On 10.07.26 10:23, Dragos Tatulea wrote:
>
>
> On 10.07.26 09:18, Christian Borntraeger wrote:
>> Am 07.07.26 um 09:17 schrieb Christian Borntraeger:
>>> Am 06.07.26 um 16:15 schrieb Christian Borntraeger:
>>>> We have seen in our CI the following KASAN message:
>>>> BUG: KASAN: slab-out-of-bounds in cmd_exec+0x550/0xca0 [mlx5_core]
>>>> Read of size 272 at addr 0000000176795020 by task qemu-system-s39/82764
>>>> [...]
>>>> [<000011388ab3a7a0>] cmd_exec+0x550/0xca0 [mlx5_core]
>>>> [<000011388ab3b61c>] mlx5_cmd_exec_cb+0x25c/0x4f0 [mlx5_core]
>>>> [<000011388b21e82e>] mlx5_vdpa_exec_async_cmds+0x22e/0x5e0 [mlx5_vdpa]
>>>> [<000011388b21fd44>] create_direct_keys+0x954/0xef0 [mlx5_vdpa]
>>>> [...]
>>>> The buggy address is located 4128 bytes inside of
>>>> allocated 4384-byte region [0000000176794000, 0000000176795120)
>>>>
>>>> So in essence we read 16 bytes beyond 4384-byte allocation.
>>>> create_direct_keys calculates the pointer and length for in and out
>>>> buffers.
>>>> The size calculation for in includes the entire structure
>>>> size (out + in + mtt[]) but the pointer passed to cmd_exec points only
>>>> to the 'in' field, skipping the 'out' field.
>>>>
>>>> This causes mlx5_copy_to_msg() to read beyond the allocated buffer
>>>> by sizeof(out) bytes when copying command data.
>>>>
>>>> Properly calculate the input size to match the pointer and allocation size.
>>>>
>>>> Fixes: 0071b138d44a ("vdpa/mlx5: Create direct MKEYs in parallel")
>>>> Signed-off-by: Christian Borntraeger <[email protected]>
>>>
>>>
>>> Dragos,
>>>
>>> With this fix our nighly CI did not result in a kasan message. As I only
>>> have
>>> limited test coverage a full regression on your side might still be the
>>> right
>>> thing to do.
>>
>> Any feedback?
>>
> Sorry, got carried away with other stuff. Yes, I will check it on our side.
>
> Until then:
> Reviewed-by: Dragos Tatulea <[email protected]>
>
I was able to reproduce the issue with KASAN during our live migration tests.
With this patch the issue is gone. Thanks for the fix!
Tested-by: Dragos Tatulea <[email protected]>
Thanks,
Dragos