Subject: Re: KASAN: use-after-free Read in percpu_ref_switch_to_atomic_rcu
From: Jens Axboe
To: Dan Carpenter
Cc: Dmitry Vyukov, syzbot, Al Viro, io-uring@vger.kernel.org, linux-fsdevel, Borislav Petkov, "H. Peter Anvin", LKML, Ingo Molnar, Peter Zijlstra, syzkaller-bugs, Thomas Gleixner, tony.luck@intel.com, the arch/x86 maintainers
Date: Fri, 6 Mar 2020 07:57:07 -0700
References: <00000000000067c6df059df7f9f5@google.com> <3f805e51-1db7-3e57-c9a3-15a20699ea54@kernel.dk> <20200306143552.GC19839@kadam>
In-Reply-To: <20200306143552.GC19839@kadam>
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/6/20 7:35 AM, Dan Carpenter wrote:
>
> There are a bunch of similar bugs. It seems a common anti-pattern.
>
> block/blk-cgroup.c:85 blkg_free() warn: freeing 'blkg' which has percpu_ref_exit()
> block/blk-core.c:558 blk_alloc_queue_node() warn: freeing 'q' which has percpu_ref_exit()
> drivers/md/md.c:5528 md_free() warn: freeing 'mddev' which has percpu_ref_exit()
> drivers/target/target_core_transport.c:583 transport_free_session() warn: freeing 'se_sess' which has percpu_ref_exit()
> fs/aio.c:592 free_ioctx() warn: freeing 'ctx' which has percpu_ref_exit()
> fs/aio.c:806 ioctx_alloc() warn: freeing 'ctx' which has percpu_ref_exit()
> fs/io_uring.c:6115 io_sqe_files_unregister() warn: freeing 'data' which has percpu_ref_exit()
> fs/io_uring.c:6431 io_sqe_files_register() warn: freeing 'ctx->file_data' which has percpu_ref_exit()
> fs/io_uring.c:7134 io_ring_ctx_free() warn: freeing 'ctx' which has percpu_ref_exit()
> kernel/cgroup/cgroup.c:4948 css_free_rwork_fn() warn: freeing 'css' which has percpu_ref_exit()
> mm/backing-dev.c:615 cgwb_create() warn: freeing 'wb' which has percpu_ref_exit()

The file table io_uring issue is using the ref in a funky way, switching
in and out of atomic if we need to quiesce it. That's different from
other use cases, that just use it as a "normal" reference. Hence for the
funky use case, you can potentially have a switch in progress when you
exit the ref. You really want to wait for that, the easiest solution is
to punt the exit + free to an RCU callback, if there's nothing else you
need to handle once the switch is done.

So I would not be so quick to assume that similar patterns (exit + free)
have similar issues.

-- 
Jens Axboe
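The ordering problem described in the message above, as a userspace C model (an added example, not kernel code and not code from this thread): a mode switch is still pending when the object is torn down, and punting exit + free to a later callback lets the switch finish first. The FIFO callback queue, `struct table`, `teardown()` and the `freed` flag standing in for `kfree()` are assumptions of the model.

```c
/* Userspace model of the teardown ordering; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))

/* Deferred callbacks. Assumption of this model: one queue, run in FIFO order. */
struct cb { void (*fn)(struct cb *); struct cb *next; };
static struct cb *head, **tail = &head;
static void defer(struct cb *c, void (*fn)(struct cb *)) {
    c->fn = fn; c->next = NULL;
    *tail = c; tail = &c->next;
}
static void grace_period(void) {       /* run every queued callback in order */
    while (head) {
        struct cb *c = head;
        head = c->next;
        if (!head) tail = &head;
        c->fn(c);
    }
}

struct table {               /* hypothetical stand-in for the file table data */
    struct cb switch_cb;     /* pending "switch to atomic" completion */
    struct cb free_cb;       /* deferred exit + free */
    bool freed;              /* models kfree(); the memory stays valid here */
};
static int stale_reads;      /* callbacks that ran against a freed object */
static void switch_done(struct cb *c) {
    if (container_of(c, struct table, switch_cb)->freed) stale_reads++;
}
static void exit_and_free(struct cb *c) {
    container_of(c, struct table, free_cb)->freed = true;
}

/* A quiesce starts a mode switch, then the object is torn down. */
int teardown(bool punt_to_callback) {
    struct table t = {0};
    stale_reads = 0;
    defer(&t.switch_cb, switch_done);          /* switch in progress */
    if (punt_to_callback) defer(&t.free_cb, exit_and_free);
    else exit_and_free(&t.free_cb);            /* exit + free right away */
    grace_period();
    return stale_reads;
}

int main(void) {
    printf("immediate: %d stale, punted: %d stale\n", teardown(false), teardown(true));
    return 0;
}
```

In the model, the immediate path lets the pending switch callback run against an object already marked freed, which corresponds to the read KASAN flagged; the punted path runs the free only after the switch has completed.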