[dm-devel] [PATCH v3] multipathd: handle fpin events
Martin Wilck
martin.wilck at suse.com
Thu Feb 10 21:05:30 UTC 2022
Hi Ben,
On Thu, 2022-02-10 at 15:02 -0600, Benjamin Marzinski wrote:
> On Thu, Feb 10, 2022 at 05:00:09PM +0000, Martin Wilck wrote:
> > Hi Muneendra,
> >
> > coverity found some defects in your patch. Please help me review
> > them,
> > see attachment. It's well possible that they're false positives,
> > but
> > please double-check.
> >
> > Thanks
> > Martin
> >
>
Thank you. Meanwhile I figured this out myself, and marked the defects
as false positives. I've pushed the patch to my "queue" branch. The
compilation errors have been resolved, too.
> > Date: Thu, 10 Feb 2022 16:50:12 +0000 (UTC)
> > From: scan-admin at coverity.com
> > To: mwilck at suse.com
> > Subject: New Defects reported by Coverity Scan for
> > mwilck/multipath-tools
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to
> > mwilck/multipath-tools found with Coverity Scan.
> >
> > 3 new defect(s) introduced to mwilck/multipath-tools found with
> > Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 3 of 3 defect(s)
> >
> >
> > ** CID 375096: Memory - corruptions (OVERRUN)
> > /multipathd/fpin_handlers.c: 161 in fpin_els_add_li_frame()
> >
> >
> > ___________________________________________________________________
> > _____________________________________
> > *** CID 375096: Memory - corruptions (OVERRUN)
> > /multipathd/fpin_handlers.c: 161 in fpin_els_add_li_frame()
> > 155 pthread_testcancel();
> > 156 els_mrg = calloc(1, sizeof(struct
> > els_marginal_list));
> > 157 if (els_mrg != NULL) {
> > 158 els_mrg->host_num = fc_event->host_no;
> > 159 els_mrg->event_code = fc_event->event_code;
> > 160 els_mrg->length = fc_event->event_datalen;
> > > > > CID 375096: Memory - corruptions (OVERRUN)
> > > > > Overrunning buffer pointed to by "&fc_event->event_data"
> > > > > of 4 bytes by passing it to a function which accesses it at
> > > > > byte offset 2047 using argument "fc_event->event_datalen"
> > > > > (which evaluates to 2048). [Note: The source code
> > > > > implementation of the function has been overridden by a
> > > > > builtin model.]
>
> fc_event->event_data is a u32, but that's just because the first 32
> bits
> of the event data is the els_cmd, right? The header makes it clear
> that
> event_data actually does hold event_datalen worth of space
>
> From /usr/include/scsi/scsi_netlink_fc.h
> -------------------------------------------
> * Note: if Vendor Unique message, &event_data will be start of
> * vendor unique payload, and the length of the payload is
> * per event_datalen
>
> The only thing that looks possibly suspect here to me is in
> fpin_fabric_notification_receiver() which calls
> fpin_els_add_li_frame()
>
> In fpin_fabric_notification_receiver() we guarantee that we read
> enough
> for plen to be correct by calling NLMSG_OK(), and we check that plen
> is
> big enough to hold fc_event before we start using that. After that,
> we
> just assume fc_event is well formed. However we could check that
>
> offsetof(struct fc_nl_event, event_data) + fc_event->event_data_len
> <= plen
>
> just to make sure that we really read enough space for all the event
> data.
>
> > 161 memcpy(els_mrg->payload, &(fc_event-
> > >event_data), fc_event->event_datalen);
> > 162 list_add_tail(&els_mrg->node,
> > &els_marginal_list_head);
> > 163 pthread_cond_signal(&fpin_li_cond);
> > 164 } else
> > 165 ret = -ENOMEM;
> > 166 pthread_cleanup_pop(1);
> >
> > ** CID 375095: Program hangs (LOCK)
> > /multipathd/fpin_handlers.c: 429 in fpin_els_li_consumer()
> >
> >
> > ___________________________________________________________________
> > _____________________________________
> > *** CID 375095: Program hangs (LOCK)
> > /multipathd/fpin_handlers.c: 429 in fpin_els_li_consumer()
> > 423 rcu_register_thread();
> > 424 pthread_cleanup_push(fpin_clean_marginal_dev_list,
> > NULL);
> > 425 INIT_LIST_HEAD(&marginal_list_head);
> > 426 pthread_cleanup_push(fpin_clean_els_marginal_list,
> > 427 (void
> > *)&marginal_list_head);
> > 428 for ( ; ; ) {
> > > > > CID 375095: Program hangs (LOCK)
> > > > > "pthread_mutex_lock" locks "fpin_li_mutex" while it is
> > > > > locked.
> > 429 pthread_mutex_lock(&fpin_li_mutex);
> > 430 pthread_cleanup_push(cleanup_mutex,
> > &fpin_li_mutex);
> > 431 pthread_testcancel();
> > 432 while (list_empty(&els_marginal_list_head))
> > 433 pthread_cond_wait(&fpin_li_cond,
> > &fpin_li_mutex);
> > 434
> >
> > ** CID 375094: Memory - corruptions (OVERRUN)
> > /multipathd/fpin_handlers.c: 339 in fpin_handle_els_frame()
>
> I can't see how we could double lock fpin_li_mutex here. This looks
> to me
> like coverity isn't understanding that the pthread_mutex_pop(1) that
> we
> must do before we loop is unlocking the mutex.
Exactly.
Martin
More information about the dm-devel
mailing list