* [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446)
@ 2019-03-18 6:20 Murphy Zhou
2019-03-18 19:39 ` Steve French
2019-03-19 1:09 ` ronnie sahlberg
0 siblings, 2 replies; 6+ messages in thread
From: Murphy Zhou @ 2019-03-18 6:20 UTC (permalink / raw)
To: CIFS; +Cc: ronniesahlberg, piastryyy
Hi,
My mail account got stuck for a few days and I missed you guys' reply
about generic/013 hang.
The commits Ronnie mentioned have been merged into Linus tress, and
tests passed. Thanks!
The commit Pavel talked about is not merged yet. I'll test after it
hit Linus tree or any -for-next branch.
The setup I'm using is:
----------------------------------------------
# cat /etc/samba/smb.conf
[test]
path = /export/cifstest
writeable = yes
[scratch]
path = /export/cifsscratch
writeable = yes
# cat xfstests-dev/local.config
TEST_DEV=//localhost/test
TEST_DIR=/cifsmnt
SCRATCH_DEV=//localhost/scratch
SCRATCH_MNT=/cifssch
FSTYP=cifs
MOUNT_OPTIONS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
TEST_FS_MOUNT_OPTS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
MKFS_OPTIONS=""
--------------------------------------------------------
Now with kernel updated to 5.1-rc1, generic/446 starts to panic. It's
easy to reproduce. I'm going to bisect this issue, just sending this
email to give you guys a update and heads up. :)
[ 4991.913298] detected buffer overflow in strcat
[ 4991.918273] ------------[ cut here ]------------
[ 4991.923422] kernel BUG at lib/string.c:1053!
[ 4991.928190] invalid opcode: 0000 [#1] SMP PTI
[ 4991.933048] CPU: 0 PID: 860 Comm: kworker/0:1 Not tainted 5.0.0+ #1
[ 4991.940037] Hardware name: IBM IBM System X3250 M4
-[2583AC1]-/00D3729, BIOS -[JQE164AUS-1.07]- 12/09/2013
[ 4991.950832] Workqueue: cifsoplockd cifs_oplock_break [cifs]
[ 4991.957049] RIP: 0010:fortify_panic+0xf/0x1a
[ 4991.961811] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
53 48
[ 4991.982764] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
[ 4991.988591] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
[ 4991.996551] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
[ 4992.004512] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
[ 4992.012471] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
[ 4992.020432] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
[ 4992.028393] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
knlGS:0000000000000000
[ 4992.037420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4992.043830] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
[ 4992.051789] Call Trace:
[ 4992.054537] smb21_set_oplock_level.cold.39+0xc/0xc [cifs]
[ 4992.060673] smb3_set_oplock_level+0x1d/0x80 [cifs]
[ 4992.066125] cifs_oplock_break+0x89/0x400 [cifs]
[ 4992.071276] process_one_work+0x1a1/0x3a0
[ 4992.075746] worker_thread+0x30/0x380
[ 4992.079828] ? mod_delayed_work_on+0x90/0x90
[ 4992.084588] kthread+0x112/0x130
[ 4992.088185] ? __kthread_parkme+0x70/0x70
[ 4992.092655] ret_from_fork+0x35/0x40
[ 4992.096640] Modules linked in: loop dm_mod arc4 md4 sha512_ssse3
sha512_generic cmac nls_utf8 cifs ccm dns_resolver sunrpc intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass
crct10dif_pclmul crc32_pclmul ext4 iTCO_wdt cdc_ether
ghash_clmulni_intel usbnet ipmi_ssif iTCO_vendor_support mii
intel_cstate gpio_ich sg intel_uncore ipmi_devintf intel_rapl_perf
mbcache pcspkr i2c_i801 jbd2 ipmi_msghandler lpc_ich ie31200_edac xfs
libcrc32c sr_mod sd_mod cdrom ata_generic mgag200 i2c_algo_bit
drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
ata_piix libata crc32c_intel e1000e wmi
[ 4992.158052] ---[ end trace 5d01c28800220e20 ]---
[ 4992.163209] RIP: 0010:fortify_panic+0xf/0x1a
[ 4992.167973] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
53 48
[ 4992.188930] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
[ 4992.194761] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
[ 4992.202725] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
[ 4992.210686] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
[ 4992.218650] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
[ 4992.226613] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
[ 4992.234576] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
knlGS:0000000000000000
[ 4992.243606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4992.250017] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
[ 4992.257979] Kernel panic - not syncing: Fatal exception
[ 4992.263838] Kernel Offset: 0x3aa00000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 4992.275862] ---[ end Kernel panic - not syncing: Fatal exception ]---
Thanks,
M
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446)
2019-03-18 6:20 [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446) Murphy Zhou
@ 2019-03-18 19:39 ` Steve French
2019-03-19 12:29 ` Murphy Zhou
2019-03-19 1:09 ` ronnie sahlberg
1 sibling, 1 reply; 6+ messages in thread
From: Steve French @ 2019-03-18 19:39 UTC (permalink / raw)
To: Murphy Zhou; +Cc: CIFS, ronnie sahlberg, Pavel Shilovsky
Thanks for the update - it will be very helpful if we can make sure
that when something like this is found that we add a simple (hopefully
a test that adds less than 1 minute to execution time) xfstest or
script that we can add to tests/cifs in xfstests that will ensure that
we never regress that scenario in the future.
We are trying to add more and more tests to the 'buildbot'
(http://smb3-test-rhel-75.southcentralus.cloudapp.azure.com) to
continue to improve automated functional test verification for cifs.ko
(it has already been an enormous help just in the last few months)
On Mon, Mar 18, 2019 at 1:21 AM Murphy Zhou <jencce.kernel@gmail.com> wrote:
>
> Hi,
>
> My mail account got stuck for a few days and I missed you guys' reply
> about generic/013 hang.
>
> The commits Ronnie mentioned have been merged into Linus tress, and
> tests passed. Thanks!
>
> The commit Pavel talked about is not merged yet. I'll test after it
> hit Linus tree or any -for-next branch.
>
> The setup I'm using is:
> ----------------------------------------------
> # cat /etc/samba/smb.conf
> [test]
> path = /export/cifstest
> writeable = yes
> [scratch]
> path = /export/cifsscratch
> writeable = yes
> # cat xfstests-dev/local.config
> TEST_DEV=//localhost/test
> TEST_DIR=/cifsmnt
> SCRATCH_DEV=//localhost/scratch
> SCRATCH_MNT=/cifssch
> FSTYP=cifs
> MOUNT_OPTIONS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> TEST_FS_MOUNT_OPTS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> MKFS_OPTIONS=""
> --------------------------------------------------------
>
>
> Now with kernel updated to 5.1-rc1, generic/446 starts to panic. It's
> easy to reproduce. I'm going to bisect this issue, just sending this
> email to give you guys a update and heads up. :)
>
> [ 4991.913298] detected buffer overflow in strcat
> [ 4991.918273] ------------[ cut here ]------------
> [ 4991.923422] kernel BUG at lib/string.c:1053!
> [ 4991.928190] invalid opcode: 0000 [#1] SMP PTI
> [ 4991.933048] CPU: 0 PID: 860 Comm: kworker/0:1 Not tainted 5.0.0+ #1
> [ 4991.940037] Hardware name: IBM IBM System X3250 M4
> -[2583AC1]-/00D3729, BIOS -[JQE164AUS-1.07]- 12/09/2013
> [ 4991.950832] Workqueue: cifsoplockd cifs_oplock_break [cifs]
> [ 4991.957049] RIP: 0010:fortify_panic+0xf/0x1a
> [ 4991.961811] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> 53 48
> [ 4991.982764] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> [ 4991.988591] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> [ 4991.996551] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> [ 4992.004512] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> [ 4992.012471] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> [ 4992.020432] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> [ 4992.028393] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> knlGS:0000000000000000
> [ 4992.037420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4992.043830] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> [ 4992.051789] Call Trace:
> [ 4992.054537] smb21_set_oplock_level.cold.39+0xc/0xc [cifs]
> [ 4992.060673] smb3_set_oplock_level+0x1d/0x80 [cifs]
> [ 4992.066125] cifs_oplock_break+0x89/0x400 [cifs]
> [ 4992.071276] process_one_work+0x1a1/0x3a0
> [ 4992.075746] worker_thread+0x30/0x380
> [ 4992.079828] ? mod_delayed_work_on+0x90/0x90
> [ 4992.084588] kthread+0x112/0x130
> [ 4992.088185] ? __kthread_parkme+0x70/0x70
> [ 4992.092655] ret_from_fork+0x35/0x40
> [ 4992.096640] Modules linked in: loop dm_mod arc4 md4 sha512_ssse3
> sha512_generic cmac nls_utf8 cifs ccm dns_resolver sunrpc intel_rapl
> x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass
> crct10dif_pclmul crc32_pclmul ext4 iTCO_wdt cdc_ether
> ghash_clmulni_intel usbnet ipmi_ssif iTCO_vendor_support mii
> intel_cstate gpio_ich sg intel_uncore ipmi_devintf intel_rapl_perf
> mbcache pcspkr i2c_i801 jbd2 ipmi_msghandler lpc_ich ie31200_edac xfs
> libcrc32c sr_mod sd_mod cdrom ata_generic mgag200 i2c_algo_bit
> drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
> ata_piix libata crc32c_intel e1000e wmi
> [ 4992.158052] ---[ end trace 5d01c28800220e20 ]---
> [ 4992.163209] RIP: 0010:fortify_panic+0xf/0x1a
> [ 4992.167973] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> 53 48
> [ 4992.188930] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> [ 4992.194761] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> [ 4992.202725] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> [ 4992.210686] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> [ 4992.218650] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> [ 4992.226613] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> [ 4992.234576] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> knlGS:0000000000000000
> [ 4992.243606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4992.250017] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> [ 4992.257979] Kernel panic - not syncing: Fatal exception
> [ 4992.263838] Kernel Offset: 0x3aa00000 from 0xffffffff81000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [ 4992.275862] ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> Thanks,
> M
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446)
2019-03-18 19:39 ` Steve French
@ 2019-03-19 12:29 ` Murphy Zhou
0 siblings, 0 replies; 6+ messages in thread
From: Murphy Zhou @ 2019-03-19 12:29 UTC (permalink / raw)
To: Steve French; +Cc: CIFS, ronnie sahlberg, Pavel Shilovsky
On Tue, Mar 19, 2019 at 3:39 AM Steve French <smfrench@gmail.com> wrote:
>
> Thanks for the update - it will be very helpful if we can make sure
> that when something like this is found that we add a simple (hopefully
> a test that adds less than 1 minute to execution time) xfstest or
> script that we can add to tests/cifs in xfstests that will ensure that
> we never regress that scenario in the future.
Sure. That's true.
>
> We are trying to add more and more tests to the 'buildbot'
> (http://smb3-test-rhel-75.southcentralus.cloudapp.azure.com) to
> continue to improve automated functional test verification for cifs.ko
> (it has already been an enormous help just in the last few months)
Great!
>
> On Mon, Mar 18, 2019 at 1:21 AM Murphy Zhou <jencce.kernel@gmail.com> wrote:
> >
> > Hi,
> >
> > My mail account got stuck for a few days and I missed you guys' reply
> > about generic/013 hang.
> >
> > The commits Ronnie mentioned have been merged into Linus tress, and
> > tests passed. Thanks!
> >
> > The commit Pavel talked about is not merged yet. I'll test after it
> > hit Linus tree or any -for-next branch.
> >
> > The setup I'm using is:
> > ----------------------------------------------
> > # cat /etc/samba/smb.conf
> > [test]
> > path = /export/cifstest
> > writeable = yes
> > [scratch]
> > path = /export/cifsscratch
> > writeable = yes
> > # cat xfstests-dev/local.config
> > TEST_DEV=//localhost/test
> > TEST_DIR=/cifsmnt
> > SCRATCH_DEV=//localhost/scratch
> > SCRATCH_MNT=/cifssch
> > FSTYP=cifs
> > MOUNT_OPTIONS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> > TEST_FS_MOUNT_OPTS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> > MKFS_OPTIONS=""
> > --------------------------------------------------------
> >
> >
> > Now with kernel updated to 5.1-rc1, generic/446 starts to panic. It's
> > easy to reproduce. I'm going to bisect this issue, just sending this
> > email to give you guys a update and heads up. :)
> >
> > [ 4991.913298] detected buffer overflow in strcat
> > [ 4991.918273] ------------[ cut here ]------------
> > [ 4991.923422] kernel BUG at lib/string.c:1053!
> > [ 4991.928190] invalid opcode: 0000 [#1] SMP PTI
> > [ 4991.933048] CPU: 0 PID: 860 Comm: kworker/0:1 Not tainted 5.0.0+ #1
> > [ 4991.940037] Hardware name: IBM IBM System X3250 M4
> > -[2583AC1]-/00D3729, BIOS -[JQE164AUS-1.07]- 12/09/2013
> > [ 4991.950832] Workqueue: cifsoplockd cifs_oplock_break [cifs]
> > [ 4991.957049] RIP: 0010:fortify_panic+0xf/0x1a
> > [ 4991.961811] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> > 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> > 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> > 53 48
> > [ 4991.982764] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> > [ 4991.988591] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> > [ 4991.996551] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> > [ 4992.004512] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> > [ 4992.012471] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> > [ 4992.020432] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> > [ 4992.028393] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> > knlGS:0000000000000000
> > [ 4992.037420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 4992.043830] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> > [ 4992.051789] Call Trace:
> > [ 4992.054537] smb21_set_oplock_level.cold.39+0xc/0xc [cifs]
> > [ 4992.060673] smb3_set_oplock_level+0x1d/0x80 [cifs]
> > [ 4992.066125] cifs_oplock_break+0x89/0x400 [cifs]
> > [ 4992.071276] process_one_work+0x1a1/0x3a0
> > [ 4992.075746] worker_thread+0x30/0x380
> > [ 4992.079828] ? mod_delayed_work_on+0x90/0x90
> > [ 4992.084588] kthread+0x112/0x130
> > [ 4992.088185] ? __kthread_parkme+0x70/0x70
> > [ 4992.092655] ret_from_fork+0x35/0x40
> > [ 4992.096640] Modules linked in: loop dm_mod arc4 md4 sha512_ssse3
> > sha512_generic cmac nls_utf8 cifs ccm dns_resolver sunrpc intel_rapl
> > x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass
> > crct10dif_pclmul crc32_pclmul ext4 iTCO_wdt cdc_ether
> > ghash_clmulni_intel usbnet ipmi_ssif iTCO_vendor_support mii
> > intel_cstate gpio_ich sg intel_uncore ipmi_devintf intel_rapl_perf
> > mbcache pcspkr i2c_i801 jbd2 ipmi_msghandler lpc_ich ie31200_edac xfs
> > libcrc32c sr_mod sd_mod cdrom ata_generic mgag200 i2c_algo_bit
> > drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
> > ata_piix libata crc32c_intel e1000e wmi
> > [ 4992.158052] ---[ end trace 5d01c28800220e20 ]---
> > [ 4992.163209] RIP: 0010:fortify_panic+0xf/0x1a
> > [ 4992.167973] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> > 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> > 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> > 53 48
> > [ 4992.188930] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> > [ 4992.194761] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> > [ 4992.202725] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> > [ 4992.210686] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> > [ 4992.218650] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> > [ 4992.226613] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> > [ 4992.234576] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> > knlGS:0000000000000000
> > [ 4992.243606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 4992.250017] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> > [ 4992.257979] Kernel panic - not syncing: Fatal exception
> > [ 4992.263838] Kernel Offset: 0x3aa00000 from 0xffffffff81000000
> > (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> > [ 4992.275862] ---[ end Kernel panic - not syncing: Fatal exception ]---
> >
> > Thanks,
> > M
>
>
>
> --
> Thanks,
>
> Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446)
2019-03-18 6:20 [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446) Murphy Zhou
2019-03-18 19:39 ` Steve French
@ 2019-03-19 1:09 ` ronnie sahlberg
2019-03-19 10:39 ` Aurélien Aptel
2019-03-19 12:34 ` Murphy Zhou
1 sibling, 2 replies; 6+ messages in thread
From: ronnie sahlberg @ 2019-03-19 1:09 UTC (permalink / raw)
To: Murphy Zhou; +Cc: CIFS, Pavel Shilovsky
Hi,
I tested generic/446 on both my machine as well as our buildbot using
Steves current for-next branch and it passes without crashing.
I have added this test to our buildbot so we will continue to run it
for every patch moving forward.
Can you test if you still get crashes if you use Steve's for-next branch ?
