Created attachment 305376 [details]
kernel log

When mounting a QNX4 filesystem in Linux 6.6.0 (latest mainline), listing a directory may fail and cause a kernel panic. First discovered on Ubuntu's own kernel; however, I was curious whether this was Ubuntu-specific. It turned out it wasn't. I compiled 6.6.0 from scratch with the attached config.

Steps to reproduce:
1. Grab 6.6.0 from the kernel.org main page.
2. Apply the attached config.
3. make modules_install
4. sudo make install
5. Reboot into the new kernel.
6. Open the disk image with Disk Image Mounter (attaches it to /dev/loop30).
7. mount /dev/loop30p3 /mnt   # (qnx partition)
8. cd /dmnt
9. Execute ls a few times in different directories.

The first ls will give a [detected buffer overflow in strlen] kernel message. After a few times it completely hangs. /var/log/kern.log reveals a full-on panic:

Nov  7 10:34:09 noonie-T580-Linux kernel: [  234.756173] kernel BUG at lib/string.c:1165!
Nov  7 10:34:09 noonie-T580-Linux kernel: [  234.756184] invalid opcode: 0000 [#1] SMP PTI
....

Full log is in the attachment.
Checking the provided kernel log and config, the below is what seems to be the cause of the panic during the lookup operation of the qnx4 directory.

The panic dump stack indicates a string length buffer overflow, and it is in the following context: qnx4_lookup() => qnx4_find_entry() => qnx4_match()

[ 4849.636861] detected buffer overflow in strlen
[ 4849.636897] ------------[ cut here ]------------
[ 4849.636902] kernel BUG at lib/string.c:1165!
[ 4849.636917] invalid opcode: 0000 [#2] SMP PTI
..
[ 4849.637047] Call Trace:
[ 4849.637053]  <TASK>
[ 4849.637059]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637075]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 4849.637095]  ? qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637111]  ? show_regs.part.0+0x23/0x29
[ 4849.637123]  ? __die_body.cold+0x8/0xd
[ 4849.637135]  ? __die+0x2b/0x37
[ 4849.637147]  ? die+0x30/0x60
[ 4849.637161]  ? do_trap+0xbe/0x100
[ 4849.637171]  ? do_error_trap+0x6f/0xb0
[ 4849.637180]  ? fortify_panic+0x13/0x15
[ 4849.637192]  ? exc_invalid_op+0x53/0x70
[ 4849.637203]  ? fortify_panic+0x13/0x15
[ 4849.637215]  ? asm_exc_invalid_op+0x1b/0x20
[ 4849.637228]  ? fortify_panic+0x13/0x15
[ 4849.637240]  ? fortify_panic+0x13/0x15
[ 4849.637251]  qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637264]  qnx4_lookup+0x3c/0xa0 [qnx4]
[ 4849.637275]  __lookup_slow+0x85/0x150
[ 4849.637291]  walk_component+0x145/0x1c0
[ 4849.637304]  ? path_init+0x2c0/0x3f0
[ 4849.637316]  path_lookupat+0x6e/0x1c0
[ 4849.637330]  filename_lookup+0xcf/0x1d0
[ 4849.637341]  ? __check_object_size+0x1d/0x30
[ 4849.637354]  ? strncpy_from_user+0x44/0x150
[ 4849.637365]  ? getname_flags.part.0+0x4c/0x1b0
[ 4849.637375]  user_path_at_empty+0x3f/0x60
[ 4849.637383]  vfs_statx+0x7a/0x130
[ 4849.637393]  do_statx+0x45/0x80
..
(in kernel config: CONFIG_FORTIFY_SOURCE=y)

linux-git$ git describe
v6.6-16177-gea69f5e8240

static int qnx4_match(int len, const char *name,
		      struct buffer_head *bh, unsigned long *offset)
{
	struct qnx4_inode_entry *de;
	int namelen, thislen;

	if (bh == NULL) {
		printk(KERN_WARNING "qnx4: matching unassigned buffer !\n");
		return 0;
	}
	de = (struct qnx4_inode_entry *) (bh->b_data + *offset);
	*offset += QNX4_DIR_ENTRY_SIZE;
	if ((de->di_status & QNX4_FILE_LINK) != 0) {
		namelen = QNX4_NAME_MAX;
	} else {
		namelen = QNX4_SHORT_NAME_MAX;
	}
	thislen = strlen( de->di_fname );	/* << [1] buffer overflow */
	if ( thislen > namelen )
		thislen = namelen;
	if (len != thislen) {
		return 0;
	}
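As an added illustration of the analysis above (example code written for this note, not the kernel's fs/qnx4 sources and not data from the reporter's image), the following C program models the two things at play: a fixed-width on-disk name field that carries no NUL when the name fills it, and what CONFIG_FORTIFY_SOURCE turns strlen() into when the compiler knows the size of de->di_fname. The values QNX4_SHORT_NAME_MAX = 16, QNX4_NAME_MAX = 48, QNX4_DIR_ENTRY_SIZE = 64 and the QNX4_FILE_LINK bit, the cut-down slot layout and the three sample names are assumptions for the demo. The bounded matcher follows the same idea as the helper-based fix that was later queued (pick the name field by entry type and never scan past it); it does not reproduce that helper.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for the demo; check them against include/uapi/linux/qnx4_fs.h. */
#define QNX4_SHORT_NAME_MAX 16
#define QNX4_NAME_MAX       48
#define QNX4_DIR_ENTRY_SIZE 64
#define QNX4_FILE_LINK      0x08   /* assumed di_status bit marking a link entry */

/*
 * Cut-down model of one directory slot (assumption: real entries carry more
 * fields; only the name, the bytes after it and the trailing status byte
 * matter here).  The name is a fixed-width field: when it fills the field
 * there is no NUL inside it, and a link entry's name is wider than di_fname
 * even though the original code reached it through the di_fname member.
 */
union qnx4_dir_slot {
    struct {
        char    di_fname[QNX4_SHORT_NAME_MAX];
        uint8_t di_rest[QNX4_DIR_ENTRY_SIZE - QNX4_SHORT_NAME_MAX - 1];
        uint8_t di_status;
    } inode;
    struct {
        char    dl_fname[QNX4_NAME_MAX];
        uint8_t dl_rest[QNX4_DIR_ENTRY_SIZE - QNX4_NAME_MAX - 1];
        uint8_t dl_status;
    } link;
    uint8_t raw[QNX4_DIR_ENTRY_SIZE];
};

/* Length up to the first NUL, or max if there is none (strnlen semantics). */
static size_t bounded_len(const char *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != '\0')
        n++;
    return n;
}

/*
 * Userspace model of the FORTIFY_SOURCE strlen(): the compiler knows the size
 * of the object being scanned, and if no NUL is found inside it the kernel
 * calls fortify_panic().  Here the panic becomes a -1 return.
 */
static int fortified_strlen(const char *p, size_t obj_size)
{
    size_t n = bounded_len(p, obj_size);
    return n >= obj_size ? -1 : (int)n;
}

/* The pattern from the original qnx4_match(): 1 = match, 0 = no match,
 * -1 = where the fortified strlen() panicked ("kernel BUG at lib/string.c"). */
int qnx4_match_unsafe(int len, const char *name, const union qnx4_dir_slot *de)
{
    int namelen = (de->inode.di_status & QNX4_FILE_LINK) ? QNX4_NAME_MAX
                                                          : QNX4_SHORT_NAME_MAX;
    int thislen = fortified_strlen(de->inode.di_fname, sizeof(de->inode.di_fname));

    if (thislen < 0)
        return -1;
    if (thislen > namelen)
        thislen = namelen;
    if (len != thislen)
        return 0;
    return memcmp(name, de->inode.di_fname, (size_t)len) == 0;
}

/* Bounded version: choose the field by entry type and never scan past it.
 * A name that fills the field yields length == namelen, which is legal. */
int qnx4_match_bounded(int len, const char *name, const union qnx4_dir_slot *de)
{
    const char *fname;
    size_t namelen, thislen;

    if (de->inode.di_status & QNX4_FILE_LINK) {
        fname = de->link.dl_fname;
        namelen = QNX4_NAME_MAX;
    } else {
        fname = de->inode.di_fname;
        namelen = QNX4_SHORT_NAME_MAX;
    }
    thislen = bounded_len(fname, namelen);
    if (len < 0 || (size_t)len != thislen)
        return 0;
    return memcmp(name, fname, thislen) == 0;
}

/* Constructed slot for the demo, not data read from a QNX4 image. */
union qnx4_dir_slot make_slot(const char *name, int is_link)
{
    union qnx4_dir_slot s;
    size_t width = is_link ? QNX4_NAME_MAX : QNX4_SHORT_NAME_MAX;
    size_t n = strlen(name);

    memset(&s, 0, sizeof s);
    if (n > width)
        n = width;
    memcpy(s.raw, name, n);                 /* no NUL written when n == width */
    s.raw[QNX4_DIR_ENTRY_SIZE - 1] = is_link ? QNX4_FILE_LINK : 0;
    return s;
}

/* Runs both matchers over three constructed entries and returns how many of
 * them the unsafe version would have panicked on. */
int demo(void)
{
    static const char *const names[] = { "etc", "BootLoader_tester.sh", "sixteen_chars_ok" };
    int panics = 0;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int len = (int)strlen(names[i]);
        union qnx4_dir_slot s = make_slot(names[i], len > QNX4_SHORT_NAME_MAX);
        int u = qnx4_match_unsafe(len, names[i], &s);
        int b = qnx4_match_bounded(len, names[i], &s);

        printf("%-22s unsafe=%2d bounded=%d\n", names[i], u, b);
        if (u < 0)
            panics++;
    }
    return panics;
}

int main(void)
{
    return demo() == 2 ? 0 : 1;
}
```

Compile with `cc -Wall demo.c && ./a.out`. The 20-character link name and the 16-character short name both report unsafe=-1, which is the point at which the real kernel printed "detected buffer overflow in strlen", while the bounded matcher returns 1 for all three. Note that even the bounded version must compare with memcmp over the computed length rather than treat the field as a C string, since a name of exactly namelen bytes has no terminator.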
Can you please test by making the following changes in fs/qnx4/namei.c and see if the issue persists. I would like to send below for review to maintainers. Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com> --- fs/qnx4/namei.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c index 8d72221735d7..825b891a52b3 100644 --- a/fs/qnx4/namei.c +++ b/fs/qnx4/namei.c @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name, } else { namelen = QNX4_SHORT_NAME_MAX; } + + /** qnx4 dir name length can vary, check the di_fname + * fetched from (struct qnx4_inode_entry *) before use in + * strlen to avoid panic due to buffer overflow" + */ + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname)) + return -ENAMETOOLONG; thislen = strlen( de->di_fname ); if ( thislen > namelen ) thislen = namelen; -- 2.34.1
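Review bot: the early return added before `thislen = strlen( de->di_fname );` turns a match predicate into an errno and can yield false matches: every other exit in this function returns 0 for "no match" (the `return 0;` after the unassigned-buffer warning and in `if (len != thislen)`), and -ENAMETOOLONG is nonzero, so a caller that tests the result for truth would treat an unterminated or over-long name as a hit for whatever name is being looked up; return 0 from this path instead. The condition `if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname))` also refuses legitimate entries: a short name that exactly fills di_fname with no NUL (the case that produced the reported "detected buffer overflow in strlen") is rejected rather than matched, and for a link entry, where the function deliberately allows QNX4_NAME_MAX bytes, every name of at least sizeof(di_fname) bytes is rejected. The root problem is that a link entry's name is wider than the di_fname member it is read through, and with CONFIG_FORTIFY_SOURCE=y (noted in the analysis above) a fortified strnlen() on that member with a larger bound can object just as strlen() did; read the name through a field or local buffer whose declared size covers QNX4_NAME_MAX (copy at most namelen bytes into a char[QNX4_NAME_MAX + 1] and NUL-terminate, or compare with memcmp over the bounded length of the correctly-typed field), after which the existing clamp and len comparison suffice. Minor: the comment uses the `/**` kernel-doc opener for a plain comment and ends with a stray `"`.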
Yes, that fixes it! Thanks! Should I close it immediately or when the patch is merged?

root@noonie-T580-Linux:/home/noonie# disktype /dev/loop30

--- /dev/loop30
Block device, size 128 MiB (134217728 bytes)
DOS/MBR partition map
Partition 1: 15.98 MiB (16760832 bytes, 32736 sectors from 32)
  Type 0x06 (FAT16)
  FAT16 file system (hints score 5 of 5)
    Volume size 15.94 MiB (16709632 bytes, 8159 clusters of 2 KiB)
Partition 2: 4 MiB (4194304 bytes, 8192 sectors from 32768)
  Type 0xA2 (Unknown)
Partition 3: 104 MiB (109051904 bytes, 212992 sectors from 40960)
  Type 0x4F (QNX4.x 3rd part)
  QNX4 file system
Partition 4: 4 MiB (4194304 bytes, 8192 sectors from 253952)
  Type 0x4E (QNX4.x 2nd part)
  QNX4 file system
root@noonie-T580-Linux:/home/noonie# mount /dev/loop30p3 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
root@noonie-T580-Linux:/home/noonie# cd /mnt
root@noonie-T580-Linux:/mnt# ls
armle-v7  base  bin  etc  lib  opt  root  sbin  usr  var
root@noonie-T580-Linux:/mnt# cd root/
root@noonie-T580-Linux:/mnt/root# ls
]pac
root@noonie-T580-Linux:/mnt/root# cd pac
root@noonie-T580-Linux:/mnt/root/pac# ls
FWUpdate  Unit
root@noonie-T580-Linux:/mnt/root/pac# cd FWUpdate/
root@noonie-T580-Linux:/mnt/root/pac/FWUpdate# ls
BootLoader_tester.sh  darc_top.rpd    etfs-counts     FWUpdateLogger      recovery.img          system_base.tar.bz2   update_nand
BootLoader_writer.sh  darc_top.smh    etfs-raw        FWUpdater           scrambler_target      systembase_tester.sh
DARC_common.sh        DARC_writer.sh  fpgaupdate_eip  normal.img          systembase_common.sh  systembase_writer.sh
DARC_tester.sh        eipfwupCommand  FWUpdate.ini    preloader-nand.bin  system_base.crc32     u-boot-nand.img
root@noonie-T580-Linux:/mnt/root/pac/FWUpdate#
After using it for 2 hours a new bug appeared....

Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970037] ------------[ cut here ]------------
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970038] kernel BUG at lib/string_helpers.c:1046!
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970042] invalid opcode: 0000 [#3] PREEMPT SMP PTI
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970045] CPU: 5 PID: 31949 Comm: pool-gvfsd-admi Tainted: G      D            6.6.0 #3
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970048] Hardware name: LENOVO 20LAS1KH0J/20LAS1KH0J, BIOS N27ET45W (1.31 ) 12/14/2021
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970049] RIP: 0010:fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970054] Code: 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 fe 48 c7 c7 a0 48 3d b0 48 89 e5 e8 a9 9e a0 ff <0f> 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970056] RSP: 0018:ffffc9001407fab8 EFLAGS: 00010246
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970058] RAX: 0000000000000023 RBX: 00000000000000c0 RCX: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970060] RDX: 0000000000000000 RSI: ffff88846e961540 RDI: ffff88846e961540
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970061] RBP: ffffc9001407fab8 R08: 0000000000000003 R09: 205d373230303739
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970063] R10: ffffffffb0f7e120 R11: 6e656c6e72746564 R12: 0000000000000002
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970064] R13: ffff888147b57258 R14: ffff8883817900c0 R15: ffff88836cc82d00
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970065] FS:  00007fe8d97fa640(0000) GS:ffff88846e940000(0000) knlGS:0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970067] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970069] CR2: 00007fe8d401f038 CR3: 0000000146b0c003 CR4: 00000000003706e0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970071] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970072] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970073] Call Trace:
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970075]  <TASK>
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970077]  ? show_regs+0x6e/0x80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970080]  ? die+0x3c/0xa0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970083]  ? do_trap+0xd4/0xf0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970086]  ? do_error_trap+0x75/0xa0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970088]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970090]  ? exc_invalid_op+0x57/0x80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970093]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970095]  ? asm_exc_invalid_op+0x1f/0x30
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970100]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970102]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970106]  qnx4_lookup+0x1cd/0x1e0 [qnx4]
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970112]  __lookup_slow+0x81/0x130
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970115]  walk_component+0x113/0x180
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970117]  path_lookupat+0x6e/0x1c0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970120]  filename_lookup+0xd3/0x1e0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970123]  ? schedule+0x6c/0x100
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970126]  ? io_schedule+0x4a/0x80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970128]  ? __wait_on_bit+0x108/0x120
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970131]  vfs_statx+0x91/0x170
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970133]  do_statx+0x4f/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970136]  ? strncpy_from_user+0x48/0x150
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970139]  ? getname_flags.part.0+0x4c/0x1b0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970141]  ? iterate_dir+0x126/0x170
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970143]  ? getname_flags+0x45/0x70
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970146]  __x64_sys_statx+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970148]  do_syscall_64+0x5d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970150]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970152]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970154]  ? call_rcu+0x12/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970156]  ? __fput+0x1b0/0x2c0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970158]  ? exit_to_user_mode_prepare+0x35/0x180
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970162]  ? syscall_exit_to_user_mode+0x38/0x50
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970164]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970166]  ? __x64_sys_read+0x1d/0x30
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970169]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970171]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970174] RIP: 0033:0x7fe8e1f1422e
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970176] Code: ff 64 c7 00 16 00 00 00 e9 8e fd ff ff e8 2a 25 02 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 89 ca b8 4c 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2a 41 89 c1 85 c0 74 0f 48 8b 05 cc 4b 10 00
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970178] RSP: 002b:00007fe8d97f8698 EFLAGS: 00000202 ORIG_RAX: 000000000000014c
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970180] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8e1f1422e
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970181] RDX: 0000000000000900 RSI: 00007fe8cc08d300 RDI: 00000000ffffff9c
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970183] RBP: 00007fe8d97f9970 R08: 00007fe8d97f8810 R09: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970184] R10: 0000000000000fff R11: 0000000000000202 R12: 00007fe8cc0167d0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970185] R13: 00007fe8cc08d300 R14: 00007fe8cc0a2490 R15: 00007fe8cc041e80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970188]  </TASK>
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970189] Modules linked in: ntfs3 qnx4 rfcomm snd_seq_dummy snd_hrtimer xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_multiport xt_cgroup xt_mark xt_owner xt_tcpudp xt_comment nft_compat cmac algif_hash algif_skcipher af_alg bnep nf_tables snd_hda_codec_hdmi nfnetlink snd_ctl_led snd_hda_codec_realtek snd_hda_codec_generic overlay intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd cryptd i915 snd_sof_pci_intel_skl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda iwlmvm snd_sof_pci snd_sof_xtensa_dsp mei_hdcp snd_sof intel_rapl_msr kvm_intel snd_sof_utils kvm soundwire_bus mac80211 snd_soc_skl binfmt_misc snd_soc_hdac_hda snd_hda_ext_core nls_iso8859_1 snd_soc_sst_ipc
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970235]  snd_soc_sst_dsp rapl snd_soc_acpi_intel_match snd_soc_acpi intel_cstate snd_soc_core rmi_smbus libarc4 uvcvideo rmi_core btusb snd_compress btrtl iwlwifi ac97_bus videobuf2_vmalloc serio_raw uvc snd_pcm_dmaengine btintel btbcm videobuf2_memops btmtk snd_hda_intel videobuf2_v4l2 think_lmi snd_seq_midi firmware_attributes_class wmi_bmof intel_wmi_thunderbolt joydev input_leds snd_intel_dspcfg thinkpad_acpi videodev ftdi_sio drm_buddy ee1004 nvram snd_intel_sdw_acpi bluetooth usbserial snd_seq_midi_event ttm snd_hda_codec ledtrig_audio videobuf2_common drm_display_helper mc snd_rawmidi platform_profile cfg80211 snd_hda_core snd_seq cec snd_hwdep ecdh_generic snd_pcm snd_seq_device ecc rc_core processor_thermal_device_pci_legacy mei_me drm_kms_helper processor_thermal_device processor_thermal_rfim snd_timer processor_thermal_mbox mei processor_thermal_rapl sch_fq_codel intel_rapl_common i2c_algo_bit intel_pch_thermal snd intel_xhci_usb_role_switch intel_soc_dts_iosf int3403_thermal soundcore
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970281]  int340x_thermal_zone int3400_thermal mac_hid acpi_thermal_rel acpi_pad drm msr parport_pc ppdev lp parport efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid uas usb_storage btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e thunderbolt nvme ucsi_acpi psmouse nvme_core crc32_pclmul typec_ucsi i2c_i801 xhci_pci i2c_smbus typec xhci_pci_renesas video wmi
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970314] ---[ end trace 0000000000000000 ]---
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133452] RIP: 0010:fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133466] Code: 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 fe 48 c7 c7 a0 48 3d b0 48 89 e5 e8 a9 9e a0 ff <0f> 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133469] RSP: 0018:ffffc9000604bac8 EFLAGS: 00010246
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133472] RAX: 0000000000000023 RBX: 0000000000000100 RCX: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133473] RDX: 0000000000000000 RSI: ffff88846e821540 RDI: ffff88846e821540
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133475] RBP: ffffc9000604bac8 R08: 0000000000000003 R09: 205d383432343730
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133476] R10: ffffffffb0f7e120 R11: 6e656c6e72746564 R12: 0000000000000002
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133477] R13: ffff888147b57ab0 R14: ffff8882426e1d00 R15: ffff88814b105c30
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133479] FS:  00007fe8d97fa640(0000) GS:ffff88846e940000(0000) knlGS:0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133481] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133482] CR2: 00007fe8d401f038 CR3: 0000000146b0c003 CR4: 00000000003706e0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133484] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133485] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026311] watchdog: BUG: soft lockup - CPU#7 stuck for 26s! [pool-gvfsd-admi:31952]
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026315] Modules linked in: ntfs3 qnx4 rfcomm snd_seq_dummy snd_hrtimer xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_multiport xt_cgroup xt_mark xt_owner xt_tcpudp xt_comment nft_compat cmac algif_hash algif_skcipher af_alg bnep nf_tables snd_hda_codec_hdmi nfnetlink snd_ctl_led snd_hda_codec_realtek snd_hda_codec_generic overlay intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd cryptd i915 snd_sof_pci_intel_skl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda iwlmvm snd_sof_pci snd_sof_xtensa_dsp mei_hdcp snd_sof intel_rapl_msr kvm_intel snd_sof_utils kvm soundwire_bus mac80211 snd_soc_skl binfmt_misc snd_soc_hdac_hda snd_hda_ext_core nls_iso8859_1 snd_soc_sst_ipc
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026360]  snd_soc_sst_dsp rapl snd_soc_acpi_intel_match snd_soc_acpi intel_cstate snd_soc_core rmi_smbus libarc4 uvcvideo rmi_core btusb snd_compress btrtl iwlwifi ac97_bus videobuf2_vmalloc serio_raw uvc snd_pcm_dmaengine btintel btbcm videobuf2_memops btmtk snd_hda_intel videobuf2_v4l2 think_lmi snd_seq_midi firmware_attributes_class wmi_bmof intel_wmi_thunderbolt joydev input_leds snd_intel_dspcfg thinkpad_acpi videodev ftdi_sio drm_buddy ee1004 nvram snd_intel_sdw_acpi bluetooth usbserial snd_seq_midi_event ttm snd_hda_codec ledtrig_audio videobuf2_common drm_display_helper mc snd_rawmidi platform_profile cfg80211 snd_hda_core snd_seq cec snd_hwdep ecdh_generic snd_pcm snd_seq_device ecc rc_core processor_thermal_device_pci_legacy mei_me drm_kms_helper processor_thermal_device processor_thermal_rfim snd_timer processor_thermal_mbox mei processor_thermal_rapl sch_fq_codel intel_rapl_common i2c_algo_bit intel_pch_thermal snd intel_xhci_usb_role_switch intel_soc_dts_iosf int3403_thermal soundcore
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026405]  int340x_thermal_zone int3400_thermal mac_hid acpi_thermal_rel acpi_pad drm msr parport_pc ppdev lp parport efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid uas usb_storage btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e thunderbolt nvme ucsi_acpi psmouse nvme_core crc32_pclmul typec_ucsi i2c_i801 xhci_pci i2c_smbus typec xhci_pci_renesas video wmi
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026436] CPU: 7 PID: 31952 Comm: pool-gvfsd-admi Tainted: G      D            6.6.0 #3
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026439] Hardware name: LENOVO 20LAS1KH0J/20LAS1KH0J, BIOS N27ET45W (1.31 ) 12/14/2021
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026440] RIP: 0010:native_queued_spin_lock_slowpath+0x86/0x300
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026445] Code: 92 c2 41 8b 04 24 0f b6 d2 c1 e2 08 30 e4 09 d0 a9 00 01 ff ff 0f 85 f6 01 00 00 85 c0 74 14 41 0f b6 04 24 84 c0 74 0b f3 90 <41> 0f b6 04 24 84 c0 75 f5 b8 01 00 00 00 66 41 89 04 24 5b 41 5c
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026447] RSP: 0018:ffffc90014137a00 EFLAGS: 00000202
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026449] RAX: 0000000000000001 RBX: 00000000e09c1059 RCX: ffff888114e4b230
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026451] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888114e4b1d8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026452] RBP: ffffc90014137a28 R08: 0000000000000001 R09: 0000000000000013
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026453] R10: 732e2b2b63647473 R11: 33312e302e362e6f R12: ffff888114e4b1d8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026455] R13: 0000000000000000 R14: ffff8881226a7cc0 R15: ffff888114e4b1d8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026456] FS:  00007fe8daffd640(0000) GS:ffff88846e9c0000(0000) knlGS:0000000000000000
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026459] CR2: 00007f1343139008 CR3: 0000000146b0c005 CR4: 00000000003706e0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026461] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026462] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026463] Call Trace:
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026464]  <IRQ>
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026467]  ? show_regs+0x6e/0x80
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026470]  ? watchdog_timer_fn+0x1d2/0x240
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026474]  ? __pfx_watchdog_timer_fn+0x10/0x10
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026476]  ? __hrtimer_run_queues+0x10e/0x290
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026479]  ? clockevents_program_event+0xae/0x130
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026483]  ? hrtimer_interrupt+0x105/0x240
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026486]  ? __sysvec_apic_timer_interrupt+0x54/0x150
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026489]  ? sysvec_apic_timer_interrupt+0x7f/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026492]  </IRQ>
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026493]  <TASK>
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026494]  ? asm_sysvec_apic_timer_interrupt+0x1f/0x30
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026498]  ? native_queued_spin_lock_slowpath+0x86/0x300
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026501]  _raw_spin_lock+0x2d/0x40
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026503]  lockref_get_not_dead+0x6a/0xa0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026506]  d_alloc_parallel+0x1c8/0x430
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026508]  ? step_into+0x114/0x6f0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026512]  __lookup_slow+0x5b/0x130
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026514]  walk_component+0x113/0x180
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026516]  path_lookupat+0x6e/0x1c0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026519]  filename_lookup+0xd3/0x1e0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026522]  ? page_counter_uncharge+0x26/0x40
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026525]  vfs_statx+0x91/0x170
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026528]  do_statx+0x4f/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026530]  ? strncpy_from_user+0x48/0x150
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026533]  ? getname_flags.part.0+0x4c/0x1b0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026535]  ? getname_flags+0x45/0x70
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026537]  __x64_sys_statx+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026540]  do_syscall_64+0x5d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026542]  ? __f_unlock_pos+0x16/0x20
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026544]  ? __x64_sys_getdents64+0x105/0x120
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026546]  ? __pfx_filldir64+0x10/0x10
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026548]  ? exit_to_user_mode_prepare+0x35/0x180
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026552]  ? syscall_exit_to_user_mode+0x38/0x50
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026554]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026556]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026558]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026559]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026561]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026563]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026565] RIP: 0033:0x7fe8e1f1422e
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026567] Code: ff 64 c7 00 16 00 00 00 e9 8e fd ff ff e8 2a 25 02 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 89 ca b8 4c 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2a 41 89 c1 85 c0 74 0f 48 8b 05 cc 4b 10 00
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026569] RSP: 002b:00007fe8daffb698 EFLAGS: 00000206 ORIG_RAX: 000000000000014c
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026571] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8e1f1422e
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026572] RDX: 0000000000000900 RSI: 00007fe8d003b970 RDI: 00000000ffffff9c
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026573] RBP: 00007fe8daffc970 R08: 00007fe8daffb810 R09: 00007fe8d0101650
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026575] R10: 0000000000000fff R11: 0000000000000206 R12: 00007fe8d00a7a00
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026576] R13: 00007fe8d003b970 R14: 00007fe8cc0772d0 R15: 00007fe8d002bd30
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026579]  </TASK>
Nov 13 13:48:54 noonie-T580-Linux kernel: [    0.000000] microcode: updated early: 0xec -> 0xf4, date = 2023-02-23
Kees Cook has queued the below 2 patches for -next/hardening.

[1/2] qnx4: Extract dir entry filename processing into helper
      https://git.kernel.org/kees/c/49a85c02a189
[2/2] qnx4: Use get_directory_fname() in qnx4_match()
      https://git.kernel.org/kees/c/0a0fb20f5e08

@Niek Nooijens can you please test with the above 2 patches and confirm if the issue is resolved.
(In reply to Monthero Ronald from comment #5)
> 
> Kees Cook has queued the below 2 patches for -next/hardening.
> 
> [1/2] qnx4: Extract dir entry filename processing into helper
> https://git.kernel.org/kees/c/49a85c02a189
> [2/2] qnx4: Use get_directory_fname() in qnx4_match()
> https://git.kernel.org/kees/c/0a0fb20f5e08
> 
> @Niek Nooijens can you please test with the above 2 patches and
> confirm if the issue is resolved.

Yes, I just recompiled the kernel with the patches applied (took a while) and things seem to work:

==============shell=============
/dev/loop30 on /mnt type qnx4 (ro,relatime)
noonie@noonie-T580-Linux:~$ cd /mnt
noonie@noonie-T580-Linux:/mnt$ ls
armle-v7  base  bin  etc  lib  opt  root  sbin  usr  var
noonie@noonie-T580-Linux:/mnt$ sudo -s
root@noonie-T580-Linux:/mnt# cd root
root@noonie-T580-Linux:/mnt/root# cd pac/FWUpdate/
root@noonie-T580-Linux:/mnt/root/pac/FWUpdate# ls
BootLoader_tester.sh  etfs-raw            systembase_common.sh
BootLoader_writer.sh  fpgaupdate_eip      system_base.crc32
DARC_common.sh        FWUpdate.ini        system_base.tar.bz2
DARC_tester.sh        FWUpdateLogger      systembase_tester.sh
darc_top.rpd          FWUpdater           systembase_writer.sh
darc_top.smh          normal.img          u-boot-nand.img
DARC_writer.sh        preloader-nand.bin  update_nand
eipfwupCommand        recovery.img
etfs-counts           scrambler_target
==========================================

Checking the dmesg shows nothing other than:

===================dmesg==================
[  132.003822] loop30: detected capacity change from 0 to 212992
[  148.008769] QNX4 filesystem 0.2.3 registered.
[  255.961307] capability: warning: `gvfsd-admin' uses 32-bit capabilities (legacy support in use)
[  333.079255] loop31: detected capacity change from 0 to 7565
==========================================

So far, no crashes yet. Things seem to work.
Hi Niek,

Thanks for testing and verifying the patches. Then probably we can close this BZ.
I guess so.