On 2019/3/13 12:15, Leon Romanovsky wrote:
On Wed, Mar 13, 2019 at 10:30:09AM +0800, Yanjun Zhu wrote:
On 2019/3/12 16:15, Leon Romanovsky wrote:
From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
[ 80.194474] BUG: KASAN: slab-out-of-bounds in rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
[ 80.194852] Read of size 8 at addr ffff88805c01a608 by task ib_send_bw/573
[ 80.195245]
[ 80.195389] CPU: 24 PID: 573 Comm: ib_send_bw Not tainted 5.0.0-rc5+ #189
[ 80.195772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[ 80.196436] Call Trace:
[ 80.198760] rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
[ 80.199603] rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
[ 80.200210] ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
[ 80.201522] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
[ 80.202351] ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
[ 80.198760] rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
[ 80.199603] rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
[ 80.200210] ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
[ 80.201522] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
[ 80.202351] ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
[ 80.204980] ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
[ 80.206553] ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
[ 80.207298] do_vfs_ioctl+0x193/0x1440
[ 80.209126] ksys_ioctl+0x3a/0x70
[ 80.209266] __x64_sys_ioctl+0x6f/0xb0
[ 80.209415] do_syscall_64+0x13f/0x570
[ 80.210320] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.210508] RIP: 0033:0x7fa2399aa09b
[ 80.210651] Code: 0f 1e fa 48 8b 05 ed bd 0c 00 64 c7 00 26 00 00 00
48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d bd bd 0c 00 f7 d8 64 89 01 48
[ 80.211272] RSP: 002b:00007ffce51e7c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 80.211567] RAX: ffffffffffffffda RBX: 00007ffce51e7cf0 RCX: 00007fa2399aa09b
[ 80.211835] RDX: 00007ffce51e7d10 RSI: 00000000c0181b01 RDI: 0000000000000003
[ 80.212133] RBP: 00007ffce51e7d28 R08: 0000000000000028 R09: 00007ffce51e7ea4
[ 80.212409] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000023d6420
[ 80.212693] R13: 00007ffce51e7cf0 R14: 00007ffce51e7eb8 R15: 0000000000000000
[ 80.212972]
[ 80.213066] Allocated by task 573:
[ 80.213208] __kasan_kmalloc.constprop.5+0xc1/0xd0
[ 80.213392] __kmalloc+0x161/0x310
[ 80.213536] rxe_mem_alloc+0x52/0x470 [rdma_rxe]
[ 80.213719] rxe_mem_init_user+0x113/0x740 [rdma_rxe]
[ 80.213913] rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
[ 80.214121] ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
[ 80.214309] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
[ 80.214584] ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
[ 80.214769] ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
[ 80.214971] ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
[ 80.215156] do_vfs_ioctl+0x193/0x1440
[ 80.215296] ksys_ioctl+0x3a/0x70
[ 80.215435] __x64_sys_ioctl+0x6f/0xb0
[ 80.215572] do_syscall_64+0x13f/0x570
[ 80.215708] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.215886]
[ 80.215995] Freed by task 0:
[ 80.216134] __kasan_slab_free+0x12e/0x180
[ 80.216278] kfree+0x10a/0x2c0
[ 80.216445] rcu_process_callbacks+0xa77/0x1260
[ 80.216637] __do_softirq+0x2ad/0xacb
[ 80.216771]
[ 80.216867] The buggy address belongs to the object at ffff88805c01a588
[ 80.216867] which belongs to the cache kmalloc-128 of size 128
[ 80.217281] The buggy address is located 0 bytes to the right of
[ 80.217281] 128-byte region [ffff88805c01a588, ffff88805c01a608)
[ 80.217684] The buggy address belongs to the page:
[ 80.217871] page:ffffea0001700600 count:1 mapcount:0 mapping:ffff8880648173c0 index:0xffff88805c018008 compound_mapcount: 0
[ 80.218236] flags: 0x4000000000010200(slab|head)
[ 80.218420] raw: 4000000000010200 ffffea0001786b08 ffff888064800990 ffff8880648173c0
[ 80.218707] raw: ffff88805c018008 0000000000220011 00000001ffffffff 0000000000000000
[ 80.218984] page dumped because: kasan: bad access detected
[ 80.219166]
[ 80.219261] Memory state around the buggy address:
[ 80.219451] ffff88805c01a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.219724] ffff88805c01a580: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 80.220007] >ffff88805c01a600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.220275] ^
[ 80.220418] ffff88805c01a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.220689] ffff88805c01a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
Test scenario:
ib_send_bw -x 1 -d rxe0 -a &
ib_send_bw -x 1 -d rxe0 -a localhost
With the above test commands, I can not reproduce this problem. Does it need
other condition to trigger this problem?
Nothing special: KASAN option enabled in kernel, latest GCC, rdma-next and
upstream version of perftest.
Thanks. Wit KASAN option enabled in kernel, in ubuntu 16.04, all the
packages are updated. the latest kernel (with this patch) is built,
ib_send_bw --version
Version: 5.60
The above call trace does not appear. It seems that this patch can work
well in my test environment.
Zhu Yanjun
Thanks