On 11/8/18 7:15 PM, Yanjun Zhu wrote:
On 2018/11/8 0:42, Bart Van Assche wrote:
==================================================================
BUG: KASAN: use-after-free in rxe_resp_queue_pkt+0x2b/0x70 [rdma_rxe]
Read of size 1 at addr ffff8800361722d5 by task kworker/1:2/26251
CPU: 1 PID: 26251 Comm: kworker/1:2 Not tainted 4.20.0-rc1-dbg+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1
04/01/2014
Workqueue: target_completion target_complete_ok_work [target_core_mod]
Call Trace:
<IRQ>
dump_stack+0x86/0xca
print_address_description+0x71/0x239
kasan_report.cold.5+0x242/0x301
__asan_load1+0x47/0x50
rxe_resp_queue_pkt+0x2b/0x70 [rdma_rxe]
Is it memory corruption?
first, rxe_resp_queue_pkt, then, rxe_responder.
But now it seems that first rxe_responder, then rxe_resp_queue_pkt
access it.
It is weird.
Hi Zhu,
I have not tried to root-cause this but I think this could also be the
result of a race condition, e.g. one thread freeing the packet while
another thread is still accessing it.
Bart.
