From: "Darrick J. Wong" <djwong@kernel.org>
To: bugzilla-daemon@kernel.org
Cc: linux-xfs@vger.kernel.org
Subject: Re: [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
Date: Tue, 18 Oct 2022 13:44:25 -0700 [thread overview]
Message-ID: <Y08QKc6YMSOthy2N@magnolia> (raw)
In-Reply-To: <bug-216563-201763-xMifTmrqrR@https.bugzilla.kernel.org/>
On Sun, Oct 09, 2022 at 10:42:29PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216563
>
> --- Comment #3 from Dave Chinner (david@fromorbit.com) ---
> On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote:
> > On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> > > https://bugzilla.kernel.org/show_bug.cgi?id=216563
> > >
> > > Bug ID: 216563
> > > Summary: [xfstests generic/113] memcpy: detected field-spanning
> > > write (size 32) of single field
> > > "efdp->efd_format.efd_extents" at
> > > fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > Product: File System
> > > Version: 2.5
> > > Kernel Version: v6.1-rc0
> > > Hardware: All
> > > OS: Linux
> > > Tree: Mainline
> > > Status: NEW
> > > Severity: normal
> > > Priority: P1
> > > Component: XFS
> > > Assignee: filesystem_xfs@kernel-bugs.kernel.org
> > > Reporter: zlang@redhat.com
> > > Regression: No
> > >
> > > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k
> > directory
> > > block size (-n size=65536). It's reproducible for me, and the last time I
> > > reproduce this bug on linux v6.0+ which HEAD= ...
> > >
> > > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> > > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > > Date: Fri Oct 7 17:04:10 2022 -0700
> > >
> > > Merge tag 'driver-core-6.1-rc1' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
> > >
> > > I hit this issue on xfs with 64k directory block size 3 times(aarch64,
> > x86_64
> > > and ppc64le), and once on xfs with 1k blocksize (aarch64).
> > >
> > >
> > > [1]
> > > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> > > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4333.094807] XFS (sda3): Unmounting Filesystem
> > > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> > > [ 4333.973061] XFS (sda3): Ending clean mount
> > > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4338.564849] XFS (sda3): Unmounting Filesystem
> > > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> > > [ 4339.430908] XFS (sda3): Ending clean mount
> > > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4343.379506] XFS (sda3): Unmounting Filesystem
> > > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> > > [ 4344.232984] XFS (sda3): Ending clean mount
> > > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4348.198562] XFS (sda3): Unmounting Filesystem
> > > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> > > [ 4349.104995] XFS (sda3): Ending clean mount
> > > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4353.233555] XFS (sda3): Unmounting Filesystem
> > > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> > > [ 4354.135975] XFS (sda3): Ending clean mount
> > > [ 4354.337550] ------------[ cut here ]------------
> > > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single
> > field
> > > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693
> > > xfs_efi_item_relog+0x1fc/0x270 [xfs]
> >
> > I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
> > structure definition is:
> >
> > typedef struct xfs_efd_log_format {
> > uint16_t efd_type; /* efd log item type */
> > uint16_t efd_size; /* size of this item */
> > uint32_t efd_nextents; /* # of extents freed */
> > uint64_t efd_efi_id; /* id of corresponding efi */
> > xfs_extent_t efd_extents[1]; /* array of extents freed */
> > } xfs_efd_log_format_t;
> >
> > Yuck, an array[1] that is actually a VLA!
>
> Always been the case; the comment above both EFI and EFD definitions
> state this directly:
>
> /*
> * This is the structure used to lay out an efi log item in the
> * log. The efi_extents field is a variable size array whose
> * size is given by efi_nextents.
> */
>
> The EFI/EFD support recording multiple extents being freed in a
> single intent. The idea behind this originally was that all the
> extents being freed in a single transaction would be recorded in the
> same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could
> then be relogged as progress freeing those extents is made after the
> BMBT modifications were committed...
>
> > I guess we're going to have to turn that into a real VLA, and adjust the
> > xfs_ondisk.h macros to match?
> >
> > What memory sanitizer kconfig option enables this, anyway?
>
> 54d9469bc515 fortify: Add run-time WARN for cross-field memcpy()
>
> CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2.
>
> It effectively ignores flex arrays defined with [], but sees
> anything defined with [1] as a fixed size array of known size and so
> issues a warning when it's actually used as a flex array.
>
> unsafe_memcpy() could be a temporary solution, given we know the
> code works fine as it stands...
Annoyingly, this now triggers fstests failures on xfs/436 when log
recovery tries to memcpy a BUI log item:
------------[ cut here ]------------
memcpy: detected field-spanning write (size 48) of single field
"dst_bui_fmt" at fs/xfs/xfs_bmap_item.c:628 (size 16)
WARNING: CPU: 0 PID: 20925 at fs/xfs/xfs_bmap_item.c:628
xlog_recover_bui_commit_pass2+0x124/0x160 [xfs]
Here we're using struct xfs_map_extent bui_extents[] for the VLA, so I
think this means the memcpy fortify macros aren't detecting the VLAs
correctly at all.
--D
> Cheers,
>
> Dave.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
next prev parent reply other threads:[~2022-10-18 20:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
2022-10-09 12:08 ` [Bug 216563] " bugzilla-daemon
2022-10-09 17:08 ` [Bug 216563] New: " Darrick J. Wong
2022-10-09 22:42 ` Dave Chinner
2022-10-09 17:08 ` [Bug 216563] " bugzilla-daemon
2022-10-09 22:42 ` bugzilla-daemon
2022-10-18 20:44 ` Darrick J. Wong [this message]
2022-10-18 20:44 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y08QKc6YMSOthy2N@magnolia \
--to=djwong@kernel.org \
--cc=bugzilla-daemon@kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.