sysfs: upgrade OOB write by buggy .show hook into WARNing

Linux filesystem development
 help / color / mirror / Atom feed

* sysfs: upgrade OOB write by buggy .show hook into WARNing
@ 2026-05-06 15:04 Alexey Dobriyan
  2026-05-07  9:01 ` [PATCH] " Alexey Dobriyan
  0 siblings, 1 reply; 6+ messages in thread
From: Alexey Dobriyan @ 2026-05-06 15:04 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Rafael J. Wysocki, Danilo Krummrich; +Cc: linux-fsdevel

Buggy .show hook will get just 1 line of dmesg:

	fill_read_buffer: ext4_attr_show+0x0/0x600 returned bad count

It may or may not oops later in some unrelated process.

But buggy .show hook most likely is corrupting random memory past sysfs
buffer therefore deserving more. WARN, make it more visible and let
QA machines panic earlier.

Also, delete useless cast -- "count" is >=0 at this point.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 fs/sysfs/file.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -70,9 +70,8 @@ static int sysfs_kf_seq_show(struct seq_file *sf, void *v)
 	 * The code works fine with PAGE_SIZE return but it's likely to
 	 * indicate truncated result or overflow in normal use cases.
 	 */
-	if (count >= (ssize_t)PAGE_SIZE) {
-		printk("fill_read_buffer: %pS returned bad count\n",
-				ops->show);
+	if (count >= PAGE_SIZE) {
+		WARN(1, "OOB write or bad count %zd at %pS\n", count, ops->show);
 		/* Try to struggle along */
 		count = PAGE_SIZE - 1;
 	}

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] sysfs: upgrade OOB write by buggy .show hook into WARNing
  2026-05-06 15:04 sysfs: upgrade OOB write by buggy .show hook into WARNing Alexey Dobriyan
@ 2026-05-07  9:01 ` Alexey Dobriyan
  2026-05-07  9:05   ` Greg Kroah-Hartman
  2026-05-07  9:28   ` Danilo Krummrich
  0 siblings, 2 replies; 6+ messages in thread
From: Alexey Dobriyan @ 2026-05-07  9:01 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Rafael J. Wysocki, Danilo Krummrich; +Cc: linux-fsdevel

Buggy .show hook will get just 1 line of dmesg:

	fill_read_buffer: ext4_attr_show+0x0/0x600 returned bad count

It may or may not oops later in some unrelated process.

But buggy .show hook most likely is corrupting random memory past sysfs
buffer therefore deserving more. WARN, make it more visible and let
QA machines panic earlier.

Also, delete useless cast -- "count" is >=0 at this point.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 fs/sysfs/file.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -70,9 +70,8 @@ static int sysfs_kf_seq_show(struct seq_file *sf, void *v)
 	 * The code works fine with PAGE_SIZE return but it's likely to
 	 * indicate truncated result or overflow in normal use cases.
 	 */
-	if (count >= (ssize_t)PAGE_SIZE) {
-		printk("fill_read_buffer: %pS returned bad count\n",
-				ops->show);
+	if (count >= PAGE_SIZE) {
+		WARN(1, "OOB write or bad count %zd at %pS\n", count, ops->show);
 		/* Try to struggle along */
 		count = PAGE_SIZE - 1;
 	}

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] sysfs: upgrade OOB write by buggy .show hook into WARNing
  2026-05-07  9:01 ` [PATCH] " Alexey Dobriyan
@ 2026-05-07  9:05   ` Greg Kroah-Hartman
  2026-05-07 13:51     ` Alexey Dobriyan
  2026-05-07  9:28   ` Danilo Krummrich
  1 sibling, 1 reply; 6+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-07  9:05 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: Rafael J. Wysocki, Danilo Krummrich, linux-fsdevel

On Thu, May 07, 2026 at 12:01:43PM +0300, Alexey Dobriyan wrote:
> Buggy .show hook will get just 1 line of dmesg:
> 
> 	fill_read_buffer: ext4_attr_show+0x0/0x600 returned bad count
> 
> It may or may not oops later in some unrelated process.
> 
> But buggy .show hook most likely is corrupting random memory past sysfs
> buffer therefore deserving more. WARN, make it more visible and let
> QA machines panic earlier.
> 
> Also, delete useless cast -- "count" is >=0 at this point.
> 
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> ---
> 
>  fs/sysfs/file.c |    5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

The first was fine, no need for [PATCH] :)

> --- a/fs/sysfs/file.c
> +++ b/fs/sysfs/file.c
> @@ -70,9 +70,8 @@ static int sysfs_kf_seq_show(struct seq_file *sf, void *v)
>  	 * The code works fine with PAGE_SIZE return but it's likely to
>  	 * indicate truncated result or overflow in normal use cases.
>  	 */
> -	if (count >= (ssize_t)PAGE_SIZE) {
> -		printk("fill_read_buffer: %pS returned bad count\n",
> -				ops->show);
> +	if (count >= PAGE_SIZE) {
> +		WARN(1, "OOB write or bad count %zd at %pS\n", count, ops->show);

This is going to be interesting to see what triggers, so I'll go queue
this up soon.

