Details
Bug
Resolution: Duplicate
Major
Description
Testing Rocky 8.10 with page poisoning enabled hit this crash, highlighting a use-after-free in current master:
[ 2044.249779] Lustre: DEBUG MARKER: == sanity-lnet test 301: Check for dynamic adds of same/wrong interface (memory leak) ========================================================== 21:03:05 (1737252185)
[ 2044.369813] Lustre: DEBUG MARKER: /home/green/git/lustre-release/lustre/../lnet/utils/lnetctl lnet unconfigure
[ 2044.433107] Lustre: DEBUG MARKER: /home/green/git/lustre-release/lustre/../lnet/utils/lnetctl lnet configure
[ 2044.514581] Lustre: DEBUG MARKER: /home/green/git/lustre-release/lustre/../lnet/utils/lnetctl net add --net tcp --if ens2
[ 2044.532854] LNet: 84320:0:(lib-socket.c:568:lnet_inet_enumerate()) lnet: Ignoring interface test1pg: it's down
[ 2044.536096] LNet: Added LNI 192.168.204.14@tcp [8/256/0/180]
[ 2044.537684] LNet: Accept secure, port 988
[ 2045.273623] Lustre: DEBUG MARKER: /home/green/git/lustre-release/lustre/../lnet/utils/lnetctl net add --net tcp --if ens2
[ 2045.295446] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP
[ 2045.299522] CPU: 0 PID: 84439 Comm: lnetctl Kdump: loaded Tainted: G W O -------- - - 4.18.0rh8.10-debug #5
[ 2045.302652] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
[ 2045.304624] RIP: 0010:lnet_ni_free+0x249/0x750 [lnet]
[ 2045.305693] Code: 00 48 83 05 38 7b 0b 00 01 e9 13 02 00 00 48 8b 45 50 48 83 05 1f 99 0b 00 01 4c 39 e8 0f 84 fc fd ff ff 48 8b 15 1f 99 0b 00 <39> 48 70 75 0e e9 04 04 00 00 3b 48 70 0f 84 fb 03 00 00 48 8b 00
[ 2045.311222] RSP: 0018:ffffa84608a3b478 EFLAGS: 00010207
[ 2045.313092] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9a009364ee00 RCX: 0000000000000002
[ 2045.314467] RDX: 0000000000000000 RSI: ffffffffc07d2e11 RDI: ffff9a009364ee00
[ 2045.316064] RBP: ffff9a00b0a75900 R08: 0000000000000000 R09: 0000000000000000
[ 2045.317420] R10: 0000000000000000 R11: 0000000000000003 R12: ffffa84608a3b620
[ 2045.318794] R13: ffff9a00b0a75950 R14: 00000000ffffffff R15: 0000000000000000
[ 2045.320049] FS: 00007f467e17dc40(0000) GS:ffff9a00c1a00000(0000) knlGS:0000000000000000
[ 2045.321629] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2045.323290] CR2: 00007f467d1537e0 CR3: 0000000127a55002 CR4: 0000000000170ef0
[ 2045.324776] Call Trace:
[ 2045.325249] ? show_regs.cold.9+0x22/0x2f
[ 2045.326023] ? __die_body+0x22/0x90
[ 2045.326899] ? die_addr+0x50/0x90
[ 2045.327521] ? do_general_protection+0x21d/0x4a0
[ 2045.328529] ? general_protection+0x1e/0x30
[ 2045.329316] ? lnet_dyn_add_ni+0x221/0x310 [lnet]
[ 2045.330245] ? lnet_ni_free+0x249/0x750 [lnet]
[ 2045.331143] lnet_dyn_add_ni+0x246/0x310 [lnet]
[ 2045.332048] lnet_genl_parse_local_ni.isra.29+0x272/0x2690 [lnet]
[ 2045.333277] ? libcfs_str2net_internal+0xd7/0x1c0 [lnet]
[ 2045.334295] lnet_net_cmd+0x4f9/0xa80 [lnet]
[ 2045.335173] genl_family_rcv_msg_doit.isra.15+0x127/0x1a0
[ 2045.336192] genl_family_rcv_msg+0xcf/0x1f0
[ 2045.336984] ? lnet_dyn_del_net+0x360/0x360 [lnet]
[ 2045.337989] ? lnet_peer_ni_decref_locked+0x40/0x40 [lnet]
[ 2045.339150] ? lnet_peer_dist_show_dump+0x490/0x490 [lnet]
[ 2045.340234] ? lnet_counters_get_common+0x60/0x60 [lnet]
[ 2045.341319] genl_rcv_msg+0x5b/0xe0
[ 2045.341974] ? genl_family_rcv_msg+0x1f0/0x1f0
[ 2045.342810] netlink_rcv_skb+0x62/0x180
[ 2045.343560] genl_rcv+0x34/0x60
[ 2045.344191] netlink_unicast+0x250/0x3e0
[ 2045.344926] netlink_sendmsg+0x3da/0x610
[ 2045.345707] __sock_sendmsg+0x50/0x90
[ 2045.346451] ____sys_sendmsg+0x1ed/0x330
[ 2045.347327] ? copy_msghdr_from_user+0x74/0xb0
[ 2045.348193] ___sys_sendmsg+0x8c/0xe0
[ 2045.348879] ? do_raw_spin_unlock+0x75/0x190
[ 2045.349726] ? _raw_spin_unlock+0x3f/0x60
[ 2045.350518] ? do_fault+0x3d2/0x670
[ 2045.351248] ? __handle_mm_fault+0xa51/0xfe0
[ 2045.352093] ? rcu_read_lock_held_common+0x17/0x90
[ 2045.353001] ? rcu_read_lock_sched_held+0x2b/0xc0
[ 2045.353917] ? lock_release+0x343/0x770
[ 2045.354662] __sys_sendmsg+0x6b/0xe0
[ 2045.355361] __x64_sys_sendmsg+0x23/0x30
[ 2045.356140] do_syscall_64+0xce/0x1b0
[ 2045.356836] entry_SYSCALL_64_after_hwframe+0x4e/0xc3
[ 2045.357782] RIP: 0033:0x7f467d0f3c08
[ 2045.358486] Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 5b 29 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
[ 2045.362028] RSP: 002b:00007ffd8067f3f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 2045.363467] RAX: ffffffffffffffda RBX: 0000000000d2c430 RCX: 00007f467d0f3c08
[ 2045.365279] RDX: 0000000000000000 RSI: 00007ffd8067f430 RDI: 0000000000000003
[ 2045.366928] RBP: 0000000000d5a330 R08: 000000008feffff8 R09: 0000000000000000
[ 2045.368364] R10: fffffffffffffacb R11: 0000000000000246 R12: 0000000000d2c340
[ 2045.369700] R13: 00007ffd8067f430 R14: 00007ffd8067f530 R15: 00007ffd8067f538
[ 2045.371158] Modules linked in: ksocklnd(O) lnet(O) libcfs(O) veth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver intel_rapl_msr intel_rapl_common sb_edac rapl i2c_piix4 pcspkr squashfs crct10dif_pclmul crc32_pclmul ata_generic crc32c_intel ata_piix ghash_clmulni_intel serio_raw libata dm_mirror dm_region_hash dm_log dm_mod sha512_ssse3 sha512_generic [last unloaded: libcfs]
Crashdump here: http://testing.linuxhacker.ru/lustre-reports/48664/testresults/sanity-lnet-zfs-rocky8.10_x86_64-rocky8.10_x86_64/
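
Added triage example (not part of the original report and not Lustre code): the script below scans an oops for a fault address or kernel-mode register filled with a kernel poison byte, the signature visible in the trace above as 0x6b6b6b6b6b6b6b6b. The poison byte values come from include/linux/poison.h; the function names and the choice of excerpted lines are this example's own.

```python
import re

# Poison bytes defined in the kernel's include/linux/poison.h.
POISON_BYTES = {
    0x6B: "POISON_FREE (freed slab object)",
    0x5A: "POISON_INUSE (allocated, uninitialised slab object)",
    0xAA: "PAGE_POISON (freed page)",
}

# General-purpose registers printed as "RAX: <16 hex digits>". RSP/RIP carry a
# segment prefix ("0018:") and ORIG_RAX has no word boundary, so none match.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})\b")
RIP_RE = re.compile(r"RIP: 0010:(\S+)")  # kernel code segment only
GPF_RE = re.compile(r"non-canonical address 0x([0-9a-f]{16})")

def poison_kind(hexval):
    """Name the poison pattern if all 8 bytes are one known poison byte."""
    raw = bytes.fromhex(hexval)
    if len(set(raw)) == 1 and raw[0] in POISON_BYTES:
        return POISON_BYTES[raw[0]]
    return None

def triage(oops):
    """Summarise where the oops faulted and which registers hold poison."""
    regs = {}
    for name, val in REG_RE.findall(oops):
        # The kernel-mode dump comes first; the later user-space dump
        # reuses the same register names and must not overwrite it.
        regs.setdefault(name, val)
    rip = RIP_RE.search(oops)
    gpf = GPF_RE.search(oops)
    fault = gpf.group(1) if gpf else None
    return {
        "rip": rip.group(1) if rip else None,
        "fault_address": fault,
        "fault_poison": poison_kind(fault) if fault else None,
        "poisoned_registers": {r: poison_kind(v) for r, v in regs.items()
                               if poison_kind(v)},
    }

# Lines excerpted from the trace in this report (selection is this example's).
SAMPLE = """\
[ 2045.295446] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP
[ 2045.304624] RIP: 0010:lnet_ni_free+0x249/0x750 [lnet]
[ 2045.311222] RSP: 0018:ffffa84608a3b478 EFLAGS: 00010207
[ 2045.313092] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9a009364ee00 RCX: 0000000000000002
[ 2045.363467] RAX: ffffffffffffffda RBX: 0000000000d2c430 RCX: 00007f467d0f3c08
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```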