Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2430989rwb; Mon, 19 Sep 2022 05:10:39 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5YfP+a3eM427YkhELV71D0j77qRT2QIZ0lk+kTBvpO7IoMS8S4mPkREJ7p/J1tFTxeXPQJ X-Received: by 2002:a17:906:8a57:b0:781:9705:df89 with SMTP id gx23-20020a1709068a5700b007819705df89mr134536ejc.266.1663589439256; Mon, 19 Sep 2022 05:10:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663589439; cv=none; d=google.com; s=arc-20160816; b=0Q3Ynxlf8/AUSNMTLJotqVfqZpdoovWDx0CliYDH+j9oDite+DoFlfbQ00EeIY78LN 94Hu9fZjRlHsTbfOZHyANotGDewviKi+mpxfyluq0LXgZqqgCJ8WWEJWOnwxYNnvsf5w 3WcBKARasvsYW9H1kRwbd7GfaDPdQeNYhgV1QG2dSs9wS6ppKGWycioSei9leZ6p13dQ LkGC8B1Sb6Ac4jiDRw83G2exZkNE6ppgYxf3GIoGRvVUVlaNXmcjgNpMneODAyavocbL +QKwBkUGWffdX4DwZzOXOEW6lUQvRBWRudm2SQ7MSwG8EmRHreAnLNbuXEwdAIdJGKCV sgLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=w+dFo8W95tIbaQBNJMj5wAl0o5DxVWuVKQ51rqkGwCY=; b=LR3GZZB7oF1UfUdM4ZIZLJnMsmZbSkNQXudlpk/PulZaE/Qs8+cfjd2Tke5KqaEbxI jdWS5KVZwRNT02JlDaLLrSIVEzHFyG+twwM64PlCj2INy6aiBZGHNqN8QgXVBRE8o/rB QxzOuaoEQH5CyKjRfZgM1hl0ie/REeIgYhiwwhSLi94NmLKLSOrIZio1+5048czKPFke HSP41QTSmGAiZ/pDnOlAlDwJLxGrVK+4C/vYg1Gn3M5ApYAjlM3dgPOgIKLGlXe3kWx5 QiAMQd/TkbSg2On3i8HDn8HrqeZnuWGn5NYiRLcJ+5ewqGdQ+hAJH+SeVjwXUtrnHtC4 st0A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NaOuw8SS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hv19-20020a17090760d300b00780ed38dd7fsi6334702ejc.740.2022.09.19.05.10.12; Mon, 19 Sep 2022 05:10:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NaOuw8SS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230170AbiISL5O (ORCPT + 99 others); Mon, 19 Sep 2022 07:57:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46110 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230055AbiISL4s (ORCPT ); Mon, 19 Sep 2022 07:56:48 -0400 Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 97ED56358 for ; Mon, 19 Sep 2022 04:56:36 -0700 (PDT) Received: by mail-pg1-x52b.google.com with SMTP id q9so17426751pgq.8 for ; Mon, 19 Sep 2022 04:56:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date; bh=w+dFo8W95tIbaQBNJMj5wAl0o5DxVWuVKQ51rqkGwCY=; b=NaOuw8SSxxqJ9ysb6JwnBPNiZwqql65Y51YAqXNA2eexEHTNXi4fEAMz4bhoBrfg09 pezwwG7aoNzvZskhzIpgjniFHseiAnBPrcY4nIx3DWATu3NZSYVlyXzdceJPS5kTNMeX /tUNskE3Ehru0FUNBFzFuRhUJt9+DiakniLZhriqx8vRgFxwdnESzY1ZnNmnev8qeT0c k6UgM5uMK0cZWpXhevfg/QGrb1YgvPwyiMcnQjn0jxI0HlqRaOTCT9fJ95v2u9njnSWX VFYkRf4TSWf2D9jqZOOSSrvOvyq5rYMorR0RdEkYW4VT32bHtFH/E1g58qeNFNmszpyk ywXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date; bh=w+dFo8W95tIbaQBNJMj5wAl0o5DxVWuVKQ51rqkGwCY=; b=CZhXbgx2Q5SVXExu9HCwAuiyqj0O30Nc9cAc0SKG0KiIaQ+yJ57BRM4Dol6kqs28Rp QEjMzKTuvhVUbl8qgzeOKPigUEHk77DWSHANL/xz7fQbaJB4KxlPV36TOtfKI408KXdC D7B/u5UJUf1ZH2Fg69Wq1FYyIdKEc0lBguvMqNoKUHAWFTItI+jk5sauzPSAASC/SmxH nBj3ynP1Ba9l70cGzvnLX5BGeMsI/hxedcLH2BVAQ1hHU0IcIY0jOU2xYon1rUFLF0zc XUml2etA7NPAJ6t6F0hx7j1KGgU7XxcjUtheZoyAdmdetdbFmtevKhu7B9/gOUMAzhTa r8fA== X-Gm-Message-State: ACrzQf3SEug0w/xpl5qz4IzNdkPTDrc8lMYgKUiwL3vWMnORUmF6ZsYH 8z7B4qP34MiKRDmpfTFn2xg= X-Received: by 2002:a63:ed4d:0:b0:438:8ba7:e598 with SMTP id m13-20020a63ed4d000000b004388ba7e598mr15031564pgk.226.1663588596054; Mon, 19 Sep 2022 04:56:36 -0700 (PDT) Received: from hyeyoo ([114.29.91.56]) by smtp.gmail.com with ESMTPSA id e2-20020a17090301c200b001754e086eb3sm20543948plh.302.2022.09.19.04.56.