From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id DCC8BC4332F for ; Sun, 12 Nov 2023 13:08:06 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E91CC6B0250; Sun, 12 Nov 2023 08:08:05 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id E416E6B0251; Sun, 12 Nov 2023 08:08:05 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D08DD6B0252; Sun, 12 Nov 2023 08:08:05 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id C04AF6B0250 for ; Sun, 12 Nov 2023 08:08:05 -0500 (EST) Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 87BF7120695 for ; Sun, 12 Nov 2023 13:08:05 +0000 (UTC) X-FDA: 81449330130.04.D1E31FC Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by imf11.hostedemail.com (Postfix) with ESMTP id 9500B40004 for ; Sun, 12 Nov 2023 13:08:03 +0000 (UTC) Authentication-Results: imf11.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=aJwd65cm; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf11.hostedemail.com: domain of bagasdotme@gmail.com designates 209.85.215.177 as permitted sender) smtp.mailfrom=bagasdotme@gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1699794483; a=rsa-sha256; cv=none; b=1cp09mFQwMNkQygKOg2jvkpNM8SNo/ohSnmqBKZ4F6M4id60T4eLgVhQ9OAPGuQs7zkuTw Ub5cXDPxeDPQF5F7OBHNi3NNEnCZbHY54W+ZQ0MkcMWpCSOyMAZOQvZHY8bv9AwKHIK7Vp rIkO/Dx9PO7JjMTuukAW3pgJitkx1gc= ARC-Authentication-Results: i=1; imf11.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=aJwd65cm; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf11.hostedemail.com: domain of bagasdotme@gmail.com designates 209.85.215.177 as permitted sender) smtp.mailfrom=bagasdotme@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1699794483; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=0RWVxpLK427H4whnOsLZxvmuxHp90iMSfaDnF1x/Reg=; b=ui2xYiC2PYqYbUBfc1CFPqn5qn18ryd14VH3b2bDVFvZV5A1pTl+w35a5umRuRmb7CqeFB aHSODq+igYkDyytD+n4WJ8jrnO9WRYoRXez034iWPjMvCPkfq+RBf6aRl3hGEjI7g+ixM7 LReP28eBpy1/U7IQJ/Mn2CK1PPFWaaM= Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-5b97ca78da8so2281012a12.3 for ; Sun, 12 Nov 2023 05:08:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699794482; x=1700399282; darn=kvack.org; h=content-transfer-encoding:subject:from:cc:to:content-language :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=0RWVxpLK427H4whnOsLZxvmuxHp90iMSfaDnF1x/Reg=; b=aJwd65cmZnYFVtwh8JApORDY/dHHUoB0911dl+CBXJ8F+vM6vUAVQIHMdex8OkN9pY bWLfeHVqctqzXmB8BtNh/uHPN3Ch6kK1f0wG77Cdo2nUVt7irEpAfV4ew3M4sY7iPRAJ b24M0UyqfFzNlSQKnxSxtNLv9oXdJU9n7Wkkzu+eqRi6xf6ZmVVC0tFoRg+UaX7+1WM6 0HmgPw2rzPijrpebyjhUB3GC8kZc7JCB0B3092TZhqwFUrVAsl0DMy2ETUB5+Ojij0hy up62pT0PrTYxC7Lq8XkbuYLOOfPCATmIFjkXbj6q09iGg3/vYcWNh72vRBJiwDd7OyQZ F0eA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699794482; x=1700399282; h=content-transfer-encoding:subject:from:cc:to:content-language :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=0RWVxpLK427H4whnOsLZxvmuxHp90iMSfaDnF1x/Reg=; b=LQ3Duv7aMIdgBDqa60FJWGngGWJZ4plNdJkTJcvonacKEekRMsTP+Jfd2lD3OSgwE1 6FHnBpGLissvMV1ztnG7gLZ5UkVbpwwDw3V5wjH2eP3+8XvrtlDomMJprKcabuWNx7W5 3i7qkPrIlRKIepbpZefCCIUNkW9UPzMaIuhRsvVldSfdkM4pge/31yIhFY1GjYM2QbAQ CV12d+g9a+mHw7jh/4kDOcyNUKSgl7/Vi3dQhr045ivtw2631KATTAP3ID+g/HcurYG8 QP9ZFjYJboAG6Lcl/BhX7KjeBcBZftrXDjpyTCir77pxWawF/Y791uSC1Vd3LYtBsqSQ vI/A== X-Gm-Message-State: AOJu0Yx4+a60ex1vSu/2RWXoV7leyBYsjPIlkZR1yBC2tLBzWbyDxNSV r0sD/KB7GVlSsedsv8kn7e0= X-Google-Smtp-Source: AGHT+IHPJAfhni0/ObKioqYvoX6TGhRp50dQHj13OyNKx/2qLZH9UgXzwDvJ1gJxfAYbA7djvY9i0w== X-Received: by 2002:a17:903:1210:b0:1cc:87f8:96bc with SMTP id l16-20020a170903121000b001cc87f896bcmr3209455plh.15.1699794482147; Sun, 12 Nov 2023 05:08:02 -0800 (PST) Received: from [192.168.0.106] ([103.131.18.64]) by smtp.gmail.com with ESMTPSA id y3-20020a17090322c300b001c3721897fcsm2558309plg.277.2023.11.12.05.07.