On 5/31/2023 5:22 PM, Miklos Szeredi wrote:
On Wed, 31 May 2023 at 11:26, Pradeep P V K <quic_pragalla@xxxxxxxxxxx> wrote:
There is a potential race/timing issue while aborting the
requests on processing list between fuse_dev_release() and
fuse_abort_conn(). This is resulting into below warnings
and can even result into UAF issues.
Okay, but...
[22809.190255][T31644] refcount_t: underflow; use-after-free.
[22809.190266][T31644] WARNING: CPU: 2 PID: 31644 at lib/refcount.c:28
refcount_warn_saturate+0x110/0x158
...
[22809.190567][T31644] Call trace:
[22809.190567][T31644] refcount_warn_saturate+0x110/0x158
[22809.190569][T31644] fuse_file_put+0xfc/0x104
...how can this cause the file refcount to underflow? That would
imply that fuse_request_end() will be called for the same request
twice. I can't see how that can happen with or without the locking
change.
Please ignore this patch. i overlooked it as list_splice in
fuse_dev_release() and made the change.
Do you have a reproducer?
don't have exact/specific steps but i will try to recreate. This is
observed during stability testing (involves io, reboot, monkey, e.t.c.)
for 24hrs. So, far this is seen on both 5.15 and 6.1 kernels. Do you
have any points or speculations to share ?
Thanks,
Pradeep
Thanks,
Miklos
