Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp676535rwd;
        Thu, 1 Jun 2023 05:21:38 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ78GRfUEheTHkiqmi7oqmst5/89+2gAMhM5wJTVSdrFBR5Zxw7k6gEW8LhB/Zdc00H5lPEx
X-Received: by 2002:a17:902:d4d0:b0:1b1:76c2:2966 with SMTP id o16-20020a170902d4d000b001b176c22966mr2144604plg.20.1685622098294;
        Thu, 01 Jun 2023 05:21:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685622098; cv=none;
        d=google.com; s=arc-20160816;
        b=AgZVl83WgWfnLOvKR9SUoElAIhABEQ1y15lGFPV/5YCttsPBrGeVjc1GD0ZE+MGkTz
         00tjRdDNrft15qaYaFKeZZo1GlDbns1xMV5RxY1BvwoLmZ5YNyNHBjj+1F91dlr1ZBIE
         hTEsD+NdMg8neyJCVajRzax0YgA8O7MJrvpgWxk8DrfIFneg0ACHgXulYIXQGQruKLJg
         e+3yPV5FN9Hs6UYS8gYAguQOO7dhLvEms8xc4bgTbUHLZ3GBFPNx78ApUJw4HysaiVQv
         RmjoAOv0oPF2JcXP7VKTUUgV+BA+l5qKbeUG8sX6TQeKSKa/azj7yA8kquNGyzbq3wb6
         zyBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=xyPeoWutKyPiILXgLviwGF1RLzkupo3yExspEf61QSc=;
        b=cdAjgezFLQtbvAxnghNSg4QlV3Go7dPQwozxnp6FgL+lX241iWnfNAEPSJBbI3q2x2
         Bi1yBl4QCfTooTfJlpSnuKorTKMZ1mV1gX2HP/Gs8tSaVAggd/zertO9brM7HgrY3cQa
         KHexaVDrSb7loAC03s1AzZRd1uAh7uZ0XrJI7mhA/vgVld8nrGowXYA7zH/jeKfIYTak
         rNFXKwg7MV7/7LKSHsvzn2O1ZP/YIVjkYhYfqUoQBmlPymcocgaP97Wb2H2mL+yoVZu6
         40sZRUkM7+MXFkvinrRjFf39AjLfJk/wqMWHnpPegQ7UFfwzLBBRGtyP3Sg54VbLonR0
         VM1Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@szeredi.hu header.s=google header.b=gXuksHS2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=szeredi.hu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c18-20020a170902c1d200b001a6e719421asi2575507plc.366.2023.06.01.05.21.25;
        Thu, 01 Jun 2023 05:21:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@szeredi.hu header.s=google header.b=gXuksHS2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=szeredi.hu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232340AbjFAMOn (ORCPT <rfc822;abelvesa@gmail.com> + 99 others);
        Thu, 1 Jun 2023 08:14:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57478 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233230AbjFAMOh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 1 Jun 2023 08:14:37 -0400
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E5C0E60
        for <linux-kernel@vger.kernel.org>; Thu,  1 Jun 2023 05:14:16 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-96fdc081cb3so99567566b.2
        for <linux-kernel@vger.kernel.org>; Thu, 01 Jun 2023 05:14:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=szeredi.hu; s=google; t=1685621596; x=1688213596;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=xyPeoWutKyPiILXgLviwGF1RLzkupo3yExspEf61QSc=;
        b=gXuksHS2G+jIJhUGBbUNjw/Kp8UgLvtwfvk2K1C4T1pZpYHIBEAQLW51xyX43VGcjk
         GNykJTKyqGdrNQOYpogcCBk8YczFIaj96DUaruH/VajUWK9C6MiCbxctzTu/3GXcpEcs
         72wEtWANLjdiGmP9AJbhKtikgTGG2YM35ujVQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1685621596; x=1688213596;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=xyPeoWutKyPiILXgLviwGF1RLzkupo3yExspEf61QSc=;