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 12 Nov 2023 05:08:01 -0800 (PST) Message-ID: <7fa629b5-74bb-43a2-a1bc-38c4a221b30c@gmail.com> Date: Sun, 12 Nov 2023 20:07:53 +0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: Linux Kernel Mailing List , Linux Filesystem Development , Linux Memory Management List Cc: Anders Larsen , Al Viro , Greg Kroah-Hartman , Arnd Bergmann , Niek Nooijens , Monthero Ronald From: Bagas Sanjaya Subject: Fwd: Kernel panic on listing QNX4 fs directory Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspam-User: X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: 9500B40004 X-Stat-Signature: gojkuwsnzznn1dk594fnkfajc8dexseo X-HE-Tag: 1699794483-274012 X-HE-Meta: U2FsdGVkX1/C5/N6c/GHP3WZEt5ngm4n3RylCXteawHvFulPVsyHPAvSFTsjUmAVkL++QSst9O1gVj+gQJe/wgzNH2BQS6Xk1SDn1TLt7rd+6OWpw1FU/jG+HlukOeO3ZaRT743oB8aLIh1GL1+f2F3EjZNTYIsqiTgDrbcNBv3xK2dnyVXieay8YfRmCmhDboMSByoiiW1UFgQtJ9BSMuGqUVLeWcqXpsmohvckFkpzO6RJR/fBGjHZ/5tO1YiHV5KDAfyE5ge2A3Fk5Yyhflrrsxl4l9TPKxaMWfaHuD2tI6tDL1y5ZQNTVvpzyyawVIwDWeWnQGYQ//wwfX/azsFqWp4S8YIoEqcwtva1aXtDpuRu7Y+DZchvuqWMhK3hIl6ys4UvpisMuv2UjbLkw/G1Reqt9Bjg54yMFVss8Fta2csrtaQFiJiaBJq3gUv/XBNCXMCqwUAOPl4Yufq+fIoV7L/r8WTlV2kV/NNfVj9IE6SJSZfiYY0Eyhlpoph/YbipoXLuAOoDkHHppX0qZWJEwj/OpW7cUfDuN2IOelJDa/bPijkmRE0f9OEyAUi4nVoVZgFvCF5qi7xIcet3N0PZL2i2Zz/XdRekb079DYJUMAXhG0wIiQ8860beCgF8nS7mpwTbWzVj3bt9UmuY5vvqWsg65SZFkah6xpnRetyWagB5/kufFLNvyQDGQJJslbg+ax8ZAp+qhZP/qi3uMJ8uBq7QMVEx9+WRMWz9+yjI5twojojkLvAHygL0lE43mGqzTCEPPcrj5I8uPFbivTmnisFTa3hFzScHwQ6wqWyevdbzVYUtEI/3bD+xWFLi+opQ2lG47QZv9Ytb8BGTrjzjJCggA+kAZmXGUb3XSwtD26PN8GTyDs8xCP1qJxh1oBAufm0y6v4Nc3IyKTEGSrs1fFN8U0CckwUGpa0eNyl7MZo1rSM/JBXOun35ZbI3OVe1dMkvRIbVuFUFJPw nEpaEYa/ ikzKG8WYjdMB8meYLXrPvGHJzP1zn6AjUsLEKGicRCj6LaL3gBNvI2ToqFU5q2Qbg5+LyH2oWdcyxqdAPd48gOCoUuG+jzHnffUIVqh29HOamrSvbhf2CfbqGE1OWqNm0lr377O+w7MTtD0F3Qpje5I8VnTVNPmMxI9Oz+vSmszBkUYhs3Fi1RhGJW0zf8EqqQgWR3QlGuatOKMn/LPI08NSHrBYDNUpA0XjQxSlZLD7ED6STpqipe59FdZcAYep2VoyhOC+tXzygcrDTybffcy8K3/nLuiv1V1LFM9HtRzd6mkgqBo25iMi6tTOzBlZ4GTSv8Bpe0a3V6EWtIHtCij6A3ijHl3GxPCyBjyN4494h4RPblh3whu9iNcLPPu7IX2j6Sg1WS/zAKM8E7vjYBkK7SgISAdJZY6sHKVHgtYCxKQmORHsJhXR/0mcUmC5wsTN9AS5A5E1Ek8LVmVjtzbstmt+WW6DIL2XrSxogsE9FkyvxFgxe67hlg/H2VSd8A3EfQbdMYQIDr+zROH5F8LzyfsQYGDyfY27MhFjJ5f1nm6M+72mqasWGRisZiY8WhlTdcqb8c0n7FIw= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Hi, I notice a bug report on Bugzilla [1]. Quoting from it: > When mounting a QNX4 filesystem in linux 6.6.0 (latest mainline) listing a directory may fail and cause a kernel panic. > > > First discovered on ubuntu's own kernel, however I was curious if this was ubuntu-specific. turned out it wasn't. I compiled 6.6.0 from scratch with the attached config. > > > steps to reproduce: > 1. grab 6.6.0 from kernel.org main page. > 2. apply attached config > 3. make modules_install > 4. sudo make install > 5. reboot into new kernel > 6. open disk image with