From: bugzilla-daemon@kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
Date: Tue, 18 Oct 2022 20:44:26 +0000 [thread overview]
Message-ID: <bug-216563-201763-3vpUtdFzFb@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-216563-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=216563
--- Comment #4 from Darrick J. Wong (djwong@kernel.org) ---
On Sun, Oct 09, 2022 at 10:42:29PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216563
>
> --- Comment #3 from Dave Chinner (david@fromorbit.com) ---
> On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote:
> > On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> > > https://bugzilla.kernel.org/show_bug.cgi?id=216563
> > >
> > > Bug ID: 216563
> > > Summary: [xfstests generic/113] memcpy: detected
> field-spanning
> > > write (size 32) of single field
> > > "efdp->efd_format.efd_extents" at
> > > fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > Product: File System
> > > Version: 2.5
> > > Kernel Version: v6.1-rc0
> > > Hardware: All
> > > OS: Linux
> > > Tree: Mainline
> > > Status: NEW
> > > Severity: normal
> > > Priority: P1
> > > Component: XFS
> > > Assignee: filesystem_xfs@kernel-bugs.kernel.org
> > > Reporter: zlang@redhat.com
> > > Regression: No
> > >
> > > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k
> > directory
> > > block size (-n size=65536). It's reproducible for me, and the last time I
> > > reproduce this bug on linux v6.0+ which HEAD= ...
> > >
> > > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> > > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > > Date: Fri Oct 7 17:04:10 2022 -0700
> > >
> > > Merge tag 'driver-core-6.1-rc1' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
> > >
> > > I hit this issue on xfs with 64k directory block size 3 times(aarch64,
> > x86_64
> > > and ppc64le), and once on xfs with 1k blocksize (aarch64).
> > >
> > >
> > > [1]
> > > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> > > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4333.094807] XFS (sda3): Unmounting Filesystem
> > > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> > > [ 4333.973061] XFS (sda3): Ending clean mount
> > > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4338.564849] XFS (sda3): Unmounting Filesystem
> > > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> > > [ 4339.430908] XFS (sda3): Ending clean mount
> > > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4343.379506] XFS (sda3): Unmounting Filesystem
> > > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> > > [ 4344.232984] XFS (sda3): Ending clean mount
> > > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4348.198562] XFS (sda3): Unmounting Filesystem
> > > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> > > [ 4349.104995] XFS (sda3): Ending clean mount
> > > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4353.233555] XFS (sda3): Unmounting Filesystem
> > > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> > > [ 4354.135975] XFS (sda3): Ending clean mount
> > > [ 4354.337550] ------------[ cut here ]------------
> > > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single
> > field
> > > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at
> fs/xfs/xfs_extfree_item.c:693
> > > xfs_efi_item_relog+0x1fc/0x270 [xfs]
> >
> > I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
> > structure definition is:
> >
> > typedef struct xfs_efd_log_format {
> > uint16_t efd_type; /* efd log item type */
> > uint16_t efd_size; /* size of this item */
> > uint32_t efd_nextents; /* # of extents freed */
> > uint64_t efd_efi_id; /* id of corresponding efi */
> > xfs_extent_t efd_extents[1]; /* array of extents freed */
> > } xfs_efd_log_format_t;
> >
> > Yuck, an array[1] that is actually a VLA!
>
> Always been the case; the comment above both EFI and EFD definitions
> state this directly:
>
> /*
> * This is the structure used to lay out an efi log item in the
> * log. The efi_extents field is a variable size array whose
> * size is given by efi_nextents.
> */
>
> The EFI/EFD support recording multiple extents being freed in a
> single intent. The idea behind this originally was that all the
> extents being freed in a single transaction would be recorded in the
> same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could
> then be relogged as progress freeing those extents is made after the
> BMBT modifications were committed...
>
> > I guess we're going to have to turn that into a real VLA, and adjust the
> > xfs_ondisk.h macros to match?
> >
> > What memory sanitizer kconfig option enables this, anyway?
>
> 54d9469bc515 fortify: Add run-time WARN for cross-field memcpy()
>
> CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2.
>
> It effectively ignores flex arrays defined with [], but sees
> anything defined with [1] as a fixed size array of known size and so
> issues a warning when it's actually used as a flex array.
>
> unsafe_memcpy() could be a temporary solution, given we know the
> code works fine as it stands...
Annoyingly, this now triggers fstests failures on xfs/436 when log
recovery tries to memcpy a BUI log item:
------------[ cut here ]------------
memcpy: detected field-spanning write (size 48) of single field
"dst_bui_fmt" at fs/xfs/xfs_bmap_item.c:628 (size 16)
WARNING: CPU: 0 PID: 20925 at fs/xfs/xfs_bmap_item.c:628
xlog_recover_bui_commit_pass2+0x124/0x160 [xfs]
Here we're using struct xfs_map_extent bui_extents[] for the VLA, so I
think this means the memcpy fortify macros aren't detecting the VLAs
correctly at all.
--D
> Cheers,
>
> Dave.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
prev parent reply other threads:[~2022-10-18 20:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
2022-10-09 12:08 ` [Bug 216563] " bugzilla-daemon
2022-10-09 17:08 ` [Bug 216563] New: " Darrick J. Wong
2022-10-09 22:42 ` Dave Chinner
2022-10-09 17:08 ` [Bug 216563] " bugzilla-daemon
2022-10-09 22:42 ` bugzilla-daemon
2022-10-18 20:44 ` Darrick J. Wong
2022-10-18 20:44 ` bugzilla-daemon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-216563-201763-3vpUtdFzFb@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).