On Mon, Mar 18, 2019 at 4:20 PM Murphy Zhou <jencce.kernel@gmail.com> wrote:
>
> Hi,
>
> My mail account got stuck for a few days and I missed you guys' reply
> about generic/013 hang.
>
> The commits Ronnie mentioned have been merged into Linus tress, and
> tests passed. Thanks!
>
> The commit Pavel talked about is not merged yet. I'll test after it
> hit Linus tree or any -for-next branch.
>
> The setup I'm using is:
> ----------------------------------------------
> # cat /etc/samba/smb.conf
> [test]
> path = /export/cifstest
> writeable = yes
> [scratch]
> path = /export/cifsscratch
> writeable = yes
> # cat xfstests-dev/local.config
> TEST_DEV=//localhost/test
> TEST_DIR=/cifsmnt
> SCRATCH_DEV=//localhost/scratch
> SCRATCH_MNT=/cifssch
> FSTYP=cifs
> MOUNT_OPTIONS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> TEST_FS_MOUNT_OPTS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> MKFS_OPTIONS=""
> --------------------------------------------------------
>
>
> Now with kernel updated to 5.1-rc1, generic/446 starts to panic. It's
> easy to reproduce. I'm going to bisect this issue, just sending this
> email to give you guys a update and heads up. :)
>
> [ 4991.913298] detected buffer overflow in strcat
> [ 4991.918273] ------------[ cut here ]------------
> [ 4991.923422] kernel BUG at lib/string.c:1053!
> [ 4991.928190] invalid opcode: 0000 [#1] SMP PTI
> [ 4991.933048] CPU: 0 PID: 860 Comm: kworker/0:1 Not tainted 5.0.0+ #1
> [ 4991.940037] Hardware name: IBM IBM System X3250 M4
> -[2583AC1]-/00D3729, BIOS -[JQE164AUS-1.07]- 12/09/2013
> [ 4991.950832] Workqueue: cifsoplockd cifs_oplock_break [cifs]
> [ 4991.957049] RIP: 0010:fortify_panic+0xf/0x1a
> [ 4991.961811] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> 53 48
> [ 4991.982764] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> [ 4991.988591] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> [ 4991.996551] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> [ 4992.004512] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> [ 4992.012471] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> [ 4992.020432] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> [ 4992.028393] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> knlGS:0000000000000000
> [ 4992.037420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4992.043830] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> [ 4992.051789] Call Trace:
> [ 4992.054537] smb21_set_oplock_level.cold.39+0xc/0xc [cifs]
> [ 4992.060673] smb3_set_oplock_level+0x1d/0x80 [cifs]
> [ 4992.066125] cifs_oplock_break+0x89/0x400 [cifs]
> [ 4992.071276] process_one_work+0x1a1/0x3a0
> [ 4992.075746] worker_thread+0x30/0x380
> [ 4992.079828] ? mod_delayed_work_on+0x90/0x90
> [ 4992.084588] kthread+0x112/0x130
> [ 4992.088185] ? __kthread_parkme+0x70/0x70
> [ 4992.092655] ret_from_fork+0x35/0x40
> [ 4992.096640] Modules linked in: loop dm_mod arc4 md4 sha512_ssse3
> sha512_generic cmac nls_utf8 cifs ccm dns_resolver sunrpc intel_rapl
> x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass
> crct10dif_pclmul crc32_pclmul ext4 iTCO_wdt cdc_ether
> ghash_clmulni_intel usbnet ipmi_ssif iTCO_vendor_support mii
> intel_cstate gpio_ich sg intel_uncore ipmi_devintf intel_rapl_perf
> mbcache pcspkr i2c_i801 jbd2 ipmi_msghandler lpc_ich ie31200_edac xfs
> libcrc32c sr_mod sd_mod cdrom ata_generic mgag200 i2c_algo_bit
> drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
> ata_piix libata crc32c_intel e1000e wmi
> [ 4992.158052] ---[ end trace 5d01c28800220e20 ]---
> [ 4992.163209] RIP: 0010:fortify_panic+0xf/0x1a
> [ 4992.167973] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> 53 48
> [ 4992.188930] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> [ 4992.194761] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> [ 4992.202725] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> [ 4992.210686] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> [ 4992.218650] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> [ 4992.226613] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> [ 4992.234576] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> knlGS:0000000000000000
> [ 4992.243606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4992.250017] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> [ 4992.257979] Kernel panic - not syncing: Fatal exception
> [ 4992.263838] Kernel Offset: 0x3aa00000 from 0xffffffff81000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [ 4992.275862] ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> Thanks,
> M
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446)
2019-03-19 1:09 ` ronnie sahlberg
@ 2019-03-19 10:39 ` Aurélien Aptel
2019-03-19 12:34 ` Murphy Zhou
1 sibling, 0 replies; 6+ messages in thread
From: Aurélien Aptel @ 2019-03-19 10:39 UTC (permalink / raw)
To: ronnie sahlberg, Murphy Zhou; +Cc: CIFS, Pavel Shilovsky
ronnie sahlberg <ronniesahlberg@gmail.com> writes:
> I tested generic/446 on both my machine as well as our buildbot using
> Steves current for-next branch and it passes without crashing.
> I have added this test to our buildbot so we will continue to run it
> for every patch moving forward.
>
> Can you test if you still get crashes if you use Steve's for-next branch ?
Do you have KASAN enabled in the kernel config?
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446)
2019-03-19 1:09 ` ronnie sahlberg
2019-03-19 10:39 ` Aurélien Aptel
@ 2019-03-19 12:34 ` Murphy Zhou
1 sibling, 0 replies; 6+ messages in thread
From: Murphy Zhou @ 2019-03-19 12:34 UTC (permalink / raw)
To: ronnie sahlberg; +Cc: CIFS, Pavel Shilovsky
Hi,
On Tue, Mar 19, 2019 at 9:09 AM ronnie sahlberg
<ronniesahlberg@gmail.com> wrote:
>
> Hi,
>
> I tested generic/446 on both my machine as well as our buildbot using
> Steves current for-next branch and it passes without crashing.
> I have added this test to our buildbot so we will continue to run it
> for every patch moving forward.
Looping a few times will reproduce.
>
> Can you test if you still get crashes if you use Steve's for-next branch ?
Yes. The same panic on the 5th loop.
Thanks,
M
>
> On Mon, Mar 18, 2019 at 4:20 PM Murphy Zhou <jencce.kernel@gmail.com> wrote:
> >
> > Hi,
> >
> > My mail account got stuck for a few days and I missed you guys' reply
> > about generic/013 hang.
> >
> > The commits Ronnie mentioned have been merged into Linus tress, and
> > tests passed. Thanks!
> >
> > The commit Pavel talked about is not merged yet. I'll test after it
> > hit Linus tree or any -for-next branch.
> >
> > The setup I'm using is:
> > ----------------------------------------------
> > # cat /etc/samba/smb.conf
> > [test]
> > path = /export/cifstest
> > writeable = yes
> > [scratch]
> > path = /export/cifsscratch
> > writeable = yes
> > # cat xfstests-dev/local.config
> > TEST_DEV=//localhost/test
> > TEST_DIR=/cifsmnt
> > SCRATCH_DEV=//localhost/scratch
> > SCRATCH_MNT=/cifssch
> > FSTYP=cifs
> > MOUNT_OPTIONS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> > TEST_FS_MOUNT_OPTS="-o vers=3.0,username=root,password=redhat,sfu,mfsymlinks"
> > MKFS_OPTIONS=""
> > --------------------------------------------------------
> >
> >
> > Now with kernel updated to 5.1-rc1, generic/446 starts to panic. It's
> > easy to reproduce. I'm going to bisect this issue, just sending this
> > email to give you guys a update and heads up. :)
> >
> > [ 4991.913298] detected buffer overflow in strcat
> > [ 4991.918273] ------------[ cut here ]------------
> > [ 4991.923422] kernel BUG at lib/string.c:1053!
