"[Bug Description]
KASAN: slab-out-of-bounds in hns_roce_table_mhop_put+0x584/0x828 [hns_roce]
Read of size 8 at addr ffff802185e08300 by task rmmod/270
Call trace:
dump_backtrace+0x0/0x1e8
show_stack+0x14/0x20
dump_stack+0xc4/0xfc
print_address_description+0x60/0x270
__kasan_report+0x164/0x1b8
kasan_report+0xc/0x18
__asan_load8+0x84/0xa8
hns_roce_table_mhop_put+0x584/0x828 [hns_roce]
hns_roce_table_put+0x174/0x1a0 [hns_roce]
hns_roce_mr_free+0x124/0x210 [hns_roce]
hns_roce_dereg_mr+0x90/0xb8 [hns_roce]
ib_dealloc_pd_user+0x60/0xf0
ib_mad_port_close+0x128/0x1d8
ib_mad_remove_device+0x94/0x118
remove_client_context+0xa0/0xe0
disable_device+0xfc/0x1c0
__ib_unregister_device+0x60/0xe0
ib_unregister_device+0x24/0x38
hns_roce_exit+0x3c/0x138 [hns_roce]
__hns_roce_hw_v2_uninit_instance.isra.30+0x28/0x50 [hns_roce_hw_v2]
hns_roce_hw_v2_uninit_instance+0x44/0x60 [hns_roce_hw_v2]
hclge_uninit_client_instance+0x15c/0x238 [hclge]
hnae3_uninit_client_instance+0x84/0xa8 [hnae3]
hnae3_unregister_client+0x84/0x158 [hnae3]
hns_roce_hw_v2_exit+0x14/0x20 [hns_roce_hw_v2]
__arm64_sys_delete_module+0x20c/0x308
el0_svc_handler+0xbc/0x210
el0_svc+0x8/0xc
Allocated by task 255:
__kasan_kmalloc.isra.0+0xd0/0x180
kasan_kmalloc+0xc/0x18
__kmalloc+0x16c/0x328
hns_roce_init_hem_table+0x20c/0x428 [hns_roce]
hns_roce_init+0x214/0xfe0 [hns_roce]
__hns_roce_hw_v2_init_instance+0x284/0x330 [hns_roce_hw_v2]
hns_roce_hw_v2_init_instance+0xd0/0x1b8 [hns_roce_hw_v2]
hclge_init_roce_client_instance+0x180/0x310 [hclge]
hclge_init_client_instance+0xcc/0x508 [hclge]
hnae3_init_client_instance.part.3+0x3c/0x80 [hnae3]
hnae3_register_client+0x134/0x1a8 [hnae3]
0xffff200009c00014
do_one_initcall+0x9c/0x3e0
do_init_module+0xd4/0x2d8
load_module+0x3284/0x3690
__se_sys_init_module+0x274/0x308
__arm64_sys_init_module+0x40/0x50
el0_svc_handler+0xbc/0x210
el0_svc+0x8/0xc
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff802185e06300
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 0 bytes to the right of
8192-byte region [ffff802185e06300, ffff802185e08300)
The buggy address belongs to the page:
page:ffff7fe008617800 refcount:1 mapcount:0 mapping:ffff802340020e00 index:0x0
compound_mapcount: 0
flags: 0x5fffe00000010200(slab|head)
raw: 5fffe00000010200 dead000000000100 dead000000000200 ffff802340020e00
raw: 0000000000000000 00000000803e003e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff802185e08200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff802185e08280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff802185e08300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
ffff802185e08380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff802185e08400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Disabling lock debugging due to kernel taint
[Steps to Reproduce]
Enable KASAN and configure PAGE_SIZE to 64K, insmod the hns roce driver and then rmmod it.
[Actual Results]
Call trace because of slab-out-of-bounds.
[Expected Results]
Success
[Reproducibility]
Inevitably
[Additional information]
Hardware: D06 CS
Firmware: NA
Kernel: NA
[Resolution]
Do not configure eq->next when the number of eq_buf is 1 in eq_mhop_alloc()."
RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver