From patchwork Mon Sep 19 03:12:41 2022
X-Patchwork-Submitter: Feng Tang
X-Patchwork-Id: 12979672
From: Feng Tang
To: Vlastimil Babka, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Andrew Morton, Waiman Long
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Feng Tang
Subject: [PATCH] mm/slab_common: fix possible double free of kmem_cache
Date: Mon, 19 Sep 2022 11:12:41 +0800
Message-Id: <20220919031241.1358001-1-feng.tang@intel.com>
X-Mailer: git-send-email 2.34.1
When doing a slub_debug test, kfence's 'test_memcache_typesafe_by_rcu' kunit test case causes a use-after-free error:

BUG: KASAN: use-after-free in kobject_del+0x14/0x30
Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261

CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x34/0x48
 print_address_description.constprop.0+0x87/0x2a5
 print_report+0x103/0x1ed
 kasan_report+0xb7/0x140
 kobject_del+0x14/0x30
 kmem_cache_destroy+0x130/0x170
 test_exit+0x1a/0x30
 kunit_try_run_case+0xad/0xc0
 kunit_generic_run_threadfn_adapter+0x26/0x50
 kthread+0x17b/0x1b0

The cause is inside kmem_cache_destroy():

kmem_cache_destroy
    acquire lock/mutex
    shutdown_cache
        schedule_work(kmem_cache_release) (if RCU flag set)
    release lock/mutex
    kmem_cache_release (if RCU flag set)

In certain timing, the scheduled work could be run before the next RCU flag checking, which will get a wrong state.

Fix it by caching the RCU flag inside the protected area, just like 'refcnt'.

Signed-off-by: Feng Tang
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Reviewed-by: Waiman Long
---
note: The error only happens on linux-next tree, and not in Linus' tree, which already has Waiman's commit:
0495e337b703 ("mm/slab_common: Deleting kobject in kmem_cache_destroy() without holding slab_mutex/cpu_hotplug_lock")

 mm/slab_common.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/slab_common.c b/mm/slab_common.c
index 07b948288f84..ccc02573588f 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -475,6 +475,7 @@ void slab_kmem_cache_release(struct kmem_cache *s) void kmem_cache_destroy(struct kmem_cache *s) { int refcnt; + bool rcu_set; if (unlikely(!s) || !kasan_check_byte(s)) return; @@ -482,6 +483,8 @@ void kmem_cache_destroy(struct kmem_cache *s) cpus_read_lock(); mutex_lock(&slab_mutex); + rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU; + refcnt = --s->refcount; if (refcnt) goto out_unlock; @@ -492,7 +495,7 @@ void kmem_cache_destroy(struct kmem_cache *s) out_unlock: mutex_unlock(&slab_mutex); cpus_read_unlock(); - if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU)) + if (!refcnt && !rcu_set) kmem_cache_release(s); } EXPORT_SYMBOL(kmem_cache_destroy);
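Review bot: in the first hunk `bool rcu_set;` has no initializer and is not assigned until after `mutex_lock(&slab_mutex)` in the next hunk; the only path that skips the assignment is the early `return` on `!s || !kasan_check_byte(s)`, which never reaches the read at `out_unlock`, so this is safe, but a short comment at the declaration (a snapshot of SLAB_TYPESAFE_BY_RCU taken under slab_mutex) would tell a later reader why the flag is copied at all.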
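Review bot: the assignment `rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU;` in the second hunk is the whole fix, and it is correctly placed before `--s->refcount`, while `s` is still guaranteed to be a live object; nothing in the hunk records why that ordering matters, so suggest a comment above it stating that once `slab_mutex` is dropped the `kmem_cache_release` work scheduled by `shutdown_cache` may already have freed `s`, which is exactly the re-read the KASAN report in the commit message caught. The implicit conversion of the flag mask to `bool` yields 0 or 1, so the later `!rcu_set` test behaves as intended.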
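Review bot: replacing `!(s->flags & SLAB_TYPESAFE_BY_RCU)` with `!rcu_set` after `cpus_read_unlock()` in the third hunk means `s` is no longer dereferenced after the unlock on the RCU path, where the deferred work owns the object; on the `!rcu_set` path the direct `kmem_cache_release(s)` remains correct because no work was scheduled. Since the cover note says the bug reproduces only on linux-next and that Linus' tree already carries 0495e337b703 touching the same function, the submission should state which tree it targets so the maintainer knows it is a linux-next-only fix rather than a stable candidate.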
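The ordering the commit message describes, replayed as an added stand-alone model (not kernel code and not the author's): a userland C program that runs the pre-patch and patched kmem_cache_destroy() sequences against a mock cache, with the deferred release modelled as zeroing the object and a constructed SLAB_TYPESAFE_BY_RCU value, so the pre-patch re-read of s->flags can be seen to cause a second release.

```c
#include <stdbool.h>
#include <string.h>

#define SLAB_TYPESAFE_BY_RCU 0x00080000u  /* constructed stand-in, not the kernel's value */
struct cache { unsigned int flags; int refcount; };  /* minimal model of struct kmem_cache */
static int release_calls;  /* number of releases in the current scenario */

/* Models kmem_cache_release(): count the release and "free" the object by zeroing it,
 * so a later read of s->flags sees stale data instead of undefined behaviour. */
static void cache_release(struct cache *s)
{
	release_calls++;
	memset(s, 0, sizeof(*s));
}

/* Pre-patch ordering: s->flags is re-read after slab_mutex is dropped.
 * work_runs_early models the deferred release completing inside that window. */
static int destroy_before_fix(struct cache *s, bool work_runs_early)
{
	int refcnt;
	release_calls = 0;
	refcnt = --s->refcount;  /* under slab_mutex, as in the kernel */
	if (!refcnt && (s->flags & SLAB_TYPESAFE_BY_RCU) && work_runs_early)
		cache_release(s);  /* shutdown_cache()'s scheduled work already freed *s */
	/* slab_mutex released here; the re-read below touches the freed object */
	if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU))
		cache_release(s);  /* second release: the double free */
	return release_calls;
}

/* Patched ordering: snapshot the flag under the lock, while *s is guaranteed alive. */
static int destroy_after_fix(struct cache *s, bool work_runs_early)
{
	bool rcu_set; int refcnt;
	release_calls = 0;
	rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU;
	refcnt = --s->refcount;
	if (!refcnt && rcu_set && work_runs_early)
		cache_release(s);
	if (!refcnt && !rcu_set)  /* *s is never dereferenced after the unlock */
		cache_release(s);
	return release_calls;
}

/* Runs one scenario on a fresh cache and returns how many releases it caused. */
static int run_scenario(bool patched, unsigned int flags, int refcount, bool work_runs_early)
{
	struct cache c = { .flags = flags, .refcount = refcount };
	return patched ? destroy_after_fix(&c, work_runs_early) : destroy_before_fix(&c, work_runs_early);
}
```

With the deferred work landing inside the window, the pre-patch sequence releases the RCU-typesafe cache twice while the patched sequence releases it once; caches without the flag behave identically before and after.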