And this implies you did hit this on ext4?  What sysfs file for ext4 is
doing this?  That should not be a valid sysfs file at all.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] sysfs: upgrade OOB write by buggy .show hook into WARNing
  2026-05-07  9:01 ` [PATCH] " Alexey Dobriyan
  2026-05-07  9:05   ` Greg Kroah-Hartman
@ 2026-05-07  9:28   ` Danilo Krummrich
  2026-05-07 13:52     ` Alexey Dobriyan
  1 sibling, 1 reply; 6+ messages in thread
From: Danilo Krummrich @ 2026-05-07  9:28 UTC (permalink / raw)
  To: Alexey Dobriyan
  Cc: Greg Kroah-Hartman, Rafael J. Wysocki, linux-fsdevel, driver-core

(Cc: driver-core)

On Thu May 7, 2026 at 11:01 AM CEST, Alexey Dobriyan wrote:
> Buggy .show hook will get just 1 line of dmesg:
>
> 	fill_read_buffer: ext4_attr_show+0x0/0x600 returned bad count
>
> It may or may not oops later in some unrelated process.
>
> But buggy .show hook most likely is corrupting random memory past sysfs
> buffer therefore deserving more. WARN, make it more visible and let
> QA machines panic earlier.
>
> Also, delete useless cast -- "count" is >=0 at this point.
>
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>

Reviewed-by: Danilo Krummrich <dakr@kernel.org>

NIT: This patch also cleans up the stale "fill_read_buffer:" prefix, and instead
points out the actual caller, which could be mentioned in the commit message --
no need to resend for this though.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] sysfs: upgrade OOB write by buggy .show hook into WARNing
  2026-05-07  9:05   ` Greg Kroah-Hartman
@ 2026-05-07 13:51     ` Alexey Dobriyan
  0 siblings, 0 replies; 6+ messages in thread
From: Alexey Dobriyan @ 2026-05-07 13:51 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Rafael J. Wysocki, Danilo Krummrich, linux-fsdevel

On Thu, May 07, 2026 at 11:05:16AM +0200, Greg Kroah-Hartman wrote:
> On Thu, May 07, 2026 at 12:01:43PM +0300, Alexey Dobriyan wrote:

> > --- a/fs/sysfs/file.c
> > +++ b/fs/sysfs/file.c
> > @@ -70,9 +70,8 @@ static int sysfs_kf_seq_show(struct seq_file *sf, void *v)
> >  	 * The code works fine with PAGE_SIZE return but it's likely to
> >  	 * indicate truncated result or overflow in normal use cases.
> >  	 */
> > -	if (count >= (ssize_t)PAGE_SIZE) {
> > -		printk("fill_read_buffer: %pS returned bad count\n",
> > -				ops->show);
> > +	if (count >= PAGE_SIZE) {
> > +		WARN(1, "OOB write or bad count %zd at %pS\n", count, ops->show);
> 
> This is going to be interesting to see what triggers, so I'll go queue
> this up soon.
> 
> And this implies you did hit this on ext4?

The check was triggered by out-of-tree module.
ext4 is me testing the patch with a custom written buggy hook.

	/sys/alexey

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] sysfs: upgrade OOB write by buggy .show hook into WARNing
  2026-05-07  9:28   ` Danilo Krummrich
@ 2026-05-07 13:52     ` Alexey Dobriyan
  0 siblings, 0 replies; 6+ messages in thread
From: Alexey Dobriyan @ 2026-05-07 13:52 UTC (permalink / raw)
  To: Danilo Krummrich
  Cc: Greg Kroah-Hartman, Rafael J. Wysocki, linux-fsdevel, driver-core

On Thu, May 07, 2026 at 11:28:29AM +0200, Danilo Krummrich wrote:
> (Cc: driver-core)
> 
> On Thu May 7, 2026 at 11:01 AM CEST, Alexey Dobriyan wrote:
> > Buggy .show hook will get just 1 line of dmesg:
> >
> > 	fill_read_buffer: ext4_attr_show+0x0/0x600 returned bad count
> >
> > It may or may not oops later in some unrelated process.
> >
> > But buggy .show hook most likely is corrupting random memory past sysfs
> > buffer therefore deserving more. WARN, make it more visible and let
> > QA machines panic earlier.
> >
> > Also, delete useless cast -- "count" is >=0 at this point.
> >
> > Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> 
> Reviewed-by: Danilo Krummrich <dakr@kernel.org>
> 
> NIT: This patch also cleans up the stale "fill_read_buffer:" prefix, and instead
> points out the actual caller, which could be mentioned in the commit message --
> no need to resend for this though.

Yes. WARN prints enough information to locate the bug, so stale function
name just goes away.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-05-07 13:50 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-06 15:04 sysfs: upgrade OOB write by buggy .show hook into WARNing Alexey Dobriyan
2026-05-07  9:01 ` [PATCH] " Alexey Dobriyan
2026-05-07  9:05   ` Greg Kroah-Hartman
2026-05-07 13:51     ` Alexey Dobriyan
2026-05-07  9:28   ` Danilo Krummrich
2026-05-07 13:52     ` Alexey Dobriyan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox