On Sun, Oct 09, 2022 at 10:08:46AM -0700, Darrick J. Wong wrote: > On Sun, Oct 09, 2022 at 11:59:13AM +0000, bugzilla-daemon@xxxxxxxxxx wrote: > > https://bugzilla.kernel.org/show_bug.cgi?id=216563 > > > > Bug ID: 216563 > > Summary: [xfstests generic/113] memcpy: detected field-spanning > > write (size 32) of single field > > "efdp->efd_format.efd_extents" at > > fs/xfs/xfs_extfree_item.c:693 (size 16) > > Product: File System > > Version: 2.5 > > Kernel Version: v6.1-rc0 > > Hardware: All > > OS: Linux > > Tree: Mainline > > Status: NEW > > Severity: normal > > Priority: P1 > > Component: XFS > > Assignee: filesystem_xfs@xxxxxxxxxxxxxxxxxxxxxx > > Reporter: zlang@xxxxxxxxxx > > Regression: No > > > > I xfstests generic/113 hit below kernel warning [1] on xfs with 64k directory > > block size (-n size=65536). It's reproducible for me, and the last time I > > reproduce this bug on linux v6.0+ which HEAD= ... > > > > commit e8bc52cb8df80c31c73c726ab58ea9746e9ff734 > > Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > > Date: Fri Oct 7 17:04:10 2022 -0700 > > > > Merge tag 'driver-core-6.1-rc1' of > > git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core > > > > I hit this issue on xfs with 64k directory block size 3 times(aarch64, x86_64 > > and ppc64le), and once on xfs with 1k blocksize (aarch64). > > > > > > [1] > > [ 4328.023770] run fstests generic/113 at 2022-10-08 11:57:42 > > [ 4330.104632] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at > > your own risk! > > [ 4333.094807] XFS (sda3): Unmounting Filesystem > > [ 4333.934996] XFS (sda3): Mounting V5 Filesystem > > [ 4333.973061] XFS (sda3): Ending clean mount > > [ 4335.457595] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at > > your own risk! > > [ 4338.564849] XFS (sda3): Unmounting Filesystem > > [ 4339.391848] XFS (sda3): Mounting V5 Filesystem > > [ 4339.430908] XFS (sda3): Ending clean mount > > [ 4340.100364] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at > > your own risk! > > [ 4343.379506] XFS (sda3): Unmounting Filesystem > > [ 4344.195036] XFS (sda3): Mounting V5 Filesystem > > [ 4344.232984] XFS (sda3): Ending clean mount > > [ 4345.190073] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at > > your own risk! > > [ 4348.198562] XFS (sda3): Unmounting Filesystem > > [ 4349.065061] XFS (sda3): Mounting V5 Filesystem > > [ 4349.104995] XFS (sda3): Ending clean mount > > [ 4350.118883] XFS (sda3): EXPERIMENTAL online scrub feature in use. Use at > > your own risk! > > [ 4353.233555] XFS (sda3): Unmounting Filesystem > > [ 4354.093530] XFS (sda3): Mounting V5 Filesystem > > [ 4354.135975] XFS (sda3): Ending clean mount > > [ 4354.337550] ------------[ cut here ]------------ > > [ 4354.342354] memcpy: detected field-spanning write (size 32) of single field > > "efdp->efd_format.efd_extents" at fs/xfs/xfs_extfree_item.c:693 (size 16) > > [ 4354.355820] WARNING: CPU: 7 PID: 899243 at fs/xfs/xfs_extfree_item.c:693 > > xfs_efi_item_relog+0x1fc/0x270 [xfs] > > I think this is caused by an EF[ID] with ef[id]_nextents > 1, since the > structure definition is: > > typedef struct xfs_efd_log_format { > uint16_t efd_type; /* efd log item type */ > uint16_t efd_size; /* size of this item */ > uint32_t efd_nextents; /* # of extents freed */ > uint64_t efd_efi_id; /* id of corresponding efi */ > xfs_extent_t efd_extents[1]; /* array of extents freed */ > } xfs_efd_log_format_t; > > Yuck, an array[1] that is actually a VLA! Always been the case; the comment above both EFI and EFD definitions state this directly: /* * This is the structure used to lay out an efi log item in the * log. The efi_extents field is a variable size array whose * size is given by efi_nextents. */ The EFI/EFD support recording multiple extents being freed in a single intent. The idea behind this originally was that all the extents being freed in a single transaction would be recorded in the same EFI (i.e. XFS_ITRUNC_MAX_EXTENTS) and the EFI and EFD could then be relogged as progress freeing those extents is made after the BMBT modifications were committed... > I guess we're going to have to turn that into a real VLA, and adjust the > xfs_ondisk.h macros to match? > > What memory sanitizer kconfig option enables this, anyway? 54d9469bc515 fortify: Add run-time WARN for cross-field memcpy() CONFIG_FORTIFY_SOURCE=y, committed in 6.0-rc2. It effectively ignores flex arrays defined with [], but sees anything defined with [1] as a fixed size array of known size and so issues a warning when it's actually used as a flex array. unsafe_memcpy() could be a temporary solution, given we know the code works fine as it stands... Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx
