FS#51595 - [linux-grsec] System crash because of size overflow detected in function btrfs_extent_item_to_extent

Attached to Project: Community Packages
Opened by Minori Hiraoka (Mnkai_rin) - Monday, 31 October 2016, 05:43 GMT
Last edited by Daniel Micay (thestinger) - Thursday, 10 November 2016, 05:02 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Daniel Micay (thestinger)
Architecture: x86_64
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

In the current version of linux-grsec (4.7.10.201610262029), doing certain tasks - for example, sometimes when launching Thunderbird, or 100% of the time when switching the IME (fcitx) mode to fcitx-mozc - renders the system unusable.

After

Additional info:
* package version(s)
linux-grsec 4.7.10.201610262029

* config and/or log files etc.
Using btrfs partition on LVM on LUKS, MBR
Swap on LVM on LUKS, MBR

Steps to reproduce:
1. Boot system using linux-grsec kernel
2. Change fcitx mode to use fcitx-mozc
3. System hangs

journalctl record after the crash (this record is reversed, and was collected when Thunderbird crashed)

10월 31 14:32:14 Arisu kernel: [<ffffffffa00707e0>] ? btrfs_congested_fn+0xa0/0xd0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff81162b88>] ondemand_readahead+0xd8/0x2e0
10월 31 14:32:14 Arisu kernel: [<ffffffff811629f2>] __do_page_cache_readahead+0x202/0x2c0
10월 31 14:32:14 Arisu kernel: [<ffffffffa007dda1>] btrfs_readpages+0x31/0x50 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00ace03>] extent_readpages+0x143/0x230 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00aba74>] __extent_readpages.constprop.25+0x364/0x3e0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff8135c100>] ? list_del+0x10/0x40
10월 31 14:32:14 Arisu kernel: [<ffffffffa00a6634>] ? __set_extent_bit+0x4a4/0x600 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00aab72>] __do_readpage+0x4e2/0xe20 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00a5b8e>] ? set_state_bits+0x6e/0x180 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0081001>] btrfs_get_extent+0xd71/0xf50 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa006d638>] btrfs_extent_item_to_extent_map+0x448/0x490 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff811f0878>] report_size_overflow+0x78/0x90
10월 31 14:32:14 Arisu kernel: [<ffffffffa0122160>] ? exit_btrfs_fs+0x6332/0x39d43 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa01221b0>] ? exit_btrfs_fs+0x6382/0x39d43 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa013c497>] ? exit_btrfs_fs+0x20669/0x39d43 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff81078617>] do_group_exit+0x37/0xc0
10월 31 14:32:14 Arisu kernel: [<ffffffff81077a74>] do_exit+0x74/0xb70
10월 31 14:32:14 Arisu kernel: [<ffffffff81074247>] warn_slowpath_null+0x27/0x50
10월 31 14:32:14 Arisu kernel: [<ffffffff81074097>] __warn+0xc7/0xf0
10월 31 14:32:14 Arisu kernel: [<ffffffff81107efc>] ? print_modules+0x7c/0xf0
10월 31 14:32:14 Arisu kernel: [<ffffffff813313f3>] dump_stack+0x76/0xd3
10월 31 14:32:14 Arisu kernel: Call Trace:
10월 31 14:32:14 Arisu kernel: 0000000000000000 0000000000000000 ffffc9001054b550 ffffffff81074097
10월 31 14:32:14 Arisu kernel: ffffc9001054b510 ffffffff813313f3 ffffffff81107efc d3b892bb702aef8a
10월 31 14:32:14 Arisu kernel: 0000000000000002 d3b892bb702aef8a 0000000000000286 0000000000000000
10월 31 14:32:14 Arisu kernel: Hardware name: LENOVO 20AL00EEKR/20AL00EEKR, BIOS GIET83WW (2.33 ) 08/25/2015
10월 31 14:32:14 Arisu kernel: CPU: 1 PID: 23513 Comm: mozStorage #1 Tainted: G O 4.7.10.201610262029-1-grsec #1
10월 31 14:32:14 Arisu kernel: aes_x86_64 lrw gf128mul glue_helper ahci ablk_helper cryptd libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod rtsx_pci usbcore
10월 31 14:32:14 Arisu kernel: mei_wdt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass intel_cstate intel_rapl_perf evdev input_leds m
10월 31 14:32:14 Arisu kernel: Modules linked in: cmac ctr ccm rfcomm xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun acpi_call(O) snd_hda_codec_hdmi option usb_ww
10월 31 14:32:14 Arisu kernel: WARNING: CPU: 1 PID: 23513 at kernel/exit.c:675 do_exit+0x74/0xb70
10월 31 14:32:14 Arisu kernel: ------------[ cut here ]------------
10월 31 14:32:14 Arisu kernel: [<ffffffff816a9a90>] entry_SYSCALL_64_fastpath+0x1a/0xbd
10월 31 14:32:14 Arisu kernel: [<ffffffff811e92bf>] sys_pread64+0x9f/0xd0
10월 31 14:32:14 Arisu kernel: [<ffffffff8120fa3d>] ? __fget_light+0x2d/0x80
10월 31 14:32:14 Arisu kernel: [<ffffffff811e75e5>] vfs_read+0xc5/0x220
10월 31 14:32:14 Arisu kernel: [<ffffffff811e62aa>] __vfs_read+0x13a/0x1a0
10월 31 14:32:14 Arisu kernel: [<ffffffff81153b5a>] generic_file_read_iter+0x64a/0xaf0
10월 31 14:32:14 Arisu kernel: [<ffffffff81162e0b>] page_cache_async_readahead+0x7b/0x90
10월 31 14:32:14 Arisu kernel: [<ffffffffa00707e0>] ? btrfs_congested_fn+0xa0/0xd0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff81162b88>] ondemand_readahead+0xd8/0x2e0
10월 31 14:32:14 Arisu kernel: [<ffffffff811629f2>] __do_page_cache_readahead+0x202/0x2c0
10월 31 14:32:14 Arisu kernel: [<ffffffffa007dda1>] btrfs_readpages+0x31/0x50 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00ace03>] extent_readpages+0x143/0x230 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00aba74>] __extent_readpages.constprop.25+0x364/0x3e0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff8135c100>] ? list_del+0x10/0x40
10월 31 14:32:14 Arisu kernel: [<ffffffffa00a6634>] ? __set_extent_bit+0x4a4/0x600 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00aab72>] __do_readpage+0x4e2/0xe20 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa00a5b8e>] ? set_state_bits+0x6e/0x180 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa0081001>] btrfs_get_extent+0xd71/0xf50 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffffa006d638>] btrfs_extent_item_to_extent_map+0x448/0x490 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff811f086c>] report_size_overflow+0x6c/0x90
10월 31 14:32:14 Arisu kernel: [<ffffffffa013c497>] ? exit_btrfs_fs+0x20669/0x39d43 [btrfs]
10월 31 14:32:14 Arisu kernel: [<ffffffff813313f3>] dump_stack+0x76/0xd3
10월 31 14:32:14 Arisu kernel: Call Trace:
10월 31 14:32:14 Arisu kernel: ffffffffa013c497 00000000000003b6 ffffc9001054b650 ffffffff811f086c
10월 31 14:32:14 Arisu kernel: ffffc9001054b620 ffffffff813313f3 fffffffffc0a0000 d3b892bb702aef8a
10월 31 14:32:14 Arisu kernel: d3b892bb00000002 d3b892bb702aef8a 0000000000000286 0000000000000000
10월 31 14:32:14 Arisu kernel: Hardware name: LENOVO 20AL00EEKR/20AL00EEKR, BIOS GIET83WW (2.33 ) 08/25/2015
10월 31 14:32:14 Arisu kernel: CPU: 1 PID: 23513 Comm: mozStorage #1 Tainted: G O 4.7.10.201610262029-1-grsec #1
10월 31 14:32:14 Arisu kernel: PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:950 cicus.362_134 min, count: 86, decl: orig_

Closed by Daniel Micay (thestinger) - Thursday, 10 November 2016, 05:02 GMT
Reason for closing: Fixed
Comment by Daniel Micay (thestinger) - Monday, 31 October 2016, 20:34 GMT
You can use pax_size_overflow_report_only for the time being. It's known to uncover a lot of bugs.
Comment by Minori Hiraoka (Mnkai_rin) - Monday, 31 October 2016, 22:23 GMT
As you suggested, I rebooted my system using pax_size_overflow_report_only. Will report any further issues.
Meanwhile, I noticed this log while booting up (journal also reversed).

11월 01 07:18:40 Arisu kernel: [<ffffffff816ab2f8>] page_fault+0x28/0x30
11월 01 07:18:40 Arisu kernel: [<ffffffff8105eb42>] do_page_fault+0x22/0x40
11월 01 07:18:40 Arisu kernel: [<ffffffff8105e65e>] __do_page_fault+0x1fe/0x6c0
11월 01 07:18:40 Arisu kernel: [<ffffffff8118aa82>] handle_mm_fault+0x13f2/0x1f60
11월 01 07:18:40 Arisu kernel: [<ffffffff81184364>] __do_fault+0xb4/0x1b0
11월 01 07:18:40 Arisu kernel: [<ffffffff81154540>] filemap_fault+0x460/0x540
11월 01 07:18:40 Arisu kernel: [<ffffffff81162e0b>] page_cache_async_readahead+0x7b/0x90
11월 01 07:18:40 Arisu kernel: [<ffffffff81162b88>] ondemand_readahead+0xd8/0x2e0
11월 01 07:18:40 Arisu kernel: [<ffffffff811629f2>] __do_page_cache_readahead+0x202/0x2c0
11월 01 07:18:40 Arisu kernel: [<ffffffffa007dda1>] btrfs_readpages+0x31/0x50 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa00ace03>] extent_readpages+0x143/0x230 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa00aba74>] __extent_readpages.constprop.25+0x364/0x3e0 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffff8135c100>] ? list_del+0x10/0x40
11월 01 07:18:40 Arisu kernel: [<ffffffffa00a6431>] ? __set_extent_bit+0x2a1/0x600 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa00aab72>] __do_readpage+0x4e2/0xe20 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa00a5b8e>] ? set_state_bits+0x6e/0x180 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa0081001>] btrfs_get_extent+0xd71/0xf50 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffffa006d638>] btrfs_extent_item_to_extent_map+0x448/0x490 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffff811f086c>] report_size_overflow+0x6c/0x90
11월 01 07:18:40 Arisu kernel: [<ffffffffa013c497>] ? exit_btrfs_fs+0x20669/0x39d43 [btrfs]
11월 01 07:18:40 Arisu kernel: [<ffffffff813313f3>] dump_stack+0x76/0xd3
11월 01 07:18:40 Arisu kernel: Call Trace:
11월 01 07:18:40 Arisu kernel: ffffffffa013c497 00000000000003b6 ffffc9000669b620 ffffffff811f086c
11월 01 07:18:40 Arisu kernel: ffffc9000669b5f0 ffffffff813313f3 ffffffffff860000 3bf82b034cd5a413
11월 01 07:18:40 Arisu kernel: 3bf82b0300000002 3bf82b034cd5a413 0000000000000286 0000000000000000
11월 01 07:18:40 Arisu kernel: Hardware name: LENOVO 20AL00EEKR/20AL00EEKR, BIOS GIET83WW (2.33 ) 08/25/2015
11월 01 07:18:40 Arisu kernel: CPU: 3 PID: 4256 Comm: journalctl Tainted: G O 4.7.10.201610262029-1-grsec #1
11월 01 07:18:40 Arisu kernel: PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:950 cicus.362_134 min, count: 86, decl: orig_start; num: 0; context: extent_map;

This happened when I was starting lightdm, and lightdm could not access the system user's information, resulting in only a black screen.
After rebooting, it worked properly this time. Maybe this is related to a specific type of I/O request?

*Edit: I do find readahead in every crash's call trace. I still don't know whether it is actually related to the crash.
*Edit2: The same traces happened again when launching Thunderbird, but this time the program ran successfully.
pax_size_overflow_report_only indeed prevents crashing.
Comment by Minori Hiraoka (Mnkai_rin) - Thursday, 03 November 2016, 08:41 GMT
I updated to the new kernel (4.7.10.201611011946-1-grsec), and the problem persists.
This time, the log is not reversed. I got this record while trying to use fcitx-mozc.

[ 250.041655] PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:950 cicus.362_134 min, count: 86, decl: orig_start; num: 0; context: extent_map;
[ 250.041662] CPU: 1 PID: 5840 Comm: mozc_server Tainted: G O 4.7.10.201611011946-1-grsec #1
[ 250.041663] Hardware name: LENOVO 20AL00EEKR/20AL00EEKR, BIOS GIET83WW (2.33 ) 08/25/2015
[ 250.041665] d12cb39e00000002 d12cb39e9c9ea180 0000000000000286 0000000000000000
[ 250.041668] ffffc9000df43630 ffffffff813313f3 fffffffffff80000 d12cb39e9c9ea180
[ 250.041670] ffffffffa013c497 00000000000003b6 ffffc9000df43660 ffffffff811f086c
[ 250.041673] Call Trace:
[ 250.041681] [<ffffffff813313f3>] dump_stack+0x76/0xd3
[ 250.041699] [<ffffffffa013c497>] ? exit_btrfs_fs+0x20669/0x39d43 [btrfs]
[ 250.041702] [<ffffffff811f086c>] report_size_overflow+0x6c/0x90
[ 250.041712] [<ffffffffa006d638>] btrfs_extent_item_to_extent_map+0x448/0x490 [btrfs]
[ 250.041722] [<ffffffffa0081001>] btrfs_get_extent+0xd71/0xf50 [btrfs]
[ 250.041734] [<ffffffffa00a5b8e>] ? set_state_bits+0x6e/0x180 [btrfs]
[ 250.041745] [<ffffffffa00aab72>] __do_readpage+0x4e2/0xe20 [btrfs]
[ 250.041754] [<ffffffffa00a6431>] ? __set_extent_bit+0x2a1/0x600 [btrfs]
[ 250.041757] [<ffffffff8135c100>] ? list_del+0x10/0x40
[ 250.041767] [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
[ 250.041777] [<ffffffffa00aba74>] __extent_readpages.constprop.25+0x364/0x3e0 [btrfs]
[ 250.041786] [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
[ 250.041796] [<ffffffffa00ace03>] extent_readpages+0x143/0x230 [btrfs]
[ 250.041805] [<ffffffffa0080290>] ? btrfs_direct_IO+0x5b0/0x5b0 [btrfs]
[ 250.041813] [<ffffffffa007dda1>] btrfs_readpages+0x31/0x50 [btrfs]
[ 250.041816] [<ffffffff811629f2>] __do_page_cache_readahead+0x202/0x2c0
[ 250.041819] [<ffffffff81151447>] ? pagecache_get_page+0x27/0x250
[ 250.041821] [<ffffffff8115439e>] filemap_fault+0x2be/0x540
[ 250.041823] [<ffffffff81184364>] __do_fault+0xb4/0x1b0
[ 250.041825] [<ffffffff8118aa82>] handle_mm_fault+0x13f2/0x1f60
[ 250.041829] [<ffffffff8105e65e>] __do_page_fault+0x1fe/0x6c0
[ 250.041831] [<ffffffff8105eb42>] do_page_fault+0x22/0x40
[ 250.041833] [<ffffffff816ab2f8>] page_fault+0x28/0x30
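Every trace in the report and the two follow-up comments carries the same "PAX: size overflow detected" line, once cut off by the journal, and with pax_size_overflow_report_only set those lines keep accumulating instead of killing the process. The following is an added example, not code from the bug report, from grsecurity or from the PaX plugin: a small Python parser that pulls the function, file and line out of journalctl or dmesg output and groups repeated reports by location, which is how one would check that everything logged under report-only mode points at a single site (here the one the PaX Team later confirmed as a false positive). The regexes are written from the line format as quoted in this thread, not from the plugin's source; the sample lines are copied from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Full report line from the PaX size_overflow plugin, in the shape quoted in this thread.
PAX_FULL = re.compile(
    r"PAX: size overflow detected in function (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+) "
    r"\S+ (?:min|max), count: \d+, decl: (?P<decl>[^;]+); num: \d+; context: (?P<ctx>[^;]+);"
)
# Journal lines can be cut off mid-report (the first trace in this thread is);
# this weaker pattern still recovers the code location.
PAX_LOC = re.compile(r"PAX: size overflow detected in function (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)")
COMM = re.compile(r"CPU: \d+ PID: \d+ Comm: (?P<comm>.+?) Tainted:")  # process running when the plugin fired

@dataclass(frozen=True)
class PaxReport:
    func: str
    file: str
    line: int
    decl: Optional[str]  # None when the journal line was truncated
    ctx: Optional[str]

def parse_pax_report(text: str) -> Optional[PaxReport]:
    """Parse one journal or dmesg line; the timestamp/host prefix is ignored."""
    if m := PAX_FULL.search(text):
        return PaxReport(m["func"], m["file"], int(m["line"]), m["decl"], m["ctx"])
    if m := PAX_LOC.search(text):
        return PaxReport(m["func"], m["file"], int(m["line"]), None, None)
    return None

def summarize(lines):
    """Count reports per code location and collect the processes that hit them; order-independent,
    so it works on reversed (journalctl -r) and forward output alike."""
    per_location, comms = Counter(), set()
    for text in lines:
        if rep := parse_pax_report(text):
            per_location[(rep.func, rep.file, rep.line)] += 1
        if c := COMM.search(text):
            comms.add(c["comm"])
    return per_location, comms

# Constructed sample: the report lines quoted in this thread (the first one truncated) plus two CPU lines.
SAMPLE = [
    "10월 31 14:32:14 Arisu kernel: CPU: 1 PID: 23513 Comm: mozStorage #1 Tainted: G O 4.7.10.201610262029-1-grsec #1",
    "10월 31 14:32:14 Arisu kernel: PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:950 cicus.362_134 min, count: 86, decl: orig_",
    "11월 01 07:18:40 Arisu kernel: PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:950 cicus.362_134 min, count: 86, decl: orig_start; num: 0; context: extent_map;",
    "[  250.041655] PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:950 cicus.362_134 min, count: 86, decl: orig_start; num: 0; context: extent_map;",
    "[  250.041662] CPU: 1 PID: 5840 Comm: mozc_server Tainted: G O 4.7.10.201611011946-1-grsec #1",
]
```

Feed it `journalctl -k | python -c ...` or a saved dmesg and a single location with a growing count is the signature of one plugin check firing repeatedly, as opposed to several distinct overflow sites.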
Comment by PaX Team (paxteam) - Wednesday, 09 November 2016, 19:15 GMT
Thanks for the report; this is a false positive that we fixed for 4.8.