From: Bart Van Assche <Bart.VanAssche@sandisk.com>
To: "hch@lst.de" <hch@lst.de>
Cc: "linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>
Subject: Re: [PATCH 1/2] qla2xxx: Fix a recently introduced memory leak
Date: Sun, 29 Jan 2017 05:17:38 +0000
Message-ID: <1485667034.15853.1.camel@sandisk.com>
In-Reply-To: <20170126143614.GA19849@lst.de>

On Thu, 2017-01-26 at 15:36 +0100, hch@lst.de wrote:
> On Wed, Jan 25, 2017 at 03:47:20PM +0000, Bart Van Assche wrote:
> > =============================================================================
> > BUG kmalloc-16 (Not tainted): Redzone overwritten
> > -----------------------------------------------------------------------------
> > 
> > Disabling lock debugging due to kernel taint
> > INFO: 0xffff880030bacc78-0xffff880030bacc7f. First byte 0xf instead of 0xcc
> > INFO: Allocated in irq_create_affinity_masks+0x5f/0x260 age=0 cpu=3 pid=812
> > 	___slab_alloc.constprop.79+0x482/0x4f0
> > 	__slab_alloc.isra.75.constprop.78+0x55/0xa0
> > 	__kmalloc+0x27c/0x310
> > 	irq_create_affinity_masks+0x5f/0x260
> 
> This is the normal affinity mask allocation.

(reduced CC-list again)

Hello Christoph,

It seems like irq_create_affinity_masks() wrote past the bounds of the masks array
it allocated. After I had added the following debug code in irq_create_affinity_masks():

        WARN_ON_ONCE(affv <= 0);
        pr_err("%s: affd = { .pre = %d, .post = %d }, nvecs = %d\n",
                __func__, affd->pre_vectors, affd->post_vectors, nvecs);

The following output appeared:

WARNING: CPU: 0 PID: 814 at kernel/irq/affinity.c:69 irq_create_affinity_masks+0x2cd/0x2f0
Call Trace:
 dump_stack+0x85/0xc2
 __warn+0xcb/0xf0
 warn_slowpath_null+0x1d/0x20
 irq_create_affinity_masks+0x2cd/0x2f0
 __pci_enable_msix+0x314/0x4c0
 pci_alloc_irq_vectors_affinity+0xb7/0x140
 qla2x00_request_irqs+0xa6/0x6d0 [qla2xxx]
 qla2x00_probe_one+0xc2e/0x25f0 [qla2xxx]
 pci_device_probe+0x8a/0xf0
 driver_probe_device+0x1f5/0x450
 __driver_attach+0xe3/0xf0
 bus_for_each_dev+0x66/0xa0
 driver_attach+0x1e/0x20
 bus_add_driver+0x200/0x270
 driver_register+0x60/0xe0
 __pci_register_driver+0x5d/0x60
 qla2x00_module_init+0x1c9/0x217 [qla2xxx]
 do_one_initcall+0x44/0x180
 do_init_module+0x5f/0x1f9
 load_module+0x2582/0x2a00
 SYSC_finit_module+0xbc/0xf0
 SyS_finit_module+0xe/0x10
 entry_SYSCALL_64_fastpath+0x23/0xc6

irq_create_affinity_masks: affd = { .pre = 2, .post = 0 }, nvecs = 2

affd comes from the qla2xxx driver: struct irq_affinity desc = { .pre_vectors =
QLA_BASE_VECTORS }. Shouldn't irq_calc_affinity_vectors() guarantee that it
returns a value that is strictly greater than affd->pre_vectors + affd->post_vectors
instead of greater than or equal to affd->pre_vectors + affd->post_vectors?

Thanks,

Bart.
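
Added example, not part of the message above and not code from kernel/irq/affinity.c: a userspace model of why nvecs == pre_vectors + post_vectors is dangerous when a fill loop stops on an equality test. The loop shape, the node count of 4 and all function names are assumptions made for illustration; only the values pre = 2, post = 0, nvecs = 2 come from the message.

```c
#include <stdio.h>

/* Stand-in for struct irq_affinity; only the two fields named in the message. */
struct affinity_desc { int pre_vectors, post_vectors; };

/* Vectors left for spreading; <= 0 is the case the WARN_ON_ONCE() caught. */
int spread_vectors(int nvecs, const struct affinity_desc *d)
{
    return nvecs - d->pre_vectors - d->post_vectors;
}

/*
 * ASSUMED loop shape (not copied from the kernel): one mask per node is
 * written starting after the pre vectors, and the loop ends only when the
 * cursor EQUALS the stop index. Slots are counted, never written, so the
 * model is safe to run. Returns the number of writes past masks[nvecs - 1].
 */
int count_oob_writes(int nvecs, const struct affinity_desc *d, int nodes)
{
    int last = spread_vectors(nvecs, d) + d->pre_vectors;
    int cur = d->pre_vectors, oob = 0;

    for (int n = 0; n < nodes; n++) {
        if (cur >= nvecs)
            oob++;              /* slot lies outside the allocation */
        if (++cur == last)
            break;              /* never true once cur has passed last */
    }
    return oob;
}

/* Guard matching the question in the message: require strictly more
 * vectors than pre + post before any mask is filled in. */
int nvecs_is_safe(int nvecs, const struct affinity_desc *d)
{
    return spread_vectors(nvecs, d) > 0;
}

int main(void)
{
    struct affinity_desc qla = { .pre_vectors = 2, .post_vectors = 0 };

    printf("nvecs=2: affv=%d oob=%d safe=%d\n", spread_vectors(2, &qla),
           count_oob_writes(2, &qla, 4), nvecs_is_safe(2, &qla));
    printf("nvecs=3: affv=%d oob=%d safe=%d\n", spread_vectors(3, &qla),
           count_oob_writes(3, &qla, 4), nvecs_is_safe(3, &qla));
    return 0;
}
```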
