Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp526249ybh;
        Wed, 22 Jul 2020 06:46:55 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJweFJJD2P5ag8hySTuz3WX/lIyFS55FiFQOkIMHsB4u/vPhNf2++v5+2JalWjKe3eNvDxtA
X-Received: by 2002:a17:906:9381:: with SMTP id l1mr29122784ejx.20.1595425615162;
        Wed, 22 Jul 2020 06:46:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595425615; cv=none;
        d=google.com; s=arc-20160816;
        b=XZpOS24Yz/YTb3I3pTSgUkoaAzATTELAZ3DgudcKXufKEVflNwhtztQjzjN3zVXxFp
         sx0cxkocD1V2leDNetZkomA70wKQ8OTdk94b8aEHQRS3BBJP9ofrzBbWPig09F8TLT2/
         p7SUBFM1GckjncQe/Ab0a+9EB/PxTEDx3kaUvMHGvzMP8OKBORgjcfHTcFIaFRr0JNA8
         ZR6Ga3Fmo9Op4Ii699VsKg3tzhHg/i09vFsOQ5IwnkPQ9FTXnEYu8dVGtEQww6KHfxGj
         FpUiA92j9hEJXFyVNfPY+i2iXhlzflAY21z4bTNTcLHgBdT4ZPVjJErTsWLt17mg94hr
         Ktyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=EWtLJL7w8EdfjQzaisXGJJvbCuuFzVysmmdZePTzIok=;
        b=ixVcETbZXbUIlfl086R4K/EUPRBS6FXPVhnnwDiOdEuj0EpDiaGfyAvlMWky7PklrK
         MR35yqcVFUVH18+w1TTS1u0BHpEm5Eblphez+G+UGbDFWAIzkxuLw+k2HjVwu0vHEQ3z
         frXQW2FbfpZMFjvrDC/eDuQ6QZQjWnTaY/y84jZ9ie6w6m6Lj4uTyGaZg8inhyUAVOg0
         yWS0iV+EGg/xfqXBsveWIBkLfj9BsEE4/SKsrRDnT6ZIp9Ey2RK+KZ+VNsLm661VE3Tr
         54CUsuFiHzyTcz/WaAUqL0Y3JhjzkCnNDffMOshVPQic/jyYjA+TB6zly8/ZP3sikYJo
         AHdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=rjrwIKiP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j7si22348ejx.378.2020.07.22.06.46.32;
        Wed, 22 Jul 2020 06:46:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=rjrwIKiP;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731994AbgGVNoO (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Wed, 22 Jul 2020 09:44:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44510 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726425AbgGVNoO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 Jul 2020 09:44:14 -0400
Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CE2B7C0619DC
        for <linux-kernel@vger.kernel.org>; Wed, 22 Jul 2020 06:44:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version:
        References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description;
        bh=EWtLJL7w8EdfjQzaisXGJJvbCuuFzVysmmdZePTzIok=; b=rjrwIKiPstA8yWJdW8Up2uspRV
        rwKIKh2XGEQ8tsJnoviP/DdIzp7ETM6Aw2W7bWNFN6+/19Ep962KY+oYk6N2RfW6iTsPQwng9C1ck
        jCbXc75SuPEoul7ukUFRZ2ITNrZ8Iqz3AwtGBDyc0tpbphhA3HM3bwMrLZCAG1dqsVqoMBVsk0ePX
        G4F7ljF1XvtFxlsulDDNM+rOmscanmsidDtI20CB9kGHWv1qRGWxYi+A5+xL+2rAAnlM0zRz1Httk
        dkomk/kaEge6PfFiDVjblvm+ObOQ8KVFSS8KEz9fx/AmLj6VLpzSMt4kj8V+aUqg+FpPnQ8x/MVaj
        fk7OHEHQ==;
Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net)
        by casper.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux))
        id 1jyF2X-0003j3-A3; Wed, 22 Jul 2020 13:44:09 +0000
Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (Client did not present a certificate)
        by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id B4B7F3006D0;
        Wed, 22 Jul 2020 15:44:06 +0200 (CEST)
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000)
        id 829A1233D6983; Wed, 22 Jul 2020 15:44:06 +0200 (CEST)
Date:   Wed, 22 Jul 2020 15:44:06 +0200
From:   Peter Zijlstra <peterz@infradead.org>
To:     Qian Cai <cai@lca.pw>
Cc:     mark.rutland@arm.com, akpm@linux-foundation.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next] fork: silence a false postive warning in __mmdrop
Message-ID: <20200722134406.GN10769@hirez.programming.kicks-ass.net>
References: <20200604150344.1796-1-cai@lca.pw>
 <20200722100637.GR119549@hirez.programming.kicks-ass.net>
 <20200722131900.GA4041@lca.pw>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200722131900.GA4041@lca.pw>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 22, 2020 at 09:19:00AM -0400, Qian Cai wrote:
> On Wed, Jul 22, 2020 at 12:06:37PM +0200, peterz@infradead.org wrote:
> > On Thu, Jun 04, 2020 at 11:03:44AM -0400, Qian Cai wrote:
> > > The linux-next commit bf2c59fce407 ("sched/core: Fix illegal RCU from
> > > offline CPUs") delayed,
> > > 
> > > idle->active_mm = &init_mm;
> > > 
> > > into finish_cpu() instead of idle_task_exit() which results in a false
> > > positive warning that was originally designed in the commit 3eda69c92d47
> > > ("kernel/fork.c: detect early free of a live mm").
> > > 
> > >  WARNING: CPU: 127 PID: 72976 at kernel/fork.c:697
> > >  __mmdrop+0x230/0x2c0
> > >  do_exit+0x424/0xfa0
> > >  Call Trace:
> > >  do_exit+0x424/0xfa0
> > >  do_group_exit+0x64/0xd0
> > >  sys_exit_group+0x24/0x30
> > >  system_call_exception+0x108/0x1d0
> > >  system_call_common+0xf0/0x278
> > 
> > Please explain; because afaict this is a use-after-free.
> > 
> > The thing is __mmdrop() is going to actually free the mm, so then what
> > is finish_cpu()'s mmdrop() going to do?
> > 
> > ->active_mm() should have a refcount on the mm.
> 
> Well, the refcount issue you mentioned then happens all before bf2c59fce407 was
> introduced as well, but then it looks harmless because mmdrop() in finish_cpu()
> will do,
> 
> 	if (unlikely(atomic_dec_and_test(&mm->mm_count)))
> 		__mmdrop(mm);

That's not harmless, that's a use-after-free. Those can cause memory
corruption bugs and the like at best. Who knows what's at the location
of mm->mm_count after we've already freed it.

> where that atomic_dec_and_test() see the negative refcount and will not involve
> __mmdrop() again. It is not clear to me that once the CPU is offline if it
> needs to care about its idle thread mm_count at all. Even if this refcount
> issue is finally addressed, it could hit this warning in finish_cpu() without
> this patch.
> 
> On the other hand, if you look at the commit 3eda69c92d47, it is clearly that
> the assumption of,
> 
>    WARN_ON_ONCE(mm == current->active_mm);
> 
> is totally gone due to bf2c59fce407. Thus, the patch is to fix that discrepancy
> first and then I'll look at that the imbalance mmdrop()/mmgrab() elsewhere.

No, you're talking nonsense. We must not free @mm when
'current->active_mm == mm', never.