From: Miklos Szeredi
Date: Wed, 31 May 2023 13:52:09 +0200
Subject: Re: [PATCH V1] fuse: Abort the requests under processing queue with a spin_lock
To: Pradeep P V K
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20230531092643.45607-1-quic_pragalla@quicinc.com>
In-Reply-To: <20230531092643.45607-1-quic_pragalla@quicinc.com>

On Wed, 31 May 2023 at 11:26, Pradeep P V K wrote:
>
> There is a potential race/timing issue while aborting the
> requests on processing list between fuse_dev_release() and
> fuse_abort_conn(). This results in the warnings below
> and can even result in UAF issues.

Okay, but...

>
> [22809.190255][T31644] refcount_t: underflow; use-after-free.
> [22809.190266][T31644] WARNING: CPU: 2 PID: 31644 at lib/refcount.c:28
> refcount_warn_saturate+0x110/0x158
> ...
> [22809.190567][T31644] Call trace:
> [22809.190567][T31644] refcount_warn_saturate+0x110/0x158
> [22809.190569][T31644] fuse_file_put+0xfc/0x104

...how can this cause the file refcount to underflow? That would imply
that fuse_request_end() will be called for the same request twice. I
can't see how that can happen with or without the locking change.

Do you have a reproducer?

Thanks,
Miklos