From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [Bug 994] [asan] mem: cannot reuse released memory segment
Date: Wed, 13 Apr 2022 15:23:49 +0000
Message-ID: <bug-994-3@http.bugs.dpdk.org/>

https://bugs.dpdk.org/show_bug.cgi?id=994

            Bug ID: 994
           Summary: [asan] mem: cannot reuse released memory segment
           Product: DPDK
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: major
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: david.marchand@redhat.com
  Target Milestone: ---

This is something I have seen in GHA, where 2M hugepages are used.
acl_autotest fails with:

ACL: allocation of 25166736 bytes on socket 33 for ACL_acl_ctx failed
=================================================================
==318==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f910f800000
at pc 0x7f95216ed407 bp 0x7ffd5e917f50 sp 0x7ffd5e917f48
READ of size 4 at 0x7f910f800000 thread T0
    #0 0x7f95216ed406 in alloc_seg
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_memalloc.c:644:26
    #1 0x7f95216e9a99 in alloc_seg_walk
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_memalloc.c:897:7
    #2 0x7f952168b3ff in rte_memseg_list_walk_thread_unsafe
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/eal_common_memory.c:769:9
    #3 0x7f95216e9476 in eal_memalloc_alloc_seg_bulk
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_memalloc.c:1062:8
    #4 0x7f95216a3776 in alloc_pages_on_heap
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/malloc_heap.c:315:17
    #5 0x7f95216a915c in try_expand_heap_primary
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/malloc_heap.c:415:9
    #6 0x7f95216a915c in try_expand_heap
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/malloc_heap.c:506:9
    #7 0x7f95216a545f in alloc_more_mem_on_socket
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/malloc_heap.c:634:8
    #8 0x7f95216a545f in malloc_heap_alloc_on_heap_id
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/malloc_heap.c:690:7
    #9 0x7f95216a406e in malloc_heap_alloc
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/malloc_heap.c:748:8
    #10 0x7f95216a9936 in malloc_socket
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/rte_malloc.c:72:8
    #11 0x7f95216a9de3 in rte_malloc_socket
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/rte_malloc.c:87:9
    #12 0x7f95216a9de3 in rte_zmalloc_socket
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/rte_malloc.c:111:14
    #13 0x7f951f92821d in rte_acl_create
/home/runner/work/dpdk/dpdk/build/../lib/acl/rte_acl.c:407:9
    #14 0x5191cb in test_invalid_parameters
/home/runner/work/dpdk/dpdk/build/../app/test/test_acl.c:1499:8
    #15 0x5191cb in test_acl
/home/runner/work/dpdk/dpdk/build/../app/test/test_acl.c:1732:6
    #16 0x4d7a10 in cmd_autotest_parsed
/home/runner/work/dpdk/dpdk/build/../app/test/commands.c:68:10
    #17 0x7f952019c5c8 in cmdline_parse
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_parse.c:287:3
    #18 0x7f9520199467 in cmdline_valid_buffer
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:24:8
    #19 0x7f95201a17aa in rdline_char_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_rdline.c:444:5
    #20 0x7f952019982c in cmdline_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:146:9
    #21 0x5170f1 in main
/home/runner/work/dpdk/dpdk/build/../app/test/test.c:217:8
    #22 0x7f95173ddc86 in __libc_start_main
/build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #23 0x430369 in _start
(/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test+0x430369)

Address 0x7f910f800000 is a wild pointer.
SUMMARY: AddressSanitizer: heap-use-after-free
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_memalloc.c:644:26 in
alloc_seg
Shadow bytes around the buggy address:
  0x0ff2a1ef7fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef7fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef7fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef7fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef7ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff2a1ef8000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff2a1ef8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==318==ABORTING

I think this is because a memory segment (used for heap) address range is
poisoned in ASan shadow after heap is shrunk.
The problem goes away with:

diff --git a/lib/eal/linux/eal_memalloc.c b/lib/eal/linux/eal_memalloc.c
index f8b1588cae..c387ef1d4e 100644
--- a/lib/eal/linux/eal_memalloc.c
+++ b/lib/eal/linux/eal_memalloc.c
@@ -37,6 +37,7 @@
 #include "eal_memalloc.h"
 #include "eal_memcfg.h"
 #include "eal_private.h"
+#include "malloc_elem.h"

 const int anonymous_hugepages_supported =
 #ifdef MAP_HUGE_SHIFT
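
Review bot: the new #include "malloc_elem.h" near the top of eal_memalloc.c brings the malloc element header into the Linux segment allocator only so that the second hunk can call asan_set_zone(). If that helper is now needed outside the malloc element code, consider exposing it through a header intended for wider EAL use, and state in the commit message why the segment allocator depends on it.
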
@@ -641,6 +642,7 @@ alloc_seg(struct rte_memseg *ms, void *addr, int socket_id,
         * that is already there, so read the old value, and write itback.
         * kernel populates the page with zeroes initially.
         */
+       asan_set_zone(addr, sizeof(int), 0x0);
        *(volatile int *)addr = *(volatile int *)addr;

        iova = rte_mem_virt2iova(addr);
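
Review bot: the added asan_set_zone(addr, sizeof(int), 0x0) in alloc_seg() clears the shadow only for the sizeof(int) bytes that the following read/write-back line touches, while the shadow dump in this report shows the whole area around 0x7f910f800000 marked fd. That silences the read at this line but leaves the rest of the reused segment marked as freed; consider clearing the poison for the full segment, either here or at the point where the segment is released when the heap shrinks, and add a comment explaining why the call has to precede the touch.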

-- 
You are receiving this mail because:
You are the assignee for the bug.
