Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 43daaa99829219efa59a6327839e692066abbe0f ("genirq/msi: Simplify sysfs handling")
https://git.kernel.org/cgit/linux/kernel/git/tglx/devel.git msi

in testcase: kernel-selftests
version: kernel-selftests-x86_64-a1616593-1_20211225
with following parameters:

    group: group-00
    ucode: 0x11

test-description: The kernel contains a set of "self tests" under the tools/testing/selftests/ directory. These are intended to be small unit tests to exercise individual code paths in the kernel.
test-url: https://www.kernel.org/doc/Documentation/kselftest.txt

on test machine: 288 threads 2 sockets Intel(R) Xeon Phi(TM) CPU 7295 @ 1.50GHz with 80G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang(a)intel.com>

[ 68.314909][ T12] BUG: KASAN: use-after-free in __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:474 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] Read of size 2 at addr ffff888100063664 by task kworker/0:1/12
[ 68.314909][ T12]
[ 68.314909][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.16.0-rc5-00094-g43daaa998292 #1
[ 68.314909][ T12] Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0018.D06.1710190403 10/19/2017
[ 68.314909][ T12] Workqueue: events work_for_cpu_fn
[ 68.314909][ T12] Call Trace:
[ 68.314909][ T12] <TASK>
[ 68.314909][ T12] dump_stack_lvl (lib/dump_stack.c:107)
[ 68.314909][ T12] print_address_description+0x21/0x140
[ 68.314909][ T12] ? __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:474 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] ? __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:474 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] kasan_report.cold (mm/kasan/report.c:434 mm/kasan/report.c:450)
[ 68.314909][ T12] ? __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:474 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:474 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1029)
[ 68.314909][ T12] ? pci_enable_msix_range (drivers/pci/msi/msi.c:1008)
[ 68.314909][ T12] ? pci_address_to_pio+0x40/0x40
[ 68.314909][ T12] pcie_port_device_register (include/linux/pci.h:1882 drivers/pci/pcie/portdrv_core.c:107 drivers/pci/pcie/portdrv_core.c:178 drivers/pci/pcie/portdrv_core.c:353)
[ 68.314909][ T12] ? lock_release (kernel/locking/lockdep.c:438 kernel/locking/lockdep.c:5659)
[ 68.314909][ T12] ? pcie_port_service_unregister (drivers/pci/pcie/portdrv_core.c:316)
[ 68.314909][ T12] ? pcie_portdrv_remove (drivers/pci/pcie/portdrv_pci.c:103)
[ 68.314909][ T12] pcie_portdrv_probe (drivers/pci/pcie/portdrv_pci.c:117)
[ 68.314909][ T12] ? pcie_portdrv_remove (drivers/pci/pcie/portdrv_pci.c:103)
[ 68.314909][ T12] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 68.314909][ T12] ? pci_device_shutdown (drivers/pci/pci-driver.c:305)
[ 68.314909][ T12] work_for_cpu_fn (kernel/workqueue.c:5194)
[ 68.314909][ T12] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303)
[ 68.314909][ T12] ? rcu_read_unlock (include/linux/rcupdate.h:717 (discriminator 5))
[ 68.314909][ T12] ? pwq_dec_nr_in_flight (kernel/workqueue.c:2193)
[ 68.314909][ T12] ? rwlock_bug+0xc0/0xc0
[ 68.314909][ T12] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2446)
[ 68.314909][ T12] ? process_one_work (kernel/workqueue.c:2388)
[ 68.314909][ T12] kthread (kernel/kthread.c:327)
[ 68.314909][ T12] ? set_kthread_struct (kernel/kthread.c:272)
[ 68.314909][ T12] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 68.314909][ T12] </TASK>
[ 68.314909][ T12]
[ 68.314909][ T12] Allocated by task 12:
[ 68.314909][ T12] kasan_save_stack (mm/kasan/common.c:38)
[ 68.314909][ T12] __kasan_kmalloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:513 mm/kasan/common.c:522)
[ 68.314909][ T12] msi_alloc_desc (include/linux/slab.h:590 include/linux/slab.h:724 kernel/irq/msi.c:39)
[ 68.314909][ T12] msi_add_msi_desc (kernel/irq/msi.c:76 (discriminator 9))
[ 68.314909][ T12] msi_setup_msi_desc (drivers/pci/msi/msi.c:366)
[ 68.314909][ T12] __pci_enable_msi_range (drivers/pci/msi/msi.c:448 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1029)
[ 68.314909][ T12] pcie_port_device_register (include/linux/pci.h:1882 drivers/pci/pcie/portdrv_core.c:107 drivers/pci/pcie/portdrv_core.c:178 drivers/pci/pcie/portdrv_core.c:353)
[ 68.314909][ T12] pcie_portdrv_probe (drivers/pci/pcie/portdrv_pci.c:117)
