Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp742619ybz; Wed, 15 Apr 2020 17:59:54 -0700 (PDT) X-Google-Smtp-Source: APiQypLWsPD+4bObI5AY29pNI9dgbjah+oJNzF1iceOurbpxP/8tkExqQ87WTCoPcGGMIrV1xgUT X-Received: by 2002:a17:906:cc2:: with SMTP id l2mr7773239ejh.115.1586998794116; Wed, 15 Apr 2020 17:59:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586998794; cv=none; d=google.com; s=arc-20160816; b=EL6RNzzZHH8rpqFWjYq3oZZvN/ULhdHktqytCrMgrwpfGf6NOOcb2KX5Lzmh7C8S+B A+w0vmKvcApIr0xPakEvBtWzh1dCiR/3ztbuG+qt1KJyPisIElO6g2cmmyXwLGqyy6Nz e2O0VB4mTKetWAy8bDVtffEifO6e3qI2jv0tg/5D5jR9/3YmTStwE/FiDzNTo8icSlQb 8oucDnwfWRXHYlcuuzhOIwVGwsaZEteb3CWG4VwHyEFP/YTMyrvjy8sKNLGyBgNHL4Ib 9pTr1j89Mwf/WtKPnWq7rrcDAZBo1Wd+52c/JnUJvyN2Mx/TFf892FnahEWOF/4ktACo x+6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=knn/dlFMJe+jBiPRvoYotRhrStD5zdaknNc5601DouQ=; b=DEMctzvc4+eBNSbfrLHbjpi+Vr5zcRlVYFxj1WULhZ/BbYiyMplEXTFsiE7ckHRtyJ TUyZS1mhuDWJmVGznl8HAMGJi4ORmZYg71jB3R6ZZsecUwSG2OeOxNxchHbyabD8RoNf /hXkO4uMmjNvpmC6TLvta9iZXI8RaNQ9RjrePbJRc8VucRO/U96/j1bBKu4kYnP6blom 1D1oy57RCmBUU8uGKC8vWFrrM+0o0u6BD+Mo9ZnbEHQ/92k3rRNdaqsAe70uZVOmueAE qpS/x/DFNaQPfqkNK2SlSX0Y7epZQ0LF3HgrgXp3atb1i4EClLuQlqaLAk5Too1mqVN1 JHRA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=monom.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b16si11570644ejb.327.2020.04.15.17.59.31; Wed, 15 Apr 2020 17:59:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=monom.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2441745AbgDOTOw (ORCPT + 99 others); Wed, 15 Apr 2020 15:14:52 -0400 Received: from mail.monom.org ([188.138.9.77]:40386 "EHLO mail.monom.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726385AbgDOTFS (ORCPT ); Wed, 15 Apr 2020 15:05:18 -0400 Received: from mail.monom.org (localhost [127.0.0.1]) by filter.mynetwork.local (Postfix) with ESMTP id D23AE500699; Wed, 15 Apr 2020 21:05:14 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.monom.org X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham autolearn_force=no version=3.4.2 Received: from [192.168.154.205] (b9168f17.cgn.dg-w.de [185.22.143.23]) by mail.monom.org (Postfix) with ESMTPSA id 91DFF50029E; Wed, 15 Apr 2020 21:05:14 +0200 (CEST) Subject: Re: [PATCH RT] signal: Prevent double-free of user struct To: Sebastian Andrzej Siewior , Matt Fleming Cc: linux-rt@vger.kernel.org, linux-kernel@vger.kernel.org References: <20200407095413.30039-1-matt@codeblueprint.co.uk> <20200415164628.2dgrj4ghvtev45sy@linutronix.de> From: Daniel Wagner Message-ID: Date: Wed, 15 Apr 2020 21:05:14 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0 MIME-Version: 1.0 In-Reply-To: <20200415164628.2dgrj4ghvtev45sy@linutronix.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Sebastian, On 15.04.20 18:46, Sebastian Andrzej Siewior wrote: > On 2020-04-07 10:54:13 [+0100], Matt Fleming wrote: >> The way user struct reference counting works changed significantly with, >> >> fda31c50292a ("signal: avoid double atomic counter increments for user accounting") >> >> Now user structs are only freed once the last pending signal is >> dequeued. Make sigqueue_free_current() follow this new convention to >> avoid freeing the user struct multiple times and triggering this >> warning: >> >> refcount_t: underflow; use-after-free. >> WARNING: CPU: 0 PID: 6794 at lib/refcount.c:288 refcount_dec_not_one+0x45/0x50 >> Call Trace: >> refcount_dec_and_lock_irqsave+0x16/0x60 >> free_uid+0x31/0xa0 >> ? schedule_hrtimeout_range_clock+0x104/0x110 >> __dequeue_signal+0x17c/0x190 >> dequeue_signal+0x5a/0x1b0 >> do_sigtimedwait+0x208/0x250 >> __x64_sys_rt_sigtimedwait+0x6f/0xd0 >> do_syscall_64+0x72/0x200 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe > > While all this sounds reasonable, may I ask what did you do to trigger > this? This can be triggered by running sigwaittest. # sigwaittest -t -a -p 98 a few seconds should be enough to get the splat. > This is v5.6 only, correct? I've seen this also with a frankstein version of 5.2-rt...v5-4-rt :) Thanks, Daniel