Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 9fb9eb4b59acc607e978288c96ac7efa917153d4 ("PCI/MSI: Let core code free MSI descriptors")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

in testcase: ltp
version: ltp-x86_64-14c1f76-1_20211225
with following parameters:

	test: numa
	ucode: 0x42e

test-description: The LTP testsuite contains a collection of tools for testing the Linux kernel and related features.
test-url: http://linux-test-project.github.io/

on test machine: 48 threads 2 sockets Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz with 112G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

If you fix the issue, kindly add following tag
Reported-by: kernel test robot

[ 17.860629][ T306] BUG: KASAN: use-after-free in __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:475 drivers/pci/msi/msi.c:907)
[ 17.860629][ T306] Read of size 2 at addr ffff888f49b2ee5c by task kworker/0:2/306
[ 17.860629][ T306]
[ 17.860629][ T306] CPU: 0 PID: 306 Comm: kworker/0:2 Not tainted 5.16.0-rc5-00073-g9fb9eb4b59ac #1
[ 17.860629][ T306] Hardware name: Intel Corporation S2600WP/S2600WP, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
[ 17.860629][ T306] Workqueue: events work_for_cpu_fn
[ 17.860629][ T306] Call Trace:
[ 17.860629][ T306]
[ 17.860629][ T306] dump_stack_lvl (lib/dump_stack.c:107)
[ 17.860629][ T306] print_address_description+0x21/0x140
[ 17.860629][ T306] ? __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:475 drivers/pci/msi/msi.c:907)
[ 17.860629][ T306] kasan_report.cold (mm/kasan/report.c:434 mm/kasan/report.c:450)
[ 17.860629][ T306] ? __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:475 drivers/pci/msi/msi.c:907)
[ 17.860629][ T306] __pci_enable_msi_range (drivers/pci/msi/msi.h:36 drivers/pci/msi/msi.c:475 drivers/pci/msi/msi.c:907)
[ 17.860629][ T306] pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1031)
[ 17.860629][ T306] ? pci_enable_msix_range (drivers/pci/msi/msi.c:1010)
[ 17.860629][ T306] ? pci_address_to_pio+0x40/0x40
[ 17.860629][ T306] pcie_port_device_register (include/linux/pci.h:1882 drivers/pci/pcie/portdrv_core.c:107 drivers/pci/pcie/portdrv_core.c:178 drivers/pci/pcie/portdrv_core.c:353)
[ 17.860629][ T306] ? pcie_port_service_unregister (drivers/pci/pcie/portdrv_core.c:316)
[ 17.860629][ T306] ? dequeue_entity (kernel/sched/fair.c:4379)
[ 17.860629][ T306] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161)
[ 17.860629][ T306] ? __switch_to (arch/x86/include/asm/bitops.h:55 include/asm-generic/bitops/instrumented-atomic.h:29 include/linux/thread_info.h:89 arch/x86/include/asm/fpu/sched.h:65 arch/x86/kernel/process_64.c:622)
[ 17.860629][ T306] ? pcie_portdrv_remove (drivers/pci/pcie/portdrv_pci.c:103)
[ 17.860629][ T306] pcie_portdrv_probe (drivers/pci/pcie/portdrv_pci.c:117)
[ 17.860629][ T306] ? pcie_portdrv_remove (drivers/pci/pcie/portdrv_pci.c:103)
[ 17.860629][ T306] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 17.860629][ T306] ? pci_device_shutdown (drivers/pci/pci-driver.c:305)
[ 17.860629][ T306] work_for_cpu_fn (kernel/workqueue.c:5194)
[ 17.860629][ T306] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303)
[ 17.860629][ T306] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2358 kernel/workqueue.c:2450)
[ 17.860629][ T306] ? __kthread_parkme (arch/x86/include/asm/bitops.h:207 (discriminator 4) include/asm-generic/bitops/instrumented-non-atomic.h:135 (discriminator 4) kernel/kthread.c:249 (discriminator 4))
[ 17.860629][ T306] ? schedule (arch/x86/include/asm/bitops.h:207 (discriminator 1) include/asm-generic/bitops/instrumented-non-atomic.h:135 (discriminator 1) include/linux/thread_info.h:118 (discriminator 1) include/linux/sched.h:2120 (discriminator 1) kernel/sched/core.c:6328 (discriminator 1))
[ 17.860629][ T306] ? process_one_work (kernel/workqueue.c:2388)
[ 17.860629][ T306] ? process_one_work (kernel/workqueue.c:2388)
[ 17.860629][ T306] kthread (kernel/kthread.c:327)
[ 17.860629][ T306] ? set_kthread_struct (kernel/kthread.c:272)
[ 17.860629][ T306] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 17.860629][ T306]
[ 17.860629][ T306]
[ 17.860629][ T306] Allocated by task 306:
[ 17.860629][ T306] kasan_save_stack (mm/kasan/common.c:38)
[ 17.860629][ T306] __kasan_kmalloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:513 mm/kasan/common.c:522)
[ 17.860629][ T306] alloc_msi_entry (include/linux/slab.h:590 include/linux/slab.h:724 kernel/irq/msi.c:38)
[ 17.860629][ T306] msi_add_msi_desc (kernel/irq/msi.c:76)
[ 17.860629][ T306] msi_setup_msi_desc (drivers/pci/msi/msi.c:367)
[ 17.860629][ T306] __pci_enable_msi_range (drivers/pci/msi/msi.c:449 drivers/pci/msi/msi.c:907)
[ 17.860629][ T306] pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1031)
[ 17.860629][ T306] pcie_port_device_register (include/linux/pci.h:1882 drivers/pci/pcie/portdrv_core.c:107 drivers/pci/pcie/portdrv_core.c:178 drivers/pci/pcie/portdrv_core.c:353)
[ 17.860629][ T306] pcie_portdrv_probe (drivers/pci/pcie/portdrv_pci.c:117)
[ 17.860629][ T306] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 17.860629][ T306] work_for_cpu_fn (kernel/workqueue.c:5194)
[ 17.860629][ T306] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303)
[ 17.860629][ T306] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2358 kernel/workqueue.c:2450)
[ 17.860629][ T306] kthread (kernel/kthread.c:327)
[ 17.860629][ T306] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 17.860629][ T306]
[ 17.860629][ T306] Freed by task 306:
[ 17.860629][ T306] kasan_save_stack (mm/kasan/common.c:38)
[ 17.860629][ T306] kasan_set_track (mm/kasan/common.c:46)
[ 17.860629][ T306] kasan_set_free_info (mm/kasan/generic.c:372)
[ 17.860629][ T306] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 17.860629][ T306] kfree (mm/slub.c:1749 mm/slub.c:3513 mm/slub.c:4561)
[ 17.860629][ T306] msi_free_msi_descs_range (kernel/irq/msi.c:136 (discriminator 2))
[ 17.860629][ T306] msi_domain_alloc_irqs_descs_locked (kernel/irq/msi.c:958)
[ 17.860629][ T306] __pci_enable_msi_range (drivers/pci/msi/msi.c:459 drivers/pci/msi/msi.c:907)
[ 17.860629][ T306] pci_alloc_irq_vectors_affinity (drivers/pci/msi/msi.c:1031)
[ 17.860629][ T306] pcie_port_device_register (include/linux/pci.h:1882 drivers/pci/pcie/portdrv_core.c:107 drivers/pci/pcie/portdrv_core.c:178 drivers/pci/pcie/portdrv_core.c:353)
[ 17.860629][ T306] pcie_portdrv_probe (drivers/pci/pcie/portdrv_pci.c:117)
[ 17.860629][ T306] local_pci_probe (drivers/pci/pci-driver.c:323)
[ 17.860629][ T306] work_for_cpu_fn (kernel/workqueue.c:5194)
[ 17.860629][ T306] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303)
[ 17.860629][ T306] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2358 kernel/workqueue.c:2450)
[ 17.860629][ T306] kthread (kernel/kthread.c:327)
[ 17.860629][ T306] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 17.860629][ T306]
[ 17.860629][ T306] The buggy address belongs to the object at ffff888f49b2ee00
[ 17.860629][ T306] which belongs to the cache kmalloc-128 of size 128
[ 17.860629][ T306] The buggy address is located 92 bytes inside of
[ 17.860629][ T306] 128-byte region [ffff888f49b2ee00, ffff888f49b2ee80)
[ 17.860629][ T306] The buggy address belongs to the page:
[ 17.860629][ T306] page:000000000287bdee refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf49b2e
[ 17.860629][ T306] head:000000000287bdee order:1 compound_mapcount:0
[ 17.860629][ T306] flags: 0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 17.860629][ T306] raw: 0057ffffc0010200 0000000000000000 dead000000000122 ffff88810004c8c0
[ 17.860629][ T306] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 17.860629][ T306] page dumped because: kasan: bad access detected
[ 17.860629][ T306]
[ 17.860629][ T306] Memory state around the buggy address:
[ 17.860629][ T306]  ffff888f49b2ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.860629][ T306]  ffff888f49b2ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.860629][ T306] >ffff888f49b2ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.860629][ T306]                    ^
[ 17.860629][ T306]  ffff888f49b2ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.860629][ T306]  ffff888f49b2ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.860629][ T306] ==================================================================
[ 17.860629][ T306] Disabling lock debugging due to kernel taint
[ 18.438903][ T306] pcieport 0000:00:01.0: PME: Signaling with IRQ 25
[ 18.448863][ T306] pcieport 0000:00:02.0: PME: Signaling with IRQ 26
[ 18.458334][ T306] IOAPIC[0]: Preconfigured routing entry (0-16 -> IRQ 16 Level:1 ActiveLow:1)
[ 18.468383][ T306] pcieport 0000:00:03.0: PME: Signaling with IRQ 27
[ 18.478073][ T306] pcieport 0000:00:11.0: PME: Signaling with IRQ 28

To reproduce:

	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	sudo bin/lkp install job.yaml           # job file is attached in this email
	bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
	sudo bin/lkp run generated-yaml-file

	# if you come across any failure that blocks the test,
	# please remove ~/.lkp and /lkp dir to run from a clean state.

---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang