Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp5049048ybi; Sat, 20 Jul 2019 11:44:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqyTGTkUOvH0u25es+lvTkzyIVXRgH0/0XLeOgyjTvNKxi/h9n/UTP2oEn9KKsQRDhHaJpuH X-Received: by 2002:a17:902:d70a:: with SMTP id w10mr61024993ply.251.1563648287939; Sat, 20 Jul 2019 11:44:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563648287; cv=none; d=google.com; s=arc-20160816; b=xQZhgIYJ+j6+Lc9EeCRywfP66LTHaduVH+nt3BctuL/RcXhfX62vQpv1NfNnTFNAK3 BD6eyRtaReWecMq3gn1RCNbZEOu5n1QJISfot5lxbZe7UNXMR8bvEOChP3+qVECcTlqN ckvPi9cQM607PcMgCja/kbEx1RRawWq3SyVRQe3vZ26xXys9HCeX07/PruBmv8cdcSlL RFXpbPf6ybZmXpyXc3lOfOtw1Kl+RWedcekiR/rq/v2LqKQjdX46Gl+I756CMoDNfmDi 2VOaT2OJzivdcx2Lbazv/KxUvJ/QMmuYqTT0y1TftOPxWcXiorEAWs3AqbJNoPQVBxMm 7EoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language:in-reply-to:mime-version :user-agent:date:message-id:organization:from:references:cc:to :subject; bh=PJV6+Tm1k+iCwpbH1u8LMCJKOIc4E5wWVRewTZK2xJg=; b=q3+kkcuVRmV2deupRKAMsr9MyPOHZSWi31T5QtTIpK95kDg1HoqOUChmxoaCykqEZn XWYvEAsryQfvaaX85RTpMCUex81kp/y4z7m2kMvyuskAyIAzeCHRbh5GAv4ySrsIBswP WIpLkDk59cPIwjvMbHelKGXq5c94UzAxCKrfKGTjMn4wXEgP+aL6p1PchqWvE/xBho9C QPpMvWQ3XiNUT2/sAb8qGtHfvN//bjANSMr/g3/MMHRVry9+Wdzc+C/Imwta6sYEbHmy Da8hIg4XVVNVja73NUXdQw11wuNorV2EVk4ZI2Cc1ONl5Yy1SoPomMt+QxvayGHxnNGq Z1GQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z10si3829809pln.285.2019.07.20.11.44.31; Sat, 20 Jul 2019 11:44:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726106AbfGTPES (ORCPT + 99 others); Sat, 20 Jul 2019 11:04:18 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49318 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726029AbfGTPES (ORCPT ); Sat, 20 Jul 2019 11:04:18 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1588A3082E57; Sat, 20 Jul 2019 15:04:14 +0000 (UTC) Received: from llong.remote.csb (ovpn-120-88.rdu2.redhat.com [10.10.120.88]) by smtp.corp.redhat.com (Postfix) with ESMTP id D5A8B1024719; Sat, 20 Jul 2019 15:04:10 +0000 (UTC) Subject: Re: [PATCH v8 13/19] locking/rwsem: Make rwsem->owner an atomic_long_t To: Luis Henriques , Linus Torvalds Cc: Borislav Petkov , Will Deacon , huang ying , Peter Zijlstra , the arch/x86 maintainers , Thomas Gleixner , Tim Chen , Ingo Molnar , Davidlohr Bueso , Linux List Kernel Mailing , "H. Peter Anvin" , Jeff Layton References: <20190520205918.22251-1-longman@redhat.com> <20190520205918.22251-14-longman@redhat.com> <20190719184538.GA20324@hermes.olymp> <2ed44afa-4528-a785-f188-2daf24343f97@redhat.com> <87h87hksim.fsf@suse.com> From: Waiman Long Organization: Red Hat Message-ID: <81e82d5b-5074-77e8-7204-28479bbe0df0@redhat.com> Date: Sat, 20 Jul 2019 11:04:10 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <87h87hksim.fsf@suse.com> Content-Type: multipart/mixed; boundary="------------7CE4E258FA1DECF46F49C77A" Content-Language: en-US X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]); Sat, 20 Jul 2019 15:04:17 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is a multi-part message in MIME format. --------------7CE4E258FA1DECF46F49C77A Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 7/20/19 4:41 AM, Luis Henriques wrote: > "Linus Torvalds" writes: > >> On Fri, Jul 19, 2019 at 12:32 PM Waiman Long wrote: >>> This patch shouldn't change the behavior of the rwsem code. The code >>> only access data within the rw_semaphore structures. I don't know why it >>> will cause a KASAN error. I will have to reproduce it and figure out >>> exactly which statement is doing the invalid access. >> The stack traces should show line numbers if you run them through >> scripts/decode_stacktrace.sh. >> >> You need to have debug info enabled for that, though. >> >> Luis? >> >> Linus > Yep, sure. And I should have done this in the initial report. It's a > different trace, I had to recompile the kernel. > > (I'm also adding Jeff to the CC list.) > > Cheers, Thanks for the information. I think I know where the problem is. Would you mind applying the attached patch to see if it can fix the KASAN error. Thanks, Longman --------------7CE4E258FA1DECF46F49C77A Content-Type: text/x-patch; name="0001-locking-rwsem-Don-t-call-owner_on_cpu-on-read-owner.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename*0="0001-locking-rwsem-Don-t-call-owner_on_cpu-on-read-owner.pat"; filename*1="ch" From 445dc58add71f976c20359568d370f5059d30f77 Mon Sep 17 00:00:00 2001 From: Waiman Long Date: Sat, 20 Jul 2019 10:45:39 -0400 Subject: [PATCH] locking/rwsem: Don't call owner_on_cpu() on read-owner For writer, the owner value is cleared on unlock. For reader, it is left intact on unlock for providing better debugging aid on crash dump and the unlock of one reader may not mean the lock is free. As a result, the owner_on_cpu() shouldn't be used on read-owner as the task pointer value may not be valid and it might have been freed. That is the case in rwsem_spin_on_owner(), but not in rwsem_can_spin_on_owner(). This can lead to use-after-free error from KASAN. For example, BUG: KASAN: use-after-free in rwsem_down_write_slowpath (/home/miguel/kernel/linux/kernel/locking/rwsem.c:669 /home/miguel/kernel/linux/kernel/locking/rwsem.c:1125) Fix this by checking for RWSEM_READER_OWNED flag before calling owner_on_cpu(). Fixes: 94a9717b3c40e ("locking/rwsem: Make rwsem->owner an atomic_long_t") Signed-off-by: Waiman Long --- kernel/locking/rwsem.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c index 37524a47f002..bc91aacaab58 100644 --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -666,7 +666,11 @@ static inline bool rwsem_can_spin_on_owner(struct rw_semaphore *sem, preempt_disable(); rcu_read_lock(); owner = rwsem_owner_flags(sem, &flags); - if ((flags & nonspinnable) || (owner && !owner_on_cpu(owner))) + /* + * Don't check the read-owner as the entry may be stale. + */ + if ((flags & nonspinnable) || + (owner && !(flags & RWSEM_READER_OWNED) && !owner_on_cpu(owner))) ret = false; rcu_read_unlock(); preempt_enable(); -- 2.18.1 --------------7CE4E258FA1DECF46F49C77A--