Date: Mon, 19 Sep 2022 20:56:29 +0900
From: Hyeonggon Yoo <42.hyeyoo@gmail.com>
To: Vlastimil Babka
Cc: Feng Tang, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Andrew Morton, Waiman Long, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com
Subject: Re: [PATCH] mm/slab_common: fix possiable double free of kmem_cache
References: <20220919031241.1358001-1-feng.tang@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Sep 19, 2022 at 11:12:38AM +0200, Vlastimil Babka wrote:
> On 9/19/22 05:12, Feng Tang wrote:
> > When doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu'
> > kunit test case cause a use-after-free error:
> > 

If I'm not mistaken, I think the subject should be:
s/double free/use after free/g

> > BUG: KASAN: use-after-free in kobject_del+0x14/0x30
> > Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261
> > 
> > CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Call Trace:
> > 
> >  dump_stack_lvl+0x34/0x48
> >  print_address_description.constprop.0+0x87/0x2a5
> >  print_report+0x103/0x1ed
> >  kasan_report+0xb7/0x140
> >  kobject_del+0x14/0x30
> >  kmem_cache_destroy+0x130/0x170
> >  test_exit+0x1a/0x30
> >  kunit_try_run_case+0xad/0xc0
> >  kunit_generic_run_threadfn_adapter+0x26/0x50
> >  kthread+0x17b/0x1b0
> > 
> > 
> > The cause is inside kmem_cache_destroy():
> > 
> > kmem_cache_destroy
> >     acquire lock/mutex
> >     shutdown_cache
> >         schedule_work(kmem_cache_release) (if RCU flag set)
> >     release lock/mutex
> >     kmem_cache_release (if RCU flag set)
> 
>                                  ^ not set
> 
> I've fixed that up.
> 
> > 
> > in some certain timing, the scheduled work could be run before
> > the next RCU flag checking which will get a wrong state.
> > 
> > Fix it by caching the RCU flag inside protected area, just like 'refcnt'

Very nice catch, thanks!
Otherwise (and with Vlastimil's fix):

Looks good to me.
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>

> > 
> > Signed-off-by: Feng Tang
> 
> Thanks!
> 
> > ---
> > 
> > note:
> > 
> > The error only happens on linux-next tree, and not in Linus' tree,
> > which already has Waiman's commit:
> > 0495e337b703 ("mm/slab_common: Deleting kobject in kmem_cache_destroy()
> > without holding slab_mutex/cpu_hotplug_lock")
> 
> Actually that commit is already in Linus' rc5 too, so I will send your fix
> this week too. Added a Fixes: 0495e337b703 (...) too.
> 
> >  mm/slab_common.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/mm/slab_common.c b/mm/slab_common.c
> > index 07b948288f84..ccc02573588f 100644
> > --- a/mm/slab_common.c
> > +++ b/mm/slab_common.c
> > @@ -475,6 +475,7 @@ void slab_kmem_cache_release(struct kmem_cache *s)
> >  void kmem_cache_destroy(struct kmem_cache *s)
> >  {
> >  	int refcnt;
> > +	bool rcu_set;
> >  
> >  	if (unlikely(!s) || !kasan_check_byte(s))
> >  		return;
> > @@ -482,6 +483,8 @@ void kmem_cache_destroy(struct kmem_cache *s)
> >  	cpus_read_lock();
> >  	mutex_lock(&slab_mutex);
> >  
> > +	rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU;
> > +
> >  	refcnt = --s->refcount;
> >  	if (refcnt)
> >  		goto out_unlock;
> > @@ -492,7 +495,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
> >  out_unlock:
> >  	mutex_unlock(&slab_mutex);
> >  	cpus_read_unlock();
> > -	if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU))
> > +	if (!refcnt && !rcu_set)
> >  		kmem_cache_release(s);
> >  }
> >  EXPORT_SYMBOL(kmem_cache_destroy);
> 

-- 
Thanks,
Hyeonggon
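Review bot: The `rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU;` line in the second hunk needs a short comment explaining why the flag is snapshotted at this point: for an RCU cache, the work that shutdown_cache() schedules can free `s` as soon as slab_mutex is released, so this is the last place where `s->flags` may be read. Without that note a later cleanup could fold the read back into the condition at out_unlock and reintroduce the use-after-free this patch fixes.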
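Review bot: In the third hunk, `if (!refcnt && !rcu_set)` leaves kmem_cache_release(s) as the only access to `s` after cpus_read_unlock(), and it is reached only when this caller dropped the last reference and no RCU work was scheduled, so `s` is still owned by the caller there; the refcnt != 0 path touches nothing. That invariant (nothing dereferences `s` after the unlock unless the cache is neither RCU-typesafe nor still referenced) is what the fix relies on and is worth spelling out in the changelog, which currently only says the flag is cached "just like 'refcnt'".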
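The race described in the quoted changelog, as an added userspace model that is not part of this thread or of the kernel source: a constructed stand-in for struct kmem_cache, a deferred release that runs the moment the lock is dropped (the worst-case timing the changelog describes), and a poison marker in place of KASAN so that a read of freed memory is counted instead of being undefined behaviour. destroy_buggy() mirrors the pre-patch kmem_cache_destroy(), destroy_fixed() the patched one; all names other than SLAB_TYPESAFE_BY_RCU are assumptions.

```c
#include <stdbool.h>
#define FLAG_TYPESAFE_BY_RCU 0x1u   /* stands in for SLAB_TYPESAFE_BY_RCU */

/* Constructed stand-in for struct kmem_cache; freed plays the role of KASAN. */
struct cache { unsigned int flags; int refcount; bool freed; };
static int uaf_reads;               /* reads of an already-freed cache */

/* Every read of c->flags goes through here so a late read is counted. */
static unsigned int read_flags(struct cache *c)
{
    if (c->freed)
        uaf_reads++;
    return c->flags;
}

/* The deferred work shutdown_cache() schedules for RCU caches: frees c. */
static void release_work(struct cache *c) { c->freed = true; }

/* Models dropping slab_mutex at the worst moment: the scheduled work
 * runs immediately, before the caller reaches its next statement. */
static void drop_lock(struct cache *c, bool work_pending)
{
    if (work_pending)
        release_work(c);
}

/* Pre-patch logic: re-reads c->flags after the lock is gone. */
static void destroy_buggy(struct cache *c)
{
    int refcnt = --c->refcount;     /* done under the lock */
    drop_lock(c, !refcnt && (read_flags(c) & FLAG_TYPESAFE_BY_RCU));
    if (!refcnt && !(read_flags(c) & FLAG_TYPESAFE_BY_RCU))  /* UAF read */
        release_work(c);
}

/* Patched logic: the flag is cached while c is still protected. */
static void destroy_fixed(struct cache *c)
{
    bool rcu_set = read_flags(c) & FLAG_TYPESAFE_BY_RCU;
    int refcnt = --c->refcount;
    drop_lock(c, !refcnt && rcu_set);
    if (!refcnt && !rcu_set)
        release_work(c);
}

/* Destroys a fresh, singly-referenced RCU cache with the given routine
 * and returns how many reads of freed memory it performed. */
int count_uaf_reads(void (*destroy)(struct cache *))
{
    struct cache c = { .flags = FLAG_TYPESAFE_BY_RCU, .refcount = 1 };
    uaf_reads = 0;
    destroy(&c);
    return uaf_reads;
}
```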