Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp4584092pxb; Tue, 5 Oct 2021 06:16:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzvLZjN/WB7/IDAdj+7JczjUqckMXhBd8Gh2e5TwwEgAguwdbwsFEtVgkb7XKufjE/Py50k X-Received: by 2002:a17:906:1ed7:: with SMTP id m23mr24115243ejj.558.1633439806535; Tue, 05 Oct 2021 06:16:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633439806; cv=none; d=google.com; s=arc-20160816; b=tg+xl/vsZhsoIotN9I9lmq1/ahCUcJ/sU3ZE61N5mP+xrz63HW7vYS/cXFO7S2P8Yg HKkHmvzOptysAfcBx6z/YkINOitkj7M+AvVf90Q7orpih76t6DzLOwRqVBLy/CrDRc+4 J2EZKRbd3ia8n7FV2yWHFQ9++EfWtY5XTfUXtLLMchX7xuUrxcatBZ3LNoQS5MJAuFd5 ruIJUl6IPCR1t/Ms63U3Wxv/s8rwpzZcib+XxsFS0zMgkC1d5AY+pEE8oytlD85EEftx 1FbGn5ngPLOO+d5NVplIt54GRn7Z94A68DsEB1sD0rjQkG9UA46Rf6TCOTlFn2FgoqoB zNhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=DD50t/ui3X4BJA4oPKNwBkzyGqWUMXT+Evme1qr8OjQ=; b=Wdrx4Hxk8o6MXCaEtubVeW7BF318P1x92yQRqj5LIYhftknNrLAVfR7YkP1UAs9RHm NoEhH718zUtajaSBw7xBGiarDWZvVKWnW+SjQY0aR8uyQkQ/gxkDblJB5VO1W+QzhLfl aPOHSdCW76T1/pcolO7z+MvWmWzg1CMp7PWU44GFChbou/Z3P0iczWKKYmlK3MuTWPi0 ZtTJY9UFGHugsT+fjoR+Hd8APdUtaN9GRfqgSxMHLyC7anmZ3AjUN0uOQPBhreixNKKW fatBTKmcjQwCLdTxo4qxWObRzqFK7fx3Rgc/auUJkzPWlvQGoyiewW/dI1nZftGrqsTA cypg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=CFiQjJLE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f5si22289096ejj.587.2021.10.05.06.16.13; Tue, 05 Oct 2021 06:16:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=CFiQjJLE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234950AbhJENNS (ORCPT + 99 others); Tue, 5 Oct 2021 09:13:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54644 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234940AbhJENNQ (ORCPT ); Tue, 5 Oct 2021 09:13:16 -0400 Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8BEBAC061749; Tue, 5 Oct 2021 06:11:25 -0700 (PDT) Received: by mail-lf1-x133.google.com with SMTP id i4so86790075lfv.4; Tue, 05 Oct 2021 06:11:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=DD50t/ui3X4BJA4oPKNwBkzyGqWUMXT+Evme1qr8OjQ=; b=CFiQjJLEQNEWaSqiukj6Yi1DQK7ITQjDfkZy3V9E7r+HL3RFn3+jWhENFuFdPHZp38 0vvXYXVsXCkjAITsd3U+rBhI5Bl4MjagjgitHOfRRZxnMF/fD9dapeZkUA5hEGS3Xfpa +K+/1usTFWLMWShpZ6CJm2o6WTaPdW8f3xtoENfZ5h13Vvj9w0yuFVbXqRZ0wlwkHywx 2nTlOXrD5gMUlyidojpYd4E8bT6fVXiPeBp+Q1a1BoESbSiI6oCRaGzv60xpwymIBLXm dSkukEg3TbIhac1upWK0sNDgO4rOu4JZR3EMD0+Do8ZSzU9i4aX55EMKeUbK8cLdhelU JE2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=DD50t/ui3X4BJA4oPKNwBkzyGqWUMXT+Evme1qr8OjQ=; b=mYhHFpUG4IUcrCRR9UCO4qRWQP2U794qAzEv3OFTXuEW3NYzhIIBFnevLRmkut2tcz A/tDJdPz+GGI9AfXyCuC+J5AQdIONd4g/KXLQgUf6o72QmTI10W70m9lqeNPipfL6iAg db+wGYoZUMIAyySjLFhi8Ed+fzq76HVL6/i32ep3ESpTbN1Egevg1xZ7sgzA5eNKR63C AtkAk+jNCmjYpJeYVwn/+1TKAKi/diZkFeJMsMJrC1yUliRJmPV/tQX9f/W0sUk6Cn7u kY4tjsBHKjdw/kpksmJaH3yBc2QG4VFnIEgGrKBNfFkK7mDr0N/l/xjRp6WSKknMTMLe iDoQ== X-Gm-Message-State: AOAM533ayMlOWrUsILFbTn4h9uxJzyyllAiYKlKOLu9vxe65e+u9HJj/ XqFWESMp5Qy+Sj1qsj8/jZyaj/5onXx9EDRl9Og= X-Received: by 2002:a2e:1645:: with SMTP id 5mr21020950ljw.123.1633439483776; Tue, 05 Oct 2021 06:11:23 -0700 (PDT) MIME-Version: 1.0 References: <0000000000005a800a05cd849c36@google.com> <20211004131516.GV3544071@ziepe.ca> <4F4604B1-6EF7-4435-BB12-87664EF852C3@oracle.com> In-Reply-To: <4F4604B1-6EF7-4435-BB12-87664EF852C3@oracle.com> From: Zhu Yanjun Date: Tue, 5 Oct 2021 21:11:12 +0800 Message-ID: Subject: Re: [syzbot] BUG: RESTRACK detected leak of resources To: Haakon Bugge Cc: Dmitry Vyukov , Jason Gunthorpe , Doug Ledford , syzbot , Leon Romanovsky , OFED mailing list , LKML , "syzkaller-bugs@googlegroups.com" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 5, 2021 at 1:56 AM Haakon Bugge wrote= : > > > > > On 4 Oct 2021, at 15:22, Dmitry Vyukov wrote: > > > > On Mon, 4 Oct 2021 at 15:15, Jason Gunthorpe wrote: > >> > >> On Mon, Oct 04, 2021 at 02:42:11PM +0200, Dmitry Vyukov wrote: > >>> On Mon, 4 Oct 2021 at 12:45, syzbot > >>> wrote: > >>>> > >>>> Hello, > >>>> > >>>> syzbot found the following issue on: > >>>> > >>>> HEAD commit: c7b4d0e56a1d Add linux-next specific files for 20210= 930 > >>>> git tree: linux-next > >>>> console output: https://syzkaller.appspot.com/x/log.txt?x=3D104be6cb= 300000 > >>>> kernel config: https://syzkaller.appspot.com/x/.config?x=3Dc9a1f668= 5aeb48bd > >>>> dashboard link: https://syzkaller.appspot.com/bug?extid=3D3a992c9e4f= d9f0e6fd0e > >>>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU B= inutils for Debian) 2.35.2 > >>>> > >>>> Unfortunately, I don't have any reproducer for this issue yet. > >>>> > >>>> IMPORTANT: if you fix the issue, please add the following tag to the= commit: > >>>> Reported-by: syzbot+3a992c9e4fd9f0e6fd0e@syzkaller.appspotmail.com > >>> > >>> +RESTRACK maintainers > >>> > >>> (it would also be good if RESTRACK would print a more standard oops > >>> with stack/filenames, so that testing systems can attribute issues to > >>> files/maintainers). > >> > >> restrack certainly should trigger a WARN_ON to stop the kernel.. But I > >> don't know what stack track would be useful here. The culprit is > >> always the underlying driver, not the core code.. > > > > There seems to be a significant overlap between > > drivers/infiniband/core/restrack.c and drivers/infiniband/sw/rxe/rxe.c > > maintainers, so perhaps restrack.c is good enough approximation to > > extract relevant people (definitely better then no CC at all :)) > > Looks to me as this is rxe: > > [ 1892.778632][ T8958] BUG: KASAN: use-after-free in __rxe_drop_index_loc= ked+0xb5/0x100 > [snip] > [ 1892.822375][ T8958] Call Trace: > [ 1892.825655][ T8958] > [ 1892.828594][ T8958] dump_stack_lvl+0xcd/0x134 > [ 1892.833273][ T8958] print_address_description.constprop.0.cold+0x6c/0= x30c > [ 1892.840316][ T8958] ? __rxe_drop_index_locked+0xb5/0x100 > [ 1892.845864][ T8958] ? __rxe_drop_index_locked+0xb5/0x100 > [ 1892.851424][ T8958] kasan_report.cold+0x83/0xdf > [ 1892.856200][ T8958] ? __rxe_drop_index_locked+0xb5/0x100 > [ 1892.861761][ T8958] kasan_check_range+0x13d/0x180 > [ 1892.866780][ T8958] __rxe_drop_index_locked+0xb5/0x100 > [ 1892.872164][ T8958] __rxe_drop_index+0x3f/0x60 > [ 1892.876850][ T8958] rxe_dereg_mr+0x14b/0x240 > [ 1892.881381][ T8958] ib_dealloc_pd_user+0x96/0x230 > [ 1892.886566][ T8958] rds_ib_dev_free+0xd4/0x3a0 > > So, RDS de-allocs its PD, ib core must first de-register the PD's local M= R, calls rxe_dereg_mr(), ... int rxe_dereg_mr(struct ib_mr *ibmr, struct ib_udata *udata) { struct rxe_mr *mr =3D to_rmr(ibmr); if (atomic_read(&mr->num_mw) > 0) { pr_warn("%s: Attempt to deregister an MR while bound to MWs= \n", __func__); return -EINVAL; } mr->state =3D RXE_MR_STATE_ZOMBIE; rxe_drop_ref(mr_pd(mr)); rxe_drop_index(mr); <-------This is call trace beginning= . rxe_drop_ref(mr); return 0; } struct rxe_mr { struct rxe_pool_entry pelem; <-----A ref_cnt in this struct. struct ib_mr ibmr; struct ib_umem *umem; struct rxe_pool_entry { struct rxe_pool *pool; struct kref ref_cnt; <-------This ref_cnt may he= lp. struct list_head list; Zhu Yanjun > > > Thxs, H=C3=A5kon > > > > > >> Anyhow, this report is either rxe or rds by the look of it. > >> > >> Jason >