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Sep 2022 04:56:35 -0700 (PDT) Date: Mon, 19 Sep 2022 20:56:29 +0900 From: Hyeonggon Yoo <42.hyeyoo@gmail.com> To: Vlastimil Babka Cc: Feng Tang , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Andrew Morton , Waiman Long , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com Subject: Re: [PATCH] mm/slab_common: fix possiable double free of kmem_cache Message-ID: References: <20220919031241.1358001-1-feng.tang@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HK_RANDOM_ENVFROM, HK_RANDOM_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 19, 2022 at 11:12:38AM +0200, Vlastimil Babka wrote: > On 9/19/22 05:12, Feng Tang wrote: > > When doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu' > > kunit test case cause a use-after-free error: > > If I'm not mistaken, I think the subject should be: s/double free/use after free/g > > BUG: KASAN: use-after-free in kobject_del+0x14/0x30 > > Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261 > > > > CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 > > Call Trace: > > > > dump_stack_lvl+0x34/0x48 > > print_address_description.constprop.0+0x87/0x2a5 > > print_report+0x103/0x1ed > > kasan_report+0xb7/0x140 > > kobject_del+0x14/0x30 > > kmem_cache_destroy+0x130/0x170 > > test_exit+0x1a/0x30 > > kunit_try_run_case+0xad/0xc0 > > kunit_generic_run_threadfn_adapter+0x26/0x50 > > kthread+0x17b/0x1b0 > > > > > > The cause is inside kmem_cache_destroy(): > > > > kmem_cache_destroy > > acquire lock/mutex > > shutdown_cache > > schedule_work(kmem_cache_release) (if RCU flag set) > > release lock/mutex > > kmem_cache_release (if RCU flag set) > > ^ not set > > I've fixed that up. > > > > > in some certain timing, the scheduled work could be run before > > the next RCU flag checking which will get a wrong state. > > > > Fix it by caching the RCU flag inside protected area, just like 'refcnt' Very nice catch, thanks! Otherwise (and with Vlastimil's fix): Looks good to me. Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> > > > > Signed-off-by: Feng Tang > > Thanks! > > > --- > > > > note: > > > > The error only happens on linux-next tree, and not in Linus' tree, > > which already has Waiman's commit: > > 0495e337b703 ("mm/slab_common: Deleting kobject in kmem_cache_destroy() > > without holding slab_mutex/cpu_hotplug_lock") > > Actually that commit is already in Linus' rc5 too, so I will send your fix > this week too. Added a Fixes: 0495e337b703 (...) too. > > > mm/slab_common.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/mm/slab_common.c b/mm/slab_common.c > > index 07b948288f84..ccc02573588f 100644 > > --- a/mm/slab_common.c > > +++ b/mm/slab_common.c > > @@ -475,6 +475,7 @@ void slab_kmem_cache_release(struct kmem_cache *s) > > void kmem_cache_destroy(struct kmem_cache *s) > > { > > int refcnt; > > + bool rcu_set; > > > > if (unlikely(!s) || !kasan_check_byte(s)) > > return; > > @@ -482,6 +483,8 @@ void kmem_cache_destroy(struct kmem_cache *s) > > cpus_read_lock(); > > mutex_lock(&slab_mutex); > > > > + rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU; > > + > > refcnt = --s->refcount; > > if (refcnt) > > goto out_unlock; > > @@ -492,7 +495,7 @@ void kmem_cache_destroy(struct kmem_cache *s) > > out_unlock: > > mutex_unlock(&slab_mutex); > > cpus_read_unlock(); > > - if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU)) > > + if (!refcnt && !rcu_set) > > kmem_cache_release(s); > > } > > EXPORT_SYMBOL(kmem_cache_destroy); > -- Thanks, Hyeonggon