Bug #1661

ZFS bug in sa_find_sizes() that can lead to panic (patch included)

Added by Martin Matuška almost 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
zfs - Zettabyte File System
Start date:
2011-10-17
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

When calculating the space needed for SA_BONUS buffers, hdrsize is always rounded up to the next 8-aligned boundary. However, in two places the round-up was done against the sum of 'total' plus hdrsize. On the other hand, hdrsize increments by 4 each time, which means that in certain conditions we would end up returning with will_spill == 0 and (total + hdrsize) larger than full_space, leading to a failed assertion because it's invalid for dmu_set_bonus.

Fix by: Xin Li <>
Sponsored by: iXsystems, Inc.

--- a/usr/src/uts/common/fs/zfs/sa.c    Fri Jul 22 09:27:57 2011 -0700
+++ b/usr/src/uts/common/fs/zfs/sa.c    Tue Oct 18 01:50:46 2011 +0200
@@ -605,14 +605,14 @@ sa_find_sizes(sa_os_t *sa, sa_bulk_attr_
          * and spill buffer.
          */
         if (buftype == SA_BONUS && *index == -1 &&
-            P2ROUNDUP(*total + hdrsize, 8) >
+            (*total + P2ROUNDUP(hdrsize, 8) >
             (full_space - sizeof (blkptr_t))) {
             *index = i;
             done = B_TRUE;
         }

 next:
-        if (P2ROUNDUP(*total + hdrsize, 8) > full_space &&
+        if (*total + P2ROUNDUP(hdrsize, 8) > full_space &&
             buftype == SA_BONUS)
             *will_spill = B_TRUE;
     }
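Review bot: the first `+` line, `(*total + P2ROUNDUP(hdrsize, 8) >`, opens a parenthesis that is never closed, so the `if` condition ending in `(full_space - sizeof (blkptr_t))) {` has one more `(` than `)` and this hunk will not compile as posted; drop the leading `(` so the line reads `*total + P2ROUNDUP(hdrsize, 8) >`, exactly as the second `+` line under `next:` already does.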

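As an added illustration (not part of the bug report or of the illumos source), the program below runs the `-` and `+` forms of the spill test over constructed values: P2ROUNDUP is written out as the power-of-two round-up it names, FULL_SPACE is a constructed buffer size, and the code assumes, as the description states, that the header is padded to 8 bytes on its own while the attribute data is carried unrounded.

```c
#include <stdbool.h>
#include <stdio.h>

/* Round x up to a multiple of align, align being a power of two
 * (the usual P2ROUNDUP shape, written out here rather than taken from sa.c). */
#define P2ROUNDUP(x, align) ((((x) - 1) | ((align) - 1)) + 1)

/* Constructed bonus-buffer size for the demonstration. */
#define FULL_SPACE 320

/* The '-' side of the patch: round the sum of data and header. */
static bool old_will_spill(int total, int hdrsize)
{
	return P2ROUNDUP(total + hdrsize, 8) > FULL_SPACE;
}

/* The '+' side of the patch: round the header on its own. With the header
 * padded to 8 independently of the data (the report's assumption), this is
 * exactly "bytes actually needed exceed the buffer". */
static bool new_will_spill(int total, int hdrsize)
{
	return total + P2ROUNDUP(hdrsize, 8) > FULL_SPACE;
}

/* Count (total, hdrsize) pairs, hdrsize stepping by 4 as in the report,
 * where the old test says "fits" but the layout does not fit: the
 * will_spill == 0 case that later trips the assertion. Only pairs with
 * both values 4 mod 8 qualify, because P2ROUNDUP(total + hdrsize, 8)
 * lets the two half-words share a single padding word. */
static int count_missed_spills(void)
{
	int missed = 0;

	for (int total = 0; total <= FULL_SPACE; total += 4)
		for (int hdrsize = 8; hdrsize <= 64; hdrsize += 4)
			if (!old_will_spill(total, hdrsize) &&
			    new_will_spill(total, hdrsize))
				missed++;
	return missed;
}

int main(void)
{
	printf("total=308 hdrsize=12: old spill=%d, new spill=%d\n",
	    old_will_spill(308, 12), new_will_spill(308, 12));
	printf("pairs the old test misses: %d\n", count_missed_spills());
	return 0;
}
```
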
History

#1

Updated by Martin Matuška almost 8 years ago

There was one bracket too many:

--- a/usr/src/uts/common/fs/zfs/sa.c    Fri Jul 22 09:27:57 2011 -0700
+++ b/usr/src/uts/common/fs/zfs/sa.c    Tue Oct 18 01:50:46 2011 +0200
@@ -605,14 +605,14 @@ sa_find_sizes(sa_os_t *sa, sa_bulk_attr_
          * and spill buffer.
          */
         if (buftype == SA_BONUS && *index == -1 &&
-            P2ROUNDUP(*total + hdrsize, 8) >
+            *total + P2ROUNDUP(hdrsize, 8) >
             (full_space - sizeof (blkptr_t))) {
             *index = i;
             done = B_TRUE;
         }

 next:
-        if (P2ROUNDUP(*total + hdrsize, 8) > full_space &&
+        if (*total + P2ROUNDUP(hdrsize, 8) > full_space &&
             buftype == SA_BONUS)
             *will_spill = B_TRUE;
     }
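Review bot: the expression `*total + P2ROUNDUP(hdrsize, 8)` is now duplicated verbatim in the two `+` lines, and nothing at either site records why the header is rounded separately from the data; compute it once per iteration into a local, or add a one-line comment at the `next:` check saying it must mirror the bonus check above it (the two differ only by the `sizeof (blkptr_t)` reserve), so the pair cannot drift apart again. The rounding change itself is correct per the description: with `hdrsize` advancing by 4, the old `P2ROUNDUP(*total + hdrsize, 8)` lets a 4-byte remainder of `*total` and a 4-byte remainder of `hdrsize` fold into one padding word and so reports up to 4 bytes less than the header-padded layout consumes, which is how `*will_spill` could stay clear while the buffer was already over `full_space`.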

#2

Updated by Gordon Ross almost 8 years ago

  • Status changed from New to Resolved
changeset:   13493:86d96517d461
tag:         tip
user:        Xin Li <delphij@FreeBSD.org>
date:        Fri Oct 21 11:44:31 2011 -0400
description:
    1661 ZFS bug in sa_find_sizes() that can lead to panic
    1313 Integer overflow in txg_delay() (fix copyright)
    Reviewed by: Matthew Ahrens <matt@delphix.com>
    Reviewed by: Dan McDonald <danmcd@nexenta.com>
    Approved by: Gordon Ross <gwr@nexenta.com>