From: Pradeep Pragallapati
To: Miklos Szeredi
Date: Thu, 1 Jun 2023 15:32:24 +0530
Subject: Re: [PATCH V1] fuse: Abort the requests under processing queue with a spin_lock
Message-ID: <27f39698-8b70-52df-3371-338f2de27108@quicinc.com>
References: <20230531092643.45607-1-quic_pragalla@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/31/2023 5:22 PM, Miklos Szeredi wrote:
> On Wed, 31 May 2023 at 11:26, Pradeep P V K wrote:
>> There is a potential race/timing issue while aborting the
>> requests on processing list between fuse_dev_release() and
>> fuse_abort_conn(). This is resulting in the warnings below
>> and can even result in UAF issues.
> Okay, but...
>
>> [22809.190255][T31644] refcount_t: underflow; use-after-free.
>> [22809.190266][T31644] WARNING: CPU: 2 PID: 31644 at lib/refcount.c:28
>> refcount_warn_saturate+0x110/0x158
>> ...
>> [22809.190567][T31644] Call trace:
>> [22809.190567][T31644] refcount_warn_saturate+0x110/0x158
>> [22809.190569][T31644] fuse_file_put+0xfc/0x104
> ...how can this cause the file refcount to underflow? That would
> imply that fuse_request_end() will be called for the same request
> twice. I can't see how that can happen with or without the locking
> change.

Please ignore this patch. I overlooked it as list_splice in
fuse_dev_release() and made the change.

> Do you have a reproducer?

Don't have exact/specific steps, but I will try to recreate. This is
observed during stability testing (involves io, reboot, monkey, etc.)
for 24hrs. So far, this is seen on both 5.15 and 6.1 kernels.
Do you have any points or speculations to share?

Thanks,
Pradeep

> Thanks,
> Miklos