disk image mounter (attaches it to /dev/loop30) > 7. mount /dev/loop30p3 /mnt #(qnx partition) > 8. cd /dmnt > 9. execute ls a few times in different directories. > > > the first ls will give a [detected buffer overflow in strlen] kernel message. > after a few times it completely hangs. > > > /var/log/kern.log reveals a full on panic: > > Nov 7 10:34:09 noonie-T580-Linux kernel: [ 234.756173] kernel BUG at lib/string.c:1165! > Nov 7 10:34:09 noonie-T580-Linux kernel: [ 234.756184] invalid opcode: 0000 [#1] SMP PTI > .... > > Full log is in the attachment. Another reporter pinned down the cause: > Checking the provided kernel log and config the below is what seems to be cause of the panic during the lookup operation of the qnx4 directory > > Panic dump stack indicates string length buffer overflow > and it is at below context during qnx4_lookup() => qnx4_find_entry() => qnx4_match() > > [ 4849.636861] detected buffer overflow in strlen > [ 4849.636897] ------------[ cut here ]------------ > [ 4849.636902] kernel BUG at lib/string.c:1165! > [ 4849.636917] invalid opcode: 0000 [#2] SMP PTI > .. > [ 4849.637047] Call Trace: > [ 4849.637053] > [ 4849.637059] ? show_trace_log_lvl+0x1d6/0x2ea > [ 4849.637075] ? show_trace_log_lvl+0x1d6/0x2ea > [ 4849.637095] ? qnx4_find_entry.cold+0xc/0x18 [qnx4] > [ 4849.637111] ? show_regs.part.0+0x23/0x29 > [ 4849.637123] ? __die_body.cold+0x8/0xd > [ 4849.637135] ? __die+0x2b/0x37 > [ 4849.637147] ? die+0x30/0x60 > [ 4849.637161] ? do_trap+0xbe/0x100 > [ 4849.637171] ? do_error_trap+0x6f/0xb0 > [ 4849.637180] ? fortify_panic+0x13/0x15 > [ 4849.637192] ? exc_invalid_op+0x53/0x70 > [ 4849.637203] ? fortify_panic+0x13/0x15 > [ 4849.637215] ? asm_exc_invalid_op+0x1b/0x20 > [ 4849.637228] ? fortify_panic+0x13/0x15 > [ 4849.637240] ? fortify_panic+0x13/0x15 > [ 4849.637251] qnx4_find_entry.cold+0xc/0x18 [qnx4] > [ 4849.637264] qnx4_lookup+0x3c/0xa0 [qnx4] > [ 4849.637275] __lookup_slow+0x85/0x150 > [ 4849.637291] walk_component+0x145/0x1c0 > [ 4849.637304] ? path_init+0x2c0/0x3f0 > [ 4849.637316] path_lookupat+0x6e/0x1c0 > [ 4849.637330] filename_lookup+0xcf/0x1d0 > [ 4849.637341] ? __check_object_size+0x1d/0x30 > [ 4849.637354] ? strncpy_from_user+0x44/0x150 > [ 4849.637365] ? getname_flags.part.0+0x4c/0x1b0 > [ 4849.637375] user_path_at_empty+0x3f/0x60 > [ 4849.637383] vfs_statx+0x7a/0x130 > [ 4849.637393] do_statx+0x45/0x80 > .. > > ( in kernel config CONFIG_FORTIFY_SOURCE=y ) > > linux-git$ git describe > v6.6-16177-gea69f5e8240 > > static int qnx4_match(int len, const char *name, > struct buffer_head *bh, unsigned long *offset) > { > struct qnx4_inode_entry *de; > int namelen, thislen; > > if (bh == NULL) { > printk(KERN_WARNING "qnx4: matching unassigned buffer !\n"); > return 0; > } > de = (struct qnx4_inode_entry *) (bh->b_data + *offset); > *offset += QNX4_DIR_ENTRY_SIZE; > if ((de->di_status & QNX4_FILE_LINK) != 0) { > namelen = QNX4_NAME_MAX; > } else { > namelen = QNX4_SHORT_NAME_MAX; > } > > thislen = strlen( de->di_fname ); << [1] buffer overflow > if ( thislen > namelen ) > thislen = namelen; > if (len != thislen) { > return 0; > } > > [reply] [−] Comment 2 See Bugzilla for the full thread, attached kernel log, and proposed fix. Thanks. [1]: https://bugzilla.kernel.org/show_bug.cgi?id=218111 -- An old man doll... just what I always wanted! - Clara