[ 68.314909][ T12] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 68.314909][ T12] work_for_cpu_fn (kernel/workqueue.c:5194)
[ 68.314909][ T12] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303)
[ 68.314909][ T12] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2446)
[ 68.314909][ T12] kthread (kernel/kthread.c:327)
[ 68.314909][ T12] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 68.314909][ T12]
[ 68.314909][ T12] Freed by task 12:
[ 68.314909][ T12] kasan_save_stack (mm/kasan/common.c:38)
[ 68.314909][ T12] kasan_set_track (mm/kasan/common.c:46)
[ 68.314909][ T12] kasan_set_free_info (mm/kasan/generic.c:372)
[ 68.314909][ T12] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 68.314909][ T12] kfree (mm/slub.c:1749 mm/slub.c:3513 mm/slub.c:4561)
[ 68.314909][ T12] msi_free_msi_descs_range (kernel/irq/msi.c:136 (discriminator 2))
[ 68.314909][ T12] msi_domain_alloc_irqs_descs_locked (kernel/irq/msi.c:955)
[ 68.314909][ T12] __pci_enable_msi_range (drivers/pci/msi/msi.c:458 drivers/pci/msi/msi.c:905)
[ 68.314909][ T12] pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1029)
[ 68.314909][ T12] pcie_port_device_register (include/linux/pci.h:1882 drivers/pci/pcie/portdrv_core.c:107 drivers/pci/pcie/portdrv_core.c:178 drivers/pci/pcie/portdrv_core.c:353)
[ 68.314909][ T12] pcie_portdrv_probe (drivers/pci/pcie/portdrv_pci.c:117)
[ 68.314909][ T12] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 68.314909][ T12] work_for_cpu_fn (kernel/workqueue.c:5194)
[ 68.314909][ T12] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303)
[ 68.314909][ T12] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2446)
[ 68.314909][ T12] kthread (kernel/kthread.c:327)
[ 68.314909][ T12] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 68.314909][ T12]
[ 68.314909][ T12] The buggy address belongs to the object at ffff888100063600
[ 68.314909][ T12] which belongs to the cache kmalloc-128 of size 128
[ 68.314909][ T12] The buggy address is located 100 bytes inside of
[ 68.314909][ T12] 128-byte region [ffff888100063600, ffff888100063680)
[ 68.314909][ T12] The buggy address belongs to the page:
[ 68.314909][ T12] page:00000000f9812823 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100060
[ 68.314909][ T12] head:00000000f9812823 order:2 compound_mapcount:0 compound_pincount:0
[ 68.314909][ T12] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 68.314909][ T12] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff88810004c8c0
[ 68.314909][ T12] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 68.314909][ T12] page dumped because: kasan: bad access detected
[ 68.314909][ T12]
[ 68.314909][ T12] Memory state around the buggy address:
[ 68.314909][ T12] ffff888100063500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 68.314909][ T12] ffff888100063580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.314909][ T12] >ffff888100063600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.314909][ T12]                                                         ^
[ 68.314909][ T12] ffff888100063680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.314909][ T12] ffff888100063700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 68.314909][ T12] ==================================================================
[ 68.314909][ T12] Disabling lock debugging due to kernel taint
[ 68.906957][ T12] pcieport 0000:00:01.0: PME: Signaling with IRQ 24
[ 68.929322][ T12] pcieport 0000:00:01.0: AER: enabled with IRQ 24
[ 68.951517][ T12] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:02.0/msi_irqs/25'
[ 68.962445][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.16.0-rc5-00094-g43daaa998292 #1
[ 68.963411][ T12] Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0018.D06.1710190403 10/19/2017
[ 68.963411][ T12] Workqueue: events work_for_cpu_fn

To reproduce:

    git clone https://github.com/intel/lkp-tests.git
    cd lkp-tests
    sudo bin/lkp install job.yaml           # job file is attached in this email
    bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
    sudo bin/lkp run generated-yaml-file

    # if come across any failure that blocks the test,
    # please remove ~/.lkp and /lkp dir to run from a clean state.

---
0DAY/LKP+ Test Infrastructure                           Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org   Intel Corporation

Thanks,
Oliver Sang