From: Miklos Szeredi
Date: Thu, 1 Jun 2023 14:13:04 +0200
Subject: Re: [PATCH V1] fuse: Abort the requests under processing queue with a spin_lock
To: Pradeep Pragallapati
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20230531092643.45607-1-quic_pragalla@quicinc.com> <27f39698-8b70-52df-3371-338f2de27108@quicinc.com>
In-Reply-To: <27f39698-8b70-52df-3371-338f2de27108@quicinc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 1 Jun 2023 at 12:02, Pradeep Pragallapati wrote:
>
>
> On 5/31/2023 5:22 PM, Miklos Szeredi wrote:
> > On Wed, 31 May 2023 at 11:26, Pradeep P V K wrote:
> >> There is a potential race/timing issue while aborting the
> >> requests on the processing list between fuse_dev_release() and
> >> fuse_abort_conn(). This results in the warnings below
> >> and can even result in UAF issues.
> > Okay, but...
> >
> >> [22809.190255][T31644] refcount_t: underflow; use-after-free.
> >> [22809.190266][T31644] WARNING: CPU: 2 PID: 31644 at lib/refcount.c:28
> >> refcount_warn_saturate+0x110/0x158
> >> ...
> >> [22809.190567][T31644] Call trace:
> >> [22809.190567][T31644] refcount_warn_saturate+0x110/0x158
> >> [22809.190569][T31644] fuse_file_put+0xfc/0x104
> > ...how can this cause the file refcount to underflow? That would
> > imply that fuse_request_end() will be called for the same request
> > twice. I can't see how that can happen with or without the locking
> > change.
> Please ignore this patch. I overlooked it as list_splice in
> fuse_dev_release() and made the change.
> > Do you have a reproducer?
>
> Don't have exact/specific steps but I will try to recreate. This is
> observed during stability testing (involves io, reboot, monkey, etc.)
> for 24hrs. So far this is seen on both 5.15 and 6.1 kernels. Do you
> have any points or speculations to share?

Do you have KASAN enabled in the kernel? That might help to find UAF
issues more easily.

Thanks,
Miklos