On Sun, Mar 19, 2023 at 02:12:49AM +0800, Teng Qi wrote: > Regarding the first problem, our tool discovered a possible code path that > > starts from mmap_read_unlock() and leads to sleep in kernel v6.3-rc2 source > > code. > > > > kernel/bpf/mmap_unlock_work.h:52 mmap_read_unlock(mm); > > include/linux/mmap_lock.h:144 up_read(&mm->mmap_lock); > > kernel/locking/rwsem.c:1616 __up_read(sem); > > kernel/locking/rwsem.c:1352 rwsem_wake(sem); > > kernel/locking/rwsem.c:1211 rwsem_mark_wake(sem, RWSEM_WAKE_ANY, &wake_q); > > kernel/locking/rwsem.c:566 wake_q_add_safe(wake_q, tsk); > > kernel/sched/core.c:990 put_task_struct(task); > > include/linux/sched/task.h:119 __put_task_struct(t); > > kernel/fork.c:857 exit_creds(tsk); > > kernel/cred.c:172 put_cred(cred); > > include/linux/cred.h:288 __put_cred(cred); > > kernel/cred.c:151 put_cred_rcu(&cred->rcu); > > kernel/cred.c:121 put_group_info(cred->group_info); > > include/linux/cred.h:53 groups_free(group_info); > > kernel/groups.c:31 kvfree(group_info); > > mm/util.c:647 vfree(addr); <- oops, sleep when size of group_info is large > > > > However, we cannot guarantee that this code path will be triggered during > > runtime since it was generated by a static analysis tool. So it is a purely theoretical issue and out of thousands users of up_read() you've decided to fix one where it is called form mmap_read_unlock(). Why? You also see that __up_read is doing preempt_disable and then calls rwsem_wake() which will theoretically can call vfree() with "oops", right? So agian, why target mmap_read_unlock() ?