> > [ 4991.928190] invalid opcode: 0000 [#1] SMP PTI
> > [ 4991.933048] CPU: 0 PID: 860 Comm: kworker/0:1 Not tainted 5.0.0+ #1
> > [ 4991.940037] Hardware name: IBM IBM System X3250 M4
> > -[2583AC1]-/00D3729, BIOS -[JQE164AUS-1.07]- 12/09/2013
> > [ 4991.950832] Workqueue: cifsoplockd cifs_oplock_break [cifs]
> > [ 4991.957049] RIP: 0010:fortify_panic+0xf/0x1a
> > [ 4991.961811] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> > 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> > 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> > 53 48
> > [ 4991.982764] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> > [ 4991.988591] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> > [ 4991.996551] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> > [ 4992.004512] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> > [ 4992.012471] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> > [ 4992.020432] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> > [ 4992.028393] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> > knlGS:0000000000000000
> > [ 4992.037420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 4992.043830] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> > [ 4992.051789] Call Trace:
> > [ 4992.054537] smb21_set_oplock_level.cold.39+0xc/0xc [cifs]
> > [ 4992.060673] smb3_set_oplock_level+0x1d/0x80 [cifs]
> > [ 4992.066125] cifs_oplock_break+0x89/0x400 [cifs]
> > [ 4992.071276] process_one_work+0x1a1/0x3a0
> > [ 4992.075746] worker_thread+0x30/0x380
> > [ 4992.079828] ? mod_delayed_work_on+0x90/0x90
> > [ 4992.084588] kthread+0x112/0x130
> > [ 4992.088185] ? __kthread_parkme+0x70/0x70
> > [ 4992.092655] ret_from_fork+0x35/0x40
> > [ 4992.096640] Modules linked in: loop dm_mod arc4 md4 sha512_ssse3
> > sha512_generic cmac nls_utf8 cifs ccm dns_resolver sunrpc intel_rapl
> > x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass
> > crct10dif_pclmul crc32_pclmul ext4 iTCO_wdt cdc_ether
> > ghash_clmulni_intel usbnet ipmi_ssif iTCO_vendor_support mii
> > intel_cstate gpio_ich sg intel_uncore ipmi_devintf intel_rapl_perf
> > mbcache pcspkr i2c_i801 jbd2 ipmi_msghandler lpc_ich ie31200_edac xfs
> > libcrc32c sr_mod sd_mod cdrom ata_generic mgag200 i2c_algo_bit
> > drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
> > ata_piix libata crc32c_intel e1000e wmi
> > [ 4992.158052] ---[ end trace 5d01c28800220e20 ]---
> > [ 4992.163209] RIP: 0010:fortify_panic+0xf/0x1a
> > [ 4992.167973] Code: 48 89 cf 48 0f 42 e8 48 89 ea e8 86 94 00 00 c6
> > 04 28 00 48 89 d8 5b 5d c3 0f 0b 48 89 fe 48 c7 c7 d8 a6 b3 bc e8 09
> > 46 8c ff <0f> 0b 90 90 90 90 90 90 90 90 90 55 48 89 fa 48 89 fd 31 c9
> > 53 48
> > [ 4992.188930] RSP: 0018:ffff98d689897e00 EFLAGS: 00010246
> > [ 4992.194761] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
> > [ 4992.202725] RDX: 0000000000000000 RSI: ffff8b53f7a15a98 RDI: ffff8b53f7a15a98
> > [ 4992.210686] RBP: ffff8b53ee63bd08 R08: 0000000000000f89 R09: 0000000000000000
> > [ 4992.218650] R10: 0000000000000000 R11: ffff98d689897cb0 R12: 0000000000000000
> > [ 4992.226613] R13: 0000000000000003 R14: ffff8b53f5bb1800 R15: ffff8b53f5bb7000
> > [ 4992.234576] FS: 0000000000000000(0000) GS:ffff8b53f7a00000(0000)
> > knlGS:0000000000000000
> > [ 4992.243606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 4992.250017] CR2: 000000000062aa28 CR3: 0000000102c0e002 CR4: 00000000001606f0
> > [ 4992.257979] Kernel panic - not syncing: Fatal exception
> > [ 4992.263838] Kernel Offset: 0x3aa00000 from 0xffffffff81000000
> > (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> > [ 4992.275862] ---[ end Kernel panic - not syncing: Fatal exception ]---
> >
> > Thanks,
> > M
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-03-19 12:34 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-18 6:20 [5.1-rc1 CIFS regression] detected buffer overflow in strcat in smb21_set_oplock_level (xfstests generic/446) Murphy Zhou
2019-03-18 19:39 ` Steve French
2019-03-19 12:29 ` Murphy Zhou
2019-03-19 1:09 ` ronnie sahlberg
2019-03-19 10:39 ` Aurélien Aptel
2019-03-19 12:34 ` Murphy Zhou
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.