Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Mon, 19 Sep 2022 20:50:34 +0800
From:   Feng Tang <feng.tang@intel.com>
To:     Vlastimil Babka <vbabka@suse.cz>
CC:     Christoph Lameter <cl@linux.com>,
        Pekka Enberg <penberg@kernel.org>,
        "David Rientjes" <rientjes@google.com>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        "Roman Gushchin" <roman.gushchin@linux.dev>,
        Hyeonggon Yoo <42.hyeyoo@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Waiman Long <longman@redhat.com>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "kasan-dev@googlegroups.com" <kasan-dev@googlegroups.com>
Subject: Re: [PATCH] mm/slab_common: fix possiable double free of kmem_cache
Message-ID: <Yyhlmq8GA5FnNoxq@feng-clx>
References: <20220919031241.1358001-1-feng.tang@intel.com>
 <e38cc728-f5e5-86d1-d6a1-c3e99cc02239@suse.cz>
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <e38cc728-f5e5-86d1-d6a1-c3e99cc02239@suse.cz>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?6NpvSP7/8al9Q99C+A0ThbNddw5TQb4bZYNnK75JBhp14j7fOaiSPrl7rajb?=
 =?us-ascii?Q?jkARIBDR71oqk2tt5IM1C9Ix5fMXWhSW2xA64eWeB6rAbqwjXk534wDGztJ9?=
 =?us-ascii?Q?b8E6jNaiWdA1K5+CWq6pFuPCoEmGEg6NtMJIPfob0mbbDdbgUcYxjBtapbU6?=
 =?us-ascii?Q?q5iw+tunDFYi9TRGyNidmyF2U9WNQC6tuKx2hiXSq9EewY501p0ilhRFOk8e?=
 =?us-ascii?Q?bmhAFJFKJ83H4aARlwfmHb2DIxED7k7gvmSVojjMx9bfBpcU/KiKibmYv8Zz?=
 =?us-ascii?Q?5r/3i2uqIJieWttwimuHaeWT/ZIzuURVln63ZA+SAv/orFkT47uL2mkyK+co?=
 =?us-ascii?Q?HJAm6hWQgkZMuT+31kGdOjrPSqcwWIF1zqvBFnBJHn56WWpdZX1vx+DLyryb?=
 =?us-ascii?Q?qgjQbWns7VVXvZj4zE6iDADxcuCaQ2/6KWID2tWC573bf0HFBr51cF8HfhFY?=
 =?us-ascii?Q?JD+90E81zGhWdY7nnCNZ6j/po70M66HhGmN38SR1RuYsTiWytedke7gizmPd?=
 =?us-ascii?Q?WM8Zhzi1zQZ23cakrEQyKUvz7zWk3mACNJDcQGOZhXPb//4BiU6tC6PSS6q3?=
 =?us-ascii?Q?RKxDDLgssTVxoC42Nt9NMmgjTs4IJIoRWE2Zo0V4EFDbDPt+BXJbqHHpbYpZ?=
 =?us-ascii?Q?upC2X/SuNG5oGBbTExBxuAr3syc3RFxxXioapFkS9xzlCSwj4/991uwPKzVV?=
 =?us-ascii?Q?ERES5VIgtT7yh8KOdnzTr031NDOqraRISzgM3D0stFTdrEsjY1sEk+d0vHUl?=
 =?us-ascii?Q?WGFwaC02Og6H0V57TAvEn8r7QkmNtjv57zw4QgWlRM+nZnEPGTETNBUBUpAP?=
 =?us-ascii?Q?L5yYQL57PGJpBmIaFFWfPA3SIo7YtI7eCwB7EbfkRyXH2fFaz2Q96ZUjEPDG?=
 =?us-ascii?Q?oOpwBf7MHGiQ9F/q1H3KfpQhN6fmKZQ4Cjdybgif6fjeXZO+V10vQKdrBox8?=
 =?us-ascii?Q?hDXSLr5P1OKmYMPr8acMHr/DjDadChce+pSx6kacnzFf55k+EEE9OtZxLgPK?=
 =?us-ascii?Q?W0QETEVr4Mhlbz5Vj/u6DUFBEMpwReZaND79va03jrs7qk/VBqvSg42/e6g3?=
 =?us-ascii?Q?tCTqWA410fhLMKI2m9NDkOJWeLBPhgjSCcHBw3Kri1mQh+0Ck5he+Dp5KLOV?=
 =?us-ascii?Q?wCI6POvn0CuCxqXk6EyhE6KmhHMKGodiLKadB0SJfqtuO+7XzH9vNjJGsbRn?=
 =?us-ascii?Q?1bgG0oA6qgy0e8Px78KRdWUNe4JQpxgcQ6H/Ble8NcuJzNJO9e0dlGtj0JFd?=
 =?us-ascii?Q?k87eioCGTNPWFnY+9AcyAgNme3fSHD3ROrsUnn/TnsxAE8mafnZa1fJ8rOBV?=
 =?us-ascii?Q?kUUZc/PqICE1zLsP04S9drSXCSLOw1XavwMh/GU15xpIiaGBipH5ULoLaHf7?=
 =?us-ascii?Q?AiGZ0PAx8XjabSvVAhfhbz3vfCvvte/adSk+Doqh1TfdvzMkDh2U0nopURn7?=
 =?us-ascii?Q?7R9/WUTX974IodvOBv8VUSMRs0X1W4O8chZdd4BBUhZb4Lm9X+MFuDU3TvbY?=
 =?us-ascii?Q?+rAPaX8B/zE1913oWywpHOGVMMPEQLY3B/A9nVhS9SzVbNMdLeH0gqcu6bSE?=
 =?us-ascii?Q?4JFUT3HAnJW76cejQbNtjNqKs8hCQgoQOSaDscLU?=
X-MS-Exchange-CrossTenant-Network-Message-Id: 0fe6c720-393e-401a-1813-08da9a3d9b59
X-MS-Exchange-CrossTenant-AuthSource: MN0PR11MB6304.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Sep 2022 12:51:01.7898
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: tebfLycAcnYf4HiBE0JyuVlOcQCzylK6sTALfghavpsTg7lq8z4FgUoKS51/AAa7F8FnatpGzBHXrA1SaDqf8g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB6290
X-OriginatorOrg: intel.com
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Sep 19, 2022 at 05:12:38PM +0800, Vlastimil Babka wrote:
> On 9/19/22 05:12, Feng Tang wrote:
[...]
> > The cause is inside kmem_cache_destroy():
> > 
> > kmem_cache_destroy
> >     acquire lock/mutex
> >     shutdown_cache
> >         schedule_work(kmem_cache_release) (if RCU flag set)
> >     release lock/mutex
> >     kmem_cache_release (if RCU flag set)
> 
> 				      ^ not set
> 
> I've fixed that up.

Oops.. Thanks for catching it!

> > 
> > in some certain timing, the scheduled work could be run before
> > the next RCU flag checking which will get a wrong state.
> > 
> > Fix it by caching the RCU flag inside protected area, just like 'refcnt'
> > 
> > Signed-off-by: Feng Tang <feng.tang@intel.com>
> 
> Thanks!
> 
> > ---
> > 
> > note:
> > 
> > The error only happens on linux-next tree, and not in Linus' tree,
> > which already has Waiman's commit:
> > 0495e337b703 ("mm/slab_common: Deleting kobject in kmem_cache_destroy()
> > without holding slab_mutex/cpu_hotplug_lock")
> 
> Actually that commit is already in Linus' rc5 too, so I will send your fix
> this week too. Added a Fixes: 0495e337b703 (...) too.

Got it, thanks

- Feng