        b=E9cMQVpgeIyRhaUgIQ8/NIesqP8Y5dyW30gr/XblkJLyILYew3czXCssDwIHLPDmDi
         htyBxP8hhLy+s8XBi2xxZujqO+0+XSalSMXaJHlMiykBZQA4e+AjIsa7/UEy3Ex3KOYY
         TcyY8HjFRU6Od18o8ME1PRZOUC7AOruIamTbcdcilRi2/yGJUifDTHx9lEWTnMCnmnab
         LoTp7ggYyzhTbjpr9a2PYVmaUS6d3IzYlAr0tWCV/dBtQUzkX60TRgzot4j9ggYJmaEe
         jSCVH1q+5aoMifoB9pfw+Ady6uSvXoVGgHiJZmhGLDK4L1+tG4sxPv8/WLgAsiu6dZOa
         tBag==
X-Gm-Message-State: AC+VfDwMtAx0w/o6KyYzyJwDbWS8yFfZlXa9eem0pUvFTuz/bYEUodDZ
        4J8LcE1X4A/6tGBenjEcHUgokTmzecjN4ajD7MtgPg==
X-Received: by 2002:a17:907:3ea0:b0:96f:9608:da7c with SMTP id
 hs32-20020a1709073ea000b0096f9608da7cmr8501573ejc.36.1685621596227; Thu, 01
 Jun 2023 05:13:16 -0700 (PDT)
MIME-Version: 1.0
References: <20230531092643.45607-1-quic_pragalla@quicinc.com>
 <CAJfpegtr4dZkLzWD_ezAbFgTnbYaGDRq4TR1DUzz4AfFLSLJEA@mail.gmail.com> <27f39698-8b70-52df-3371-338f2de27108@quicinc.com>
In-Reply-To: <27f39698-8b70-52df-3371-338f2de27108@quicinc.com>
From:   Miklos Szeredi <miklos@szeredi.hu>
Date:   Thu, 1 Jun 2023 14:13:04 +0200
Message-ID: <CAJfpegtHicLw7-KjQem60UPaUyco7h1tZ+4EmOdC-=9=C8Tg8Q@mail.gmail.com>
Subject: Re: [PATCH V1] fuse: Abort the requests under processing queue with a spin_lock
To:     Pradeep Pragallapati <quic_pragalla@quicinc.com>
Cc:     linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 1 Jun 2023 at 12:02, Pradeep Pragallapati
<quic_pragalla@quicinc.com> wrote:
>
>
> On 5/31/2023 5:22 PM, Miklos Szeredi wrote:
> > On Wed, 31 May 2023 at 11:26, Pradeep P V K <quic_pragalla@quicinc.com> wrote:
> >> There is a potential race/timing issue while aborting the
> >> requests on processing list between fuse_dev_release() and
> >> fuse_abort_conn(). This is resulting into below warnings
> >> and can even result into UAF issues.
> > Okay, but...
> >
> >> [22809.190255][T31644] refcount_t: underflow; use-after-free.
> >> [22809.190266][T31644] WARNING: CPU: 2 PID: 31644 at lib/refcount.c:28
> >> refcount_warn_saturate+0x110/0x158
> >> ...
> >> [22809.190567][T31644] Call trace:
> >> [22809.190567][T31644]  refcount_warn_saturate+0x110/0x158
> >> [22809.190569][T31644]  fuse_file_put+0xfc/0x104
> > ...how can this cause the file refcount to underflow?  That would
> > imply that fuse_request_end() will be called for the same request
> > twice.  I can't see how that can happen with or without the locking
> > change.
> Please ignore this patch. i overlooked it as list_splice in
> fuse_dev_release() and made the change.
> > Do you have a reproducer?
>
> don't have exact/specific steps but i will try to recreate. This is
> observed during stability testing (involves io, reboot, monkey, e.t.c.)
> for 24hrs. So, far this is seen on both 5.15 and 6.1 kernels. Do you
> have any points or speculations to share ?

Do you have KASAN enabled in the kernel?  That might help UAF issues easier.

Thanks,
Miklos