Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp526249ybh; Wed, 22 Jul 2020 06:46:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJweFJJD2P5ag8hySTuz3WX/lIyFS55FiFQOkIMHsB4u/vPhNf2++v5+2JalWjKe3eNvDxtA X-Received: by 2002:a17:906:9381:: with SMTP id l1mr29122784ejx.20.1595425615162; Wed, 22 Jul 2020 06:46:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595425615; cv=none; d=google.com; s=arc-20160816; b=XZpOS24Yz/YTb3I3pTSgUkoaAzATTELAZ3DgudcKXufKEVflNwhtztQjzjN3zVXxFp sx0cxkocD1V2leDNetZkomA70wKQ8OTdk94b8aEHQRS3BBJP9ofrzBbWPig09F8TLT2/ p7SUBFM1GckjncQe/Ab0a+9EB/PxTEDx3kaUvMHGvzMP8OKBORgjcfHTcFIaFRr0JNA8 ZR6Ga3Fmo9Op4Ii699VsKg3tzhHg/i09vFsOQ5IwnkPQ9FTXnEYu8dVGtEQww6KHfxGj FpUiA92j9hEJXFyVNfPY+i2iXhlzflAY21z4bTNTcLHgBdT4ZPVjJErTsWLt17mg94hr Ktyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=EWtLJL7w8EdfjQzaisXGJJvbCuuFzVysmmdZePTzIok=; b=ixVcETbZXbUIlfl086R4K/EUPRBS6FXPVhnnwDiOdEuj0EpDiaGfyAvlMWky7PklrK MR35yqcVFUVH18+w1TTS1u0BHpEm5Eblphez+G+UGbDFWAIzkxuLw+k2HjVwu0vHEQ3z frXQW2FbfpZMFjvrDC/eDuQ6QZQjWnTaY/y84jZ9ie6w6m6Lj4uTyGaZg8inhyUAVOg0 yWS0iV+EGg/xfqXBsveWIBkLfj9BsEE4/SKsrRDnT6ZIp9Ey2RK+KZ+VNsLm661VE3Tr 54CUsuFiHzyTcz/WaAUqL0Y3JhjzkCnNDffMOshVPQic/jyYjA+TB6zly8/ZP3sikYJo AHdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=rjrwIKiP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j7si22348ejx.378.2020.07.22.06.46.32; Wed, 22 Jul 2020 06:46:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=rjrwIKiP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731994AbgGVNoO (ORCPT + 99 others); Wed, 22 Jul 2020 09:44:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726425AbgGVNoO (ORCPT ); Wed, 22 Jul 2020 09:44:14 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CE2B7C0619DC for ; Wed, 22 Jul 2020 06:44:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=EWtLJL7w8EdfjQzaisXGJJvbCuuFzVysmmdZePTzIok=; b=rjrwIKiPstA8yWJdW8Up2uspRV rwKIKh2XGEQ8tsJnoviP/DdIzp7ETM6Aw2W7bWNFN6+/19Ep962KY+oYk6N2RfW6iTsPQwng9C1ck jCbXc75SuPEoul7ukUFRZ2ITNrZ8Iqz3AwtGBDyc0tpbphhA3HM3bwMrLZCAG1dqsVqoMBVsk0ePX G4F7ljF1XvtFxlsulDDNM+rOmscanmsidDtI20CB9kGHWv1qRGWxYi+A5+xL+2rAAnlM0zRz1Httk dkomk/kaEge6PfFiDVjblvm+ObOQ8KVFSS8KEz9fx/AmLj6VLpzSMt4kj8V+aUqg+FpPnQ8x/MVaj fk7OHEHQ==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1jyF2X-0003j3-A3; Wed, 22 Jul 2020 13:44:09 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id B4B7F3006D0; Wed, 22 Jul 2020 15:44:06 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 829A1233D6983; Wed, 22 Jul 2020 15:44:06 +0200 (CEST) Date: Wed, 22 Jul 2020 15:44:06 +0200 From: Peter Zijlstra To: Qian Cai Cc: mark.rutland@arm.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH -next] fork: silence a false postive warning in __mmdrop Message-ID: <20200722134406.GN10769@hirez.programming.kicks-ass.net> References: <20200604150344.1796-1-cai@lca.pw> <20200722100637.GR119549@hirez.programming.kicks-ass.net> <20200722131900.GA4041@lca.pw> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200722131900.GA4041@lca.pw> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 22, 2020 at 09:19:00AM -0400, Qian Cai wrote: > On Wed, Jul 22, 2020 at 12:06:37PM +0200, peterz@infradead.org wrote: > > On Thu, Jun 04, 2020 at 11:03:44AM -0400, Qian Cai wrote: > > > The linux-next commit bf2c59fce407 ("sched/core: Fix illegal RCU from > > > offline CPUs") delayed, > > > > > > idle->active_mm = &init_mm; > > > > > > into finish_cpu() instead of idle_task_exit() which results in a false > > > positive warning that was originally designed in the commit 3eda69c92d47 > > > ("kernel/fork.c: detect early free of a live mm"). > > > > > > WARNING: CPU: 127 PID: 72976 at kernel/fork.c:697 > > > __mmdrop+0x230/0x2c0 > > > do_exit+0x424/0xfa0 > > > Call Trace: > > > do_exit+0x424/0xfa0 > > > do_group_exit+0x64/0xd0 > > > sys_exit_group+0x24/0x30 > > > system_call_exception+0x108/0x1d0 > > > system_call_common+0xf0/0x278 > > > > Please explain; because afaict this is a use-after-free. > > > > The thing is __mmdrop() is going to actually free the mm, so then what > > is finish_cpu()'s mmdrop() going to do? > > > > ->active_mm() should have a refcount on the mm. > > Well, the refcount issue you mentioned then happens all before bf2c59fce407 was > introduced as well, but then it looks harmless because mmdrop() in finish_cpu() > will do, > > if (unlikely(atomic_dec_and_test(&mm->mm_count))) > __mmdrop(mm); That's not harmless, that's a use-after-free. Those can cause memory corruption bugs and the like at best. Who knows what's at the location of mm->mm_count after we've already freed it. > where that atomic_dec_and_test() see the negative refcount and will not involve > __mmdrop() again. It is not clear to me that once the CPU is offline if it > needs to care about its idle thread mm_count at all. Even if this refcount > issue is finally addressed, it could hit this warning in finish_cpu() without > this patch. > > On the other hand, if you look at the commit 3eda69c92d47, it is clearly that > the assumption of, > > WARN_ON_ONCE(mm == current->active_mm); > > is totally gone due to bf2c59fce407. Thus, the patch is to fix that discrepancy > first and then I'll look at that the imbalance mmdrop()/mmgrab() elsewhere. No, you're talking nonsense. We must not free @mm when 'current->active_mm == mm', never.