From: kernel test robot <oliver.sang@intel.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>, <oliver.sang@intel.com>
Subject: [leon-rdma:dma-split] [nvme] a5d61e7689: UBSAN:array-index-out-of-bounds_in_drivers/nvme/host/pci.c
Date: Tue, 12 Mar 2024 15:08:08 +0800
Message-ID: <202403121435.b3e4d54b-oliver.sang@intel.com>

Hello,

kernel test robot noticed "UBSAN:array-index-out-of-bounds_in_drivers/nvme/host/pci.c" on:

commit: a5d61e76896667a7e9e5385e6f6c8b2d571dd820 ("nvme-pci: use blk_rq_dma_map() for NVMe SGL")
https://git.kernel.org/cgit/linux/kernel/git/leon/linux-rdma.git dma-split

in testcase: kernel-selftests
version: kernel-selftests-x86_64-4306b286-1_20240301
with following parameters:

	group: tc-testing

compiler: gcc-12
test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202403121435.b3e4d54b-oliver.sang@intel.com

[ 94.342338][ C31] ------------[ cut here ]------------
[ 94.342911][ C31] UBSAN: array-index-out-of-bounds in drivers/nvme/host/pci.c:538:53
[ 94.343852][ C31] index 128 is out of range for type 'dma_addr_t [128]'
[ 94.344526][ C31] CPU: 31 PID: 0 Comm: swapper/31 Not tainted 6.8.0-rc7-00016-ga5d61e768966 #1
[ 94.345371][ C31] Hardware name: Gigabyte Technology Co., Ltd. X299 UD4 Pro/X299 UD4 Pro-CF, BIOS F8a 04/27/2021
[ 94.346344][ C31] Call Trace:
[ 94.346704][ C31] <IRQ>
[ 94.347044][ C31] dump_stack_lvl (lib/dump_stack.c:108)
[ 94.347515][ C31] __ubsan_handle_out_of_bounds (lib/ubsan.c:218 lib/ubsan.c:347)
[ 94.348097][ C31] nvme_unmap_data (drivers/nvme/host/pci.c:538 drivers/nvme/host/pci.c:526) nvme
[ 94.348647][ C31] nvme_pci_complete_rq (drivers/nvme/host/pci.c:857) nvme
[ 94.349221][ C31] nvme_poll_cq (drivers/nvme/host/pci.c:920 drivers/nvme/host/pci.c:947) nvme
[ 94.349746][ C31] ? nvme_timeout (drivers/nvme/host/pci.c:957) nvme
[ 94.350292][ C31] nvme_irq (drivers/nvme/host/pci.c:961) nvme
[ 94.350762][ C31] ? nvme_timeout (drivers/nvme/host/pci.c:957) nvme
[ 94.351318][ C31] ? reacquire_held_locks (kernel/locking/lockdep.c:5405)
[ 94.351856][ C31] ? __lock_release+0x111/0x440
[ 94.352407][ C31] __handle_irq_event_percpu (kernel/irq/handle.c:158)
[ 94.352966][ C31] handle_irq_event (kernel/irq/handle.c:195 kernel/irq/handle.c:210)
[ 94.353448][ C31] handle_edge_irq (kernel/irq/chip.c:833)
[ 94.353933][ C31] __common_interrupt (arch/x86/kernel/irq.c:271 (discriminator 22))
[ 94.354432][ C31] common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))
[ 94.354906][ C31] </IRQ>
[ 94.355258][ C31] <TASK>
[ 94.355587][ C31] asm_common_interrupt (arch/x86/include/asm/idtentry.h:640)
[ 94.356094][ C31] RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291 (discriminator 1))
[ 94.356677][ C31] Code: bf ff ff ff ff 49 89 c6 e8 49 08 51 ff 31 ff e8 02 8d 6d fd 45 84 ff 0f 85 49 02 00 00 e8 64 01 51 ff 84 c0 0f 84 31 02 00 00 <45> 85 ed 0f 88 95 01 00 00 4d 63 fd 49 83 ff 09 0f 87 43 03 00 00
All code
========
0: bf ff ff ff ff mov $0xffffffff,%edi
5: 49 89 c6 mov %rax,%r14
8: e8 49 08 51 ff callq 0xffffffffff510856
d: 31 ff xor %edi,%edi
f: e8 02 8d 6d fd callq 0xfffffffffd6d8d16
14: 45 84 ff test %r15b,%r15b
17: 0f 85 49 02 00 00 jne 0x266
1d: e8 64 01 51 ff callq 0xffffffffff510186
22: 84 c0 test %al,%al
24: 0f 84 31 02 00 00 je 0x25b
2a:* 45 85 ed test %r13d,%r13d <-- trapping instruction
2d: 0f 88 95 01 00 00 js 0x1c8
33: 4d 63 fd movslq %r13d,%r15
36: 49 83 ff 09 cmp $0x9,%r15
3a: 0f 87 43 03 00 00 ja 0x383
Code starting with the faulting instruction
===========================================
0: 45 85 ed test %r13d,%r13d
3: 0f 88 95 01 00 00 js 0x19e
9: 4d 63 fd movslq %r13d,%r15
c: 49 83 ff 09 cmp $0x9,%r15
10: 0f 87 43 03 00 00 ja 0x359
[ 94.358420][ C31] RSP: 0018:ffffc900003c7d88 EFLAGS: 00000202
[ 94.359031][ C31] RAX: 000000000005f091 RBX: ffffe8ffffb81d98 RCX: 1ffffffff0b7e149
[ 94.359795][ C31] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff83c72b6a
[ 94.360566][ C31] RBP: ffffffff8567c560 R08: 0000000000000001 R09: fffffbfff0b7ec8c
[ 94.361327][ C31] R10: ffffffff85bf6467 R11: 0000000000000000 R12: 0000000000000003
[ 94.362089][ C31] R13: 0000000000000003 R14: 00000015f73dceaa R15: 0000000000000000
[ 94.362857][ C31] ? cpuidle_enter_state (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:77 drivers/cpuidle/cpuidle.c:289)
[ 94.363400][ C31] ? cpuidle_enter_state (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:77 drivers/cpuidle/cpuidle.c:289)
[ 94.363930][ C31] cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
[ 94.364395][ C31] cpuidle_idle_call (kernel/sched/idle.c:219)
[ 94.364892][ C31] ? arch_cpu_idle_exit+0x40/0x40
[ 94.365394][ C31] ? check_tsc_sync_source (arch/x86/kernel/tsc_sync.c:393)
[ 94.365939][ C31] do_idle (kernel/sched/idle.c:312)
[ 94.366357][ C31] cpu_startup_entry (kernel/sched/idle.c:409 (discriminator 1))
[ 94.366838][ C31] start_secondary (arch/x86/kernel/smpboot.c:224 arch/x86/kernel/smpboot.c:304)
[ 94.367335][ C31] ? set_cpu_sibling_map (arch/x86/kernel/smpboot.c:254)
[ 94.367876][ C31] ? soft_restart_cpu (arch/x86/kernel/head_64.S:498)
[ 94.368375][ C31] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:461)
[ 94.368979][ C31] </TASK>
[ 94.369313][ C31] ---[ end trace ]---
[ 94.371070][ C31] nvme_log_error: 12 callbacks suppressed
[ 94.371074][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074216960, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.372524][ C31] blk_print_req_error: 12 callbacks suppressed
[ 94.372526][ C31] operation not supported error, dev nvme0n1, sector 1074216960 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.374282][ C31] Buffer I/O error on dev nvme0n1p4, logical block 0, lost async page write
[ 94.375121][ C31] Buffer I/O error on dev nvme0n1p4, logical block 1, lost async page write
[ 94.375943][ C31] Buffer I/O error on dev nvme0n1p4, logical block 2, lost async page write
[ 94.376764][ C31] Buffer I/O error on dev nvme0n1p4, logical block 3, lost async page write
[ 94.377584][ C31] Buffer I/O error on dev nvme0n1p4, logical block 4, lost async page write
[ 94.378404][ C31] Buffer I/O error on dev nvme0n1p4, logical block 5, lost async page write
[ 94.379225][ C31] Buffer I/O error on dev nvme0n1p4, logical block 6, lost async page write
[ 94.380045][ C31] Buffer I/O error on dev nvme0n1p4, logical block 7, lost async page write
[ 94.380872][ C31] Buffer I/O error on dev nvme0n1p4, logical block 8, lost async page write
[ 94.381692][ C31] Buffer I/O error on dev nvme0n1p4, logical block 9, lost async page write
[ 94.396085][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074217216, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.396981][ C31] operation not supported error, dev nvme0n1, sector 1074217216 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.399424][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074217472, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.400314][ C31] operation not supported error, dev nvme0n1, sector 1074217472 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.401929][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074217728, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.402816][ C31] operation not supported error, dev nvme0n1, sector 1074217728 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.404410][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074217984, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.405294][ C31] operation not supported error, dev nvme0n1, sector 1074217984 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.406598][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074218240, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.407476][ C31] operation not supported error, dev nvme0n1, sector 1074218240 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.408772][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074218496, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.409648][ C31] operation not supported error, dev nvme0n1, sector 1074218496 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.410939][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074218752, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.411815][ C31] operation not supported error, dev nvme0n1, sector 1074218752 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.413105][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074219008, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.413982][ C31] operation not supported error, dev nvme0n1, sector 1074219008 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
[ 94.415278][ C31] nvme0n1: I/O Cmd(0x1) @ LBA 1074219264, 256 blocks, I/O Error (sct 0x0 / sc 0x2)
[ 94.416155][ C31] operation not supported error, dev nvme0n1, sector 1074219264 op 0x1:(WRITE) flags 0x4800 phys_seg 32 prio class 0
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240312/202403121435.b3e4d54b-oliver.sang@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki