Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp777504ybz; Wed, 15 Apr 2020 18:49:51 -0700 (PDT) X-Google-Smtp-Source: APiQypLJ3wKjXUMRFGv43f+Q0dSHuDzagKWpir1V7C2mi/RNJ5PzUhyKCK2Gw7g+bHryJ7mOJd78 X-Received: by 2002:aa7:c152:: with SMTP id r18mr27223585edp.378.1587001791075; Wed, 15 Apr 2020 18:49:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587001791; cv=none; d=google.com; s=arc-20160816; b=rFPDpcUY/sNzA0rmt9YlpSgzRSjGBg3UrYtRx88JwDqr7vTOE7MptwJtKDdLq1eUvW RiXmOvEVJf2xFtNdCkMLaIO12LDrg7hkaj3tvs8thrX1JaPtkRm+8ksiUGGOMiDhFeRK wM21uB+hn6U8NVdBQkKadgKybDsnl/KXRuFbLn/EHg7xsX0yv2wmNMqGLrzMgJcIUjkV izc7/n42YAvJhRw2rJf2+njHiXHHmyHyrQDtaqiATgbqN9ZpizmT57YPgg47iW1KSTWi rW/uxHKhjDeJLy/TJUptfPbp2NJXWFaacm79l3vlGyDZLFL+ADbqLIOxmK+ui17J/DIF Ig1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=1pCPyvop27p32FWiZyhNH0za3dC+o6FoXLYFcPh/pxk=; b=EBcjVTVTi3YV0WNSZXEVzk76nk6lCh874c3WMA32j5W1ltQEeRiARmL7Oow54wgbJG 7zAjhvQtimvpgDtaXwjKTwa49Y87Ebg9F7e95FgEr5cpqIOhUzFE3KFNltwB6Grt9Vz/ YyxB8RslEoQoYs3muRqiK6qdw6xvCmjH/YIQ/HTcpN8Ai9b93xgtPp3ri5ODtFvZ44Hc vgqJ541hvZyUzG6giFrFvIW9E/CddGueGBQNC/DmEQFxpH0WaPdrF1Z+RVy7baRC5DF5 ridpLydvVKtQnPYbYC79nLgHY9sB9OgJLlv2CIb6ugiioqi0TgoinIRQlX3JbF/mybnG gozA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g15si12259910edm.374.2020.04.15.18.49.28; Wed, 15 Apr 2020 18:49:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1416212AbgDOQqc (ORCPT + 99 others); Wed, 15 Apr 2020 12:46:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60290 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1416207AbgDOQqb (ORCPT ); Wed, 15 Apr 2020 12:46:31 -0400 Received: from Galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6DF7C061A0C for ; Wed, 15 Apr 2020 09:46:30 -0700 (PDT) Received: from bigeasy by Galois.linutronix.de with local (Exim 4.80) (envelope-from ) id 1jOlBE-0006ny-Gl; Wed, 15 Apr 2020 18:46:28 +0200 Date: Wed, 15 Apr 2020 18:46:28 +0200 From: Sebastian Andrzej Siewior To: Matt Fleming Cc: linux-rt@vger.kernel.org, linux-kernel@vger.kernel.org, Daniel Wagner Subject: Re: [PATCH RT] signal: Prevent double-free of user struct Message-ID: <20200415164628.2dgrj4ghvtev45sy@linutronix.de> References: <20200407095413.30039-1-matt@codeblueprint.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200407095413.30039-1-matt@codeblueprint.co.uk> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-04-07 10:54:13 [+0100], Matt Fleming wrote: > The way user struct reference counting works changed significantly with, > > fda31c50292a ("signal: avoid double atomic counter increments for user accounting") > > Now user structs are only freed once the last pending signal is > dequeued. Make sigqueue_free_current() follow this new convention to > avoid freeing the user struct multiple times and triggering this > warning: > > refcount_t: underflow; use-after-free. > WARNING: CPU: 0 PID: 6794 at lib/refcount.c:288 refcount_dec_not_one+0x45/0x50 > Call Trace: > refcount_dec_and_lock_irqsave+0x16/0x60 > free_uid+0x31/0xa0 > ? schedule_hrtimeout_range_clock+0x104/0x110 > __dequeue_signal+0x17c/0x190 > dequeue_signal+0x5a/0x1b0 > do_sigtimedwait+0x208/0x250 > __x64_sys_rt_sigtimedwait+0x6f/0xd0 > do_syscall_64+0x72/0x200 > entry_SYSCALL_64_after_hwframe+0x49/0xbe While all this sounds reasonable, may I ask what did you do to trigger this? This is v5.6 only, correct? Sebastian