From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
To: Steven Rostedt <rostedt@goodmis.org>,
	linux-kernel@vger.kernel.org,
	linux-rt-users <linux-rt-users@vger.kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Carsten Emde <C.Emde@osadl.org>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	John Kacur <jkacur@redhat.com>, Daniel Wagner <wagi@monom.org>,
	Tom Zanussi <zanussi@kernel.org>,
	"Srivatsa S. Bhat" <srivatsa@csail.mit.edu>,
	Matt Fleming <matt@codeblueprint.co.uk>
Subject: Re: [PATCH RT 1/6] signal: Prevent double-free of user struct
Date: Thu, 13 Aug 2020 10:25:45 +0200
Message-ID: <b4c933e7-62e2-7018-d848-b5cde0d9ef26@prevas.dk>
In-Reply-To: <20200813014555.384329363@goodmis.org>

On 13/08/2020 03.45, Steven Rostedt wrote:
> 5.4.54-rt33-rc1 stable review patch.
> If anyone has any objections, please let me know.
>

No objections, quite the contrary. I think this should also be applied
to 4.19-rt:

Commit fda31c50292a is also in 4.19.y (as 797479da0ae9), since 4.19.112
and hence also 4.19.112-rt47. For a while we've tried to track down a
hang that at least sometimes manifests quite similarly

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 14 at lib/refcount.c:280 refcount_dec_not_one+0xc0/0xd8
...
Call Trace:
[cf45be10] [c0238258] refcount_dec_not_one+0xc0/0xd8 (unreliable)
[cf45be20] [c02383c8] refcount_dec_and_lock_irqsave+0x20/0xa4
[cf45be40] [c0024a70] free_uid+0x2c/0xa0
[cf45be60] [c00384f0] put_cred_rcu+0x58/0x8c
[cf45be70] [c005f048] rcu_cpu_kthread+0x364/0x49c
[cf45bee0] [c003a0d0] smpboot_thread_fn+0x21c/0x29c
[cf45bf10] [c0036464] kthread+0xe0/0x10c
[cf45bf40] [c000f1cc] ret_from_kernel_thread+0x14/0x1c

But our reproducer is rather complicated and involves cutting power to
neighbouring boards, and takes many minutes to trigger. So I tried
Daniel's reproducer

  sigwaittest -t -a -p 98

and almost immediately got a trace much more similar to the one in the
commit message

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 1526 at lib/refcount.c:280 refcount_dec_not_one+0xc0/0xd8
...
Call Trace:
[cebc9e00] [c0238258] refcount_dec_not_one+0xc0/0xd8 (unreliable)
[cebc9e10] [c02383c8] refcount_dec_and_lock_irqsave+0x20/0xa4
[cebc9e30] [c0024a70] free_uid+0x2c/0xa0
[cebc9e50] [c002574c] dequeue_signal+0x90/0x1a4
[cebc9e80] [c0028f74] sys_rt_sigtimedwait+0x24c/0x288
[cebc9f40] [c000f12c] ret_from_syscall+0x0/0x40

With this patch applied, the sigwaittest has now run for 10 minutes
without problems.

I'll have to run some more tests with our reproducer to see if it really
is the same issue, but even if not, the fact that the sigwaittest fails
should be enough to put this in 4.19-rt.

Three requests (in order of importance):

* pull this into 4.19-rt
* add a note about the sigwaittest reproducer to the commit log
* do publish the rt-rcs in some git repository; that makes it a lot
easier to cherry-pick and test patches

Thanks,
Rasmus
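
Added example, not part of the original message or of the kernel tree: a Python triage helper that groups `refcount_t: underflow` warnings by the function that called `free_uid()`, the detail that distinguishes the two traces in the message. The names `underflow_traces` and `free_uid_callers` are hypothetical, and the frame format is assumed to be the un-timestamped `[stack] [pc] symbol+0xoff/0xsize` layout quoted above.

```python
import re

# Assumed frame layout, as in the traces above: [stack] [pc] symbol+0xoff/0xsize
FRAME = re.compile(r"^\[[0-9a-f]+\] \[[0-9a-f]+\] ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
MARKER = "refcount_t: underflow; use-after-free."

def underflow_traces(log):
    """Return one list of symbols (innermost first) per underflow warning."""
    traces, current, in_trace = [], None, False
    for line in log.splitlines():
        line = line.strip()
        if MARKER in line:
            current, in_trace = [], False
            traces.append(current)
        elif current is not None and line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if (m := FRAME.match(line)):
                current.append(m.group(1))
            else:  # first non-frame line ends this trace
                current, in_trace = None, False
    return traces

def free_uid_callers(log):
    """Name the function that called free_uid() in each warning, or None."""
    callers = []
    for syms in underflow_traces(log):
        idx = syms.index("free_uid") if "free_uid" in syms else -1
        callers.append(syms[idx + 1] if 0 <= idx < len(syms) - 1 else None)
    return callers

# Sample input: the two traces from the message above, with frames trimmed.
SAMPLE = """\
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 14 at lib/refcount.c:280 refcount_dec_not_one+0xc0/0xd8
Call Trace:
[cf45be10] [c0238258] refcount_dec_not_one+0xc0/0xd8 (unreliable)
[cf45be40] [c0024a70] free_uid+0x2c/0xa0
[cf45be60] [c00384f0] put_cred_rcu+0x58/0x8c
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 1526 at lib/refcount.c:280 refcount_dec_not_one+0xc0/0xd8
Call Trace:
[cebc9e00] [c0238258] refcount_dec_not_one+0xc0/0xd8 (unreliable)
[cebc9e30] [c0024a70] free_uid+0x2c/0xa0
[cebc9e50] [c002574c] dequeue_signal+0x90/0x1a4
"""

if __name__ == "__main__":
    print(free_uid_callers(SAMPLE))
```

An empty result from `free_uid_callers()` over the console log captured during a reproducer run is the condition to check before calling a patched kernel clean.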
