From: bugzilla@dpdk.org
To: dev@dpdk.org
Date: Fri, 29 Oct 2021 11:51:29 +0000
Message-ID: <bug-867-3@http.bugs.dpdk.org/>
Subject: [dpdk-dev] [Bug 867] [asan] mbuf: use-after-free in mbuf_autotest

https://bugs.dpdk.org/show_bug.cgi?id=867

            Bug ID: 867
           Summary: [asan] mbuf: use-after-free in mbuf_autotest
           Product: DPDK
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: david.marchand@redhat.com
  Target Milestone: ---

Using series https://patchwork.dpdk.org/project/dpdk/list/?series=19821,
calling mbuf_autotest shows:

41/97 DPDK:fast-tests / mbuf_autotest         FAIL     1.07 s (exit status 1)

--- command ---
DPDK_TEST='mbuf_autotest' /home/runner/work/dpdk/dpdk/build/app/test/dpdk-test --file-prefix=mbuf_autotest
--- stdout ---
RTE>>mbuf_autotest
Test mbuf dynamic fields and flags
Reserved fields:
Reserved flags:
Free space in mbuf (0 = occupied, value = free zone alignment):
  0000: 00 00 00 00 00 00 00 00
  0008: 00 00 00 00 00 00 00 00
  0010: 00 00 00 00 00 00 00 00
...
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_in+0x9d) [0x7f94e6cf382d]]
11: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(rdline_char_in+0xf2b) [0x7f94e6cfb7ab]]
10: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(+0x5468) [0x7f94e6cf3468]]
9: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_parse+0x3c9) [0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bfe72]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte_mbuf_sanity_check+0x269) [0x7f94e7b84089]]
3: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rte_panic+0x13d) [0x7f94e8fefd0d]]
2: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_dump_stack+0xcd) [0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b) [0x46728b]]
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_in+0x9d) [0x7f94e6cf382d]]
11: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(rdline_char_in+0xf2b) [0x7f94e6cfb7ab]]
10: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(+0x5468) [0x7f94e6cf3468]]
9: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_parse+0x3c9) [0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bff47]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte_mbuf_sanity_check+0x269) [0x7f94e7b84089]]
3: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rte_panic+0x13d) [0x7f94e8fefd0d]]
2: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_dump_stack+0xcd) [0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b) [0x46728b]]
=================================================================
==26477==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f90d842a9d0 at pc 0x0000009b89a8 bp 0x7ffc2cfe8b50 sp 0x7ffc2cfe8b48
READ of size 2 at 0x7f90d842a9d0 thread T0
    #0 0x9b89a7 in rte_mbuf_ext_refcnt_read /home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9
    #1 0x9b89a7 in test_pktmbuf_ext_shinfo_init_helper /home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2409:6
    #2 0x9b89a7 in test_mbuf /home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2950:6
    #3 0x4d7600 in cmd_autotest_parsed /home/runner/work/dpdk/dpdk/build/../app/test/commands.c:71:10
    #4 0x7f94e6cf65c8 in cmdline_parse /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_parse.c:290:3
    #5 0x7f94e6cf3467 in cmdline_valid_buffer /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:26:8
    #6 0x7f94e6cfb7aa in rdline_char_in /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_rdline.c:446:5
    #7 0x7f94e6cf382c in cmdline_in /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:148:9
    #8 0x516ce1 in main /home/runner/work/dpdk/dpdk/build/../app/test/test.c:214:8
    #9 0x7f94e0223bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x42ff59 in _start (/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test+0x42ff59)

Address 0x7f90d842a9d0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9 in rte_mbuf_ext_refcnt_read
Shadow bytes around the buggy address:
  0x0ff29b07d4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d4f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff29b07d530: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0ff29b07d540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b07d550: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 fa
  0x0ff29b07d560: fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b07d570: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 00
  0x0ff29b07d580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==26477==ABORTING
-------
