* [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
@ 2022-10-09 12:08 ` bugzilla-daemon
2022-10-09 17:08 ` [Bug 216563] New: " Darrick J. Wong
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: bugzilla-daemon @ 2022-10-09 12:08 UTC (permalink / raw)
To: linux-xfs
https://bugzilla.kernel.org/show_bug.cgi?id=216563
--- Comment #1 from Zorro Lang (zlang@redhat.com) ---
decode_stacktrace.sh output:
[11223.467241] memcpy: detected field-spanning write (size 32) of single field
"efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
[11223.467271] WARNING: CPU: 7 PID: 604448 at fs/xfs/xfs_extfree_item.c:693
xfs_efi_item_relog (fs/xfs/xfs_extfree_item.c:693 (discriminator 3)) xfs
[11223.467349] Modules linked in: dm_snapshot dm_bufio ext4 mbcache jbd2 loop
dm_flakey dm_mod bonding tls rfkill sunrpc pseries_rng drm fuse
drm_panel_orientation_quirks xfs libcrc32c sd_mod
t10_pi sg ibmvscsi ibmveth scsi_transport_srp vmx_crypto [last unloaded:
scsi_debug]
[11223.467408] Workqueue: xfs-inodegc/sda5 xfs_inodegc_worker [xfs]
[11223.467478] NIP: c008000001e001cc LR: c008000001e001c8 CTR:
0000000000000000
[11223.467484] REGS: c000000045893610 TRAP: 0700 Not tainted (6.0.0+)
[11223.467490] MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR:
48004222 XER: 0000000a
[11223.467514] CFAR: c000000000150060 IRQMASK: 0
GPR00: c008000001e001c8 c0000000458938b0 c008000001ebc000 0000000000000089
GPR04: 0000000000000000 c0000000458936b0 c0000000458936a8 00000001fbb90000
GPR08: 0000000000000027 0000000000000000 c000000095728800 0000000000004000
GPR12: 00000001fbb90000 c00000000ffc9080 0000000000000000 0000000000000000
GPR16: c008000001d4df14 fffffffffffff000 c000000002d40a30 c000000002d404b0
GPR20: c000000095728800 c0000000458939d8 0000000000000000 0000000000000000
GPR24: c000000002d40a30 0000000000000002 c000000033c654f0 0000000000000002
GPR28: 0000000000000020 c0000000488816a8 c000000033016440 c000000033c65438
[11223.467598] NIP [c008000001e001cc] xfs_efi_item_relog
(fs/xfs/xfs_extfree_item.c:693 (discriminator 3)) xfs
[11223.467667] LR [c008000001e001c8] xfs_efi_item_relog
(fs/xfs/xfs_extfree_item.c:693 (discriminator 3)) xfs
[11223.467737] Call Trace:
[11223.467741] [c0000000458938b0] [c008000001e001c8]
xfs_efi_item_relog+0x180/0x1d0 [xfs] unreliable
[11223.467814] [c000000045893950] [c008000001d4d198] xfs_defer_relog
(./fs/xfs/xfs_trans.h:255 fs/xfs/libxfs/xfs_defer.c:451) xfs
[11223.467879] [c0000000458939b0] [c008000001d4d6d8] xfs_defer_finish_noroll
(fs/xfs/libxfs/xfs_defer.c:557) xfs
[11223.467943] [c000000045893a80] [c008000001d4df14] xfs_defer_finish
(fs/xfs/libxfs/xfs_defer.c:591) xfs
[11223.468007] [c000000045893ab0] [c008000001dcd74c]
xfs_itruncate_extents_flags (fs/xfs/xfs_inode.c:1378) xfs
[11223.468077] [c000000045893b40] [c008000001dcde14] xfs_inactive_truncate
(fs/xfs/xfs_inode.c:1518) xfs
[11223.468146] [c000000045893b90] [c008000001dcec18] xfs_inactive
(fs/xfs/xfs_inode.c:1758) xfs
[11223.468214] [c000000045893be0] [c008000001dba36c] xfs_inodegc_worker
(fs/xfs/xfs_icache.c:1838 fs/xfs/xfs_icache.c:1862) xfs
[11223.468284] [c000000045893c40] [c000000000185298] process_one_work
(kernel/workqueue.c:2289)
[11223.468294] [c000000045893d30] [c000000000185848] worker_thread
(./include/linux/list.h:292 kernel/workqueue.c:2437)
[11223.468302] [c000000045893dc0] [c0000000001945b8] kthread
(kernel/kthread.c:376)
[11223.468309] [c000000045893e10] [c00000000000cbe4] ret_from_kernel_thread
(arch/powerpc/kernel/interrupt_64.S:718)
[11223.468319] Instruction dump:
[11223.468324] 2c0a0000 4082ff30 3d420000 38c00010 7f84e378 e8aaf9e8 3d420000
e86af9f0
[11223.468342] 39400001 99490000 48054b35 e8410018 <0fe00000> 3d220000 e929f9e0
89490001
[11223.468359] irq event stamp: 97484
[11223.468363] hardirqs last enabled at (97483): __up_console_sem
(kernel/printk/printk.c:264 (discriminator 1))
[11223.468371] hardirqs last disabled at (97484): interrupt_enter_prepare
(./arch/powerpc/include/asm/interrupt.h:182)
[11223.468380] softirqs last enabled at (95310): __do_softirq
(./arch/powerpc/include/asm/current.h:20 ./include/asm-generic/preempt.h:11
kernel/softirq.c:415 kernel/softirq.c:600)
[11223.468388] softirqs last disabled at (95259): do_softirq_own_stack
(arch/powerpc/kernel/irq.c:206 arch/powerpc/kernel/irq.c:341)
[11223.468395] ---[ end trace 0000000000000000 ]---
[11223.468403] ------------[ cut here ]------------
[11223.467241] memcpy: detected field-spanning write (size 32) of single field
"efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
[11223.467271] WARNING: CPU: 7 PID: 604448 at fs/xfs/xfs_extfree_item.c:693
xfs_efi_item_relog (fs/xfs/xfs_extfree_item.c:693 (discriminator 3)) xfs
[11223.467349] Modules linked in: dm_snapshot dm_bufio ext4 mbcache jbd2 loop
dm_flakey dm_mod bonding tls rfkill sunrpc pseries_rng drm fuse
drm_panel_orientation_quirks xfs libcrc32c sd_mod
t10_pi sg ibmvscsi ibmveth scsi_transport_srp vmx_crypto [last unloaded:
scsi_debug]
[11223.467408] Workqueue: xfs-inodegc/sda5 xfs_inodegc_worker [xfs]
[11223.467478] NIP: c008000001e001cc LR: c008000001e001c8 CTR:
0000000000000000
[11223.467484] REGS: c000000045893610 TRAP: 0700 Not tainted (6.0.0+)
[11223.467490] MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR:
48004222 XER: 0000000a
[11223.467514] CFAR: c000000000150060 IRQMASK: 0
GPR00: c008000001e001c8 c0000000458938b0 c008000001ebc000 0000000000000089
GPR04: 0000000000000000 c0000000458936b0 c0000000458936a8 00000001fbb90000
GPR08: 0000000000000027 0000000000000000 c000000095728800 0000000000004000
GPR12: 00000001fbb90000 c00000000ffc9080 0000000000000000 0000000000000000
GPR16: c008000001d4df14 fffffffffffff000 c000000002d40a30 c000000002d404b0
GPR20: c000000095728800 c0000000458939d8 0000000000000000 0000000000000000
GPR24: c000000002d40a30 0000000000000002 c000000033c654f0 0000000000000002
GPR28: 0000000000000020 c0000000488816a8 c000000033016440 c000000033c65438
[11223.467598] NIP [c008000001e001cc] xfs_efi_item_relog
(fs/xfs/xfs_extfree_item.c:693 (discriminator 3)) xfs
[11223.467667] LR [c008000001e001c8] xfs_efi_item_relog
(fs/xfs/xfs_extfree_item.c:693 (discriminator 3)) xfs
[11223.467737] Call Trace:
[11223.467741] [c0000000458938b0] [c008000001e001c8]
xfs_efi_item_relog+0x180/0x1d0 [xfs] unreliable
[11223.467814] [c000000045893950] [c008000001d4d198] xfs_defer_relog
(./fs/xfs/xfs_trans.h:255 fs/xfs/libxfs/xfs_defer.c:451) xfs
[11223.467879] [c0000000458939b0] [c008000001d4d6d8] xfs_defer_finish_noroll
(fs/xfs/libxfs/xfs_defer.c:557) xfs
[11223.467943] [c000000045893a80] [c008000001d4df14] xfs_defer_finish
(fs/xfs/libxfs/xfs_defer.c:591) xfs
[11223.468007] [c000000045893ab0] [c008000001dcd74c]
xfs_itruncate_extents_flags (fs/xfs/xfs_inode.c:1378) xfs
[11223.468077] [c000000045893b40] [c008000001dcde14] xfs_inactive_truncate
(fs/xfs/xfs_inode.c:1518) xfs
[11223.468146] [c000000045893b90] [c008000001dcec18] xfs_inactive
(fs/xfs/xfs_inode.c:1758) xfs
[11223.468214] [c000000045893be0] [c008000001dba36c] xfs_inodegc_worker
(fs/xfs/xfs_icache.c:1838 fs/xfs/xfs_icache.c:1862) xfs
[11223.468284] [c000000045893c40] [c000000000185298] process_one_work
(kernel/workqueue.c:2289)
[11223.468294] [c000000045893d30] [c000000000185848] worker_thread
(./include/linux/list.h:292 kernel/workqueue.c:2437)
[11223.468302] [c000000045893dc0] [c0000000001945b8] kthread
(kernel/kthread.c:376)
[11223.468309] [c000000045893e10] [c00000000000cbe4] ret_from_kernel_thread
(arch/powerpc/kernel/interrupt_64.S:718)
[11223.468319] Instruction dump:
[11223.468324] 2c0a0000 4082ff30 3d420000 38c00010 7f84e378 e8aaf9e8 3d420000
e86af9f0
[11223.468342] 39400001 99490000 48054b35 e8410018 <0fe00000> 3d220000 e929f9e0
89490001
[11223.468359] irq event stamp: 97484
[11223.468363] hardirqs last enabled at (97483): __up_console_sem
(kernel/printk/printk.c:264 (discriminator 1))
[11223.468371] hardirqs last disabled at (97484): interrupt_enter_prepare
(./arch/powerpc/include/asm/interrupt.h:182)
[11223.468380] softirqs last enabled at (95310): __do_softirq
(./arch/powerpc/include/asm/current.h:20 ./include/asm-generic/preempt.h:11
kernel/softirq.c:415 kernel/softirq.c:600)
[11223.468388] softirqs last disabled at (95259): do_softirq_own_stack
(arch/powerpc/kernel/irq.c:206 arch/powerpc/kernel/irq.c:341)
[11223.468395] ---[ end trace 0000000000000000 ]---
[11223.468403] ------------[ cut here ]------------
...
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
2022-10-09 12:08 ` [Bug 216563] " bugzilla-daemon
@ 2022-10-09 17:08 ` Darrick J. Wong
2022-10-09 22:42 ` Dave Chinner
2022-10-09 17:08 ` [Bug 216563] " bugzilla-daemon
` (2 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Darrick J. Wong @ 2022-10-09 17:08 UTC (permalink / raw)
To: bugzilla-daemon; +Cc: linux-xfs
On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216563
>
> Bug ID: 216563
> Summary: [xfstests generic/113] memcpy: detected field-spanning
> write (size 32) of single field
> "efdp->efd_format.efd_extents" at
> fs/xfs/xfs_extfree_item.c:693 (size 16)
> Product: File System
> Version: 2.5
> Kernel Version: v6.1-rc0
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: XFS
> Assignee: filesystem_xfs@kernel-bugs.kernel.org
> Reporter: zlang@redhat.com
> Regression: No
>
> I xfstests generic/113 hit below kernel warning [1] on xfs with 64k directory
> block size (-n size=65536). It's reproducible for me, and the last time I
> reproduce this bug on linux v6.0+ which HEAD= ...
>
> commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> Author: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Fri Oct 7 17:04:10 2022 -0700
>
> Merge tag 'driver-core-6.1-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
>
> I hit this issue on xfs with 64k directory block size 3 times(aarch64, x86_64
> and ppc64le), and once on xfs with 1k blocksize (aarch64).
>
>
> [1]
> [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4333.094807] XFS (sda3): Unmounting Filesystem
> [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> [ 4333.973061] XFS (sda3): Ending clean mount
> [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4338.564849] XFS (sda3): Unmounting Filesystem
> [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> [ 4339.430908] XFS (sda3): Ending clean mount
> [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4343.379506] XFS (sda3): Unmounting Filesystem
> [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> [ 4344.232984] XFS (sda3): Ending clean mount
> [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4348.198562] XFS (sda3): Unmounting Filesystem
> [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> [ 4349.104995] XFS (sda3): Ending clean mount
> [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4353.233555] XFS (sda3): Unmounting Filesystem
> [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> [ 4354.135975] XFS (sda3): Ending clean mount
> [ 4354.337550] ------------[ cut here ]------------
> [ 4354.342354] memcpy: detected field-spanning write (size 32) of single field
> "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693
> xfs_efi_item_relog+0x1fc/0x270 [xfs]
I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
structure definition is:
typedef struct xfs_efd_log_format {
uint16_t efd_type; /* efd log item type */
uint16_t efd_size; /* size of this item */
uint32_t efd_nextents; /* # of extents freed */
uint64_t efd_efi_id; /* id of corresponding efi */
xfs_extent_t efd_extents[1]; /* array of extents freed */
} xfs_efd_log_format_t;
Yuck, an array[1] that is actually a VLA!
I guess we're going to have to turn that into a real VLA, and adjust the
xfs_ondisk.h macros to match?
What memory sanitizer kconfig option enables this, anyway?
--D
> [ 4354.365918] Modules linked in: dm_snapshot dm_bufio ext4 mbcache jbd2 loop
> dm_flakey dm_mod intel_rapl_msr mgag200 intel_rapl_common
> intel_uncore_frequency i2c_algo_bit intel_uncore_frequency_common
> drm_shmem_helper ipmi_ssif drm_kms_helper mlx5_ib syscopyarea sysfillrect
> mei_me dell_smbios i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp
> coretemp kvm_intel rfkill dcdbas kvm irqbypass rapl intel_cstate ib_uverbs
> intel_uncore dell_wmi_descriptor wmi_bmof pcspkr ib_core isst_if_mmio
> isst_if_mbox_pci sysimgblt acpi_ipmi isst_if_common i2c_i801 mei fb_sys_fops
> ipmi_si i2c_smbus intel_pch_thermal intel_vsec ipmi_devintf ipmi_msghandler
> acpi_power_meter sunrpc drm fuse xfs libcrc32c sd_mod t10_pi sg mlx5_core
> crct10dif_pclmul crc32_pclmul mlxfw crc32c_intel ghash_clmulni_intel tls ahci
> libahci psample megaraid_sas pci_hyperv_intf tg3 libata wmi [last unloaded:
> scsi_debug]
> [ 4354.443217] CPU: 7 PID: 899243 Comm: kworker/7:0 Kdump: loaded Not tainted
> 6.0.0+ #1
> [ 4354.450990] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.5.4
> 12/17/2021
> [ 4354.458497] Workqueue: xfs-inodegc/sda3 xfs_inodegc_worker [xfs]
> [ 4354.464648] RIP: 0010:xfs_efi_item_relog+0x1fc/0x270 [xfs]
> [ 4354.470279] Code: 00 00 0f 85 09 ff ff ff b9 10 00 00 00 48 c7 c2 20 a8 22
> c1 4c 89 f6 48 c7 c7 a0 a8 22 c1 c6 05 50 56 28 00 01 e8 b1 2c 28 c5 <0f> 0b e9
> e0 fe ff ff 80 3d 3c 56 28 00 00 0f 85 35 ff ff ff b9 10
> [ 4354.472133] XFS (sda3): xlog_verify_grant_tail: space > BBTOB(tail_blocks)
> [ 4354.489042] RSP: 0018:ffa0000037dc7950 EFLAGS: 00010286
> [ 4354.489088] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
> 0000000000000000
> [ 4354.489092] RDX: 0000000000000001 RSI: ffffffff86cce8e0 RDI:
> fff3fc0006fb8f1c
> [ 4354.489096] RBP: ff11001170bbf2e0 R08: 0000000000000001 R09:
> ff11002031dfd487
> [ 4354.489100] R10: ffe21c04063bfa90 R11: 0000000000000001 R12:
> ff1100115db29f80
> [ 4354.489104] R13: ff1100118a7cb500 R14: 0000000000000020 R15:
> ff1100115db2a038
> [ 4354.537068] FS: 0000000000000000(0000) GS:ff11002031c00000(0000)
> knlGS:0000000000000000
> [ 4354.545178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4354.550938] CR2: 00007fa368b18b30 CR3: 0000000bd962c002 CR4:
> 0000000000771ee0
> [ 4354.558090] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [ 4354.565240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [ 4354.572395] PKRU: 55555554
> [ 4354.575127] Call Trace:
> [ 4354.577598] <TASK>
> [ 4354.579729] xfs_defer_relog+0x406/0x840 [xfs]
> [ 4354.584320] xfs_defer_finish_noroll+0xb84/0x1790 [xfs]
> [ 4354.589685] ? xfs_defer_trans_abort+0x680/0x680 [xfs]
> [ 4354.594954] ? xfs_defer_cancel+0x290/0x290 [xfs]
> [ 4354.599801] xfs_defer_finish+0x13/0x200 [xfs]
> [ 4354.604366] xfs_itruncate_extents_flags+0x404/0xd70 [xfs]
> [ 4354.610060] ? xfs_link+0x8e0/0x8e0 [xfs]
> [ 4354.614218] ? xfs_trans_ichgtime+0x190/0x190 [xfs]
> [ 4354.619236] ? xfs_inactive_truncate+0xb8/0x250 [xfs]
> [ 4354.624427] ? rcu_read_lock_sched_held+0x43/0x80
> [ 4354.629168] xfs_inactive_truncate+0x109/0x250 [xfs]
> [ 4354.634266] ? xfs_itruncate_extents_flags+0xd70/0xd70 [xfs]
> [ 4354.640067] ? xfs_inactive+0xe6/0x660 [xfs]
> [ 4354.644502] xfs_inactive+0x4ff/0x660 [xfs]
> [ 4354.648822] xfs_inodegc_worker+0x1aa/0x650 [xfs]
> [ 4354.653673] process_one_work+0x8b7/0x1540
> [ 4354.657814] ? __lock_acquired+0x209/0x890
> [ 4354.661942] ? pwq_dec_nr_in_flight+0x230/0x230
> [ 4354.666502] ? __lock_contended+0x980/0x980
> [ 4354.670726] ? worker_thread+0x160/0xed0
> [ 4354.674691] worker_thread+0x5ac/0xed0
> [ 4354.678509] ? process_one_work+0x1540/0x1540
> [ 4354.682896] kthread+0x29f/0x340
> [ 4354.686154] ? kthread_complete_and_exit+0x20/0x20
> [ 4354.690974] ret_from_fork+0x1f/0x30
> [ 4354.694603] </TASK>
> [ 4354.696813] irq event stamp: 225213
> [ 4354.700325] hardirqs last enabled at (225223): [<ffffffff843b7f3b>]
> __up_console_sem+0x6b/0x80
> [ 4354.709049] hardirqs last disabled at (225238): [<ffffffff843b7f20>]
> __up_console_sem+0x50/0x80
> [ 4354.717770] softirqs last enabled at (225236): [<ffffffff86800625>]
> __do_softirq+0x625/0x9b0
> [ 4354.726316] softirqs last disabled at (225231): [<ffffffff8422640c>]
> __irq_exit_rcu+0x1fc/0x2a0
> [ 4354.735030] ---[ end trace 0000000000000000 ]---
> [ 4354.739682] ------------[ cut here ]------------
> [ 4354.744333] memcpy: detected field-spanning write (size 32) of single field
> "efip->efi_format.efi_extents" at fs/xfs/xfs_extfree_item.c:697 (size 16)
> [ 4354.757790] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:697
> xfs_efi_item_relog+0x232/0x270 [xfs]
> [ 4354.767843] Modules linked in: dm_snapshot dm_bufio ext4 mbcache jbd2 loop
> dm_flakey dm_mod intel_rapl_msr mgag200 intel_rapl_common
> intel_uncore_frequency i2c_algo_bit intel_uncore_frequency_common
> drm_shmem_helper ipmi_ssif drm_kms_helper mlx5_ib syscopyarea sysfillrect
> mei_me dell_smbios i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp
> coretemp kvm_intel rfkill dcdbas kvm irqbypass rapl intel_cstate ib_uverbs
> intel_uncore dell_wmi_descriptor wmi_bmof pcspkr ib_core isst_if_mmio
> isst_if_mbox_pci sysimgblt acpi_ipmi isst_if_common i2c_i801 mei fb_sys_fops
> ipmi_si i2c_smbus intel_pch_thermal intel_vsec ipmi_devintf ipmi_msghandler
> acpi_power_meter sunrpc drm fuse xfs libcrc32c sd_mod t10_pi sg mlx5_core
> crct10dif_pclmul crc32_pclmul mlxfw crc32c_intel ghash_clmulni_intel tls ahci
> libahci psample megaraid_sas pci_hyperv_intf tg3 libata wmi [last unloaded:
> scsi_debug]
> [ 4354.845125] CPU: 7 PID: 899243 Comm: kworker/7:0 Kdump: loaded Tainted: G
> W 6.0.0+ #1
> [ 4354.854370] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.5.4
> 12/17/2021
> [ 4354.861875] Workqueue: xfs-inodegc/sda3 xfs_inodegc_worker [xfs]
> [ 4354.868016] RIP: 0010:xfs_efi_item_relog+0x232/0x270 [xfs]
> [ 4354.873643] Code: 00 00 0f 85 35 ff ff ff b9 10 00 00 00 48 c7 c2 20 a9 22
> c1 4c 89 f6 48 c7 c7 a0 a8 22 c1 c6 05 19 56 28 00 01 e8 7b 2c 28 c5 <0f> 0b e9
> 0c ff ff ff 4c 89 ef e8 bf e2 8e c3 e9 4c ff ff ff e8 b5
> [ 4354.892409] RSP: 0018:ffa0000037dc7950 EFLAGS: 00010286
> [ 4354.897660] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
> 0000000000000000
> [ 4354.904816] RDX: 0000000000000001 RSI: ffffffff86cce8e0 RDI:
> fff3fc0006fb8f1c
> [ 4354.911978] RBP: ff11001170bbf2e0 R08: 0000000000000001 R09:
> ff11002031dfd487
> [ 4354.919135] R10: ffe21c04063bfa90 R11: 0000000000000001 R12:
> ff1100118a7c8d90
> [ 4354.926296] R13: ff1100118a7cb500 R14: 0000000000000020 R15:
> ff1100118a7c8e40
> [ 4354.933454] FS: 0000000000000000(0000) GS:ff11002031c00000(0000)
> knlGS:0000000000000000
> [ 4354.941564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4354.947337] CR2: 00007fa368b18b30 CR3: 0000000bd962c002 CR4:
> 0000000000771ee0
> [ 4354.954497] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [ 4354.961653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [ 4354.968812] PKRU: 55555554
> [ 4354.971546] Call Trace:
> [ 4354.974021] <TASK>
> [ 4354.976163] xfs_defer_relog+0x406/0x840 [xfs]
> [ 4354.980753] xfs_defer_finish_noroll+0xb84/0x1790 [xfs]
> [ 4354.986135] ? xfs_defer_trans_abort+0x680/0x680 [xfs]
> [ 4354.991400] ? xfs_defer_cancel+0x290/0x290 [xfs]
> [ 4354.996271] xfs_defer_finish+0x13/0x200 [xfs]
> [ 4355.000844] xfs_itruncate_extents_flags+0x404/0xd70 [xfs]
> [ 4355.006487] ? xfs_link+0x8e0/0x8e0 [xfs]
> [ 4355.010642] ? xfs_trans_ichgtime+0x190/0x190 [xfs]
> [ 4355.015656] ? xfs_inactive_truncate+0xb8/0x250 [xfs]
> [ 4355.020851] ? rcu_read_lock_sched_held+0x43/0x80
> [ 4355.025591] xfs_inactive_truncate+0x109/0x250 [xfs]
> [ 4355.030695] ? xfs_itruncate_extents_flags+0xd70/0xd70 [xfs]
> [ 4355.036504] ? xfs_inactive+0xe6/0x660 [xfs]
> [ 4355.040931] xfs_inactive+0x4ff/0x660 [xfs]
> [ 4355.045255] xfs_inodegc_worker+0x1aa/0x650 [xfs]
> [ 4355.050111] process_one_work+0x8b7/0x1540
> [ 4355.054247] ? __lock_acquired+0x209/0x890
> [ 4355.058378] ? pwq_dec_nr_in_flight+0x230/0x230
> [ 4355.062937] ? __lock_contended+0x980/0x980
> [ 4355.067161] ? worker_thread+0x160/0xed0
> [ 4355.071125] worker_thread+0x5ac/0xed0
> [ 4355.074926] ? process_one_work+0x1540/0x1540
> [ 4355.079320] kthread+0x29f/0x340
> [ 4355.082582] ? kthread_complete_and_exit+0x20/0x20
> [ 4355.087406] ret_from_fork+0x1f/0x30
> [ 4355.091042] </TASK>
> [ 4355.093255] irq event stamp: 226333
> [ 4355.096768] hardirqs last enabled at (226343): [<ffffffff843b7f3b>]
> __up_console_sem+0x6b/0x80
> [ 4355.105492] hardirqs last disabled at (226358): [<ffffffff843b7f20>]
> __up_console_sem+0x50/0x80
> [ 4355.114214] softirqs last enabled at (226356): [<ffffffff86800625>]
> __do_softirq+0x625/0x9b0
> [ 4355.122762] softirqs last disabled at (226351): [<ffffffff8422640c>]
> __irq_exit_rcu+0x1fc/0x2a0
> [ 4355.131484] ---[ end trace 0000000000000000 ]---
> [ 4355.263177] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4358.321839] XFS (sda3): Unmounting Filesystem
> [ 4359.155439] XFS (sda3): Mounting V5 Filesystem
> [ 4359.193937] XFS (sda3): Ending clean mount
> [ 4359.367326] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4362.438659] XFS (sda3): Unmounting Filesystem
> [ 4363.230018] XFS (sda3): Mounting V5 Filesystem
> [ 4363.269186] XFS (sda3): Ending clean mount
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 17:08 ` [Bug 216563] New: " Darrick J. Wong
@ 2022-10-09 22:42 ` Dave Chinner
0 siblings, 0 replies; 8+ messages in thread
From: Dave Chinner @ 2022-10-09 22:42 UTC (permalink / raw)
To: Darrick J. Wong; +Cc: bugzilla-daemon, linux-xfs
On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote:
> On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> > https://bugzilla.kernel.org/show_bug.cgi?id=216563
> >
> > Bug ID: 216563
> > Summary: [xfstests generic/113] memcpy: detected field-spanning
> > write (size 32) of single field
> > "efdp->efd_format.efd_extents" at
> > fs/xfs/xfs_extfree_item.c:693 (size 16)
> > Product: File System
> > Version: 2.5
> > Kernel Version: v6.1-rc0
> > Hardware: All
> > OS: Linux
> > Tree: Mainline
> > Status: NEW
> > Severity: normal
> > Priority: P1
> > Component: XFS
> > Assignee: filesystem_xfs@kernel-bugs.kernel.org
> > Reporter: zlang@redhat.com
> > Regression: No
> >
> > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k directory
> > block size (-n size=65536). It's reproducible for me, and the last time I
> > reproduce this bug on linux v6.0+ which HEAD= ...
> >
> > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > Date: Fri Oct 7 17:04:10 2022 -0700
> >
> > Merge tag 'driver-core-6.1-rc1' of
> > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
> >
> > I hit this issue on xfs with 64k directory block size 3 times(aarch64, x86_64
> > and ppc64le), and once on xfs with 1k blocksize (aarch64).
> >
> >
> > [1]
> > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4333.094807] XFS (sda3): Unmounting Filesystem
> > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> > [ 4333.973061] XFS (sda3): Ending clean mount
> > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4338.564849] XFS (sda3): Unmounting Filesystem
> > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> > [ 4339.430908] XFS (sda3): Ending clean mount
> > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4343.379506] XFS (sda3): Unmounting Filesystem
> > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> > [ 4344.232984] XFS (sda3): Ending clean mount
> > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4348.198562] XFS (sda3): Unmounting Filesystem
> > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> > [ 4349.104995] XFS (sda3): Ending clean mount
> > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4353.233555] XFS (sda3): Unmounting Filesystem
> > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> > [ 4354.135975] XFS (sda3): Ending clean mount
> > [ 4354.337550] ------------[ cut here ]------------
> > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single field
> > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693
> > xfs_efi_item_relog+0x1fc/0x270 [xfs]
>
> I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
> structure definition is:
>
> typedef struct xfs_efd_log_format {
> uint16_t efd_type; /* efd log item type */
> uint16_t efd_size; /* size of this item */
> uint32_t efd_nextents; /* # of extents freed */
> uint64_t efd_efi_id; /* id of corresponding efi */
> xfs_extent_t efd_extents[1]; /* array of extents freed */
> } xfs_efd_log_format_t;
>
> Yuck, an array[1] that is actually a VLA!
Always been the case; the comment above both EFI and EFD definitions
state this directly:
/*
* This is the structure used to lay out an efi log item in the
* log. The efi_extents field is a variable size array whose
* size is given by efi_nextents.
*/
The EFI/EFD support recording multiple extents being freed in a
single intent. The idea behind this originally was that all the
extents being freed in a single transaction would be recorded in the
same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could
then be relogged as progress freeing those extents is made after the
BMBT modifications were committed...
> I guess we're going to have to turn that into a real VLA, and adjust the
> xfs_ondisk.h macros to match?
>
> What memory sanitizer kconfig option enables this, anyway?
54d9469bc515 fortify: Add run-time WARN for cross-field memcpy()
CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2.
It effectively ignores flex arrays defined with [], but sees
anything defined with [1] as a fixed size array of known size and so
issues a warning when it's actually used as a flex array.
unsafe_memcpy() could be a temporary solution, given we know the
code works fine as it stands...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
2022-10-09 12:08 ` [Bug 216563] " bugzilla-daemon
2022-10-09 17:08 ` [Bug 216563] New: " Darrick J. Wong
@ 2022-10-09 17:08 ` bugzilla-daemon
2022-10-09 22:42 ` bugzilla-daemon
2022-10-18 20:44 ` bugzilla-daemon
4 siblings, 0 replies; 8+ messages in thread
From: bugzilla-daemon @ 2022-10-09 17:08 UTC (permalink / raw)
To: linux-xfs
https://bugzilla.kernel.org/show_bug.cgi?id=216563
--- Comment #2 from Darrick J. Wong (djwong@kernel.org) ---
On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216563
>
> Bug ID: 216563
> Summary: [xfstests generic/113] memcpy: detected field-spanning
> write (size 32) of single field
> "efdp->efd_format.efd_extents" at
> fs/xfs/xfs_extfree_item.c:693 (size 16)
> Product: File System
> Version: 2.5
> Kernel Version: v6.1-rc0
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: XFS
> Assignee: filesystem_xfs@kernel-bugs.kernel.org
> Reporter: zlang@redhat.com
> Regression: No
>
> I xfstests generic/113 hit below kernel warning [1] on xfs with 64k directory
> block size (-n size=65536). It's reproducible for me, and the last time I
> reproduce this bug on linux v6.0+ which HEAD= ...
>
> commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> Author: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Fri Oct 7 17:04:10 2022 -0700
>
> Merge tag 'driver-core-6.1-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
>
> I hit this issue on xfs with 64k directory block size 3 times(aarch64, x86_64
> and ppc64le), and once on xfs with 1k blocksize (aarch64).
>
>
> [1]
> [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4333.094807] XFS (sda3): Unmounting Filesystem
> [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> [ 4333.973061] XFS (sda3): Ending clean mount
> [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4338.564849] XFS (sda3): Unmounting Filesystem
> [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> [ 4339.430908] XFS (sda3): Ending clean mount
> [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4343.379506] XFS (sda3): Unmounting Filesystem
> [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> [ 4344.232984] XFS (sda3): Ending clean mount
> [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4348.198562] XFS (sda3): Unmounting Filesystem
> [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> [ 4349.104995] XFS (sda3): Ending clean mount
> [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4353.233555] XFS (sda3): Unmounting Filesystem
> [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> [ 4354.135975] XFS (sda3): Ending clean mount
> [ 4354.337550] ------------[ cut here ]------------
> [ 4354.342354] memcpy: detected field-spanning write (size 32) of single
> field
> "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693
> xfs_efi_item_relog+0x1fc/0x270 [xfs]
I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
structure definition is:
typedef struct xfs_efd_log_format {
uint16_t efd_type; /* efd log item type */
uint16_t efd_size; /* size of this item */
uint32_t efd_nextents; /* # of extents freed */
uint64_t efd_efi_id; /* id of corresponding efi */
xfs_extent_t efd_extents[1]; /* array of extents freed */
} xfs_efd_log_format_t;
Yuck, an array[1] that is actually a VLA!
I guess we're going to have to turn that into a real VLA, and adjust the
xfs_ondisk.h macros to match?
What memory sanitizer kconfig option enables this, anyway?
--D
> [ 4354.365918] Modules linked in: dm_snapshot dm_bufio ext4 mbcache jbd2 loop
> dm_flakey dm_mod intel_rapl_msr mgag200 intel_rapl_common
> intel_uncore_frequency i2c_algo_bit intel_uncore_frequency_common
> drm_shmem_helper ipmi_ssif drm_kms_helper mlx5_ib syscopyarea sysfillrect
> mei_me dell_smbios i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp
> coretemp kvm_intel rfkill dcdbas kvm irqbypass rapl intel_cstate ib_uverbs
> intel_uncore dell_wmi_descriptor wmi_bmof pcspkr ib_core isst_if_mmio
> isst_if_mbox_pci sysimgblt acpi_ipmi isst_if_common i2c_i801 mei fb_sys_fops
> ipmi_si i2c_smbus intel_pch_thermal intel_vsec ipmi_devintf ipmi_msghandler
> acpi_power_meter sunrpc drm fuse xfs libcrc32c sd_mod t10_pi sg mlx5_core
> crct10dif_pclmul crc32_pclmul mlxfw crc32c_intel ghash_clmulni_intel tls ahci
> libahci psample megaraid_sas pci_hyperv_intf tg3 libata wmi [last unloaded:
> scsi_debug]
> [ 4354.443217] CPU: 7 PID: 899243 Comm: kworker/7:0 Kdump: loaded Not tainted
> 6.0.0+ #1
> [ 4354.450990] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.5.4
> 12/17/2021
> [ 4354.458497] Workqueue: xfs-inodegc/sda3 xfs_inodegc_worker [xfs]
> [ 4354.464648] RIP: 0010:xfs_efi_item_relog+0x1fc/0x270 [xfs]
> [ 4354.470279] Code: 00 00 0f 85 09 ff ff ff b9 10 00 00 00 48 c7 c2 20 a8 22
> c1 4c 89 f6 48 c7 c7 a0 a8 22 c1 c6 05 50 56 28 00 01 e8 b1 2c 28 c5 <0f> 0b
> e9
> e0 fe ff ff 80 3d 3c 56 28 00 00 0f 85 35 ff ff ff b9 10
> [ 4354.472133] XFS (sda3): xlog_verify_grant_tail: space > BBTOB(tail_blocks)
> [ 4354.489042] RSP: 0018:ffa0000037dc7950 EFLAGS: 00010286
> [ 4354.489088] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
> 0000000000000000
> [ 4354.489092] RDX: 0000000000000001 RSI: ffffffff86cce8e0 RDI:
> fff3fc0006fb8f1c
> [ 4354.489096] RBP: ff11001170bbf2e0 R08: 0000000000000001 R09:
> ff11002031dfd487
> [ 4354.489100] R10: ffe21c04063bfa90 R11: 0000000000000001 R12:
> ff1100115db29f80
> [ 4354.489104] R13: ff1100118a7cb500 R14: 0000000000000020 R15:
> ff1100115db2a038
> [ 4354.537068] FS: 0000000000000000(0000) GS:ff11002031c00000(0000)
> knlGS:0000000000000000
> [ 4354.545178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4354.550938] CR2: 00007fa368b18b30 CR3: 0000000bd962c002 CR4:
> 0000000000771ee0
> [ 4354.558090] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [ 4354.565240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [ 4354.572395] PKRU: 55555554
> [ 4354.575127] Call Trace:
> [ 4354.577598] <TASK>
> [ 4354.579729] xfs_defer_relog+0x406/0x840 [xfs]
> [ 4354.584320] xfs_defer_finish_noroll+0xb84/0x1790 [xfs]
> [ 4354.589685] ? xfs_defer_trans_abort+0x680/0x680 [xfs]
> [ 4354.594954] ? xfs_defer_cancel+0x290/0x290 [xfs]
> [ 4354.599801] xfs_defer_finish+0x13/0x200 [xfs]
> [ 4354.604366] xfs_itruncate_extents_flags+0x404/0xd70 [xfs]
> [ 4354.610060] ? xfs_link+0x8e0/0x8e0 [xfs]
> [ 4354.614218] ? xfs_trans_ichgtime+0x190/0x190 [xfs]
> [ 4354.619236] ? xfs_inactive_truncate+0xb8/0x250 [xfs]
> [ 4354.624427] ? rcu_read_lock_sched_held+0x43/0x80
> [ 4354.629168] xfs_inactive_truncate+0x109/0x250 [xfs]
> [ 4354.634266] ? xfs_itruncate_extents_flags+0xd70/0xd70 [xfs]
> [ 4354.640067] ? xfs_inactive+0xe6/0x660 [xfs]
> [ 4354.644502] xfs_inactive+0x4ff/0x660 [xfs]
> [ 4354.648822] xfs_inodegc_worker+0x1aa/0x650 [xfs]
> [ 4354.653673] process_one_work+0x8b7/0x1540
> [ 4354.657814] ? __lock_acquired+0x209/0x890
> [ 4354.661942] ? pwq_dec_nr_in_flight+0x230/0x230
> [ 4354.666502] ? __lock_contended+0x980/0x980
> [ 4354.670726] ? worker_thread+0x160/0xed0
> [ 4354.674691] worker_thread+0x5ac/0xed0
> [ 4354.678509] ? process_one_work+0x1540/0x1540
> [ 4354.682896] kthread+0x29f/0x340
> [ 4354.686154] ? kthread_complete_and_exit+0x20/0x20
> [ 4354.690974] ret_from_fork+0x1f/0x30
> [ 4354.694603] </TASK>
> [ 4354.696813] irq event stamp: 225213
> [ 4354.700325] hardirqs last enabled at (225223): [<ffffffff843b7f3b>]
> __up_console_sem+0x6b/0x80
> [ 4354.709049] hardirqs last disabled at (225238): [<ffffffff843b7f20>]
> __up_console_sem+0x50/0x80
> [ 4354.717770] softirqs last enabled at (225236): [<ffffffff86800625>]
> __do_softirq+0x625/0x9b0
> [ 4354.726316] softirqs last disabled at (225231): [<ffffffff8422640c>]
> __irq_exit_rcu+0x1fc/0x2a0
> [ 4354.735030] ---[ end trace 0000000000000000 ]---
> [ 4354.739682] ------------[ cut here ]------------
> [ 4354.744333] memcpy: detected field-spanning write (size 32) of single
> field
> "efip->efi_format.efi_extents" at fs/xfs/xfs_extfree_item.c:697 (size 16)
> [ 4354.757790] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:697
> xfs_efi_item_relog+0x232/0x270 [xfs]
> [ 4354.767843] Modules linked in: dm_snapshot dm_bufio ext4 mbcache jbd2 loop
> dm_flakey dm_mod intel_rapl_msr mgag200 intel_rapl_common
> intel_uncore_frequency i2c_algo_bit intel_uncore_frequency_common
> drm_shmem_helper ipmi_ssif drm_kms_helper mlx5_ib syscopyarea sysfillrect
> mei_me dell_smbios i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp
> coretemp kvm_intel rfkill dcdbas kvm irqbypass rapl intel_cstate ib_uverbs
> intel_uncore dell_wmi_descriptor wmi_bmof pcspkr ib_core isst_if_mmio
> isst_if_mbox_pci sysimgblt acpi_ipmi isst_if_common i2c_i801 mei fb_sys_fops
> ipmi_si i2c_smbus intel_pch_thermal intel_vsec ipmi_devintf ipmi_msghandler
> acpi_power_meter sunrpc drm fuse xfs libcrc32c sd_mod t10_pi sg mlx5_core
> crct10dif_pclmul crc32_pclmul mlxfw crc32c_intel ghash_clmulni_intel tls ahci
> libahci psample megaraid_sas pci_hyperv_intf tg3 libata wmi [last unloaded:
> scsi_debug]
> [ 4354.845125] CPU: 7 PID: 899243 Comm: kworker/7:0 Kdump: loaded Tainted: G
> W 6.0.0+ #1
> [ 4354.854370] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.5.4
> 12/17/2021
> [ 4354.861875] Workqueue: xfs-inodegc/sda3 xfs_inodegc_worker [xfs]
> [ 4354.868016] RIP: 0010:xfs_efi_item_relog+0x232/0x270 [xfs]
> [ 4354.873643] Code: 00 00 0f 85 35 ff ff ff b9 10 00 00 00 48 c7 c2 20 a9 22
> c1 4c 89 f6 48 c7 c7 a0 a8 22 c1 c6 05 19 56 28 00 01 e8 7b 2c 28 c5 <0f> 0b
> e9
> 0c ff ff ff 4c 89 ef e8 bf e2 8e c3 e9 4c ff ff ff e8 b5
> [ 4354.892409] RSP: 0018:ffa0000037dc7950 EFLAGS: 00010286
> [ 4354.897660] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
> 0000000000000000
> [ 4354.904816] RDX: 0000000000000001 RSI: ffffffff86cce8e0 RDI:
> fff3fc0006fb8f1c
> [ 4354.911978] RBP: ff11001170bbf2e0 R08: 0000000000000001 R09:
> ff11002031dfd487
> [ 4354.919135] R10: ffe21c04063bfa90 R11: 0000000000000001 R12:
> ff1100118a7c8d90
> [ 4354.926296] R13: ff1100118a7cb500 R14: 0000000000000020 R15:
> ff1100118a7c8e40
> [ 4354.933454] FS: 0000000000000000(0000) GS:ff11002031c00000(0000)
> knlGS:0000000000000000
> [ 4354.941564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4354.947337] CR2: 00007fa368b18b30 CR3: 0000000bd962c002 CR4:
> 0000000000771ee0
> [ 4354.954497] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [ 4354.961653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [ 4354.968812] PKRU: 55555554
> [ 4354.971546] Call Trace:
> [ 4354.974021] <TASK>
> [ 4354.976163] xfs_defer_relog+0x406/0x840 [xfs]
> [ 4354.980753] xfs_defer_finish_noroll+0xb84/0x1790 [xfs]
> [ 4354.986135] ? xfs_defer_trans_abort+0x680/0x680 [xfs]
> [ 4354.991400] ? xfs_defer_cancel+0x290/0x290 [xfs]
> [ 4354.996271] xfs_defer_finish+0x13/0x200 [xfs]
> [ 4355.000844] xfs_itruncate_extents_flags+0x404/0xd70 [xfs]
> [ 4355.006487] ? xfs_link+0x8e0/0x8e0 [xfs]
> [ 4355.010642] ? xfs_trans_ichgtime+0x190/0x190 [xfs]
> [ 4355.015656] ? xfs_inactive_truncate+0xb8/0x250 [xfs]
> [ 4355.020851] ? rcu_read_lock_sched_held+0x43/0x80
> [ 4355.025591] xfs_inactive_truncate+0x109/0x250 [xfs]
> [ 4355.030695] ? xfs_itruncate_extents_flags+0xd70/0xd70 [xfs]
> [ 4355.036504] ? xfs_inactive+0xe6/0x660 [xfs]
> [ 4355.040931] xfs_inactive+0x4ff/0x660 [xfs]
> [ 4355.045255] xfs_inodegc_worker+0x1aa/0x650 [xfs]
> [ 4355.050111] process_one_work+0x8b7/0x1540
> [ 4355.054247] ? __lock_acquired+0x209/0x890
> [ 4355.058378] ? pwq_dec_nr_in_flight+0x230/0x230
> [ 4355.062937] ? __lock_contended+0x980/0x980
> [ 4355.067161] ? worker_thread+0x160/0xed0
> [ 4355.071125] worker_thread+0x5ac/0xed0
> [ 4355.074926] ? process_one_work+0x1540/0x1540
> [ 4355.079320] kthread+0x29f/0x340
> [ 4355.082582] ? kthread_complete_and_exit+0x20/0x20
> [ 4355.087406] ret_from_fork+0x1f/0x30
> [ 4355.091042] </TASK>
> [ 4355.093255] irq event stamp: 226333
> [ 4355.096768] hardirqs last enabled at (226343): [<ffffffff843b7f3b>]
> __up_console_sem+0x6b/0x80
> [ 4355.105492] hardirqs last disabled at (226358): [<ffffffff843b7f20>]
> __up_console_sem+0x50/0x80
> [ 4355.114214] softirqs last enabled at (226356): [<ffffffff86800625>]
> __do_softirq+0x625/0x9b0
> [ 4355.122762] softirqs last disabled at (226351): [<ffffffff8422640c>]
> __irq_exit_rcu+0x1fc/0x2a0
> [ 4355.131484] ---[ end trace 0000000000000000 ]---
> [ 4355.263177] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4358.321839] XFS (sda3): Unmounting Filesystem
> [ 4359.155439] XFS (sda3): Mounting V5 Filesystem
> [ 4359.193937] XFS (sda3): Ending clean mount
> [ 4359.367326] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> your own risk!
> [ 4362.438659] XFS (sda3): Unmounting Filesystem
> [ 4363.230018] XFS (sda3): Mounting V5 Filesystem
> [ 4363.269186] XFS (sda3): Ending clean mount
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread* [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
` (2 preceding siblings ...)
2022-10-09 17:08 ` [Bug 216563] " bugzilla-daemon
@ 2022-10-09 22:42 ` bugzilla-daemon
2022-10-18 20:44 ` Darrick J. Wong
2022-10-18 20:44 ` bugzilla-daemon
4 siblings, 1 reply; 8+ messages in thread
From: bugzilla-daemon @ 2022-10-09 22:42 UTC (permalink / raw)
To: linux-xfs
https://bugzilla.kernel.org/show_bug.cgi?id=216563
--- Comment #3 from Dave Chinner (david@fromorbit.com) ---
On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote:
> On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> > https://bugzilla.kernel.org/show_bug.cgi?id=216563
> >
> > Bug ID: 216563
> > Summary: [xfstests generic/113] memcpy: detected field-spanning
> > write (size 32) of single field
> > "efdp->efd_format.efd_extents" at
> > fs/xfs/xfs_extfree_item.c:693 (size 16)
> > Product: File System
> > Version: 2.5
> > Kernel Version: v6.1-rc0
> > Hardware: All
> > OS: Linux
> > Tree: Mainline
> > Status: NEW
> > Severity: normal
> > Priority: P1
> > Component: XFS
> > Assignee: filesystem_xfs@kernel-bugs.kernel.org
> > Reporter: zlang@redhat.com
> > Regression: No
> >
> > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k
> directory
> > block size (-n size=65536). It's reproducible for me, and the last time I
> > reproduce this bug on linux v6.0+ which HEAD= ...
> >
> > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > Date: Fri Oct 7 17:04:10 2022 -0700
> >
> > Merge tag 'driver-core-6.1-rc1' of
> > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
> >
> > I hit this issue on xfs with 64k directory block size 3 times(aarch64,
> x86_64
> > and ppc64le), and once on xfs with 1k blocksize (aarch64).
> >
> >
> > [1]
> > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4333.094807] XFS (sda3): Unmounting Filesystem
> > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> > [ 4333.973061] XFS (sda3): Ending clean mount
> > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4338.564849] XFS (sda3): Unmounting Filesystem
> > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> > [ 4339.430908] XFS (sda3): Ending clean mount
> > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4343.379506] XFS (sda3): Unmounting Filesystem
> > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> > [ 4344.232984] XFS (sda3): Ending clean mount
> > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4348.198562] XFS (sda3): Unmounting Filesystem
> > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> > [ 4349.104995] XFS (sda3): Ending clean mount
> > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > your own risk!
> > [ 4353.233555] XFS (sda3): Unmounting Filesystem
> > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> > [ 4354.135975] XFS (sda3): Ending clean mount
> > [ 4354.337550] ------------[ cut here ]------------
> > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single
> field
> > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693
> > xfs_efi_item_relog+0x1fc/0x270 [xfs]
>
> I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
> structure definition is:
>
> typedef struct xfs_efd_log_format {
> uint16_t efd_type; /* efd log item type */
> uint16_t efd_size; /* size of this item */
> uint32_t efd_nextents; /* # of extents freed */
> uint64_t efd_efi_id; /* id of corresponding efi */
> xfs_extent_t efd_extents[1]; /* array of extents freed */
> } xfs_efd_log_format_t;
>
> Yuck, an array[1] that is actually a VLA!
Always been the case; the comment above both EFI and EFD definitions
state this directly:
/*
* This is the structure used to lay out an efi log item in the
* log. The efi_extents field is a variable size array whose
* size is given by efi_nextents.
*/
The EFI/EFD support recording multiple extents being freed in a
single intent. The idea behind this originally was that all the
extents being freed in a single transaction would be recorded in the
same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could
then be relogged as progress freeing those extents is made after the
BMBT modifications were committed...
> I guess we're going to have to turn that into a real VLA, and adjust the
> xfs_ondisk.h macros to match?
>
> What memory sanitizer kconfig option enables this, anyway?
54d9469bc515 fortify: Add run-time WARN for cross-field memcpy()
CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2.
It effectively ignores flex arrays defined with [], but sees
anything defined with [1] as a fixed size array of known size and so
issues a warning when it's actually used as a flex array.
unsafe_memcpy() could be a temporary solution, given we know the
code works fine as it stands...
Cheers,
Dave.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 22:42 ` bugzilla-daemon
@ 2022-10-18 20:44 ` Darrick J. Wong
0 siblings, 0 replies; 8+ messages in thread
From: Darrick J. Wong @ 2022-10-18 20:44 UTC (permalink / raw)
To: bugzilla-daemon; +Cc: linux-xfs
On Sun, Oct 09, 2022 at 10:42:29PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216563
>
> --- Comment #3 from Dave Chinner (david@fromorbit.com) ---
> On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote:
> > On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> > > https://bugzilla.kernel.org/show_bug.cgi?id=216563
> > >
> > > Bug ID: 216563
> > > Summary: [xfstests generic/113] memcpy: detected field-spanning
> > > write (size 32) of single field
> > > "efdp->efd_format.efd_extents" at
> > > fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > Product: File System
> > > Version: 2.5
> > > Kernel Version: v6.1-rc0
> > > Hardware: All
> > > OS: Linux
> > > Tree: Mainline
> > > Status: NEW
> > > Severity: normal
> > > Priority: P1
> > > Component: XFS
> > > Assignee: filesystem_xfs@kernel-bugs.kernel.org
> > > Reporter: zlang@redhat.com
> > > Regression: No
> > >
> > > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k
> > directory
> > > block size (-n size=65536). It's reproducible for me, and the last time I
> > > reproduce this bug on linux v6.0+ which HEAD= ...
> > >
> > > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> > > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > > Date: Fri Oct 7 17:04:10 2022 -0700
> > >
> > > Merge tag 'driver-core-6.1-rc1' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
> > >
> > > I hit this issue on xfs with 64k directory block size 3 times(aarch64,
> > x86_64
> > > and ppc64le), and once on xfs with 1k blocksize (aarch64).
> > >
> > >
> > > [1]
> > > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> > > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4333.094807] XFS (sda3): Unmounting Filesystem
> > > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> > > [ 4333.973061] XFS (sda3): Ending clean mount
> > > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4338.564849] XFS (sda3): Unmounting Filesystem
> > > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> > > [ 4339.430908] XFS (sda3): Ending clean mount
> > > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4343.379506] XFS (sda3): Unmounting Filesystem
> > > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> > > [ 4344.232984] XFS (sda3): Ending clean mount
> > > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4348.198562] XFS (sda3): Unmounting Filesystem
> > > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> > > [ 4349.104995] XFS (sda3): Ending clean mount
> > > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at
> > > your own risk!
> > > [ 4353.233555] XFS (sda3): Unmounting Filesystem
> > > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> > > [ 4354.135975] XFS (sda3): Ending clean mount
> > > [ 4354.337550] ------------[ cut here ]------------
> > > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single
> > field
> > > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693
> > > xfs_efi_item_relog+0x1fc/0x270 [xfs]
> >
> > I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
> > structure definition is:
> >
> > typedef struct xfs_efd_log_format {
> > uint16_t efd_type; /* efd log item type */
> > uint16_t efd_size; /* size of this item */
> > uint32_t efd_nextents; /* # of extents freed */
> > uint64_t efd_efi_id; /* id of corresponding efi */
> > xfs_extent_t efd_extents[1]; /* array of extents freed */
> > } xfs_efd_log_format_t;
> >
> > Yuck, an array[1] that is actually a VLA!
>
> Always been the case; the comment above both EFI and EFD definitions
> state this directly:
>
> /*
> * This is the structure used to lay out an efi log item in the
> * log. The efi_extents field is a variable size array whose
> * size is given by efi_nextents.
> */
>
> The EFI/EFD support recording multiple extents being freed in a
> single intent. The idea behind this originally was that all the
> extents being freed in a single transaction would be recorded in the
> same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could
> then be relogged as progress freeing those extents is made after the
> BMBT modifications were committed...
>
> > I guess we're going to have to turn that into a real VLA, and adjust the
> > xfs_ondisk.h macros to match?
> >
> > What memory sanitizer kconfig option enables this, anyway?
>
> 54d9469bc515 fortify: Add run-time WARN for cross-field memcpy()
>
> CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2.
>
> It effectively ignores flex arrays defined with [], but sees
> anything defined with [1] as a fixed size array of known size and so
> issues a warning when it's actually used as a flex array.
>
> unsafe_memcpy() could be a temporary solution, given we know the
> code works fine as it stands...
Annoyingly, this now triggers fstests failures on xfs/436 when log
recovery tries to memcpy a BUI log item:
------------[ cut here ]------------
memcpy: detected field-spanning write (size 48) of single field
"dst_bui_fmt" at fs/xfs/xfs_bmap_item.c:628 (size 16)
WARNING: CPU: 0 PID: 20925 at fs/xfs/xfs_bmap_item.c:628
xlog_recover_bui_commit_pass2+0x124/0x160 [xfs]
Here we're using struct xfs_map_extent bui_extents[] for the VLA, so I
think this means the memcpy fortify macros aren't detecting the VLAs
correctly at all.
--D
> Cheers,
>
> Dave.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug 216563] [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
2022-10-09 11:59 [Bug 216563] New: [xfstests generic/113] memcpy: detected field-spanning write (size 32) of single field "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) bugzilla-daemon
` (3 preceding siblings ...)
2022-10-09 22:42 ` bugzilla-daemon
@ 2022-10-18 20:44 ` bugzilla-daemon
4 siblings, 0 replies; 8+ messages in thread
From: bugzilla-daemon @ 2022-10-18 20:44 UTC (permalink / raw)
To: linux-xfs
https://bugzilla.kernel.org/show_bug.cgi?id=216563
--- Comment #4 from Darrick J. Wong (djwong@kernel.org) ---
On Sun, Oct 09, 2022 at 10:42:29PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216563
>
> --- Comment #3 from Dave Chinner (david@fromorbit.com) ---
> On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote:
> > On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@kernel.org wrote:
> > > https://bugzilla.kernel.org/show_bug.cgi?id=216563
> > >
> > > Bug ID: 216563
> > > Summary: [xfstests generic/113] memcpy: detected
> field-spanning
> > > write (size 32) of single field
> > > "efdp->efd_format.efd_extents" at
> > > fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > Product: File System
> > > Version: 2.5
> > > Kernel Version: v6.1-rc0
> > > Hardware: All
> > > OS: Linux
> > > Tree: Mainline
> > > Status: NEW
> > > Severity: normal
> > > Priority: P1
> > > Component: XFS
> > > Assignee: filesystem_xfs@kernel-bugs.kernel.org
> > > Reporter: zlang@redhat.com
> > > Regression: No
> > >
> > > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k
> > directory
> > > block size (-n size=65536). It's reproducible for me, and the last time I
> > > reproduce this bug on linux v6.0+ which HEAD= ...
> > >
> > > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734
> > > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > > Date: Fri Oct 7 17:04:10 2022 -0700
> > >
> > > Merge tag 'driver-core-6.1-rc1' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
> > >
> > > I hit this issue on xfs with 64k directory block size 3 times(aarch64,
> > x86_64
> > > and ppc64le), and once on xfs with 1k blocksize (aarch64).
> > >
> > >
> > > [1]
> > > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42
> > > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4333.094807] XFS (sda3): Unmounting Filesystem
> > > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem
> > > [ 4333.973061] XFS (sda3): Ending clean mount
> > > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4338.564849] XFS (sda3): Unmounting Filesystem
> > > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem
> > > [ 4339.430908] XFS (sda3): Ending clean mount
> > > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4343.379506] XFS (sda3): Unmounting Filesystem
> > > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem
> > > [ 4344.232984] XFS (sda3): Ending clean mount
> > > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4348.198562] XFS (sda3): Unmounting Filesystem
> > > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem
> > > [ 4349.104995] XFS (sda3): Ending clean mount
> > > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use
> at
> > > your own risk!
> > > [ 4353.233555] XFS (sda3): Unmounting Filesystem
> > > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem
> > > [ 4354.135975] XFS (sda3): Ending clean mount
> > > [ 4354.337550] ------------[ cut here ]------------
> > > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single
> > field
> > > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16)
> > > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at
> fs/xfs/xfs_extfree_item.c:693
> > > xfs_efi_item_relog+0x1fc/0x270 [xfs]
> >
> > I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the
> > structure definition is:
> >
> > typedef struct xfs_efd_log_format {
> > uint16_t efd_type; /* efd log item type */
> > uint16_t efd_size; /* size of this item */
> > uint32_t efd_nextents; /* # of extents freed */
> > uint64_t efd_efi_id; /* id of corresponding efi */
> > xfs_extent_t efd_extents[1]; /* array of extents freed */
> > } xfs_efd_log_format_t;
> >
> > Yuck, an array[1] that is actually a VLA!
>
> Always been the case; the comment above both EFI and EFD definitions
> state this directly:
>
> /*
> * This is the structure used to lay out an efi log item in the
> * log. The efi_extents field is a variable size array whose
> * size is given by efi_nextents.
> */
>
> The EFI/EFD support recording multiple extents being freed in a
> single intent. The idea behind this originally was that all the
> extents being freed in a single transaction would be recorded in the
> same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could
> then be relogged as progress freeing those extents is made after the
> BMBT modifications were committed...
>
> > I guess we're going to have to turn that into a real VLA, and adjust the
> > xfs_ondisk.h macros to match?
> >
> > What memory sanitizer kconfig option enables this, anyway?
>
> 54d9469bc515 fortify: Add run-time WARN for cross-field memcpy()
>
> CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2.
>
> It effectively ignores flex arrays defined with [], but sees
> anything defined with [1] as a fixed size array of known size and so
> issues a warning when it's actually used as a flex array.
>
> unsafe_memcpy() could be a temporary solution, given we know the
> code works fine as it stands...
Annoyingly, this now triggers fstests failures on xfs/436 when log
recovery tries to memcpy a BUI log item:
------------[ cut here ]------------
memcpy: detected field-spanning write (size 48) of single field
"dst_bui_fmt" at fs/xfs/xfs_bmap_item.c:628 (size 16)
WARNING: CPU: 0 PID: 20925 at fs/xfs/xfs_bmap_item.c:628
xlog_recover_bui_commit_pass2+0x124/0x160 [xfs]
Here we're using struct xfs_map_extent bui_extents[] for the VLA, so I
think this means the memcpy fortify macros aren't detecting the VLAs
correctly at all.
--D
> Cheers,
>
> Dave.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread