After upgrading from 4.1.5-hardened-r1, I get two new size overflows detected (although there may be more, I have just started using it). Let me know if you want a separate bug for the two.

PAX: size overflow detected in function btrfs_sync_file fs/btrfs/file.c:1871 cicus.679_111 max, count: 289, decl: btrfs_wait_ordered_range; num: 3; context: fndecl;

PAX: size overflow detected in function minstrel_ht_get_rate net/mac80211/rc80211_minstrel_ht.c:1056 cicus.211_212 max, count: 1, decl: idx; num: 0; context: ieee80211_tx_rate;

I will get kallsyms in a moment (recompile + reload of kernel) and attach them to the bug.

Reproducible: Always
gcc-4.9.3 btw.

For btrfs:

dump_stack+0x45/0x5d
report_size_overflow+0x5c/0x60
btrfs_sync_file+0x8c/0x500
vfs_fsync_range+0x54/0xc0
do_fsync+0x3c/0x70
SyS_fsync+0x15/0x30
entry_SYSCALL_64_fastpath+0x12/0x7e

For mac80211/minstrel:

dump_stack+0x45/0x5d
report_size_overflow+0x5c/0x60
minstrel_ht_get_rate+0x490/0x640
rate_control_get_rate+0xcc/0x150
ieee80211_tx_h_rate_ctrl+0x1d1/0x3b0
invoke_tx_handlers+0x5ab/0x1010
? kfree+0x24/0xf0
? kmem_cache_free+0x32/0x150
? ieee80211_tx_prepare+0x33/0x410
ieee80211_tx+0x75/0xf0
ieee80211_xmit+0xe8/0x1b0
__ieee80211_subif_start_xmit+0x662/0xaf0
? try_to_wake_up+0xdd/0x310
? wake_up_process+0x26/0x50
ieee80211_subif_start_xmit+0x1a/0x30
dev_hard_start_xmit+0x2f1/0x4e0
? validate_xmit_skb.isra.106.part.107+0x1c/0x4a0
? validate_xmit_skb_list+0x42/0x70
sch_direct_xmit+0xd9/0x270
__dev_queue_xmit+0x22d/0x570
dev_queue_xmit_sk+0x16/0x30
ip6_finish_output2+0x3b9/0x460
? nf_iterate+0x8b/0xa0
ip6_finish_output+0x8c/0xf0
ip6_output+0x9c/0xe0
? ip6_fragment+0x1160/0x1160
dst_output_sk+0x2b/0x40
NF_HOOK_THRESH.constprop.40+0x8f/0xa0
? ipv6_icmp_sysctl_init+0x40/0x40
mld_sendpack+0x172/0x280
mld_send_initial_cr.part.30+0x81/0xa0
? mld_send_initial_cr.part.30+0xa0/0xa0
mld_dad_timer_expire+0x20/0x60
call_timer_fn.isra.22+0x32/0x90
? mld_send_initial_cr.part.30+0xa0/0xa0
run_timer_softirq+0x14b/0x240
__do_softirq+0xf9/0x230
irq_exit+0xc8/0xf0
smp_apic_timer_interrupt+0x4f/0x70
apic_timer_interrupt+0x87/0x90
cpuidle_enter_state+0x11a/0x1c0
...
Can you test 4.2.5-r1 since it is the next candidate for stabilization.
I believe this is fixed in 4.2.7. Can you verify?
(In reply to Anthony Basile from comment #3)
> I believe this is fixed in 4.2.7. Can you verify?

No response, I'm assuming this is no longer an issue. Reopen if it's still a problem.
Verified fixed in 4.3.3-r1 (this is the first version I tested). The 4.2.6-r4 version that I was testing previously did not have this exact issue but had a slightly strange CPU utilization bug (it would see the 4 cores but only ever schedule on one) and my brief investigation didn't yield anything useful (errors or otherwise). So I was running an older kernel as I was busy with other things.
Actually just saw this happen again (after some time):

@40000000567d810f3137829c <0>[105891.310647] PAX: size overflow detected in function try_merge_map fs/btrfs/extent_map.c:238 cicus.107_102 max, count: 13, decl: block_len; num: 0; context: extent_map;
@40000000567d810f31384204 kern.warn: [105891.310776] CPU: 1 PID: 30023 Comm: pulseaudio Tainted: G W 4.3.3-hardened-r1 #1
...
@40000000567d810f313a3dd4 kern.warn: [105891.310797] Call Trace:
@40000000567d810f313a709c kern.warn: [105891.310809] [<ffffffff8f465b68>] dump_stack+0x44/0x5c
@40000000567d810f313aa74c kern.warn: [105891.310815] [<ffffffff8f1dc736>] report_size_overflow+0x36/0x40
@40000000567d810f313addfc kern.warn: [105891.310824] [<ffffffff8f367e24>] try_merge_map+0x1f4/0x310
@40000000567d810f313b14ac kern.warn: [105891.310829] [<ffffffff8f368185>] add_extent_mapping+0x125/0x1b0
@40000000567d810f313b4b5c kern.warn: [105891.310834] [<ffffffff8f34edc0>] btrfs_get_extent+0x6b0/0xd60
@40000000567d810f313b7a3c kern.warn: [105891.310839] [<ffffffff8f37246c>] __do_readpage+0x25c/0xcc0
@40000000567d810f313bb0ec kern.warn: [105891.310845] [<ffffffff8f36e44e>] ? insert_state+0x9e/0x130
@40000000567d810f313beb84 kern.warn: [105891.310850] [<ffffffff8f34e710>] ? btrfs_set_bit_hook+0x220/0x220
@40000000567d810f313cc644 kern.warn: [105891.310854] [<ffffffff8f36c53f>] ? btrfs_lookup_ordered_range+0x12f/0x170
@40000000567d810f313d1c34 kern.warn: [105891.310858] [<ffffffff8f373436>] __extent_readpages.constprop.52+0x346/0x360
@40000000567d810f313d4344 kern.warn: [105891.310863] [<ffffffff8f1aa0ba>] ? __inc_zone_page_state+0x2a/0x40
@40000000567d810f313d5e9c kern.warn: [105891.310867] [<ffffffff8f34e710>] ? btrfs_set_bit_hook+0x220/0x220
@40000000567d810f313d7ddc kern.warn: [105891.310873] [<ffffffff8f18f9ca>] ? add_to_page_cache_lru+0x8a/0xa0
@40000000567d810f313da104 kern.warn: [105891.310877] [<ffffffff8f374d92>] extent_readpages+0x1c2/0x1d0
@40000000567d810f313dc044 kern.warn: [105891.310881] [<ffffffff8f34e710>] ? btrfs_set_bit_hook+0x220/0x220
@40000000567d810f313ddb9c kern.warn: [105891.310886] [<ffffffff8f34bba2>] btrfs_readpages+0x32/0x40
@40000000567d810f313df30c kern.warn: [105891.310891] [<ffffffff8f19c049>] __do_page_cache_readahead+0x1b9/0x240
@40000000567d810f313e0e64 kern.warn: [105891.310895] [<ffffffff8f19c1c2>] ondemand_readahead+0xf2/0x2f0
@40000000567d810f313e25d4 kern.warn: [105891.310899] [<ffffffff8f19c4b6>] page_cache_sync_readahead+0x46/0x70
@40000000567d810f313e3d44 kern.warn: [105891.310903] [<ffffffff8f191c5a>] generic_file_read_iter+0x63a/0x830
@40000000567d810f313e589c kern.warn: [105891.310908] [<ffffffff8f1ee06f>] ? dput+0xdf/0x240
@40000000567d810f313ebe2c kern.warn: [105891.310913] [<ffffffff8f1d2dc5>] __vfs_read+0xd5/0x100
@40000000567d810f313ed984 kern.warn: [105891.310917] [<ffffffff8f1d2ec7>] vfs_read+0xd7/0x240
@40000000567d810f313ef0f4 kern.warn: [105891.310925] [<ffffffff8faa66fd>] ? mutex_lock+0xd/0x40
@40000000567d810f313f0864 kern.warn: [105891.310929] [<ffffffff8f1d3579>] SyS_read+0x49/0xb0
@40000000567d810f313f4acc kern.warn: [105891.310934] [<ffffffff8faa8a64>] entry_SYSCALL_64_fastpath+0x12/0x7e
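A small parser for the "PAX: size overflow detected" report lines quoted in this thread, added here as an example; it is not part of the bug report, nor of the PaX/grsecurity code. It pulls the fields out of a kernel log line regardless of the tai64n/syslog/dmesg prefix in front of it, ignores the surrounding Call Trace lines, and deduplicates detection sites so that a log watcher can tell a recurring site (like try_merge_map here) from a newly appearing one. The sample log is constructed from the three reports in this thread; the field names used in the code (bound, cicus, site) are labels chosen for this example, not the plugin's own terminology.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The report is searched for anywhere in the line, so leading tai64n timestamps
# (@4000...), syslog facilities (kern.warn:) and dmesg timestamps are all skipped.
_PAX_RE = re.compile(
    r"PAX: size overflow detected in function (?P<function>\S+) "
    r"(?P<file>[^:\s]+):(?P<line>\d+) (?P<cicus>\S+) (?P<bound>\S+), "
    r"count: (?P<count>\d+), decl: (?P<decl>\S+); num: (?P<num>\d+); "
    r"context: (?P<context>\S+);"
)


@dataclass(frozen=True)
class SizeOverflowReport:
    function: str   # kernel function the plugin instrumented
    file: str       # source file of the detection
    line: int       # source line of the detection
    cicus: str      # plugin-internal temporary name, e.g. cicus.679_111
    bound: str      # which bound was exceeded; every report on this page says "max"
    count: int
    decl: str       # declaration the checked value belongs to
    num: int
    context: str

    @property
    def site(self) -> str:
        """Human-readable detection site, e.g. 'try_merge_map (fs/btrfs/extent_map.c:238)'."""
        return f"{self.function} ({self.file}:{self.line})"


def parse_report(line: str) -> Optional[SizeOverflowReport]:
    """Return a parsed report for a PAX size-overflow line, or None for any other line."""
    m = _PAX_RE.search(line)
    if m is None:
        return None
    return SizeOverflowReport(
        function=m["function"], file=m["file"], line=int(m["line"]),
        cicus=m["cicus"], bound=m["bound"], count=int(m["count"]),
        decl=m["decl"], num=int(m["num"]), context=m["context"],
    )


def parse_log(lines: Iterable[str]) -> List[SizeOverflowReport]:
    """Extract every size-overflow report from a stream of kernel log lines."""
    return [r for r in (parse_report(l) for l in lines) if r is not None]


def distinct_sites(reports: Iterable[SizeOverflowReport]) -> List[SizeOverflowReport]:
    """Collapse repeated hits on the same (function, file, line), keeping first-seen order."""
    seen: Dict[tuple, SizeOverflowReport] = {}
    for r in reports:
        seen.setdefault((r.function, r.file, r.line), r)
    return list(seen.values())


def hits_per_site(reports: Iterable[SizeOverflowReport]) -> Dict[str, int]:
    """Count how often each detection site appears, to spot a site that keeps recurring."""
    return dict(Counter(r.site for r in reports))


# Constructed sample: the three reports from this thread plus two non-report lines
# that a parser must skip (the "CPU:" header and the "Call Trace:" marker).
SAMPLE_LOG = [
    "PAX: size overflow detected in function btrfs_sync_file fs/btrfs/file.c:1871 "
    "cicus.679_111 max, count: 289, decl: btrfs_wait_ordered_range; num: 3; context: fndecl;",
    "PAX: size overflow detected in function minstrel_ht_get_rate net/mac80211/rc80211_minstrel_ht.c:1056 "
    "cicus.211_212 max, count: 1, decl: idx; num: 0; context: ieee80211_tx_rate;",
    "@40000000567d810f3137829c <0>[105891.310647] PAX: size overflow detected in function try_merge_map "
    "fs/btrfs/extent_map.c:238 cicus.107_102 max, count: 13, decl: block_len; num: 0; context: extent_map;",
    "@40000000567d810f31384204 kern.warn: [105891.310776] CPU: 1 PID: 30023 Comm: pulseaudio "
    "Tainted: G W 4.3.3-hardened-r1 #1",
    "@40000000567d810f313a3dd4 kern.warn: [105891.310797] Call Trace:",
]

if __name__ == "__main__":
    reports = parse_log(SAMPLE_LOG)
    for r in distinct_sites(reports):
        print(f"{r.site}: bound={r.bound} decl={r.decl} context={r.context}")
    print(hits_per_site(reports))
```

Feeding the full journal into parse_log and comparing distinct_sites against the set seen on the previous kernel is enough to answer the question raised in this thread (did a given site go away after the upgrade, or is it a new one?) without reading the whole trace by hand.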
(In reply to Vladimir Lushnikov from comment #6)
> Actually just saw this happen again (after some time):
>
> @40000000567d810f3137829c <0>[105891.310647] PAX: size overflow detected in
> function try_merge_map fs/btrfs/extent_map.c:238 cicus.107_102 max, count:
> 13, decl: block_len; num: 0; context: extent_map;
> pulseaudio Tainted: G W 4.3.3-hardened-r1 #1

This is fixed in the latest grsec (201512222129), is that included in -r1?
(In reply to PaX Team from comment #7)
> (In reply to Vladimir Lushnikov from comment #6)
> > Actually just saw this happen again (after some time):
> >
> > @40000000567d810f3137829c <0>[105891.310647] PAX: size overflow detected in
> > function try_merge_map fs/btrfs/extent_map.c:238 cicus.107_102 max, count:
> > 13, decl: block_len; num: 0; context: extent_map;
> > pulseaudio Tainted: G W 4.3.3-hardened-r1 #1
>
> This is fixed in the latest grsec (201512222129), is that included in -r1?

We've moved past that, so the fix is in the latest hardened-sources.