memcpy: detected field-spanning write #16501

Closed
leelists opened this issue Sep 3, 2024 · 5 comments · Fixed by #16539
Labels
Type: Defect (Incorrect behavior, e.g. crash, hang)

Comments

@leelists

leelists commented Sep 3, 2024

System information

Type                   Version/Name
Distribution Name      armbian
Distribution Version   24.11
Kernel Version         6.11.0-rc4-edge-rockchip-rk3588
Architecture
OpenZFS Version        2.2.99-687_gb3b749161

Describe the problem you're observing

kernel warn on zpool import

Describe how to reproduce the problem

zpool import tank

Include any warning/errors/backtraces from the system logs

[   37.404937] ------------[ cut here ]------------
[   37.404949] memcpy: detected field-spanning write (size 14) of single field "lr + 1" at /var/lib/dkms/zfs/2.2.99/build/module/zfs/zfs_log.c:461 (size 0)
[   37.405016] WARNING: CPU: 0 PID: 2495 at /var/lib/dkms/zfs/2.2.99/build/module/zfs/zfs_log.c:461 zfs_log_link+0x100/0x108 [zfs]
[   37.405155] Modules linked in: ebtable_filter ebtables ip_set ip6table_raw iptable_raw ip6table_filter ip6_tables iptable_filter bridge bonding tls lz4hc lz4 zram sunrpc nfnetlink_log nfnetlink binfmt_misc crct10dif_ce hantro_vpu snd_soc_rt5616 v4l2_vp9 snd_soc_rl6231 rk805_pwrkey rockchip_vdec2 v4l2_jpeg rockchip_rga v4l2_h264 nvmem_rockchip_otp v4l2_mem2mem rk_crypto2 videobuf2_dma_sg videobuf2_dma_contig sm3_generic rockchip_rng crypto_engine sm3 videobuf2_memops snd_soc_rockchip_i2s_tdm videobuf2_v4l2 videodev videobuf2_common mc snd_soc_simple_card snd_soc_simple_card_utils snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_pcm snd_timer snd soundcore cfg80211 rfkill vhost_net tun vhost vhost_iotlb tap dm_mod ip_tables x_tables autofs4 zfs(PO) spl(O) r8169 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 simplefb rk808_regulator rockchipdrm fusb302 dw_hdmi_qp dw_mipi_dsi dw_hdmi tcpm analogix_dp rk8xx_spi phy_rockchip_samsung_hdptx rk8xx_core phy_rockchip_snps_pcie3 cec
[   37.405356]  panthor drm_gpuvm drm_dma_helper gpu_sched drm_display_helper drm_shmem_helper drm_exec drm_kms_helper drm adc_keys
[   37.405385] CPU: 0 UID: 1000 PID: 2495 Comm: xauth Tainted: P        W  O       6.11.0-rc4-edge-rockchip-rk3588 #2
[   37.405395] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE
[   37.405399] Hardware name: FriendlyElec CM3588 NAS (DT)
[   37.405403] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   37.405409] pc : zfs_log_link+0x100/0x108 [zfs]
[   37.405535] lr : zfs_log_link+0x100/0x108 [zfs]
[   37.405660] sp : ffff800090c3bb90
[   37.405663] x29: ffff800090c3bb90 x28: 0000000000000000 x27: ffff00010661c0f8
[   37.405674] x26: 0000000000000000 x25: ffff00016b7b7290 x24: ffff000141c8ee28
[   37.405685] x23: ffff000141ece938 x22: ffff000121b489c0 x21: ffff000102e1f000
[   37.405695] x20: ffff0001264fb600 x19: 000000000000000e x18: ffffffffffffffff
[   37.405705] x17: 0000000000000000 x16: 0000000000000000 x15: 667a2f736d6b642f
[   37.405715] x14: 62696c2f7261762f x13: 0000000000000496 x12: 00000000ffffffea
[   37.405725] x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800081d80b90
[   37.405735] x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 00000000000affa8
[   37.405744] x5 : ffff0004fddf2f88 x4 : 0000000000000000 x3 : ffff80047c4ff000
[   37.405754] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000107263480
[   37.405764] Call trace:
[   37.405767]  zfs_log_link+0x100/0x108 [zfs]
[   37.405893]  zfs_link+0x5f8/0x678 [zfs]
[   37.406018]  zpl_link+0x8c/0x118 [zfs]
[   37.406142]  vfs_link+0x2c8/0x3e4
[   37.406152]  do_linkat+0x238/0x2d0
[   37.406157]  __arm64_sys_linkat+0x5c/0x78
[   37.406163]  invoke_syscall+0x48/0x110
[   37.406172]  el0_svc_common.constprop.0+0x40/0xe8
[   37.406179]  do_el0_svc+0x20/0x2c
[   37.406185]  el0_svc+0x38/0x100
[   37.406193]  el0t_64_sync_handler+0x13c/0x158
[   37.406199]  el0t_64_sync+0x1a4/0x1a8
[   37.406205] ---[ end trace 0000000000000000 ]---

leelists added the Type: Defect label Sep 3, 2024
@dankamongmen
Contributor

dankamongmen commented Sep 16, 2024

I'm also seeing this on x86, though in zfs_log_remove():

[ 1907.500667] ------------[ cut here ]------------
[ 1907.500673] memcpy: detected field-spanning write (size 64) of single field "lr + 1" at /var/lib/dkms/zfs/2.2.6/build/module/zfs/zfs_log.c:425 (size 0)
[ 1907.500705] WARNING: CPU: 8 PID: 3047 at /var/lib/dkms/zfs/2.2.6/build/module/zfs/zfs_log.c:425 zfs_log_remove+0xfa/0x100 [zfs]
[ 1907.500776] Modules linked in: tls nft_masq nft_nat nft_fib_ipv4 nft_fib nft_chain_nat xt_MASQUERADE nf_nat xt_multiport xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat rfcomm cmac algif_hash algif_skcipher af_alg bnep wireguard libchacha20poly1305 chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel udp_tunnel curve25519_x86_64 libcurve25519_generic libchacha nf_tables binfmt_misc amdgpu nls_ascii nls_cp437 edac_mce_amd kvm_amd gigabyte_wmi wmi_bmof kvm snd_hda_codec_realtek snd_hda_codec_generic crct10dif_pclmul snd_hda_scodec_component ghash_clmulni_intel mt7921e sha512_ssse3 mt7921_common sha256_ssse3 mt792x_lib sha1_ssse3 snd_hda_codec_hdmi mt76_connac_lib mt76 snd_hda_intel snd_intel_dspcfg snd_usb_audio drm_exec drm_suballoc_helper snd_hda_codec amdxcp mac80211 mfd_core snd_usbmidi_lib drm_buddy uvcvideo snd_hda_core snd_rawmidi gpu_sched uvc aesni_intel snd_pcsp snd_hwdep snd_seq_device videobuf2_vmalloc drm_display_helper btusb gf128mul videobuf2_memops btrtl crypto_simd snd_pcm
[ 1907.500796]  videobuf2_v4l2 cec cryptd btbcm videobuf2_common libarc4 drm_ttm_helper btmtk snd_timer cdc_acm videodev ttm btintel ch341 ccp snd cfg80211 drm_kms_helper sp5100_tco bluetooth usbserial mc led_class usblp rapl k10temp watchdog aquacomputer_d5next soundcore i2c_algo_bit rng_core video rfkill zfs(POE) spl(OE) wmi evdev button sg tcp_bbr nfsd auth_rpcgss lockd grace drivetemp sunrpc it87(OE) drm hwmon_vid fuse efi_pstore configfs nfnetlink ip_tables x_tables autofs4 efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 r8153_ecm cdc_ether usbnet raid1 hid_generic usbhid hid md_mod sfc r8169 crc32_pclmul r8152 crc32c_intel realtek i2c_piix4 mii mdio_devres i2c_smbus mdio libphy ptp pps_core ses enclosure
[ 1907.500833] CPU: 8 UID: 0 PID: 3047 Comm: nfsd Tainted: P           OE      6.11.0 #67
[ 1907.500836] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 1907.500837] Hardware name: Gigabyte Technology Co., Ltd. X670 AORUS ELITE AX/X670 AORUS ELITE AX, BIOS F22b 02/06/2024
[ 1907.500839] RIP: 0010:zfs_log_remove+0xfa/0x100 [zfs]
[ 1907.500881] Code: 89 df e8 69 eb 00 00 eb d7 48 8b 74 24 10 31 c9 48 c7 c2 d0 af 0f c1 48 c7 c7 20 af 0f c1 c6 05 43 8c 0e 00 01 e8 86 18 68 c6 <0f> 0b eb 96 66 90 66 0f 1f 00 0f 1f 44 00 00 41 57 49 89 cf 41 56
[ 1907.500884] RSP: 0018:ffffbe2302d6bb90 EFLAGS: 00010286
[ 1907.500885] RAX: 0000000000000000 RBX: ffff9c6b63ecf800 RCX: 0000000000000000
[ 1907.500886] RDX: 0000000000000002 RSI: 0000000000000027 RDI: 00000000ffffffff
[ 1907.500887] RBP: ffff9c6b41118fc0 R08: 0000000000000000 R09: ffffbe2302d6ba00
[ 1907.500888] R10: ffffffff88ca8708 R11: 0000000000000003 R12: ffff9c6b476c2970
[ 1907.500889] R13: ffff9c6b78de7e00 R14: ffff9c6b78de7e70 R15: 00000000000208a3
[ 1907.500891] FS:  0000000000000000(0000) GS:ffff9c7a3e400000(0000) knlGS:0000000000000000
[ 1907.500892] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1907.500893] CR2: 00007f4c2169bd20 CR3: 0000000c13a1a000 CR4: 0000000000750ef0
[ 1907.500894] PKRU: 55555554
[ 1907.500895] Call Trace:
[ 1907.500897]  <TASK>
[ 1907.500898]  ? zfs_log_remove+0xfa/0x100 [zfs]
[ 1907.500936]  ? __warn.cold+0x8e/0xe8
[ 1907.500940]  ? zfs_log_remove+0xfa/0x100 [zfs]
[ 1907.500977]  ? report_bug+0xe6/0x170
[ 1907.500978]  ? handle_bug+0x38/0x70
[ 1907.500980]  ? exc_invalid_op+0x17/0x60
[ 1907.500982]  ? asm_exc_invalid_op+0x1a/0x20
[ 1907.500984]  ? zfs_log_remove+0xfa/0x100 [zfs]
[ 1907.501020]  zfs_remove+0x635/0xa20 [zfs]
[ 1907.501060]  zpl_unlink+0x65/0xb0 [zfs]
[ 1907.501096]  vfs_unlink+0xf6/0x280
[ 1907.501099]  nfsd_unlink+0x186/0x300 [nfsd]
[ 1907.501112]  nfsd4_remove+0x4f/0x90 [nfsd]
[ 1907.501123]  nfsd4_proc_compound+0x32b/0x630 [nfsd]
[ 1907.501131]  nfsd_dispatch+0xc8/0x210 [nfsd]
[ 1907.501142]  svc_process_common+0x493/0x600 [sunrpc]
[ 1907.501156]  ? nfsd_svc+0x320/0x320 [nfsd]
[ 1907.501164]  svc_process+0x131/0x170 [sunrpc]
[ 1907.501173]  svc_recv+0x7d7/0x980 [sunrpc]
[ 1907.501187]  ? nfsd_inet6addr_event+0x120/0x120 [nfsd]
[ 1907.501195]  nfsd+0x87/0xd0 [nfsd]
[ 1907.501203]  kthread+0xde/0x110
[ 1907.501205]  ? kthread_park+0x80/0x80
[ 1907.501206]  ret_from_fork+0x31/0x50
[ 1907.501208]  ? kthread_park+0x80/0x80
[ 1907.501209]  ret_from_fork_asm+0x11/0x20
[ 1907.501212]  </TASK>
[ 1907.501212] ---[ end trace 0000000000000000 ]---

@kees

kees commented Sep 22, 2024

This is likely due to upstream commit 2003e483a81c ("fortify: Do not special-case 0-sized destinations"). The lr + 1 is probably beyond the end of the prior structure, so the memcpy sees it as 0-sized. This is out-of-tree code, though, so that's how it got missed in upstream sweeps for this kind of code pattern.

@xplodwild

This happened to me too on Ubuntu 24.10 beta + Linux 6.11.0-061100-generic x86_64

2024-09-25T13:45:09.578963+02:00 mana kernel: ------------[ cut here ]------------
2024-09-25T13:45:09.578972+02:00 mana kernel: memcpy: detected field-spanning write (size 3) of single field "(char *)(lr + 1)" at /var/lib/dkms/zfs/2.2.6/build/module/zfs/zfs_log.c:593 (size 0)
2024-09-25T13:45:09.578974+02:00 mana kernel: WARNING: CPU: 0 PID: 3754 at /var/lib/dkms/zfs/2.2.6/build/module/zfs/zfs_log.c:593 zfs_log_rename_whiteout+0x267/0x2b0 [zfs]
2024-09-25T13:45:09.580020+02:00 mana kernel: Modules linked in: overlay uhid rfcomm cmac algif_hash algif_skcipher af_alg bnep binfmt_misc snd_ctl_led snd_soc_skl_hda_dsp snd_soc_hdac_hdmi snd_soc_intel_hda_dsp_common snd_sof_probes xe snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_soc_dmic drm_suballoc_helper input_leds intel_uncore_frequency intel_uncore_frequency_common x86_pkg_temp_thermal intel_powerclamp coretemp snd_sof_pci_intel_tgl snd_sof_pci_intel_cnl snd_sof_intel_hda_generic soundwire_intel soundwire_cadence snd_sof_intel_hda_common snd_sof_intel_hda_mlink snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp iwlmvm snd_sof snd_sof_utils snd_soc_hdac_hda kvm_intel snd_soc_acpi_intel_match nls_iso8859_1 mac80211 soundwire_generic_allocation snd_soc_acpi soundwire_bus kvm snd_soc_avs cmdlinepart snd_soc_hda_codec spi_nor snd_hda_ext_core snd_usb_audio mei_hdcp mei_pxp mtd ee1004 intel_rapl_msr libarc4 snd_soc_core rapl snd_usbmidi_lib nouveau i915 snd_compress snd_ump snd_hda_codec_hdmi ac97_bus uvcvideo
2024-09-25T13:45:09.580037+02:00 mana kernel:  snd_pcm_dmaengine snd_seq_midi videobuf2_vmalloc snd_seq_midi_event uvc snd_hda_intel videobuf2_memops btusb videobuf2_v4l2 intel_cstate mxm_wmi snd_intel_dspcfg iwlwifi drm_gpuvm snd_rawmidi btrtl snd_intel_sdw_acpi videodev btintel drm_exec snd_hda_codec btbcm processor_thermal_device_pci_legacy gpu_sched snd_hda_core videobuf2_common essiv drm_buddy drm_ttm_helper processor_thermal_device snd_hwdep btmtk authenc snd_seq mei_me ttm processor_thermal_wt_hint wmi_bmof cfg80211 mc razeraccessory(OE) snd_pcm bluetooth processor_thermal_rfim snd_seq_device spi_intel_pci i2c_i801 processor_thermal_rapl mei drm_display_helper i2c_mux snd_timer spi_intel i2c_smbus intel_rapl_common processor_thermal_wt_req cec snd processor_thermal_power_floor rc_core processor_thermal_mbox soundcore i2c_algo_bit intel_soc_dts_iosf razermouse(OE) razerkbd(OE) intel_pmc_core int3403_thermal int340x_thermal_zone intel_vsec pmt_telemetry intel_hid int3400_thermal joydev pmt_class acpi_thermal_rel acpi_pad sparse_keymap acpi_tad
2024-09-25T13:45:09.580041+02:00 mana kernel:  mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 uas usb_storage zfs(POE) spl(OE) cdc_ether usbnet dm_crypt r8152 mii usbhid hid_multitouch crct10dif_pclmul hid_generic crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel rtsx_pci_sdmmc nvme sha256_ssse3 intel_lpss_pci sha1_ssse3 intel_lpss i2c_hid_acpi rtsx_pci thunderbolt xhci_pci nvme_core idma64 xhci_pci_renesas i2c_hid nvme_auth hid video wmi pinctrl_tigerlake aesni_intel crypto_simd cryptd
2024-09-25T13:45:09.580046+02:00 mana kernel: CPU: 0 UID: 0 PID: 3754 Comm: podman Kdump: loaded Tainted: P        W  OE      6.11.0-061100-generic #202409151536
2024-09-25T13:45:09.580049+02:00 mana kernel: Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
2024-09-25T13:45:09.580051+02:00 mana kernel: Hardware name: Razer Blade 15 Advanced Model (Mid 2021) - RZ09-0409/CH570, BIOS 2.02 11/12/2021
2024-09-25T13:45:09.580054+02:00 mana kernel: RIP: 0010:zfs_log_rename_whiteout+0x267/0x2b0 [zfs]
2024-09-25T13:45:09.580056+02:00 mana kernel: Code: cc cc cc 4c 8b 6d a8 31 c9 4c 89 4d d0 48 c7 c2 d8 e1 c3 c0 48 c7 c7 d0 df c3 c0 c6 05 4f 29 14 00 01 4c 89 ee e8 89 a4 e6 d0 <0f> 0b 48 8b 75 b8 48 8b 7d d0 4c 89 ea e8 27 78 00 d2 e9 5a ff ff
2024-09-25T13:45:09.580059+02:00 mana kernel: RSP: 0018:ffffa223417bf780 EFLAGS: 00010246
2024-09-25T13:45:09.580061+02:00 mana kernel: RAX: 0000000000000000 RBX: ffff91e52021f000 RCX: 0000000000000000
2024-09-25T13:45:09.580063+02:00 mana kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
2024-09-25T13:45:09.580065+02:00 mana kernel: RBP: ffffa223417bf7d8 R08: 0000000000000000 R09: 0000000000000000
2024-09-25T13:45:09.580068+02:00 mana kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff91e50ffc60c0
2024-09-25T13:45:09.580070+02:00 mana kernel: R13: 0000000000000003 R14: ffff91e56ae3d4bb R15: ffff91e56ae3d400
2024-09-25T13:45:09.580071+02:00 mana kernel: FS:  0000796a31c26d00(0000) GS:ffff91ec77400000(0000) knlGS:0000000000000000
2024-09-25T13:45:09.580073+02:00 mana kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
2024-09-25T13:45:09.580076+02:00 mana kernel: CR2: 000000c0005ad000 CR3: 0000000130950001 CR4: 0000000000f70ef0
2024-09-25T13:45:09.580078+02:00 mana kernel: PKRU: 55555554
2024-09-25T13:45:09.580080+02:00 mana kernel: Call Trace:
2024-09-25T13:45:09.580081+02:00 mana kernel:  <TASK>
2024-09-25T13:45:09.580084+02:00 mana kernel:  ? show_trace_log_lvl+0x1be/0x310
2024-09-25T13:45:09.580085+02:00 mana kernel:  ? show_trace_log_lvl+0x1be/0x310
2024-09-25T13:45:09.580091+02:00 mana kernel:  ? zfs_rename+0x15e3/0x1730 [zfs]
2024-09-25T13:45:09.580094+02:00 mana kernel:  ? show_regs.part.0+0x22/0x30
2024-09-25T13:45:09.580096+02:00 mana kernel:  ? show_regs.cold+0x8/0x10
2024-09-25T13:45:09.580780+02:00 mana kernel:  ? zfs_log_rename_whiteout+0x267/0x2b0 [zfs]
2024-09-25T13:45:09.580784+02:00 mana kernel:  ? __warn.cold+0xa7/0x101
2024-09-25T13:45:09.580784+02:00 mana kernel:  ? zfs_log_rename_whiteout+0x267/0x2b0 [zfs]
2024-09-25T13:45:09.580785+02:00 mana kernel:  ? report_bug+0x114/0x160
2024-09-25T13:45:09.580785+02:00 mana kernel:  ? handle_bug+0x51/0xa0
2024-09-25T13:45:09.580786+02:00 mana kernel:  ? exc_invalid_op+0x18/0x80
2024-09-25T13:45:09.580788+02:00 mana kernel:  ? asm_exc_invalid_op+0x1b/0x20
2024-09-25T13:45:09.580789+02:00 mana kernel:  ? zfs_log_rename_whiteout+0x267/0x2b0 [zfs]
2024-09-25T13:45:09.581801+02:00 mana kernel:  zfs_rename+0x15e3/0x1730 [zfs]
2024-09-25T13:45:09.581803+02:00 mana kernel:  ? zfs_dirent_unlock+0xd6/0x160 [zfs]
2024-09-25T13:45:09.581804+02:00 mana kernel:  ? __kvmalloc_node_noprof+0x5f/0x100
2024-09-25T13:45:09.581805+02:00 mana kernel:  zpl_rename2+0x16e/0x1b0 [zfs]
2024-09-25T13:45:09.581805+02:00 mana kernel:  vfs_rename+0x737/0xc10
2024-09-25T13:45:09.581806+02:00 mana kernel:  ? zpl_lookup+0x268/0x280 [zfs]
2024-09-25T13:45:09.581806+02:00 mana kernel:  ovl_do_rename.constprop.0+0x76/0x100 [overlay]
2024-09-25T13:45:09.581807+02:00 mana kernel:  ovl_check_rename_whiteout+0xd8/0x1e0 [overlay]
2024-09-25T13:45:09.581807+02:00 mana kernel:  ? may_open+0x7b/0x160
2024-09-25T13:45:09.581808+02:00 mana kernel:  ovl_make_workdir+0x15a/0x3b0 [overlay]
2024-09-25T13:45:09.581815+02:00 mana kernel:  ovl_fill_super+0x339/0x690 [overlay]
2024-09-25T13:45:09.581816+02:00 mana kernel:  ? __pfx_ovl_fill_super+0x10/0x10 [overlay]
2024-09-25T13:45:09.581817+02:00 mana kernel:  get_tree_nodev+0x6f/0xa0
2024-09-25T13:45:09.581817+02:00 mana kernel:  ovl_get_tree+0x15/0x20 [overlay]
2024-09-25T13:45:09.581818+02:00 mana kernel:  vfs_get_tree+0x27/0xe0
2024-09-25T13:45:09.581818+02:00 mana kernel:  do_new_mount+0x1a1/0x340
2024-09-25T13:45:09.581819+02:00 mana kernel:  path_mount+0x1d8/0x840
2024-09-25T13:45:09.581820+02:00 mana kernel:  __x64_sys_mount+0x129/0x160
2024-09-25T13:45:09.581820+02:00 mana kernel:  x64_sys_call+0x208a/0x22b0
2024-09-25T13:45:09.581821+02:00 mana kernel:  do_syscall_64+0x7e/0x170
2024-09-25T13:45:09.581821+02:00 mana kernel:  ? count_memcg_events.constprop.0+0x2a/0x50
2024-09-25T13:45:09.581822+02:00 mana kernel:  ? handle_mm_fault+0x1bb/0x2d0
2024-09-25T13:45:09.581822+02:00 mana kernel:  ? do_user_addr_fault+0x1ee/0x7e0
2024-09-25T13:45:09.581823+02:00 mana kernel:  ? irqentry_exit_to_user_mode+0x43/0x250
2024-09-25T13:45:09.581823+02:00 mana kernel:  ? irqentry_exit+0x43/0x50
2024-09-25T13:45:09.581824+02:00 mana kernel:  ? clear_bhb_loop+0x15/0x70

@robn
Member

robn commented Sep 26, 2024

@kees thanks for the confirmation.

behlendorf pushed a commit that referenced this issue Sep 27, 2024
ZIL log record structs (lr_XX_t) are frequently allocated with extra
space after the struct to carry variable-sized "payload" items.

Linux 6.10+ compiled with CONFIG_FORTIFY_SOURCE has been doing runtime
bounds checking on memcpy() calls. Because these types had no indicator
that they might use more space than their simple definition,
__fortify_memcpy_chk will frequently complain about overruns eg:

    memcpy: detected field-spanning write (size 7) of single field
        "lr + 1" at zfs_log.c:425 (size 0)
    memcpy: detected field-spanning write (size 9) of single field
        "(char *)(lr + 1)" at zfs_log.c:593 (size 0)
    memcpy: detected field-spanning write (size 4) of single field
        "(char *)(lr + 1) + snamesize" at zfs_log.c:594 (size 0)
    memcpy: detected field-spanning write (size 7) of single field
        "lr + 1" at zfs_log.c:425 (size 0)
    memcpy: detected field-spanning write (size 9) of single field
        "(char *)(lr + 1)" at zfs_log.c:593 (size 0)
    memcpy: detected field-spanning write (size 4) of single field
        "(char *)(lr + 1) + snamesize" at zfs_log.c:594 (size 0)
    memcpy: detected field-spanning write (size 7) of single field
        "lr + 1" at zfs_log.c:425 (size 0)
    memcpy: detected field-spanning write (size 9) of single field
        "(char *)(lr + 1)" at zfs_log.c:593 (size 0)
    memcpy: detected field-spanning write (size 4) of single field
        "(char *)(lr + 1) + snamesize" at zfs_log.c:594 (size 0)

To fix this, this commit adds flex array fields to all lr_XX_t structs
that require them, and then uses those fields to access that
end-of-struct area rather than more complicated casts and pointer
addition.

Sponsored-by: https://despairlabs.com/sponsor/
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Rob Norris <robn@despairlabs.com>
Closes #16501
Closes #16539
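
The mechanism kees describes above (lr + 1 lying beyond the end of the structure the pointer was derived from, so FORTIFY scores the destination as a 0-byte field) and the flexible-array fix described in the commit message, as an added C example that is not OpenZFS code. lr_hdr_t, lr_old_t, lr_flex_t, itx_t, itx_create() and fortify_memcpy_model() are assumptions made for this example; the model stands in for the kernel's __fortify_memcpy_chk() and the struct layouts are not the real lr_XX_t or itx_t definitions. The sample record name is constructed.

```c
/*
 * Added example, not OpenZFS code: models why CONFIG_FORTIFY_SOURCE reports a
 * field-spanning write "of single field "lr + 1" ... (size 0)" when a
 * variable-sized payload is written just past a fixed record struct, and why
 * a flexible array member satisfies the check.  All type and function names
 * below are assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Common record header embedded in the container; the full record overlays it
 * and extends past it into the extra space the allocation provides. */
typedef struct { uint64_t lrc_txtype; uint64_t lrc_reclen; } lr_hdr_t;
/* Record before the fix: the name is written at (char *)(lr + 1). */
typedef struct { lr_hdr_t lr_common; uint64_t lr_doid; } lr_old_t;
/* Record after the fix: identical layout, but the payload now has a name. */
typedef struct { lr_hdr_t lr_common; uint64_t lr_doid; char lr_name[]; } lr_flex_t;
/* itx-style container, allocated as offsetof(itx_t, itx_lr) + record size. */
typedef struct { uint64_t itx_state; lr_hdr_t itx_lr; } itx_t;

static itx_t *itx_create(size_t lrsize)
{
    return calloc(1, offsetof(itx_t, itx_lr) + lrsize);
}

/* Stand-in for __fortify_memcpy_chk(): compare the copy length with the
 * destination *field* size the compiler derives via __builtin_object_size(p, 1).
 * Since 2003e483a81c a field size of 0 is no longer exempt.  As in the kernel
 * the copy still proceeds after the warning; returns 1 if flagged, 0 if not. */
static int fortify_memcpy_model(void *dst, const void *src, size_t n,
                                size_t dst_field_size)
{
    int flagged = 0;
    if (dst_field_size != (size_t)-1 && n > dst_field_size) {
        fprintf(stderr, "memcpy: detected field-spanning write (size %zu) "
                        "of single field (size %zu)\n", n, dst_field_size);
        flagged = 1;
    }
    memcpy(dst, src, n);
    return flagged;
}

/* Old idiom.  The pointer is derived from the itx_lr member, so the compiler's
 * subobject bound is sizeof(lr_hdr_t); lr + 1 lies sizeof(*lr) bytes in, past
 * that bound, so the remaining field size clamps to 0. */
static int log_name_old(itx_t *itx, const char *name, size_t namelen)
{
    lr_old_t *lr = (lr_old_t *)&itx->itx_lr;
    size_t off = sizeof(*lr);
    size_t field_left = off < sizeof(itx->itx_lr) ? sizeof(itx->itx_lr) - off : 0;
    return fortify_memcpy_model((char *)(lr + 1), name, namelen, field_left);
}

/* Fixed idiom.  A flexible array has no type size, so the compiler stops using
 * the field and falls back to what it knows about the whole allocation.  In the
 * kernel that is usually "unknown" (check skipped); here the allocation size is
 * passed in so the bound can be shown to pass. */
static int log_name_flex(itx_t *itx, size_t alloc_size,
                         const char *name, size_t namelen)
{
    lr_flex_t *lr = (lr_flex_t *)&itx->itx_lr;
    size_t field_left = alloc_size -
        (offsetof(itx_t, itx_lr) + offsetof(lr_flex_t, lr_name));
    return fortify_memcpy_model(lr->lr_name, name, namelen, field_left);
}

/* What the compiler itself reports for the old idiom (the input to the real
 * check).  With optimisation on GCC can fold this to 0; at -O0 the builtin
 * yields (size_t)-1 ("unknown"), so this is printed rather than asserted. */
static size_t compiler_field_size_old(itx_t *itx)
{
    lr_old_t *lr = (lr_old_t *)&itx->itx_lr;
    return __builtin_object_size((char *)(lr + 1), 1);
}

typedef struct { int old_flagged, flex_flagged, same_layout, roundtrip_ok; } demo_result_t;

/* Logs a constructed name through both idioms and records what happened. */
static demo_result_t run_demo(const char *name)
{
    demo_result_t r = {0, 0, 0, 0};
    size_t namelen = strlen(name) + 1;
    size_t lrsize = sizeof(lr_old_t) + namelen;      /* sizeof(*lr) + namesize */
    itx_t *o = itx_create(lrsize);
    itx_t *f = itx_create(lrsize);
    if (o == NULL || f == NULL) { free(o); free(f); return r; }
    r.old_flagged  = log_name_old(o, name, namelen);
    r.flex_flagged = log_name_flex(f, offsetof(itx_t, itx_lr) + lrsize, name, namelen);
    r.same_layout  = offsetof(lr_flex_t, lr_name) == sizeof(lr_old_t);
    r.roundtrip_ok = strcmp((const char *)((lr_old_t *)&o->itx_lr + 1), name) == 0 &&
                     strcmp(((lr_flex_t *)&f->itx_lr)->lr_name, name) == 0;
    free(o);
    free(f);
    return r;
}

int main(void)
{
    itx_t probe;
    demo_result_t r = run_demo("file.txt");          /* constructed sample name */
    printf("old flagged=%d flex flagged=%d same layout=%d roundtrip=%d "
           "__builtin_object_size(lr + 1, 1)=%zu\n", r.old_flagged, r.flex_flagged,
           r.same_layout, r.roundtrip_ok, compiler_field_size_old(&probe));
    return 0;
}
```

Build with gcc -O2 -Wall and run it: the model flags the old idiom, passes the flex one, and the __builtin_object_size() value printed at the end is the number the kernel's check consumed. Two caveats worth keeping in mind. First, the flexible array member removes the false positive by telling the compiler that the struct may extend; it does not give FORTIFY a tighter bound at that call site, because the whole-object size behind a cast pointer is usually unknown, so the real protection is still the size arithmetic done when the record is allocated. Second, whether a given distro kernel performs this check at all can be confirmed by looking for CONFIG_FORTIFY_SOURCE=y in /boot/config-$(uname -r) or /proc/config.gz.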
@ik5pvx

ik5pvx commented Oct 5, 2024

I'm seeing a similar trace on RISC-V (visionfive2)

[378153.982489] memcpy: detected field-spanning write (size 9) of single field "(char *)(lr + 1) + snamesize" at /var/lib/dkms/zfs/2.2.6/build/module/zfs/zfs_log.c:515 (size 0)
[378153.998055] WARNING: CPU: 1 PID: 20355 at /var/lib/dkms/zfs/2.2.6/build/module/zfs/zfs_log.c:515 do_zfs_log_rename+0x142/0x146 [zfs]
[378154.019929] Modules linked in: dm_mod cfg80211 rfkill 8021q garp stp mrp llc binfmt_misc zfs(POE) nls_ascii nls_cp437 vfat fat snd_soc_simple_card cdns3 jh7110_pwmdac snd_soc_simple_card_utils snd_soc_spdif_tx snd_soc_core spl(OE) udc_core cdns_usb_common roles ofpart zlib_deflate snd_pcm_dmaengine snd_pcm spi_nor snd_timer cdns3_starfive starfive_wdt dw_axi_dmac_platform mtd snd watchdog jh7110_trng virt_dma soundcore sfctemp cpufreq_dt nfsd auth_rpcgss nfs_acl lockd grace drm sunrpc nvme_fabrics configfs drm_panel_orientation_quirks nfnetlink ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 md_mod xhci_pci xhci_hcd motorcomm nvme dwmac_starfive stmmac_platform mmc_block stmmac usbcore nvme_core axp20x_regulator pcs_xpcs axp20x_i2c axp20x mdio_devres usb_common of_mdio dw_mmc_starfive mfd_core fixed_phy dw_mmc_pltfm regmap_i2c phylink dw_mmc fwnode_mdio libphy mmc_core
[378154.020179]  clk_starfive_jh7110_vout phy_jh7110_dphy_rx clk_starfive_jh7110_isp clk_starfive_jh7110_aon spi_cadence_quadspi i2c_designware_platform i2c_designware_core phy_jh7110_pcie phy_jh7110_usb clk_starfive_jh7110_stg
[378154.020211] CPU: 1 UID: 0 PID: 20355 Comm: mv Tainted: P        W  OE      6.11-riscv64 #1  Debian 6.11-1~exp1
[378154.020225] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[378154.020229] Hardware name: starfive StarFive VisionFive 2 v1.3B/StarFive VisionFive 2 v1.3B, BIOS 2024.10-rc5 10/01/2024
[378154.020234] epc : do_zfs_log_rename+0x142/0x146 [zfs]
[378154.042069]  ra : do_zfs_log_rename+0x142/0x146 [zfs]
[378154.063905] epc : ffffffff053c7358 ra : ffffffff053c7358 sp : ffffffc600a53910
[378154.063914]  gp : ffffffff81bad5e0 tp : ffffffd6c7d10e00 t0 : ffffffff80a0d604
[378154.063919]  t1 : 0720072007200720 t2 : 656c676e69732066 s0 : ffffffc600a53980
[378154.063925]  s1 : ffffffd6e8766c81 a0 : 00000000000000a0 a1 : ffffffd7fdd5d448
[378154.063930]  a2 : ffffffd7fdd6aa68 a3 : 0000000000000008 a4 : 0000000000000000
[378154.063934]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000057fa8
[378154.063938]  s2 : ffffffd6e8766c00 s3 : 0000000000000009 s4 : ffffffd6c54a2000
[378154.063943]  s5 : ffffffd6e03033c0 s6 : ffffffd6c73c3638 s7 : ffffffd6c480a638
[378154.063948]  s8 : ffffffd6cb8669c0 s9 : ffffffff0543a301 s10: ffffffd6e8766c78
[378154.063953]  s11: 0000000000000009 t3 : ffffffd6c01d3f00 t4 : ffffffd6c01d3f00
[378154.063957]  t5 : ffffffd6c01d3000 t6 : ffffffc600a53718
[378154.063961] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[378154.063971] [<ffffffff053c7358>] do_zfs_log_rename+0x142/0x146 [zfs]
[378154.085741] [<ffffffff053c79b0>] zfs_log_rename+0x1c/0x24 [zfs]
[378154.107586] [<ffffffff054042fc>] zfs_rename+0xe6a/0x12ca [zfs]
[378154.129397] [<ffffffff05410be0>] zpl_rename2+0x7e/0x104 [zfs]
[378154.151195] [<ffffffff8031578c>] vfs_rename+0x478/0x9ce
[378154.151211] [<ffffffff8031b46c>] do_renameat2+0x4c2/0x514
[378154.151221] [<ffffffff8031b536>] __riscv_sys_renameat2+0x78/0xac
[378154.151230] [<ffffffff80a1c228>] do_trap_ecall_u+0x98/0x1fa
[378154.151239] [<ffffffff80a29e72>] handle_exception+0xce/0xda
[378154.151248] ---[ end trace 0000000000000000 ]---

I'm trying to trigger it again but I can't so far.

root@debianV:/testpool/test# zfs -V
zfs-2.2.6-1
zfs-kmod-2.2.6-1
root@debianV:/testpool/test# uname -a
Linux debianV 6.11-riscv64 #1 SMP Debian 6.11-1~exp1 (2024-09-19) riscv64 GNU/Linux

stgraber pushed a commit to zabbly/zfs that referenced this issue Oct 19, 2024
darkbasic pushed a commit to darkbasic/zfs that referenced this issue Oct 27, 2024
robn added a commit to robn/zfs that referenced this issue Nov 5, 2024
6 participants