Re: rdma_rxe use-after-free

On Wed, 2018-11-07 at 08:42 -0800, Bart Van Assche wrote:
> Hello,
> 
> If I run the srp tests from the blktests test suite long enough against
> kernel v4.20-rc1 then the complaint shown below appears. Has anyone else
> already encountered this? This is how I run the srp tests:
> 
> (cd blktests && while ./check -q srp; do :; done)
> 
> Thanks,
> 
> Bart.
> 
> [ ... ]

This issue also occurs with kernel v5.0-rc2:

==================================================================
BUG: KASAN: use-after-free in rxe_resp_queue_pkt+0x2b/0x70 [rdma_rxe]
Read of size 1 at addr ffff88803fff7455 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.0.0-rc2-dbg+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 dump_stack+0x86/0xca
 print_address_description+0x71/0x239
 kasan_report.cold.3+0x1b/0x3e
 __asan_load1+0x47/0x50
 rxe_resp_queue_pkt+0x2b/0x70 [rdma_rxe]
 rxe_rcv+0x543/0xb00 [rdma_rxe]
 rxe_loopback+0xe/0x10 [rdma_rxe]
 rxe_requester+0x144c/0x2120 [rdma_rxe]
 rxe_do_task+0xdd/0x170 [rdma_rxe]
 tasklet_action_common.isra.14+0xc0/0x280
 tasklet_action+0x3d/0x50
 __do_softirq+0x128/0x5ae
 run_ksoftirqd+0x35/0x50
 smpboot_thread_fn+0x38b/0x490
 kthread+0x1cf/0x1f0
 ret_from_fork+0x24/0x30

Allocated by task 9:
 save_stack+0x43/0xd0
 __kasan_kmalloc.constprop.9+0xd0/0xe0
 kasan_slab_alloc+0x16/0x20
 kmem_cache_alloc_node+0xf1/0x380
 __alloc_skb+0xa8/0x310
 rxe_init_packet+0xc8/0x220 [rdma_rxe]
 rxe_requester+0x61f/0x2120 [rdma_rxe]
 rxe_do_task+0xdd/0x170 [rdma_rxe]
 tasklet_action_common.isra.14+0xc0/0x280
 tasklet_action+0x3d/0x50
 __do_softirq+0x128/0x5ae

Freed by task 31:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x13e/0x190
 kasan_slab_free+0x13/0x20
 kmem_cache_free+0xc7/0x350
 kfree_skbmem+0x66/0xa0
 kfree_skb+0x80/0x1b0
 rxe_responder+0x6e7/0x37f0 [rdma_rxe]
 rxe_do_task+0xdd/0x170 [rdma_rxe]
 tasklet_action_common.isra.14+0xc0/0x280
 tasklet_action+0x3d/0x50
 __do_softirq+0x128/0x5ae

The buggy address belongs to the object at ffff88803fff7400
 which belongs to the cache skbuff_head_cache of size 200
The buggy address is located 85 bytes inside of
 200-byte region [ffff88803fff7400, ffff88803fff74c8)
The buggy address belongs to the page:
page:ffffea0000fffd80 count:1 mapcount:0 mapping:ffff88811abb9e00 index:0x0 compound_mapcount: 0
flags: 0x1fff000000010200(slab|head)
raw: 1fff000000010200 dead000000000100 dead000000000200 ffff88811abb9e00
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88803fff7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803fff7380: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803fff7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88803fff7480: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff88803fff7500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
