All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dave Chinner <david@fromorbit.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: bfoster@redhat.com, sandeen@redhat.com, dchinner@redhat.com,
	linux-xfs@vger.kernel.org
Subject: Re: xfs: Uninitialized memory read at xlog_write
Date: Thu, 14 Sep 2017 07:40:28 +1000	[thread overview]
Message-ID: <20170913214028.GX17782@dastard> (raw)
In-Reply-To: <201709131859.AHB43227.SOFFOHJVMLFtOQ@I-love.SAKURA.ne.jp>

On Wed, Sep 13, 2017 at 06:59:38PM +0900, Tetsuo Handa wrote:
> Dave Chinner wrote:
> > On Wed, Sep 13, 2017 at 04:14:37PM +0900, Tetsuo Handa wrote:
> > > [  OK  ] Stopped target Switch Root.
> > > 
> > > [  OK  ] Stopped target Initrd File Systems.[ 1054.691505] WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff880135396660)
> > > [ 1054.691506] 000000000000000093050a200000000000000000000000000000000000000000
> > > [ 1054.691511]  u u u u u u u u i i i i i i i i u u u u u u u u u u u u u u u u
> > > [ 1054.691515]  ^
> > > [ 1054.691519] RIP: 0010:xlog_write+0x344/0x6b0
> > 
> > What line of code does this correspond to?
> > 
> 
>                         /*
>                          * Copy region.
>                          *
>                          * Unmount records just log an opheader, so can have
>                          * empty payloads with no data region to copy. Hence we
>                          * only copy the payload if the vector says it has data
>                          * to copy.
>                          */
>                         ASSERT(copy_len >= 0);
>                         if (copy_len > 0) {
>                                 memcpy(ptr, reg->i_addr + copy_off, copy_len); // <= xlog_write+0x344/0x6b0
>                                 xlog_write_adv_cnt(&ptr, &len, &log_offset,
>                                                    copy_len);
>                         }
> 

Ok, that's what I suspected. The region being copied is set up
in xlog_cil_insert_format_items(), so problem is in one of the
->iop_format methods it calls to format the dirty metadata into the
region.

And given that the address is ...6660, it's likely the offset into
the structure being copied is 96 bytes.

$ pahole...
.....
struct xfs_log_dinode {
.....
       xfs_agino_t                di_next_unlinked;     /*    96     4 */
.....

Try the patch below.

-Dave.
-- 
Dave Chinner
david@fromorbit.com

xfs: log a dummy next_unlinked value

From: Dave Chinner <dchinner@redhat.com>

Prevent kmemcheck from throwing warnings about reading 32 bits of
uninitialised memory when formatting an inode region into the incore
log buffer by writing a dummy value of zero into the
di_next_unlinked field.

Signed-Off-By: Dave Chinner <dchinner@redhat.com>
---
 fs/xfs/xfs_inode_item.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c
index 6d0f74ec31e8..67c59a6c8b7c 100644
--- a/fs/xfs/xfs_inode_item.c
+++ b/fs/xfs/xfs_inode_item.c
@@ -364,6 +364,9 @@ xfs_inode_to_log_dinode(
 	to->di_dmstate = from->di_dmstate;
 	to->di_flags = from->di_flags;
 
+	/* log a dummy value to ensure logged structure is fully initialised */
+	to->di_next_unlinked = NULLAGINO;
+
 	if (from->di_version == 3) {
 		to->di_changecount = inode->i_version;
 		to->di_crtime.t_sec = from->di_crtime.t_sec;

  reply	other threads:[~2017-09-13 21:40 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-04 12:19 xfs: Uninitialized memory read at xlog_write Tetsuo Handa
2017-09-04 17:34 ` Darrick J. Wong
2017-09-04 21:44   ` Tetsuo Handa
2017-09-11 15:01 ` Brian Foster
2017-09-13  7:14   ` Tetsuo Handa
2017-09-13  9:43     ` Dave Chinner
2017-09-13  9:59       ` Tetsuo Handa
2017-09-13 21:40         ` Dave Chinner [this message]
2017-09-14 10:15           ` Tetsuo Handa
2017-09-14 22:44             ` Dave Chinner
2017-09-15 11:19               ` Tetsuo Handa
2017-09-18 18:21               ` Darrick J. Wong
2017-09-20  0:46                 ` Dave Chinner
2017-09-20  0:49                   ` Darrick J. Wong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170913214028.GX17782@dastard \
    --to=david@fromorbit.com \
    --cc=bfoster@redhat.com \
    --cc=dchinner@redhat.com \
    --cc=linux-xfs@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    --cc=sandeen@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.