Bug 218111 - Kernel panic on listing QNX4 fs directory
Summary: Kernel panic on listing QNX4 fs directory
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: Intel Linux
Importance: P3 low
Assignee: fs_other
 
Reported: 2023-11-07 08:57 UTC by Niek Nooijens
Modified: 2023-12-15 04:58 UTC

Kernel Version: 6.6.0
Regression: No


Attachments
kernel log (2.45 MB, application/x-xz)
2023-11-07 08:57 UTC, Niek Nooijens
Details

Description Niek Nooijens 2023-11-07 08:57:13 UTC
Created attachment 305376 [details]
kernel log

When mounting a QNX4 filesystem in Linux 6.6.0 (latest mainline), listing a directory may fail and cause a kernel panic.


First discovered on Ubuntu's own kernel; however, I was curious whether this was Ubuntu-specific. It turned out it wasn't. I compiled 6.6.0 from scratch with the attached config.


Steps to reproduce:
1. Grab 6.6.0 from the kernel.org main page.
2. Apply the attached config.
3. make modules_install
4. sudo make install
5. Reboot into the new kernel.
6. Open the disk image with the disk image mounter (attaches it to /dev/loop30).
7. mount /dev/loop30p3 /mnt   # (QNX partition)
8. cd /mnt
9. Execute ls a few times in different directories.


The first ls will give a [detected buffer overflow in strlen] kernel message.
After a few times it completely hangs.


/var/log/kern.log reveals a full on panic:

Nov  7 10:34:09 noonie-T580-Linux kernel: [  234.756173] kernel BUG at lib/string.c:1165!
Nov  7 10:34:09 noonie-T580-Linux kernel: [  234.756184] invalid opcode: 0000 [#1] SMP PTI
....

Full log is in the attachment.
Comment 1 Monthero Ronald 2023-11-12 10:10:11 UTC
Checking the provided kernel log and config, the below seems to be the cause of the panic during the lookup operation on the qnx4 directory.

The panic stack dump indicates a string length buffer overflow, in the following context: qnx4_lookup() => qnx4_find_entry() => qnx4_match()

    [ 4849.636861] detected buffer overflow in strlen
    [ 4849.636897] ------------[ cut here ]------------
    [ 4849.636902] kernel BUG at lib/string.c:1165!
    [ 4849.636917] invalid opcode: 0000 [#2] SMP PTI
    ..
    [ 4849.637047] Call Trace:
    [ 4849.637053]  <TASK>
    [ 4849.637059]  ? show_trace_log_lvl+0x1d6/0x2ea
    [ 4849.637075]  ? show_trace_log_lvl+0x1d6/0x2ea
    [ 4849.637095]  ? qnx4_find_entry.cold+0xc/0x18 [qnx4]
    [ 4849.637111]  ? show_regs.part.0+0x23/0x29
    [ 4849.637123]  ? __die_body.cold+0x8/0xd
    [ 4849.637135]  ? __die+0x2b/0x37
    [ 4849.637147]  ? die+0x30/0x60
    [ 4849.637161]  ? do_trap+0xbe/0x100
    [ 4849.637171]  ? do_error_trap+0x6f/0xb0
    [ 4849.637180]  ? fortify_panic+0x13/0x15
    [ 4849.637192]  ? exc_invalid_op+0x53/0x70
    [ 4849.637203]  ? fortify_panic+0x13/0x15
    [ 4849.637215]  ? asm_exc_invalid_op+0x1b/0x20
    [ 4849.637228]  ? fortify_panic+0x13/0x15
    [ 4849.637240]  ? fortify_panic+0x13/0x15
    [ 4849.637251]  qnx4_find_entry.cold+0xc/0x18 [qnx4]
    [ 4849.637264]  qnx4_lookup+0x3c/0xa0 [qnx4]
    [ 4849.637275]  __lookup_slow+0x85/0x150
    [ 4849.637291]  walk_component+0x145/0x1c0
    [ 4849.637304]  ? path_init+0x2c0/0x3f0
    [ 4849.637316]  path_lookupat+0x6e/0x1c0
    [ 4849.637330]  filename_lookup+0xcf/0x1d0
    [ 4849.637341]  ? __check_object_size+0x1d/0x30
    [ 4849.637354]  ? strncpy_from_user+0x44/0x150
    [ 4849.637365]  ? getname_flags.part.0+0x4c/0x1b0
    [ 4849.637375]  user_path_at_empty+0x3f/0x60
    [ 4849.637383]  vfs_statx+0x7a/0x130
    [ 4849.637393]  do_statx+0x45/0x80
    ..

(in the kernel config: CONFIG_FORTIFY_SOURCE=y)

linux-git$ git describe 
v6.6-16177-gea69f5e8240

static int qnx4_match(int len, const char *name,
                      struct buffer_head *bh, unsigned long *offset)
{
        struct qnx4_inode_entry *de;
        int namelen, thislen;

        if (bh == NULL) {
                printk(KERN_WARNING "qnx4: matching unassigned buffer !\n");
                return 0;
        }
        de = (struct qnx4_inode_entry *) (bh->b_data + *offset);
        *offset += QNX4_DIR_ENTRY_SIZE;
        if ((de->di_status & QNX4_FILE_LINK) != 0) {
                namelen = QNX4_NAME_MAX;
        } else {
                namelen = QNX4_SHORT_NAME_MAX;
        }

        thislen = strlen( de->di_fname );     << [1]  buffer overflow 
        if ( thislen > namelen )
                thislen = namelen;
        if (len != thislen) {
                return 0;
        }
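The failure mode above (a 16-byte on-disk name field that is not NUL-terminated, scanned with an unbounded strlen() under CONFIG_FORTIFY_SOURCE) is easy to reproduce in userspace. The following is an added example written for this page; it is not code from the bug report, from the proposed patch, or from the kernel tree. It assumes a simplified entry layout (the fields between the name and the status byte are collapsed into one opaque array; only the two name fields and the status byte sit at their real offsets), a constructed three-entry directory block, and a helper get_directory_fname() modelled on the name of the upstream helper in comment 5 rather than copied from it. It shows what the pre-fix strlen() returns for a link entry whose name has no terminator within the first 16 bytes, whether FORTIFY's strlen() would have panicked on it, and a bounded lookup that matches long and short names correctly.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants as in include/uapi/linux/qnx4_fs.h. */
#define QNX4_SHORT_NAME_MAX 16
#define QNX4_NAME_MAX       48
#define QNX4_DIR_ENTRY_SIZE 0x40
#define QNX4_FILE_USED      0x01
#define QNX4_FILE_LINK      0x08

/* Simplified layouts (assumption: size/extent/time/mode fields collapsed into
 * one opaque array). Both variants are 64 bytes, end in a status byte and
 * share one slot; QNX4_FILE_LINK in that byte says which name field is live.
 * Neither name field is guaranteed to be NUL-terminated on disk. */
struct qnx4_inode_entry {
    char    di_fname[QNX4_SHORT_NAME_MAX];
    uint8_t di_body[QNX4_DIR_ENTRY_SIZE - QNX4_SHORT_NAME_MAX - 1];
    uint8_t di_status;
};

struct qnx4_link_info {
    char    dl_fname[QNX4_NAME_MAX];
    uint8_t dl_body[QNX4_DIR_ENTRY_SIZE - QNX4_NAME_MAX - 1];
    uint8_t dl_status;
};

union qnx4_dir_entry {
    struct qnx4_inode_entry inode;
    struct qnx4_link_info   link;
    uint8_t                 raw[QNX4_DIR_ENTRY_SIZE];
};

/* Pre-fix behaviour: plain strlen() on the 16-byte short-name field, which
 * keeps scanning past di_fname until some NUL elsewhere in the entry. */
size_t unsafe_name_len(const union qnx4_dir_entry *e)
{
    return strlen(e->inode.di_fname);
}

/* FORTIFY's strlen() knows di_fname is 16 bytes and calls fortify_panic()
 * once the result reaches that size; 1 if this entry would trip it. */
int fortify_would_panic(const union qnx4_dir_entry *e)
{
    return unsafe_name_len(e) >= sizeof(e->inode.di_fname);
}

/* Fixed behaviour: choose the name field by entry type and bound the scan
 * by that field's size, so the scan can never leave the entry. */
const char *get_directory_fname(const union qnx4_dir_entry *e, size_t *len)
{
    if (e->inode.di_status & QNX4_FILE_LINK) {
        *len = strnlen(e->link.dl_fname, QNX4_NAME_MAX);
        return e->link.dl_fname;
    }
    *len = strnlen(e->inode.di_fname, QNX4_SHORT_NAME_MAX);
    return e->inode.di_fname;
}

/* Same contract as qnx4_match(): 1 on an exact match, 0 otherwise. */
int qnx4_match_safe(const union qnx4_dir_entry *e, const char *name, size_t len)
{
    size_t thislen;
    const char *fname;

    if ((e->inode.di_status & (QNX4_FILE_USED | QNX4_FILE_LINK)) == 0)
        return 0;                               /* free slot */
    fname = get_directory_fname(e, &thislen);
    return thislen == len && memcmp(fname, name, len) == 0;
}

/* Index of the entry named `name` in a directory block, or -1. */
int qnx4_find_entry_safe(const union qnx4_dir_entry *dir, size_t n, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (qnx4_match_safe(&dir[i], name, len))
            return (int)i;
    return -1;
}

/* Constructed directory block (not from the reporter's image; only the
 * 20-character name is borrowed from their listing). */
#define SAMPLE_ENTRIES 3
const union qnx4_dir_entry *sample_dir(void)
{
    static union qnx4_dir_entry dir[SAMPLE_ENTRIES];

    memset(dir, 0, sizeof dir);
    memcpy(dir[0].inode.di_fname, "etc", 3);                  /* terminated   */
    dir[0].inode.di_status = QNX4_FILE_USED;
    memcpy(dir[1].link.dl_fname, "BootLoader_tester.sh", 20); /* no NUL in 16 */
    dir[1].link.dl_status = QNX4_FILE_USED | QNX4_FILE_LINK;
    memcpy(dir[2].inode.di_fname, "normal_update_16", 16);    /* all 16 used  */
    dir[2].inode.di_status = QNX4_FILE_USED;
    return dir;
}
```

For the link entry, unsafe_name_len() returns 20, which is why the kernel's fortified strlen() (object size 16) panics; the 16-character short name trips it as well, because the field is full and has no terminator. The bounded lookup finds all three names and rejects prefixes and longer strings, which is the behaviour the proposed strnlen() pre-check alone does not give.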
Comment 2 Monthero Ronald 2023-11-12 10:17:50 UTC
Can you please test by making the following changes in fs/qnx4/namei.c and see if the issue persists? I would like to send the below for review to the maintainers.

Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
---
 fs/qnx4/namei.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
index 8d72221735d7..825b891a52b3 100644
--- a/fs/qnx4/namei.c
+++ b/fs/qnx4/namei.c
@@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name,
 	} else {
 		namelen = QNX4_SHORT_NAME_MAX;
 	}
+
+	/** qnx4 dir name length can vary, check the di_fname
+	 * fetched from (struct qnx4_inode_entry *) before use in
+	 * strlen to avoid panic due to buffer overflow"
+	 */
+	if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname))
+		return -ENAMETOOLONG;
 	thislen = strlen( de->di_fname );
 	if ( thislen > namelen )
 		thislen = namelen;
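Review bot: the `return -ENAMETOOLONG;` in the new check changes the function's contract. Every other path of qnx4_match() returns 0 for "no match" (the bh == NULL warning and the `len != thislen` case), so a caller that tests the result for non-zero will take a negative errno as a successful match and hand back whichever entry had the over-long name; return 0 here, i.e. skip the entry. The bound is also wrong for link entries: `sizeof(de->di_fname)` is the short-name field, while `namelen` was just set to QNX4_NAME_MAX when QNX4_FILE_LINK is set, so any link name of sizeof(de->di_fname) or more characters is rejected instead of compared, and with the pre-check in place the following `strlen( de->di_fname )` is still unbounded for the short-name case. Take the length with strnlen() on the field that `namelen` selects and drop the strlen() call, rather than guarding it. Minor: `/**` is the kernel-doc opener (use `/*` for an inline comment), and the comment text ends with a stray `"`.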
-- 
2.34.1
Comment 3 Niek Nooijens 2023-11-13 01:15:02 UTC
Yes, that fixes it! Thanks!

Should I close it immediately or when the patch is merged?

root@noonie-T580-Linux:/home/noonie# disktype /dev/loop30

--- /dev/loop30
Block device, size 128 MiB (134217728 bytes)
DOS/MBR partition map
Partition 1: 15.98 MiB (16760832 bytes, 32736 sectors from 32)
  Type 0x06 (FAT16)
  FAT16 file system (hints score 5 of 5)
    Volume size 15.94 MiB (16709632 bytes, 8159 clusters of 2 KiB)
Partition 2: 4 MiB (4194304 bytes, 8192 sectors from 32768)
  Type 0xA2 (Unknown)
Partition 3: 104 MiB (109051904 bytes, 212992 sectors from 40960)
  Type 0x4F (QNX4.x 3rd part)
  QNX4 file system
Partition 4: 4 MiB (4194304 bytes, 8192 sectors from 253952)
  Type 0x4E (QNX4.x 2nd part)
  QNX4 file system

root@noonie-T580-Linux:/home/noonie# mount /dev/loop30p3 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
root@noonie-T580-Linux:/home/noonie# cd /mnt
root@noonie-T580-Linux:/mnt# ls
armle-v7  base  bin  etc  lib  opt  root  sbin  usr  var
root@noonie-T580-Linux:/mnt# cd root/
root@noonie-T580-Linux:/mnt/root# ls
]pac
root@noonie-T580-Linux:/mnt/root# cd pac
root@noonie-T580-Linux:/mnt/root/pac# ls
FWUpdate  Unit
root@noonie-T580-Linux:/mnt/root/pac# cd FWUpdate/
root@noonie-T580-Linux:/mnt/root/pac/FWUpdate# ls
BootLoader_tester.sh  darc_top.rpd    etfs-counts     FWUpdateLogger      recovery.img          system_base.tar.bz2   update_nand
BootLoader_writer.sh  darc_top.smh    etfs-raw        FWUpdater           scrambler_target      systembase_tester.sh
DARC_common.sh        DARC_writer.sh  fpgaupdate_eip  normal.img          systembase_common.sh  systembase_writer.sh
DARC_tester.sh        eipfwupCommand  FWUpdate.ini    preloader-nand.bin  system_base.crc32     u-boot-nand.img
root@noonie-T580-Linux:/mnt/root/pac/FWUpdate#
Comment 4 Niek Nooijens 2023-11-13 04:55:51 UTC
After using it for 2 hours, a new bug appeared.


Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970037] ------------[ cut here ]------------
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970038] kernel BUG at lib/string_helpers.c:1046!
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970042] invalid opcode: 0000 [#3] PREEMPT SMP PTI
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970045] CPU: 5 PID: 31949 Comm: pool-gvfsd-admi Tainted: G      D            6.6.0 #3
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970048] Hardware name: LENOVO 20LAS1KH0J/20LAS1KH0J, BIOS N27ET45W (1.31 ) 12/14/2021
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970049] RIP: 0010:fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970054] Code: 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 fe 48 c7 c7 a0 48 3d b0 48 89 e5 e8 a9 9e a0 ff <0f> 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970056] RSP: 0018:ffffc9001407fab8 EFLAGS: 00010246
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970058] RAX: 0000000000000023 RBX: 00000000000000c0 RCX: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970060] RDX: 0000000000000000 RSI: ffff88846e961540 RDI: ffff88846e961540
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970061] RBP: ffffc9001407fab8 R08: 0000000000000003 R09: 205d373230303739
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970063] R10: ffffffffb0f7e120 R11: 6e656c6e72746564 R12: 0000000000000002
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970064] R13: ffff888147b57258 R14: ffff8883817900c0 R15: ffff88836cc82d00
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970065] FS:  00007fe8d97fa640(0000) GS:ffff88846e940000(0000) knlGS:0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970067] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970069] CR2: 00007fe8d401f038 CR3: 0000000146b0c003 CR4: 00000000003706e0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970071] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970072] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970073] Call Trace:
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970075]  <TASK>
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970077]  ? show_regs+0x6e/0x80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970080]  ? die+0x3c/0xa0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970083]  ? do_trap+0xd4/0xf0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970086]  ? do_error_trap+0x75/0xa0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970088]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970090]  ? exc_invalid_op+0x57/0x80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970093]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970095]  ? asm_exc_invalid_op+0x1f/0x30
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970100]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970102]  ? fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970106]  qnx4_lookup+0x1cd/0x1e0 [qnx4]
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970112]  __lookup_slow+0x81/0x130
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970115]  walk_component+0x113/0x180
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970117]  path_lookupat+0x6e/0x1c0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970120]  filename_lookup+0xd3/0x1e0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970123]  ? schedule+0x6c/0x100
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970126]  ? io_schedule+0x4a/0x80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970128]  ? __wait_on_bit+0x108/0x120
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970131]  vfs_statx+0x91/0x170
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970133]  do_statx+0x4f/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970136]  ? strncpy_from_user+0x48/0x150
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970139]  ? getname_flags.part.0+0x4c/0x1b0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970141]  ? iterate_dir+0x126/0x170
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970143]  ? getname_flags+0x45/0x70
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970146]  __x64_sys_statx+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970148]  do_syscall_64+0x5d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970150]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970152]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970154]  ? call_rcu+0x12/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970156]  ? __fput+0x1b0/0x2c0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970158]  ? exit_to_user_mode_prepare+0x35/0x180
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970162]  ? syscall_exit_to_user_mode+0x38/0x50
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970164]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970166]  ? __x64_sys_read+0x1d/0x30
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970169]  ? do_syscall_64+0x6d/0x90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970171]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970174] RIP: 0033:0x7fe8e1f1422e
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970176] Code: ff 64 c7 00 16 00 00 00 e9 8e fd ff ff e8 2a 25 02 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 89 ca b8 4c 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2a 41 89 c1 85 c0 74 0f 48 8b 05 cc 4b 10 00
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970178] RSP: 002b:00007fe8d97f8698 EFLAGS: 00000202 ORIG_RAX: 000000000000014c
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970180] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8e1f1422e
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970181] RDX: 0000000000000900 RSI: 00007fe8cc08d300 RDI: 00000000ffffff9c
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970183] RBP: 00007fe8d97f9970 R08: 00007fe8d97f8810 R09: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970184] R10: 0000000000000fff R11: 0000000000000202 R12: 00007fe8cc0167d0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970185] R13: 00007fe8cc08d300 R14: 00007fe8cc0a2490 R15: 00007fe8cc041e80
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970188]  </TASK>
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970189] Modules linked in: ntfs3 qnx4 rfcomm snd_seq_dummy snd_hrtimer xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_multiport xt_cgroup xt_mark xt_owner xt_tcpudp xt_comment nft_compat cmac algif_hash algif_skcipher af_alg bnep nf_tables snd_hda_codec_hdmi nfnetlink snd_ctl_led snd_hda_codec_realtek snd_hda_codec_generic overlay intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd cryptd i915 snd_sof_pci_intel_skl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda iwlmvm snd_sof_pci snd_sof_xtensa_dsp mei_hdcp snd_sof intel_rapl_msr kvm_intel snd_sof_utils kvm soundwire_bus mac80211 snd_soc_skl binfmt_misc snd_soc_hdac_hda snd_hda_ext_core nls_iso8859_1 snd_soc_sst_ipc
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970235]  snd_soc_sst_dsp rapl snd_soc_acpi_intel_match snd_soc_acpi intel_cstate snd_soc_core rmi_smbus libarc4 uvcvideo rmi_core btusb snd_compress btrtl iwlwifi ac97_bus videobuf2_vmalloc serio_raw uvc snd_pcm_dmaengine btintel btbcm videobuf2_memops btmtk snd_hda_intel videobuf2_v4l2 think_lmi snd_seq_midi firmware_attributes_class wmi_bmof intel_wmi_thunderbolt joydev input_leds snd_intel_dspcfg thinkpad_acpi videodev ftdi_sio drm_buddy ee1004 nvram snd_intel_sdw_acpi bluetooth usbserial snd_seq_midi_event ttm snd_hda_codec ledtrig_audio videobuf2_common drm_display_helper mc snd_rawmidi platform_profile cfg80211 snd_hda_core snd_seq cec snd_hwdep ecdh_generic snd_pcm snd_seq_device ecc rc_core processor_thermal_device_pci_legacy mei_me drm_kms_helper processor_thermal_device processor_thermal_rfim snd_timer processor_thermal_mbox mei processor_thermal_rapl sch_fq_codel intel_rapl_common i2c_algo_bit intel_pch_thermal snd intel_xhci_usb_role_switch intel_soc_dts_iosf int3403_thermal soundcore
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970281]  int340x_thermal_zone int3400_thermal mac_hid acpi_thermal_rel acpi_pad drm msr parport_pc ppdev lp parport efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid uas usb_storage btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e thunderbolt nvme ucsi_acpi psmouse nvme_core crc32_pclmul typec_ucsi i2c_i801 xhci_pci i2c_smbus typec xhci_pci_renesas video wmi
Nov 13 13:46:53 noonie-T580-Linux kernel: [13030.970314] ---[ end trace 0000000000000000 ]---
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133452] RIP: 0010:fortify_panic+0x17/0x20
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133466] Code: 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 fe 48 c7 c7 a0 48 3d b0 48 89 e5 e8 a9 9e a0 ff <0f> 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133469] RSP: 0018:ffffc9000604bac8 EFLAGS: 00010246
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133472] RAX: 0000000000000023 RBX: 0000000000000100 RCX: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133473] RDX: 0000000000000000 RSI: ffff88846e821540 RDI: ffff88846e821540
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133475] RBP: ffffc9000604bac8 R08: 0000000000000003 R09: 205d383432343730
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133476] R10: ffffffffb0f7e120 R11: 6e656c6e72746564 R12: 0000000000000002
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133477] R13: ffff888147b57ab0 R14: ffff8882426e1d00 R15: ffff88814b105c30
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133479] FS:  00007fe8d97fa640(0000) GS:ffff88846e940000(0000) knlGS:0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133481] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133482] CR2: 00007fe8d401f038 CR3: 0000000146b0c003 CR4: 00000000003706e0
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133484] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 13 13:46:53 noonie-T580-Linux kernel: [13031.133485] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026311] watchdog: BUG: soft lockup - CPU#7 stuck for 26s! [pool-gvfsd-admi:31952]
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026315] Modules linked in: ntfs3 qnx4 rfcomm snd_seq_dummy snd_hrtimer xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_multiport xt_cgroup xt_mark xt_owner xt_tcpudp xt_comment nft_compat cmac algif_hash algif_skcipher af_alg bnep nf_tables snd_hda_codec_hdmi nfnetlink snd_ctl_led snd_hda_codec_realtek snd_hda_codec_generic overlay intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd cryptd i915 snd_sof_pci_intel_skl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda iwlmvm snd_sof_pci snd_sof_xtensa_dsp mei_hdcp snd_sof intel_rapl_msr kvm_intel snd_sof_utils kvm soundwire_bus mac80211 snd_soc_skl binfmt_misc snd_soc_hdac_hda snd_hda_ext_core nls_iso8859_1 snd_soc_sst_ipc
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026360]  snd_soc_sst_dsp rapl snd_soc_acpi_intel_match snd_soc_acpi intel_cstate snd_soc_core rmi_smbus libarc4 uvcvideo rmi_core btusb snd_compress btrtl iwlwifi ac97_bus videobuf2_vmalloc serio_raw uvc snd_pcm_dmaengine btintel btbcm videobuf2_memops btmtk snd_hda_intel videobuf2_v4l2 think_lmi snd_seq_midi firmware_attributes_class wmi_bmof intel_wmi_thunderbolt joydev input_leds snd_intel_dspcfg thinkpad_acpi videodev ftdi_sio drm_buddy ee1004 nvram snd_intel_sdw_acpi bluetooth usbserial snd_seq_midi_event ttm snd_hda_codec ledtrig_audio videobuf2_common drm_display_helper mc snd_rawmidi platform_profile cfg80211 snd_hda_core snd_seq cec snd_hwdep ecdh_generic snd_pcm snd_seq_device ecc rc_core processor_thermal_device_pci_legacy mei_me drm_kms_helper processor_thermal_device processor_thermal_rfim snd_timer processor_thermal_mbox mei processor_thermal_rapl sch_fq_codel intel_rapl_common i2c_algo_bit intel_pch_thermal snd intel_xhci_usb_role_switch intel_soc_dts_iosf int3403_thermal soundcore
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026405]  int340x_thermal_zone int3400_thermal mac_hid acpi_thermal_rel acpi_pad drm msr parport_pc ppdev lp parport efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid uas usb_storage btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e thunderbolt nvme ucsi_acpi psmouse nvme_core crc32_pclmul typec_ucsi i2c_i801 xhci_pci i2c_smbus typec xhci_pci_renesas video wmi
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026436] CPU: 7 PID: 31952 Comm: pool-gvfsd-admi Tainted: G      D            6.6.0 #3
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026439] Hardware name: LENOVO 20LAS1KH0J/20LAS1KH0J, BIOS N27ET45W (1.31 ) 12/14/2021
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026440] RIP: 0010:native_queued_spin_lock_slowpath+0x86/0x300
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026445] Code: 92 c2 41 8b 04 24 0f b6 d2 c1 e2 08 30 e4 09 d0 a9 00 01 ff ff 0f 85 f6 01 00 00 85 c0 74 14 41 0f b6 04 24 84 c0 74 0b f3 90 <41> 0f b6 04 24 84 c0 75 f5 b8 01 00 00 00 66 41 89 04 24 5b 41 5c
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026447] RSP: 0018:ffffc90014137a00 EFLAGS: 00000202
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026449] RAX: 0000000000000001 RBX: 00000000e09c1059 RCX: ffff888114e4b230
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026451] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888114e4b1d8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026452] RBP: ffffc90014137a28 R08: 0000000000000001 R09: 0000000000000013
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026453] R10: 732e2b2b63647473 R11: 33312e302e362e6f R12: ffff888114e4b1d8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026455] R13: 0000000000000000 R14: ffff8881226a7cc0 R15: ffff888114e4b1d8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026456] FS:  00007fe8daffd640(0000) GS:ffff88846e9c0000(0000) knlGS:0000000000000000
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026459] CR2: 00007f1343139008 CR3: 0000000146b0c005 CR4: 00000000003706e0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026461] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026462] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026463] Call Trace:
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026464]  <IRQ>
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026467]  ? show_regs+0x6e/0x80
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026470]  ? watchdog_timer_fn+0x1d2/0x240
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026474]  ? __pfx_watchdog_timer_fn+0x10/0x10
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026476]  ? __hrtimer_run_queues+0x10e/0x290
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026479]  ? clockevents_program_event+0xae/0x130
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026483]  ? hrtimer_interrupt+0x105/0x240
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026486]  ? __sysvec_apic_timer_interrupt+0x54/0x150
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026489]  ? sysvec_apic_timer_interrupt+0x7f/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026492]  </IRQ>
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026493]  <TASK>
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026494]  ? asm_sysvec_apic_timer_interrupt+0x1f/0x30
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026498]  ? native_queued_spin_lock_slowpath+0x86/0x300
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026501]  _raw_spin_lock+0x2d/0x40
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026503]  lockref_get_not_dead+0x6a/0xa0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026506]  d_alloc_parallel+0x1c8/0x430
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026508]  ? step_into+0x114/0x6f0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026512]  __lookup_slow+0x5b/0x130
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026514]  walk_component+0x113/0x180
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026516]  path_lookupat+0x6e/0x1c0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026519]  filename_lookup+0xd3/0x1e0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026522]  ? page_counter_uncharge+0x26/0x40
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026525]  vfs_statx+0x91/0x170
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026528]  do_statx+0x4f/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026530]  ? strncpy_from_user+0x48/0x150
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026533]  ? getname_flags.part.0+0x4c/0x1b0
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026535]  ? getname_flags+0x45/0x70
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026537]  __x64_sys_statx+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026540]  do_syscall_64+0x5d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026542]  ? __f_unlock_pos+0x16/0x20
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026544]  ? __x64_sys_getdents64+0x105/0x120
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026546]  ? __pfx_filldir64+0x10/0x10
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026548]  ? exit_to_user_mode_prepare+0x35/0x180
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026552]  ? syscall_exit_to_user_mode+0x38/0x50
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026554]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026556]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026558]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026559]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026561]  ? do_syscall_64+0x6d/0x90
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026563]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026565] RIP: 0033:0x7fe8e1f1422e
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026567] Code: ff 64 c7 00 16 00 00 00 e9 8e fd ff ff e8 2a 25 02 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 89 ca b8 4c 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2a 41 89 c1 85 c0 74 0f 48 8b 05 cc 4b 10 00
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026569] RSP: 002b:00007fe8daffb698 EFLAGS: 00000206 ORIG_RAX: 000000000000014c
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026571] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8e1f1422e
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026572] RDX: 0000000000000900 RSI: 00007fe8d003b970 RDI: 00000000ffffff9c
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026573] RBP: 00007fe8daffc970 R08: 00007fe8daffb810 R09: 00007fe8d0101650
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026575] R10: 0000000000000fff R11: 0000000000000206 R12: 00007fe8d00a7a00
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026576] R13: 00007fe8d003b970 R14: 00007fe8cc0772d0 R15: 00007fe8d002bd30
Nov 13 13:47:18 noonie-T580-Linux kernel: [13056.026579]  </TASK>
Nov 13 13:48:54 noonie-T580-Linux kernel: [    0.000000] microcode: updated early: 0xec -> 0xf4, date = 2023-02-23
Comment 5 Monthero Ronald 2023-12-14 04:10:42 UTC

Kees Cook has queued the below 2 patches for -next/hardening. 

[1/2] qnx4: Extract dir entry filename processing into helper
      https://git.kernel.org/kees/c/49a85c02a189
[2/2] qnx4: Use get_directory_fname() in qnx4_match()
      https://git.kernel.org/kees/c/0a0fb20f5e08

@Niek Nooijens can you please test with the above 2 patches and 
confirm if the issue is resolved.
Comment 6 Niek Nooijens 2023-12-14 07:15:21 UTC
(In reply to Monthero Ronald from comment #5)
> 
> Kees Cook has queued the below 2 patches for -next/hardening. 
> 
> [1/2] qnx4: Extract dir entry filename processing into helper
>       https://git.kernel.org/kees/c/49a85c02a189
> [2/2] qnx4: Use get_directory_fname() in qnx4_match()
>       https://git.kernel.org/kees/c/0a0fb20f5e08
> 
> @Niek Nooijens can you please test with the above 2 patches and 
> confirm if the issue is resolved.

Yes, I just recompiled the kernel with the patches applied (took a while) and things seem to work:
==============shell=============
/dev/loop30 on /mnt type qnx4 (ro,relatime)
noonie@noonie-T580-Linux:~$ cd /mnt
noonie@noonie-T580-Linux:/mnt$ ls
armle-v7  base  bin  etc  lib  opt  root  sbin  usr  var
noonie@noonie-T580-Linux:/mnt$ sudo -s
root@noonie-T580-Linux:/mnt# cd root
root@noonie-T580-Linux:/mnt/root# cd pac/FWUpdate/
root@noonie-T580-Linux:/mnt/root/pac/FWUpdate# ls
BootLoader_tester.sh  etfs-raw            systembase_common.sh
BootLoader_writer.sh  fpgaupdate_eip      system_base.crc32
DARC_common.sh        FWUpdate.ini        system_base.tar.bz2
DARC_tester.sh        FWUpdateLogger      systembase_tester.sh
darc_top.rpd          FWUpdater           systembase_writer.sh
darc_top.smh          normal.img          u-boot-nand.img
DARC_writer.sh        preloader-nand.bin  update_nand
eipfwupCommand        recovery.img
etfs-counts           scrambler_target
==========================================

Checking the dmesg shows nothing other than:

===================dmesg==================
[  132.003822] loop30: detected capacity change from 0 to 212992
[  148.008769] QNX4 filesystem 0.2.3 registered.
[  255.961307] capability: warning: `gvfsd-admin' uses 32-bit capabilities (legacy support in use)
[  333.079255] loop31: detected capacity change from 0 to 7565
==========================================

So far, no crashes yet. Things seem to work.
Comment 7 Monthero Ronald 2023-12-15 04:33:12 UTC
Hi Niek, thanks for testing and verifying the patches. Then we can probably close this BZ.
Comment 8 Niek Nooijens 2023-12-15 04:58:02 UTC
I guess so.
