
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
zfs-linux (Ubuntu) | Fix Released | Medium | Colin Ian King | |
Focal | Fix Released | High | Colin Ian King | |
Groovy | Fix Released | Medium | Colin Ian King | |
Hirsute | Fix Released | Medium | Colin Ian King | |
Bug Description
[Impact]
zfs_write() doesn't properly account for partial copies done by copy_from_user(), causing accesses past the end of objects and triggering kernel panics.
[Test case]
The problem seems to be workload-specific; there is no specific test case to reproduce it, but the bug seems to be pretty well identified by the upstream commit reported below.
[Fix]
Apply upstream commit c9e3efdb3a6111b
[Regression potential]
The upstream commit basically fixes potential out-of-bounds accesses by properly checking partial copies done by copy_from_user(), preventing kernel panics. Regression potential is minimal: it seems unlikely to break other things if this change is applied.
[Original bug report]
Using the latest zfs 0.8.3-1ubuntu12.4 on the latest Ubuntu 20.04.1, I observe rare zfs panics that seem to be workload-specific and that render a server mostly unresponsive, apart from ssh still working. Attempting to reboot the server in this state makes the shutdown hang forever.
You may want to consider backporting the fix released in zfs 0.8.4 into 20.04: https:/
Log sample of panic:
```
Nov 17 16:06:15 hostname kernel: [3385134.716024] PANIC: zfs: accessing past end of object c1c/2db52f (size=17408 access=7492+16428)
Nov 17 16:06:15 hostname kernel: [3385134.716072] Showing stack for process 3166846
Nov 17 16:06:15 hostname kernel: [3385134.716074] CPU: 25 PID: 3166846 Comm: node Tainted: P O 5.4.0-48-generic #52-Ubuntu
Nov 17 16:06:15 hostname kernel: [3385134.716075] Hardware name: <hardware>
Nov 17 16:06:15 hostname kernel: [3385134.716076] Call Trace:
Nov 17 16:06:15 hostname kernel: [3385134.716085] dump_stack+
Nov 17 16:06:15 hostname kernel: [3385134.716097] spl_dumpstack+
Nov 17 16:06:15 hostname kernel: [3385134.716102] vcmn_err.
Nov 17 16:06:15 hostname kernel: [3385134.716106] ? _cond_resched+
Nov 17 16:06:15 hostname kernel: [3385134.716108] ? __kmalloc_
Nov 17 16:06:15 hostname kernel: [3385134.716113] ? spl_kmem_
Nov 17 16:06:15 hostname kernel: [3385134.716190] ? __list_
Nov 17 16:06:15 hostname kernel: [3385134.716235] zfs_panic_
Nov 17 16:06:15 hostname kernel: [3385134.716272] ? dsl_dir_
Nov 17 16:06:15 hostname kernel: [3385134.716305] dmu_buf_
Nov 17 16:06:15 hostname kernel: [3385134.716338] dmu_write_
Nov 17 16:06:15 hostname kernel: [3385134.716370] dmu_write_
Nov 17 16:06:15 hostname kernel: [3385134.716416] zfs_write+
Nov 17 16:06:15 hostname kernel: [3385134.716419] ? d_absolute_
Nov 17 16:06:15 hostname kernel: [3385134.716421] ? __switch_
Nov 17 16:06:15 hostname kernel: [3385134.716423] ? __switch_
Nov 17 16:06:15 hostname kernel: [3385134.716424] ? __switch_
Nov 17 16:06:15 hostname kernel: [3385134.716425] ? __switch_
Nov 17 16:06:15 hostname kernel: [3385134.716427] ? __switch_
Nov 17 16:06:15 hostname kernel: [3385134.716474] zpl_write_
Nov 17 16:06:15 hostname kernel: [3385134.716567] zpl_iter_
Nov 17 16:06:15 hostname kernel: [3385134.716570] do_iter_
Nov 17 16:06:15 hostname kernel: [3385134.716574] ? futex_wake+
Nov 17 16:06:15 hostname kernel: [3385134.716577] do_writev+
Nov 17 16:06:15 hostname kernel: [3385134.716581] do_syscall_
Nov 17 16:06:15 hostname kernel: [3385134.716584] RIP: 0033:0x7fa366eee0cd
Nov 17 16:06:15 hostname kernel: [3385134.716587] RSP: 002b:00007fa35e
Nov 17 16:06:15 hostname kernel: [3385134.716590] RDX: 000000000000000c RSI: 000000000651c7b0 RDI: 000000000000001d
```
summary: zfs: accessing past end of object in 0.8.3-1ubuntu12.4 → zfs PANIC: accessing past end of object in 0.8.3-1ubuntu12.4
Changed in zfs-linux (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Colin Ian King (colin-king)
Changed in zfs-linux (Ubuntu Hirsute):
status: In Progress → Fix Released
Changed in zfs-linux (Ubuntu Groovy):
status: New → Fix Released
importance: Undecided → Medium
assignee: nobody → Colin Ian King (colin-king)
Changed in zfs-linux (Ubuntu Focal):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Ian King (colin-king)
description: updated
Upstream fix that has been backported is attached
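To triage hosts for the panic signature shown in the log sample of the original report, the following added example (not part of the bug report or of ZFS) scans kernel log text, computes how far each access ran past the object, and attaches the PID, command and kernel build from the lines that follow. The function name, the record fields and the reading of `access=` as offset+length are assumptions of this example; the sample lines are constructed from the format quoted above.

```python
import re

# Constructed sample in the format of the panic log quoted in the report.
SAMPLE_LOG = """\
Nov 17 16:06:15 hostname kernel: [3385134.716024] PANIC: zfs: accessing past end of object c1c/2db52f (size=17408 access=7492+16428)
Nov 17 16:06:15 hostname kernel: [3385134.716072] Showing stack for process 3166846
Nov 17 16:06:15 hostname kernel: [3385134.716074] CPU: 25 PID: 3166846 Comm: node Tainted: P O 5.4.0-48-generic #52-Ubuntu
"""

# Panic line: objset/object ids, object size, and the access range
# (read here as offset+length, an assumption of this example).
PANIC_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+PANIC: zfs: accessing past end of object "
    r"(?P<objset>[0-9a-f]+)/(?P<obj>[0-9a-f]+) "
    r"\(size=(?P<size>\d+) access=(?P<off>\d+)\+(?P<len>\d+)\)"
)
# Stack header line: process id, command name and kernel build.
PROC_RE = re.compile(
    r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) .*?(?P<kernel>\d+\.\d+\.\d+-\S+)"
)

def find_zfs_overruns(text, window=5):
    """Return one record per panic line, joined with the PID/Comm line after it."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = PANIC_RE.search(line)
        if not m:
            continue
        size, off, length = (int(m[k]) for k in ("size", "off", "len"))
        rec = {
            "uptime_s": float(m["ts"]),
            "object": f'{m["objset"]}/{m["obj"]}',
            "size": size,
            "access_end": off + length,
            "overrun": off + length - size,  # bytes requested beyond the object
            "pid": None, "comm": None, "kernel": None,
        }
        # The process details follow within a few lines of the panic message.
        for follow in lines[i + 1 : i + 1 + window]:
            p = PROC_RE.search(follow)
            if p:
                rec.update(pid=int(p["pid"]), comm=p["comm"], kernel=p["kernel"])
                break
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_zfs_overruns(SAMPLE_LOG):
        print(rec)
```

Grouping the records by `kernel` and `comm` across a fleet shows which hosts still run an unfixed build and which workload triggers the panic.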