Open Source and information security mailing list archives
 
Message-ID: <20230710170243.GF11456@frogsfrogsfrogs>
Date:   Mon, 10 Jul 2023 10:02:43 -0700
From:   "Darrick J. Wong" <djwong@...nel.org>
To:     Jeff Layton <jlayton@...nel.org>
Cc:     linux-xfs <linux-xfs@...r.kernel.org>,
        Kees Cook <keescook@...omium.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: xfs WARNING on v6.5-rc1 kernel

On Mon, Jul 10, 2023 at 12:29:29PM -0400, Jeff Layton wrote:
> I hit this this morning while running generic/013 (fsstress), with a
> kernel based on v6.5-rc1. The main changes on top of this are timestamp
> related, so I doubt they're a factor here.
> 
> Is this some of the flexarray hardening?

Yes.

https://lore.kernel.org/linux-xfs/ZI+3QXDHiohgv%2FPb@dread.disaster.area/
https://lore.kernel.org/linux-xfs/bug-217522-201763-D34HpuP9xe@https.bugzilla.kernel.org%2F/
https://lore.kernel.org/linux-xfs/Y9xiYmVLRIKdpJcC@work/

--D

> [ 2704.665314] run fstests generic/013 at 2023-07-10 16:09:58
> [ 2705.646507] XFS (loop16): Unmounting Filesystem 3058c032-3f67-4fb9-b24e-c1414b0b532b
> [ 2705.820402] XFS (loop16): Mounting V5 Filesystem 3058c032-3f67-4fb9-b24e-c1414b0b532b
> [ 2705.838655] XFS (loop16): Ending clean mount
> [ 2705.916080] ------------[ cut here ]------------
> [ 2705.917615] memcpy: detected field-spanning write (size 2) of single field "(char *)name_loc->nameval" at fs/xfs/libxfs/xfs_attr_leaf.c:1559 (size 1)
> [ 2705.921569] WARNING: CPU: 6 PID: 48206 at fs/xfs/libxfs/xfs_attr_leaf.c:1559 xfs_attr3_leaf_add_work+0x4ee/0x530 [xfs]
> [ 2705.926783] Modules linked in: xfs nls_iso8859_1 nls_cp437 vfat fat ext4 9p crc16 mbcache netfs jbd2 kvm_intel cirrus virtio_net kvm joydev drm_shmem_helper net_failover pcspkr virtio_balloon 9pnet_virtio psmouse irqbypass failover drm_kms_helper evdev button drm loop dm_mod zram zsmalloc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 sha512_generic nvme virtio_blk nvme_core t10_pi aesni_intel virtio_pci crc64_rocksoft_generic crypto_simd cryptd crc64_rocksoft virtio i6300esb crc64 virtio_pci_legacy_dev virtio_pci_modern_dev virtio_ring serio_raw btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq autofs4
> [ 2705.942668] CPU: 6 PID: 48206 Comm: fsstress Not tainted 6.5.0-rc1+ #13
> [ 2705.945361] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> [ 2705.947758] RIP: 0010:xfs_attr3_leaf_add_work+0x4ee/0x530 [xfs]
> [ 2705.949442] Code: fe ff ff b9 01 00 00 00 4c 89 fe 48 c7 c2 c8 2e fc c0 48 c7 c7 10 2f fc c0 48 89 44 24 08 c6 05 ac 9c 0e 00 01 e8 a2 de 67 d0 <0f> 0b 48 8b 44 24 08 e9 88 fe ff ff 80 3d 93 9c 0e 00 00 0f 85 bd
> [ 2705.953536] RSP: 0018:ffffb52ac29bb8c0 EFLAGS: 00010282
> [ 2705.954925] RAX: 0000000000000000 RBX: ffffb52ac29bb990 RCX: 0000000000000000
> [ 2705.956604] RDX: 0000000000000002 RSI: ffffffff92612d95 RDI: 00000000ffffffff
> [ 2705.958998] RBP: ffffb52ac29bb924 R08: 0000000000000000 R09: ffffb52ac29bb760
> [ 2705.960903] R10: 0000000000000003 R11: ffffffff928c1aa8 R12: ffff8ecf3adc8050
> [ 2705.962537] R13: ffff8ecf3adc8000 R14: ffff8ecf3adc8fcc R15: 0000000000000002
> [ 2705.964083] FS:  00007fcb152f4740(0000) GS:ffff8ed077d80000(0000) knlGS:0000000000000000
> [ 2705.965752] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2705.967124] CR2: 00007ff8022cd2d8 CR3: 000000015e1d2005 CR4: 0000000000060ee0
> [ 2705.969279] Call Trace:
> [ 2705.970318]  <TASK>
> [ 2705.971321]  ? xfs_attr3_leaf_add_work+0x4ee/0x530 [xfs]
> [ 2705.973729]  ? __warn+0x7d/0x130
> [ 2705.974822]  ? xfs_attr3_leaf_add_work+0x4ee/0x530 [xfs]
> [ 2705.976251]  ? report_bug+0x18d/0x1c0
> [ 2705.977242]  ? handle_bug+0x3c/0x80
> [ 2705.978282]  ? exc_invalid_op+0x13/0x60
> [ 2705.979310]  ? asm_exc_invalid_op+0x16/0x20
> [ 2705.980648]  ? xfs_attr3_leaf_add_work+0x4ee/0x530 [xfs]
> [ 2705.982645]  xfs_attr3_leaf_add+0x173/0x1e0 [xfs]
> [ 2705.984131]  xfs_attr_shortform_to_leaf+0x21d/0x230 [xfs]
> [ 2705.985415]  xfs_attr_set_iter+0x766/0x900 [xfs]
> [ 2705.986514]  ? path_setxattr+0xc7/0xe0
> [ 2705.987324]  xfs_xattri_finish_update+0x18/0x50 [xfs]
> [ 2705.988486]  xfs_attr_finish_item+0x1a/0xb0 [xfs]
> [ 2705.989566]  xfs_defer_finish_noroll+0x192/0x6e0 [xfs]
> [ 2705.990714]  __xfs_trans_commit+0x242/0x360 [xfs]
> [ 2705.991768]  xfs_attr_set+0x462/0x680 [xfs]
> [ 2705.993079]  xfs_xattr_set+0x89/0xe0 [xfs]
> [ 2705.994183]  __vfs_setxattr+0x95/0xd0
> [ 2705.995160]  __vfs_setxattr_noperm+0x73/0x1d0
> [ 2705.996536]  vfs_setxattr+0x9b/0x180
> [ 2705.997510]  setxattr+0x88/0xa0
> [ 2705.998249]  ? __pfx_free_object_rcu+0x10/0x10
> [ 2705.999190]  ? __call_rcu_common.constprop.0+0x107/0x220
> [ 2706.000196]  ? user_path_at_empty+0x40/0x50
> [ 2706.001045]  ? kmem_cache_free+0x160/0x380
> [ 2706.001881]  ? preempt_count_add+0x47/0xa0
> [ 2706.002719]  ? __mnt_want_write+0x61/0x90
> [ 2706.003528]  path_setxattr+0xc7/0xe0
> [ 2706.004277]  __x64_sys_setxattr+0x27/0x30
> [ 2706.005074]  do_syscall_64+0x3b/0x90
> [ 2706.005800]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> [ 2706.006739] RIP: 0033:0x7fcb1540515e
> [ 2706.007628] Code: 48 8b 0d ad 6c 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7a 6c 0c 00 f7 d8 64 89 01 48
> [ 2706.010450] RSP: 002b:00007fffe4df12d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
> [ 2706.011976] RAX: ffffffffffffffda RBX: 0000000000000061 RCX: 00007fcb1540515e
> [ 2706.013103] RDX: 0000000001548010 RSI: 00007fffe4df1320 RDI: 000000000155cf50
> [ 2706.014103] RBP: 0000000001548071 R08: 0000000000000000 R09: 0000000000000000
> [ 2706.015177] R10: 0000000000000061 R11: 0000000000000246 R12: 0000000001548010
> [ 2706.016236] R13: 0000000001548071 R14: 0410410410410411 R15: 0000000001526450
> [ 2706.017238]  </TASK>
> [ 2706.017817] ---[ end trace 0000000000000000 ]---
> [ 2706.737755] ------------[ cut here ]------------
> [ 2706.739255] memmove: detected field-spanning write (size 24) of single field "entry" at fs/xfs/libxfs/xfs_attr_leaf.c:2235 (size 8)
> [ 2706.743694] WARNING: CPU: 1 PID: 48206 at fs/xfs/libxfs/xfs_attr_leaf.c:2235 xfs_attr3_leaf_remove+0x4a7/0x4d0 [xfs]
> [ 2706.747045] Modules linked in: xfs nls_iso8859_1 nls_cp437 vfat fat ext4 9p crc16 mbcache netfs jbd2 kvm_intel cirrus virtio_net kvm joydev drm_shmem_helper net_failover pcspkr virtio_balloon 9pnet_virtio psmouse irqbypass failover drm_kms_helper evdev button drm loop dm_mod zram zsmalloc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 sha512_generic nvme virtio_blk nvme_core t10_pi aesni_intel virtio_pci crc64_rocksoft_generic crypto_simd cryptd crc64_rocksoft virtio i6300esb crc64 virtio_pci_legacy_dev virtio_pci_modern_dev virtio_ring serio_raw btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq autofs4
> [ 2706.763271] CPU: 1 PID: 48206 Comm: fsstress Tainted: G        W          6.5.0-rc1+ #13
> [ 2706.765484] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
> [ 2706.767821] RIP: 0010:xfs_attr3_leaf_remove+0x4a7/0x4d0 [xfs]
> [ 2706.769821] Code: c7 c2 00 30 fc c0 48 89 c6 48 c7 c7 08 2e fc c0 44 89 44 24 14 4c 89 4c 24 08 48 89 04 24 c6 05 30 6e 0e 00 01 e8 29 b0 67 d0 <0f> 0b 44 8b 44 24 14 4c 8b 4c 24 08 48 8b 04 24 e9 62 fd ff ff e8
> [ 2706.774843] RSP: 0018:ffffb52ac29bba20 EFLAGS: 00010282
> [ 2706.776465] RAX: 0000000000000000 RBX: 0000000000000f08 RCX: 0000000000000000
> [ 2706.778427] RDX: 0000000000000002 RSI: ffffffff92612d95 RDI: 00000000ffffffff
> [ 2706.780343] RBP: ffffb52ac29bbc70 R08: 0000000000000000 R09: ffffb52ac29bb8c0
> [ 2706.782170] R10: 0000000000000003 R11: ffffffff928c1aa8 R12: ffff8ecf3adc8050
> [ 2706.783934] R13: ffff8ecf61308900 R14: ffff8ecf3adc8000 R15: 0000000000000fcc
> [ 2706.786138] FS:  00007fcb152f4740(0000) GS:ffff8ed077c40000(0000) knlGS:0000000000000000
> [ 2706.788370] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2706.790691] CR2: 0000000001606000 CR3: 000000015e1d2005 CR4: 0000000000060ee0
> [ 2706.792692] Call Trace:
> [ 2706.793721]  <TASK>
> [ 2706.794717]  ? xfs_attr3_leaf_remove+0x4a7/0x4d0 [xfs]
> [ 2706.796542]  ? __warn+0x7d/0x130
> [ 2706.797701]  ? xfs_attr3_leaf_remove+0x4a7/0x4d0 [xfs]
> [ 2706.799435]  ? report_bug+0x18d/0x1c0
> [ 2706.800684]  ? handle_bug+0x3c/0x80
> [ 2706.801938]  ? exc_invalid_op+0x13/0x60
> [ 2706.803272]  ? asm_exc_invalid_op+0x16/0x20
> [ 2706.804474]  ? xfs_attr3_leaf_remove+0x4a7/0x4d0 [xfs]
> [ 2706.806068]  xfs_attr_leaf_removename+0xad/0x110 [xfs]
> [ 2706.808661]  ? xfs_defer_add+0x57/0x160 [xfs]
> [ 2706.810164]  xfs_attr_set_iter+0x63/0x900 [xfs]
> [ 2706.811611]  ? removexattr+0x77/0x110
> [ 2706.812779]  xfs_xattri_finish_update+0x18/0x50 [xfs]
> [ 2706.814338]  xfs_attr_finish_item+0x1a/0xb0 [xfs]
> [ 2706.815799]  xfs_defer_finish_noroll+0x192/0x6e0 [xfs]
> [ 2706.817405]  __xfs_trans_commit+0x242/0x360 [xfs]
> [ 2706.818916]  xfs_attr_set+0x462/0x680 [xfs]
> [ 2706.820252]  xfs_xattr_set+0x89/0xe0 [xfs]
> [ 2706.822251]  __vfs_removexattr+0x7f/0xb0
> [ 2706.823463]  __vfs_removexattr_locked+0xb7/0x140
> [ 2706.824648]  vfs_removexattr+0x54/0x100
> [ 2706.825667]  removexattr+0x77/0x110
> [ 2706.826830]  ? __pfx_free_object_rcu+0x10/0x10
> [ 2706.827853]  ? __call_rcu_common.constprop.0+0x107/0x220
> [ 2706.828989]  ? user_path_at_empty+0x40/0x50
> [ 2706.830468]  ? kmem_cache_free+0x160/0x380
> [ 2706.831638]  ? preempt_count_add+0x47/0xa0
> [ 2706.832611]  ? __mnt_want_write+0x61/0x90
> [ 2706.833569]  path_removexattr+0x9f/0xc0
> [ 2706.834506]  __x64_sys_removexattr+0x17/0x20
> [ 2706.835443]  do_syscall_64+0x3b/0x90
> [ 2706.836267]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> [ 2706.837302] RIP: 0033:0x7fcb1540512b
> [ 2706.838118] Code: f0 ff ff 73 01 c3 48 8b 0d da 6c 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 c5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ad 6c 0c 00 f7 d8 64 89 01 48
> [ 2706.841389] RSP: 002b:00007fffe4df1318 EFLAGS: 00000246 ORIG_RAX: 00000000000000c5
> [ 2706.842767] RAX: ffffffffffffffda RBX: 000000000000019e RCX: 00007fcb1540512b
> [ 2706.844024] RDX: 0000000000000000 RSI: 00007fffe4df1340 RDI: 000000000155d270
> [ 2706.845254] RBP: 00000000015345a0 R08: 0000000000000064 R09: 0000000000000000
> [ 2706.846557] R10: 0000000000000000 R11: 0000000000000246 R12: 028f5c28f5c28f5c
> [ 2706.847786] R13: 8f5c28f5c28f5c29 R14: 00000000004054b0 R15: 00007fcb152f46c8
> [ 2706.849029]  </TASK>
> [ 2706.849578] ---[ end trace 0000000000000000 ]---
> 
> 
> For reference:
> 
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 1555)        if (entry->flags & XFS_ATTR_LOCAL) {
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 1556)                name_loc = xfs_attr3_leaf_name_local(leaf, args->index);
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 1557)                name_loc->namelen = args->namelen;
> 053b5758cbc09 fs/xfs/xfs_attr_leaf.c        (Nathan Scott        2006-03-17 17:29:09 +1100 1558)                name_loc->valuelen = cpu_to_be16(args->valuelen);
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 1559)                memcpy((char *)name_loc->nameval, args->name, args->namelen);
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 1560)                memcpy((char *)&name_loc->nameval[args->namelen], args->value,
> 053b5758cbc09 fs/xfs/xfs_attr_leaf.c        (Nathan Scott        2006-03-17 17:29:09 +1100 1561)                                   be16_to_cpu(name_loc->valuelen));
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 1562)        } else {
> 
> [...]
> 
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 2233) 
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2234)        tmp = (ichdr.count - args->index) * sizeof(xfs_attr_leaf_entry_t);
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2235)        memmove(entry, entry + 1, tmp);
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2236)        ichdr.count--;
> 1d9025e56143c fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2012-06-22 18:50:14 +1000 2237)        xfs_trans_log_buf(args->trans, bp,
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2238)            XFS_DA_LOGRANGE(leaf, entry, tmp + sizeof(xfs_attr_leaf_entry_t)));
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2239) 
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2240)        entry = &xfs_attr3_leaf_entryp(leaf)[ichdr.count];
> 517c22207b045 fs/xfs/xfs_attr_leaf.c        (Dave Chinner        2013-04-24 18:58:55 +1000 2241)        memset(entry, 0, sizeof(xfs_attr_leaf_entry_t));
> ^1da177e4c3f4 fs/xfs/xfs_attr_leaf.c        (Linus Torvalds      2005-04-16 15:20:36 -0700 2242) 
> 
> 
> -- 
> Jeff Layton <jlayton@...nel.org>
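As an added example, not code from the kernel, from xfs, or from either poster, the following userspace C program models the decision the kernel's fortified memcpy()/memmove() wrappers make when they print "detected field-spanning write", and reproduces the two shapes seen in the trace: a copy of more than one byte into a one-element trailing array (`nameval[1]`, compiler-visible field size 1, xfs_attr_leaf.c:1559) and a 24-byte memmove whose destination is a pointer to a single 8-byte entry (xfs_attr_leaf.c:2235). The struct layouts, the 64-byte free region, the 8-slot entry table and the function names are simplified stand-ins chosen for the example; in the kernel the field and object sizes come from `__builtin_object_size()`, whereas here the caller passes them by hand, and the "array destination" variant of the entry shift is included only for contrast, not as the xfs fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the modelled check. */
enum fortify_result { FORTIFY_OK, FORTIFY_FIELD_SPANNING, FORTIFY_OVERFLOW };

/* Stands in for "the compiler reports no field size" (true flexible array). */
#define FIELD_UNKNOWN SIZE_MAX

/*
 * Model of the fortified memcpy()/memmove() decision: the compiler supplies
 * the size of the destination field (__builtin_object_size(p, 1)) and of the
 * whole object; a write that fits the object but exceeds the field is
 * reported as field-spanning, a write past the object is refused. Here the
 * caller supplies both sizes by hand (assumption of this userspace model).
 */
enum fortify_result fortify_write(size_t field_size, size_t obj_left,
                                  size_t n, const char *field)
{
    if (n > obj_left) {
        fprintf(stderr, "write (size %zu) past end of object (%zu left) at \"%s\"\n",
                n, obj_left, field);
        return FORTIFY_OVERFLOW;
    }
    if (n > field_size) {
        fprintf(stderr, "detected field-spanning write (size %zu) of single field \"%s\" (size %zu)\n",
                n, field, field_size);
        return FORTIFY_FIELD_SPANNING;
    }
    return FORTIFY_OK;
}

/* Simplified local-name record: a one-element array used as a variable-length
 * tail, the pattern behind the first warning (compiler sees a 1-byte field). */
struct name_local_fake {
    uint16_t valuelen;
    uint8_t  namelen;
    uint8_t  nameval[1];
};

/* Same record with a C99 flexible array member: no field size, so only the
 * enclosing-object bound applies. */
struct name_local_flex {
    uint16_t valuelen;
    uint8_t  namelen;
    uint8_t  nameval[];
};

#define BLOCK_LEFT 64   /* assumed bytes free at the record's position */

enum fortify_result add_name_fake(const char *name, uint8_t namelen)
{
    unsigned char block[BLOCK_LEFT];
    struct name_local_fake *nl = (struct name_local_fake *)block;
    size_t left = sizeof(block) - offsetof(struct name_local_fake, nameval);
    enum fortify_result r;

    nl->namelen = namelen;
    r = fortify_write(sizeof(nl->nameval), left, namelen, "name_loc->nameval");
    if (r != FORTIFY_OVERFLOW)           /* the kernel WARNs, then still copies */
        memcpy(nl->nameval, name, namelen);
    return r;
}

enum fortify_result add_name_flex(const char *name, uint8_t namelen)
{
    unsigned char block[BLOCK_LEFT];
    struct name_local_flex *nl = (struct name_local_flex *)block;
    size_t left = sizeof(block) - offsetof(struct name_local_flex, nameval);
    enum fortify_result r;

    nl->namelen = namelen;
    /* sizeof(nl->nameval) is ill-formed for a flexible array member. */
    r = fortify_write(FIELD_UNKNOWN, left, namelen, "name_loc->nameval");
    if (r != FORTIFY_OVERFLOW)
        memcpy(nl->nameval, name, namelen);
    return r;
}

/* 8-byte entry, the field size the second warning reports for "entry". */
struct leaf_entry {
    uint32_t hashval;
    uint16_t nameidx;
    uint8_t  flags;
    uint8_t  pad;
};

/*
 * Shift the entries after `index` down one slot, the memmove pattern at
 * xfs_attr_leaf.c:2235, over a table of `capacity` slots of which `count`
 * are in use. With dst_is_single_entry the destination is treated as one
 * entry (field size 8) as in the trace; otherwise as the remaining array.
 */
enum fortify_result remove_entry(struct leaf_entry *entries, size_t capacity,
                                 size_t count, size_t index,
                                 int dst_is_single_entry)
{
    struct leaf_entry *entry = &entries[index];
    size_t tmp, left, field;
    enum fortify_result r;

    if (index >= count || count >= capacity)
        return FORTIFY_OVERFLOW;         /* source would run past the table */
    tmp = (count - index) * sizeof(*entry);
    left = (capacity - index) * sizeof(*entry);
    field = dst_is_single_entry ? sizeof(*entry) : left;
    r = fortify_write(field, left, tmp, dst_is_single_entry ? "entry" : "entries");
    if (r != FORTIFY_OVERFLOW)
        memmove(entry, entry + 1, tmp);
    return r;
}

int main(void)
{
    struct leaf_entry table[8] = {{0}};
    printf("fake flex, 6-byte name: %d\n", add_name_fake("user.x", 6));
    printf("true flex, 6-byte name: %d\n", add_name_flex("user.x", 6));
    printf("single-entry dst:       %d\n", remove_entry(table, 8, 5, 2, 1));
    printf("array dst:              %d\n", remove_entry(table, 8, 5, 2, 0));
    return 0;
}
```

With a six-byte name the fake-flex record trips the field check (6 > 1) while the true flexible array does not, and the five-entry table with index 2 moves 24 bytes into an 8-byte "entry", the same numbers as the two warnings; in both cases the write stays inside the buffer, which is why the kernel only WARNs and continues rather than calling fortify_panic().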
