From patchwork Wed Sep 13 10:12:07 2017
X-Patchwork-Submitter: Tetsuo Handa
X-Patchwork-Id: 9950889
To: vegard.nossum@gmail.com, viro@zeniv.linux.org.uk, akpm@linux-foundation.org
Cc: linux-fsdevel@vger.kernel.org
Subject: [PATCH] dentry: Fix kmemcheck splat at take_dentry_name_snapshot()
From: Tetsuo Handa
References: <201709042112.BFB76862.FQVFMSOtOJFHOL@I-love.SAKURA.ne.jp>
 <20170904132106.GU5426@ZenIV.linux.org.uk>
 <201709042311.IIE60447.OJSQFMHtOFLVOF@I-love.SAKURA.ne.jp>
 <20170904142233.GV5426@ZenIV.linux.org.uk>
In-Reply-To:
Message-Id: <201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp>
X-Mailer: Winbiff [Version 2.51 PL2]
X-Accept-Language: ja,en,zh
Date: Wed, 13 Sep 2017 19:12:07 +0900
Mime-Version: 1.0
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Vegard Nossum wrote:
> kmemcheck knows how to memcpy() the shadow memory state between two
> slab-allocated objects, but it doesn't track memory state for the
> stack so if you're copying partially uninitialised object to the stack
> (which I'm guessing is the case here?) then it will produce the
> warning Tetsuo Handa saw.
>
> BTW as soon as msan/kmsan support for the kernel [1] is merged I am
> planning to nuke kmemcheck from the kernel. msan/kmsan should handle
> it properly.
>
> [1]: https://github.com/google/kmsan

I think kmemcheck is correct and msan/kmsan must as well splat here, for
they won't be able to know that this

	unsigned char d_iname[DNAME_INLINE_LEN];	/* small names */

field is interpreted as "only bytes up to first '\0' are valid".
----------
>From c4fe364445f7b2490209aba90b289f0543b3cfa8 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa Date: Wed, 13 Sep 2017 18:47:50 +0900 Subject: [PATCH] dentry: Fix kmemcheck splat at take_dentry_name_snapshot() Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes are initialized at __d_alloc(), we can't copy the whole size unconditionally. WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50) 636f6e66696766732e746d70000000000010000000000000020000000188ffff i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u ^ RIP: 0010:take_dentry_name_snapshot+0x28/0x50 RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246 RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002 RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60 RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001 R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00 R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0 take_dentry_name_snapshot+0x28/0x50 vfs_rename+0x128/0x870 SyS_rename+0x3b2/0x3d0 entry_SYSCALL_64_fastpath+0x1a/0xa4 0xffffffffffffffff Signed-off-by: Tetsuo Handa --- fs/dcache.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/dcache.c b/fs/dcache.c index f901413..ad6d328 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -291,7 +291,8 @@ void take_dentry_name_snapshot(struct name_snapshot *name, struct dentry *dentry spin_unlock(&dentry->d_lock); name->name = p->name; } else { - memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN); + memcpy(name->inline_name, dentry->d_iname, + dentry->d_name.len + 1); spin_unlock(&dentry->d_lock); name->name = name->inline_name; }
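Review bot: the commit message should state why `dentry->d_name.len + 1` cannot overrun `name->inline_name` in this hunk: the memcpy sits in the `else` branch, i.e. the non-external (inline) name case, where the name was stored in `d_iname` by `__d_alloc()` and so `len + 1 <= DNAME_INLINE_LEN` holds by construction. It is also worth saying that `d_name.len` is read while `d_lock` is still held (the `spin_unlock(&dentry->d_lock);` in the trailing context comes after the copy), so the length and the bytes copied belong to the same name and cannot be torn by a concurrent rename. One sentence covering both points would save a later reader from rederiving the bound.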
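As an added illustration of the partial initialisation the message describes (this is not code from the patch or from the kernel): a user-space model of the inline-name path in which a kmemcheck-style shadow array records which `d_iname` bytes `__d_alloc()` initialised, so the pre-patch `DNAME_INLINE_LEN` copy and the patched `d_name.len + 1` copy can be compared on the same name. The `fake_dentry` struct, `fake_d_alloc()`, `run_snapshot()` and the 0xAA stale-byte fill are assumptions of this model, not kernel code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DNAME_INLINE_LEN 32 /* inline name size on 64-bit, as in the kernel */
struct fake_dentry { /* constructed stand-in for struct dentry */
	unsigned int len;                        /* d_name.len */
	unsigned char d_iname[DNAME_INLINE_LEN]; /* only len + 1 bytes are valid */
	unsigned char shadow[DNAME_INLINE_LEN];  /* 1 = initialised, kmemcheck-style */
};

/* Mimics __d_alloc(): copies the name plus its NUL and leaves the tail as
 * stale slab contents (simulated with 0xAA so the run is deterministic). */
static void fake_d_alloc(struct fake_dentry *d, const char *name)
{
	d->len = (unsigned int)strlen(name);
	memset(d->d_iname, 0xAA, DNAME_INLINE_LEN);
	memset(d->shadow, 0, DNAME_INLINE_LEN);
	memcpy(d->d_iname, name, d->len + 1);
	memset(d->shadow, 1, d->len + 1);
}

/* Snapshot on the inline path: fixed=false copies DNAME_INLINE_LEN bytes
 * (pre-patch), fixed=true copies d_name.len + 1 bytes (patched). Returns the
 * number of copied bytes kmemcheck would report as uninitialised (the 'u'
 * entries in the splat); *intact says whether the snapshot equals the name. */
static unsigned int run_snapshot(const char *name, bool fixed, bool *intact)
{
	struct fake_dentry d;
	unsigned char out[DNAME_INLINE_LEN];
	unsigned int uninit = 0;
	fake_d_alloc(&d, name);
	size_t copy_len = fixed ? d.len + 1 : DNAME_INLINE_LEN;
	memcpy(out, d.d_iname, copy_len);
	for (size_t i = 0; i < copy_len; i++)
		uninit += !d.shadow[i];
	*intact = strcmp((const char *)out, name) == 0;
	return uninit;
}

int main(void)
{
	bool intact;
	unsigned int u = run_snapshot("configfs.tmp", false, &intact);
	printf("whole-buffer copy: %u uninitialised bytes read\n", u);
	u = run_snapshot("configfs.tmp", true, &intact);
	printf("len+1 copy: %u uninitialised bytes, name intact=%d\n", u, intact);
	return 0;
}
```

With the 12-byte name from the splat, the whole-buffer copy reads 19 bytes past the NUL that were never written, while the len + 1 copy reads none and still yields the same string.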