codeQL fixes #5
codeQL fixes #5
Conversation
Signed-off-by: Andrew Innes <andrew.c12@gmail.com>
andrewc12
force-pushed
the
andrew_ryao_codeql
branch
from
d23176d
to
5272e42
Compare
cmd/raidz_test/raidz_test.c
Outdated
| @@ -937,7 +937,7 @@ run_sweep(void) | |||
| opts = umem_zalloc(sizeof (raidz_test_opts_t), UMEM_NOFAIL); | |||
| opts->rto_ashift = ashift_v[a]; | |||
| opts->rto_dcols = dcols_v[d]; | |||
| opts->rto_offset = (1 << ashift_v[a]) * rand(); | |||
| opts->rto_offset = (uint64_t)(1 << ashift_v[a]) * rand(); | |||
There was a problem hiding this comment.
1 here should be made 1ULL, which will avoid the need for an explicit cast.
tests/zfs-tests/cmd/stride_dd.c
Outdated
| @@ -195,11 +195,13 @@ main(int argc, char *argv[]) | |||
| } | |||
|
|
|||
| if (stride > 1) { | |||
| if (lseek(ifd, (stride - 1) * bsize, SEEK_CUR) == -1) { | |||
| if (lseek(ifd, ((uint64_t)stride - 1) * bsize, | |||
There was a problem hiding this comment.
We could probably use 1ULL here to make this a bit cleaner.
tests/zfs-tests/cmd/stride_dd.c
Outdated
| perror("input lseek"); | ||
| exit(2); | ||
| } | ||
| if (lseek(ofd, (stride - 1) * bsize, SEEK_CUR) == -1) { | ||
| if (lseek(ofd, ((uint64_t)stride - 1) * bsize, |
|
I had been planning to tackle this today, but you took most of that work away from me by tackling a number of them. That makes things easier for me, so I do not mind though. :) |
|
the only reason I did it on your repo is because I didn't see a way to prove it fixed something without the codeQL checks I will say though I have no idea if these are good changes |
You can cherry-pick the commit from my repository and push it plus your changes to a branch on your repository. The result should then be visible in the code scanning page under the security tab after a half hour. You probably would need to change the search parameters from |
|
That said, I do not particularly mind you (ab)using my development repository to run these checks, but github has security against running scans on PRs from new contributors, so I need to grant permission every time you do that, which will add significant latency to getting results. On your own repository, there is no need to wait for someone to grant permission. |
oh I did that. that's where these fixes come from, so the fixes would have to go through you somehow. |
|
and honestly I don't know if its worth the back and forth to even have me fix these. |
|
@andrewc12 Brian wants these to be fixed. If you do not fix them, I will. I already have fixes for the TOCTOU race condition complaints (with 1 exception that I deem to be a false positive that is a pain to workaround): https://github.com/ryao/zfs/security/code-scanning?query=is%3Aopen+branch%3Asa I plan to tackle the snprintf and formatting function complaints too. It would be helpful if you would open an upstream PR with a fix for the |
|
will do |
Under certain loads, the following panic is hit:
panic: page fault
KDB: stack backtrace:
#0 0xffffffff805db025 at kdb_backtrace+0x65
#1 0xffffffff8058e86f at vpanic+0x17f
#2 0xffffffff8058e6e3 at panic+0x43
#3 0xffffffff808adc15 at trap_fatal+0x385
#4 0xffffffff808adc6f at trap_pfault+0x4f
#5 0xffffffff80886da8 at calltrap+0x8
openzfs#6 0xffffffff80669186 at vgonel+0x186
openzfs#7 0xffffffff80669841 at vgone+0x31
openzfs#8 0xffffffff8065806d at vfs_hash_insert+0x26d
openzfs#9 0xffffffff81a39069 at sfs_vgetx+0x149
openzfs#10 0xffffffff81a39c54 at zfsctl_snapdir_lookup+0x1e4
openzfs#11 0xffffffff8065a28c at lookup+0x45c
openzfs#12 0xffffffff806594b9 at namei+0x259
openzfs#13 0xffffffff80676a33 at kern_statat+0xf3
openzfs#14 0xffffffff8067712f at sys_fstatat+0x2f
openzfs#15 0xffffffff808ae50c at amd64_syscall+0x10c
openzfs#16 0xffffffff808876bb at fast_syscall_common+0xf8
The page fault occurs because vgonel() will call VOP_CLOSE() for active
vnodes. For this reason, define vop_close for zfsctl_ops_snapshot. While
here, define vop_open for consistency.
After adding the necessary vop, the bug progresses to the following
panic:
panic: VERIFY3(vrecycle(vp) == 1) failed (0 == 1)
cpuid = 17
KDB: stack backtrace:
#0 0xffffffff805e29c5 at kdb_backtrace+0x65
#1 0xffffffff8059620f at vpanic+0x17f
#2 0xffffffff81a27f4a at spl_panic+0x3a
#3 0xffffffff81a3a4d0 at zfsctl_snapshot_inactive+0x40
#4 0xffffffff8066fdee at vinactivef+0xde
#5 0xffffffff80670b8a at vgonel+0x1ea
openzfs#6 0xffffffff806711e1 at vgone+0x31
openzfs#7 0xffffffff8065fa0d at vfs_hash_insert+0x26d
openzfs#8 0xffffffff81a39069 at sfs_vgetx+0x149
openzfs#9 0xffffffff81a39c54 at zfsctl_snapdir_lookup+0x1e4
openzfs#10 0xffffffff80661c2c at lookup+0x45c
openzfs#11 0xffffffff80660e59 at namei+0x259
openzfs#12 0xffffffff8067e3d3 at kern_statat+0xf3
openzfs#13 0xffffffff8067eacf at sys_fstatat+0x2f
openzfs#14 0xffffffff808b5ecc at amd64_syscall+0x10c
openzfs#15 0xffffffff8088f07b at fast_syscall_common+0xf8
This is caused by a race condition that can occur when allocating a new
vnode and adding that vnode to the vfs hash. If the newly created vnode
loses the race when being inserted into the vfs hash, it will not be
recycled as its usecount is greater than zero, hitting the above
assertion.
Fix this by dropping the assertion.
FreeBSD-issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252700
Reviewed-by: Andriy Gapon <avg@FreeBSD.org>
Reviewed-by: Mateusz Guzik <mjguzik@gmail.com>
Reviewed-by: Alek Pinchuk <apinchuk@axcient.com>
Reviewed-by: Ryan Moeller <ryan@iXsystems.com>
Signed-off-by: Rob Wing <rob.wing@klarasystems.com>
Co-authored-by: Rob Wing <rob.wing@klarasystems.com>
Submitted-by: Klara, Inc.
Sponsored-by: rsync.net
Closes openzfs#14501
Signed-off-by: Andrew Innes andrew.c12@gmail.com
Motivation and Context
Description
How Has This Been Tested?
Types of changes
Checklist:
Signed-off-by.