lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 16 Feb 2021 20:54:13 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Bob Pearson <rpearsonhpe@...il.com>
Cc:     Jason Gunthorpe <jgg@...dia.com>, Bob Pearson <rpearson@....com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        lkp@...ts.01.org, lkp@...el.com
Subject: [RDMA/rxe]  899aba891c:
 WARNING:at_drivers/infiniband/sw/rxe/rxe_comp.c:#rxe_completer[rdma_rxe]


Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 899aba891cab1555c9ca16a558769efb177baf44 ("RDMA/rxe: Fix FIXME in rxe_udp_encap_recv()")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master


in testcase: blktests
version: blktests-x86_64-a210761-1_20210124
with following parameters:

	test: srp-group-00
	ucode: 0xe2



on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   28.924776] ------------[ cut here ]------------
[   28.945715] ib_srpt:srpt_cm_req_recv: ib_srpt imm_data_offset = 68
[   28.950300] WARNING: CPU: 3 PID: 29 at drivers/infiniband/sw/rxe/rxe_comp.c:761 rxe_completer+0x9bc/0xda0 [rdma_rxe]
[   28.957254] ib_srpt:srpt_create_ch_ib: ib_srpt srpt_create_ch_ib: max_cqe= 8191 max_sge= 32 sq_size = 4096 ch= 00000000f53b66aa
[   28.967012] Modules linked in: ib_srp scsi_transport_srp target_core_user uio target_core_pscsi target_core_file ib_srpt target_core_iblock target_core
_mod rdma_cm iw_cm
[   28.978500] ib_srpt:srpt_cm_req_recv: ib_srpt registering src addr 192.168.3.94 or i_port_id 0xfe8000000000000066006afffe3091ac
[   28.978501]  ib_cm
[   28.978509] ib_srpt:srpt_cm_req_recv: ib_srpt Establish connection sess=000000002be5fb65 name=192.168.3.94 ch=00000000f53b66aa
[   28.993644]  ib_umad scsi_debug
[   29.005180] ib_srp:srp_max_it_iu_len: ib_srp: max_iu_len = 8260
[   29.007142]  rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core null_blk loop xfs libcrc32c dm_multipath
[   29.018538] scsi host5: ib_srp: using immediate data
[   29.018685] ib_srpt:srpt_zerolength_write: ib_srpt 192.168.3.94-20: queued zerolength write
[   29.018935] ib_srpt Received SRP_LOGIN_REQ with i_port_id fe80:0000:0000:0000:6600:6aff:fe30:91ac, t_port_id 6600:6aff:fe30:91ac:6600:6aff:fe30:91ac an
d it_iu_len 8260 on port 1 (guid=fe80:0000:0000:0000:6600:6aff:fe30:91ac); pkey 0xffff
[   29.018971] ib_srpt:srpt_cm_req_recv: ib_srpt imm_data_offset = 68
[   29.019560] ib_srpt:srpt_create_ch_ib: ib_srpt srpt_create_ch_ib: max_cqe= 8191 max_sge= 32 sq_size = 4096 ch= 000000009d5609e2
[   29.019576] ib_srpt:srpt_cm_req_recv: ib_srpt registering src addr 192.168.3.94 or i_port_id 0xfe8000000000000066006afffe3091ac
[   29.019584] ib_srpt:srpt_cm_req_recv: ib_srpt Establish connection sess=000000004137b4b8 name=192.168.3.94 ch=000000009d5609e2
[   29.019875] ib_srp:srp_max_it_iu_len: ib_srp: max_iu_len = 8260
[   29.019877] scsi host5: ib_srp: using immediate data
[   29.020008] ------------[ cut here ]------------
[   29.020008] refcount_t: underflow; use-after-free.
[   29.020014] WARNING: CPU: 1 PID: 19 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0x100
[   29.020018] Modules linked in: ib_srp scsi_transport_srp target_core_user uio target_core_pscsi target_core_file ib_srpt target_core_iblock target_core
_mod rdma_cm iw_cm ib_cm ib_umad scsi_debug rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core null_blk loop xfs libcrc32c dm_multipath dm_mod ipmi_devi
ntf ipmi_msghandler sd_mod t10_pi sg intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pcl
mul i915 crc32_pclmul crc32c_intel dell_wmi ghash_clmulni_intel dell_smbios intel_gtt rapl sparse_keymap wmi_bmof intel_cstate dell_wmi_descriptor drm_kms
_helper ahci libahci syscopyarea mei_wdt dcdbas intel_uncore sysfillrect sysimgblt i2c_i801 fb_sys_fops libata i2c_smbus mei_me drm mei wmi intel_pch_ther
mal video intel_pmc_core acpi_pad ip_tables
[   29.020055] CPU: 1 PID: 19 Comm: ksoftirqd/1 Tainted: G          I       5.11.0-rc4-00158-g899aba891cab #1
[   29.020058] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[   29.020059] RIP: 0010:refcount_warn_saturate+0xa6/0x100
[   29.020061] Code: 05 a0 6e 5f 01 01 e8 93 40 5d 00 0f 0b c3 80 3d 8e 6e 5f 01 00 75 95 48 c7 c7 f8 24 39 82 c6 05 7e 6e 5f 01 01 e8 74 40 5d 00 <0f> 0b c3 80 3d 6d 6e 5f 01 00 0f 85 72 ff ff ff 48 c7 c7 50 25 39
[   29.020062] RSP: 0018:ffffc900000f7be0 EFLAGS: 00010282
[   29.020064] RAX: 0000000000000000 RBX: ffff88886b686a28 RCX: 0000000000000027
[   29.020065] RDX: 0000000000000027 RSI: 0000000000000002 RDI: ffff888871c97cf8
[   29.020066] RBP: ffff88886b686a00 R08: ffff888871c97cf0 R09: ffffc900000f7b78
[   29.020067] R10: 0000000000000001 R11: 0000000000000002 R12: ffff88886de88000
[   29.020068] R13: 000000000000000c R14: ffff88886e2ba000 R15: ffff88886e2ba008
[   29.020069] FS:  0000000000000000(0000) GS:ffff888871c80000(0000) knlGS:0000000000000000
[   29.020070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.020071] CR2: 00007f9e89e5d000 CR3: 0000000870c8e001 CR4: 00000000003706e0
[   29.020072] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.020073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.020073] Call Trace:
[   29.020076]  rxe_responder+0x11c/0x2220 [rdma_rxe]
[   29.020081]  ? ip_route_output_key_hash+0x76/0xa0
[   29.020084]  ? xfrm_lookup_route+0x1e/0xc0
[   29.020087]  rxe_do_task+0x9c/0xe0 [rdma_rxe]
[   29.020092]  rxe_rcv+0x2dc/0x8a0 [rdma_rxe]
[   29.020095]  ? copy_data+0xc1/0x2a0 [rdma_rxe]
[   29.020100]  rxe_requester+0x752/0x1120 [rdma_rxe]
[   29.020103]  rxe_do_task+0x9c/0xe0 [rdma_rxe]
[   29.020107]  tasklet_action_common+0x58/0x100
[   29.020111]  __do_softirq+0xe6/0x2ca
[   29.020113]  ? smpboot_thread_fn+0x26/0x1e0
[   29.020115]  run_ksoftirqd+0x1a/0x40
[   29.020118]  smpboot_thread_fn+0x10b/0x1e0
[   29.020120]  ? sort_range+0x20/0x20
[   29.020121]  kthread+0x116/0x160
[   29.020124]  ? kthread_park+0xa0/0xa0
[   29.020125]  ret_from_fork+0x22/0x30
[   29.020129] ---[ end trace d22cfc8971a08f85 ]---



To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp install                job.yaml  # job file is attached in this email
        bin/lkp split-job --compatible job.yaml
        bin/lkp run                    compatible-job.yaml



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc4-00158-g899aba891cab" of type "text/plain" (173972 bytes)

View attachment "job-script" of type "text/plain" (5715 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (25288 bytes)

View attachment "blktests" of type "text/plain" (949 bytes)

View attachment "job.yaml" of type "text/plain" (4812 bytes)

View attachment "reproduce" of type "text/plain" (103 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