On Wed, Mar 13, 2019 at 10:30:09AM +0800, Yanjun Zhu wrote: > > On 2019/3/12 16:15, Leon Romanovsky wrote: > > From: Leon Romanovsky <leonro@xxxxxxxxxxxx> > > > > [ 80.194474] BUG: KASAN: slab-out-of-bounds in rxe_mem_init_user+0x6c1/0x740 [rdma_rxe] > > [ 80.194852] Read of size 8 at addr ffff88805c01a608 by task ib_send_bw/573 > > [ 80.195245] > > [ 80.195389] CPU: 24 PID: 573 Comm: ib_send_bw Not tainted 5.0.0-rc5+ #189 > > [ 80.195772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 > > [ 80.196436] Call Trace: > > [ 80.198760] rxe_mem_init_user+0x6c1/0x740 [rdma_rxe] > > [ 80.199603] rxe_reg_user_mr+0x9b/0x110 [rdma_rxe] > > [ 80.200210] ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs] > > [ 80.201522] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs] > > [ 80.202351] ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs] > > [ 80.198760] rxe_mem_init_user+0x6c1/0x740 [rdma_rxe] > > [ 80.199603] rxe_reg_user_mr+0x9b/0x110 [rdma_rxe] > > [ 80.200210] ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs] > > [ 80.201522] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs] > > [ 80.202351] ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs] > > [ 80.204980] ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs] > > [ 80.206553] ib_uverbs_ioctl+0x202/0x310 [ib_uverbs] > > [ 80.207298] do_vfs_ioctl+0x193/0x1440 > > [ 80.209126] ksys_ioctl+0x3a/0x70 > > [ 80.209266] __x64_sys_ioctl+0x6f/0xb0 > > [ 80.209415] do_syscall_64+0x13f/0x570 > > [ 80.210320] entry_SYSCALL_64_after_hwframe+0x49/0xbe > > [ 80.210508] RIP: 0033:0x7fa2399aa09b > > [ 80.210651] Code: 0f 1e fa 48 8b 05 ed bd 0c 00 64 c7 00 26 00 00 00 > > 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f > > 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d bd bd 0c 00 f7 d8 64 89 01 48 > > [ 80.211272] RSP: 002b:00007ffce51e7c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 > > [ 80.211567] RAX: ffffffffffffffda RBX: 00007ffce51e7cf0 RCX: 00007fa2399aa09b > > [ 80.211835] RDX: 00007ffce51e7d10 RSI: 00000000c0181b01 RDI: 0000000000000003 > > [ 80.212133] RBP: 00007ffce51e7d28 R08: 0000000000000028 R09: 00007ffce51e7ea4 > > [ 80.212409] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000023d6420 > > [ 80.212693] R13: 00007ffce51e7cf0 R14: 00007ffce51e7eb8 R15: 0000000000000000 > > [ 80.212972] > > [ 80.213066] Allocated by task 573: > > [ 80.213208] __kasan_kmalloc.constprop.5+0xc1/0xd0 > > [ 80.213392] __kmalloc+0x161/0x310 > > [ 80.213536] rxe_mem_alloc+0x52/0x470 [rdma_rxe] > > [ 80.213719] rxe_mem_init_user+0x113/0x740 [rdma_rxe] > > [ 80.213913] rxe_reg_user_mr+0x9b/0x110 [rdma_rxe] > > [ 80.214121] ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs] > > [ 80.214309] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs] > > [ 80.214584] ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs] > > [ 80.214769] ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs] > > [ 80.214971] ib_uverbs_ioctl+0x202/0x310 [ib_uverbs] > > [ 80.215156] do_vfs_ioctl+0x193/0x1440 > > [ 80.215296] ksys_ioctl+0x3a/0x70 > > [ 80.215435] __x64_sys_ioctl+0x6f/0xb0 > > [ 80.215572] do_syscall_64+0x13f/0x570 > > [ 80.215708] entry_SYSCALL_64_after_hwframe+0x49/0xbe > > [ 80.215886] > > [ 80.215995] Freed by task 0: > > [ 80.216134] __kasan_slab_free+0x12e/0x180 > > [ 80.216278] kfree+0x10a/0x2c0 > > [ 80.216445] rcu_process_callbacks+0xa77/0x1260 > > [ 80.216637] __do_softirq+0x2ad/0xacb > > [ 80.216771] > > [ 80.216867] The buggy address belongs to the object at ffff88805c01a588 > > [ 80.216867] which belongs to the cache kmalloc-128 of size 128 > > [ 80.217281] The buggy address is located 0 bytes to the right of > > [ 80.217281] 128-byte region [ffff88805c01a588, ffff88805c01a608) > > [ 80.217684] The buggy address belongs to the page: > > [ 80.217871] page:ffffea0001700600 count:1 mapcount:0 mapping:ffff8880648173c0 index:0xffff88805c018008 compound_mapcount: 0 > > [ 80.218236] flags: 0x4000000000010200(slab|head) > > [ 80.218420] raw: 4000000000010200 ffffea0001786b08 ffff888064800990 ffff8880648173c0 > > [ 80.218707] raw: ffff88805c018008 0000000000220011 00000001ffffffff 0000000000000000 > > [ 80.218984] page dumped because: kasan: bad access detected > > [ 80.219166] > > [ 80.219261] Memory state around the buggy address: > > [ 80.219451] ffff88805c01a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > [ 80.219724] ffff88805c01a580: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > [ 80.220007] >ffff88805c01a600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > [ 80.220275] ^ > > [ 80.220418] ffff88805c01a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > [ 80.220689] ffff88805c01a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb > > > > Test scenario: > > ib_send_bw -x 1 -d rxe0 -a & > > ib_send_bw -x 1 -d rxe0 -a localhost > > With the above test commands, I can not reproduce this problem. Does it need > other condition to trigger this problem? Nothing special: KASAN option enabled in kernel, latest GCC, rdma-next and upstream version of perftest. Thanks
