From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
by inbox.dpdk.org (Postfix) with ESMTP id 8D84AA0032;
Fri, 29 Oct 2021 13:51:31 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
by mails.dpdk.org (Postfix) with ESMTP id 592524111F;
Fri, 29 Oct 2021 13:51:31 +0200 (CEST)
Received: from inbox.dpdk.org (inbox.dpdk.org [95.142.172.178])
by mails.dpdk.org (Postfix) with ESMTP id D1EE0410E1
for <dev@dpdk.org>; Fri, 29 Oct 2021 13:51:29 +0200 (CEST)
Received: by inbox.dpdk.org (Postfix, from userid 33)
id BA72AA0547; Fri, 29 Oct 2021 13:51:29 +0200 (CEST)
From: bugzilla@dpdk.org
To: dev@dpdk.org
Date: Fri, 29 Oct 2021 11:51:29 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: DPDK
X-Bugzilla-Component: core
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: david.marchand@redhat.com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: dev@dpdk.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
op_sys bug_status bug_severity priority component assigned_to reporter
target_milestone
Message-ID: <bug-867-3@http.bugs.dpdk.org/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://bugs.dpdk.org/
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
MIME-Version: 1.0
Subject: [dpdk-dev] [Bug 867] [asan] mbuf: use-after-free in mbuf_autotest
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
<mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>
https://bugs.dpdk.org/show_bug.cgi?id=3D867
Bug ID: 867
Summary: [asan] mbuf: use-after-free in mbuf_autotest
Product: DPDK
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: dev@dpdk.org
Reporter: david.marchand@redhat.com
Target Milestone: ---
Using series https://patchwork.dpdk.org/project/dpdk/list/?series=3D19821,
calling mbuf_autotest shows:
41/97 DPDK:fast-tests / mbuf_autotest FAIL 1.07 s (exit status =
1)
--- command ---
DPDK_TEST=3D'mbuf_autotest' /home/runner/work/dpdk/dpdk/build/app/test/dpdk=
-test
--file-prefix=3Dmbuf_autotest
--- stdout ---
RTE>>mbuf_autotest
Test mbuf dynamic fields and flags
Reserved fields:
Reserved flags:
Free space in mbuf (0 =3D occupied, value =3D free zone alignment):
0000: 00 00 00 00 00 00 00 00
0008: 00 00 00 00 00 00 00 00
0010: 00 00 00 00 00 00 00 00
...
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf=
7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
cmdline_in+0x9d)
[0x7f94e6cf382d]]
11:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
rdline_char_in+0xf2b)
[0x7f94e6cfb7ab]]
10:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
+0x5468)
[0x7f94e6cf3468]]
9:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
cmdline_parse+0x3c9)
[0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bfe72]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte=
_mbuf_sanity_check+0x269)
[0x7f94e7b84089]]
3:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rt=
e_panic+0x13d)
[0x7f94e8fefd0d]]
2:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_=
dump_stack+0xcd)
[0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b)
[0x46728b]]
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf=
7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
cmdline_in+0x9d)
[0x7f94e6cf382d]]
11:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
rdline_char_in+0xf2b)
[0x7f94e6cfb7ab]]
10:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
+0x5468)
[0x7f94e6cf3468]]
9:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(=
cmdline_parse+0x3c9)
[0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bff47]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte=
_mbuf_sanity_check+0x269)
[0x7f94e7b84089]]
3:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rt=
e_panic+0x13d)
[0x7f94e8fefd0d]]
2:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_=
dump_stack+0xcd)
[0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b)
[0x46728b]]
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=3D26477=3D=3DERROR: AddressSanitizer: heap-use-after-free on address 0x=
7f90d842a9d0
at pc 0x0000009b89a8 bp 0x7ffc2cfe8b50 sp 0x7ffc2cfe8b48
READ of size 2 at 0x7f90d842a9d0 thread T0
#0 0x9b89a7 in rte_mbuf_ext_refcnt_read
/home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9
#1 0x9b89a7 in test_pktmbuf_ext_shinfo_init_helper
/home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2409:6
#2 0x9b89a7 in test_mbuf
/home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2950:6
#3 0x4d7600 in cmd_autotest_parsed
/home/runner/work/dpdk/dpdk/build/../app/test/commands.c:71:10
#4 0x7f94e6cf65c8 in cmdline_parse
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_parse.c:290:3
#5 0x7f94e6cf3467 in cmdline_valid_buffer
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:26:8
#6 0x7f94e6cfb7aa in rdline_char_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_rdline.c:446:5
#7 0x7f94e6cf382c in cmdline_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:148:9
#8 0x516ce1 in main
/home/runner/work/dpdk/dpdk/build/../app/test/test.c:214:8
#9 0x7f94e0223bf6 in __libc_start_main
/build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x42ff59 in _start
(/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test+0x42ff59)
Address 0x7f90d842a9d0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-use-after-free
/home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9 in
rte_mbuf_ext_refcnt_read
Shadow bytes around the buggy address:
0x0ff29b07d4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d4f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=3D>0x0ff29b07d530: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0ff29b07d540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff29b07d550: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 fa
0x0ff29b07d560: fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff29b07d570: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 00
0x0ff29b07d580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07=20
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
=3D=3D26477=3D=3DABORTING
-------
--=20
You are receiving this mail because:
You are the assignee for the bug.=